AttestLayer

Program lane

ID-01 — Authority and identity evidence

ID-01 packets record who is authorized to act on behalf of an organization or workflow, with reviewer-friendly evidence of authority. The lane is for platforms and partners that need a consistent identity-and-authority packet alongside their existing identity providers.

Evidence profileRecord-onlyVerifier-friendlyNot a certification

A program lane is a packet structure and an evidence-expectation profile. It is not a certification, audit opinion, or legal/regulatory approval.

Where ID-01 fits

Platform partners

Platforms that issue authority to operators and need a packet reviewers can verify.

Vendor onboarding

Onboarding workflows that need authority evidence on the vendor side.

Privileged-action records

High-impact admin actions that need a packaged authority record.

Counterparty review

Reviewers asking for a verifier-friendly record of who held authority for an action.

What the ID-01 packet records

Identity reference

Authority holder reference (without exposing private credentials).

Authority scope

What the holder was authorized to do, and the time window.

Issuance trail

How the authority was issued, by which authorizer, and when.

Verification path

Binder, manifest, signed receipt, hash trail, offline verifier.

What ID-01 does not do

  • does not certify the underlying compliance, security, or legal state
  • does not promise buyer, regulator, insurer, PSP, or auditor acceptance
  • does not opine on the truthfulness of submitted records
  • does not replace audit, regulatory, legal, or insurance review

Request Program review See illustrative case examples

The AttestLayer trust model

AttestLayer’s trust model is intentionally narrow. It records what was submitted, what was accepted into scope, what was issued, and how the issued kit can be checked.

The model uses

  • SHA-256 artifact hashing
  • manifest-based evidence inventory
  • canonical receipt hashing
  • Ed25519 receipt signatures
  • JWKS public-key discovery
  • offline verification
  • fail-closed verification behavior

What it proves

  • files match the manifest
  • manifest matches the receipt
  • receipt key ID matches a public key
  • receipt signature verifies
  • the kit has not been modified since issuance

What it does not prove

  • company compliance status
  • company security status
  • controls are operating effectively
  • a buyer, auditor, insurer, bank, regulator, or PSP has accepted the packet
  • the evidence content is legally sufficient

Integrity and issuance evidence only. Not audit, certification, or compliance guarantee.