Webhook Auto-Verify

Automatic verification without manual paste.

This demo is now part of Live Proof. Open /proof.html for the complete proof hub.

Live Proof

This demo shows a webhook-style flow where a receipt is generated, verified automatically, then tampered and rejected.

Run Live Demo View Example Code

New to CommandLayer?

Start in Playground

Live demo panel

Idle.

NOT_RUN

{}

Tampered verification result

NOT_RUN

{}

How this maps to a webhook

External system → sends { event, receipt } → webhook server calls verifier → accepted or rejected

The browser demo proves the same verification logic. The backend example in examples/webhook-auto-verify performs the check server-side with POST /webhook.

Backend example commands

cd examples/webhook-auto-verify
npm install
npm run check
npm run generate:samples
npm start

curl -X POST http://localhost:3000/webhook \\
  -H "Content-Type: application/json" \\
  --data @sample-valid-webhook.json

curl -X POST http://localhost:3000/webhook \\
  -H "Content-Type: application/json" \\
  --data @sample-tampered-webhook.json

Expected:
valid -> 200 accepted
tampered -> 400 rejected

Runtime signs the original receipt.

Verifier recomputes canonical hash.

Verifier checks Ed25519 signature.

Tampering changes payload and invalidates proof.

No manual paste is required.

What this does not replace

Receipt verification proves receipt integrity.
It does not replace webhook sender authentication.
Production webhooks still need sender auth, replay protection, timestamps, idempotency, and rate limiting.
Schema-valid alone is not verified.
MCP is a bridge, not a signer.

Runtime signs.

Verifier validates.

MCP bridges.

SDK wraps.

Schemas describe.

Ambient Verification API Reference Runtime Verifier Production Proof Example Code