Automatic Verification

Verification without manual paste.

CommandLayer receipts can be verified automatically by apps, webhooks, SDKs, MCP flows, badges, and agent-to-agent systems.

Open Webhook Auto-Verify Demo View Example Code

The working model

Runtime signs receipt

→ receipt delivered to a system

→ system calls verifier

→ valid receipt accepted

→ tampered receipt rejected

The webhook auto-verify example demonstrates this server-side. The public demo demonstrates the same flow in the browser using runtime signing and runtime verification.

Runtime: https://runtime.commandlayer.org
Verifier: https://runtime.commandlayer.org/verify

Webhook Auto-Verify

Working example of automatic receipt verification.

Open demo

Live today

Manual verifier

Paste receipt JSON and inspect each verification check.

Open verifier

Runtime verifier

Programmatically verify receipts with POST https://runtime.commandlayer.org/verify.

Open runtime docs

Webhook auto-verify

Backend receives receipt, verifies it server-side, and accepts/rejects the event.

Open demo page
Open GitHub example

Embedded badge

Display verification state in a UI.

Open badge demo

SDK/runtime verification

Use @commandlayer/agent-sdk or direct runtime calls in application code.

SDK records
API reference

Webhook auto-verification

This is the no-paste model: POST /webhook receives { event, receipt }, the server posts { receipt } to the verifier, valid proof returns accepted, and tampered proof returns rejected.

cd examples/webhook-auto-verify
npm install
npm run generate:samples
npm start

curl -X POST http://localhost:3000/webhook \
  -H "Content-Type: application/json" \
  --data @sample-valid-webhook.json

curl -X POST http://localhost:3000/webhook \
  -H "Content-Type: application/json" \
  --data @sample-tampered-webhook.json

Expected:
valid -> 200 accepted
tampered -> 400 rejected

Trust checks

receipt structure
metadata.proof present
canonicalization = json.sorted_keys.v1 (standard canonical JSON path)
erc8211.composable.v1 — ERC-8211 composable execution canonicalization recognized. Merkle authorization verification is deferred pending the companion Merkle authorization ERC.
metadata.trace optional for correlation across multi-step workflows and batch execution
hash_alg = SHA-256
hash_matches
signature_alg = Ed25519
signature_valid
signature.kid = vC4WbcNoq2znSCiQ
signer_id = runtime.commandlayer.eth
supported capability verb
tamper invalidation

Schema-valid alone is not verified. Verification requires hash and signature checks.

Trust boundaries

Runtime signs.
Verifier validates.
MCP bridges.
SDK wraps.
Schemas describe.

Webhook sender authentication is separate from receipt verification. Production webhooks still need sender authentication, replay protection, timestamps, rate limits, and idempotency.

Verification URLs

Demo verification routes are available for illustrative receipt IDs:

/verify.html (demo route)
/verify.html (demo route)

Live vs planned

Live today: manual verifier, runtime /verify, webhook auto-verify example, SDK/runtime verification, and embedded badge demo.

Planned: managed webhook delivery network, third-party callbacks, continuous monitoring, replay-check service, and dashboard/history pipelines.

View Production Proof · Runtime · API · Verifier