ActionPass spec and verifier

ActionPass is Axtary's portable authorization artifact for AI-agent actions. It is a strict JWS/JWT profile that binds the actor, human owner, intent, resource, policy, TTL, and exact payload hash for the action about to execute. The canonical public draft is served at:

/spec/actionpass-v0.md

That draft is the contract for the token shape, normalized action model, canonical hashing rules, approval binding, revocation, ledger attestation, Merkle inclusion proofs, and fail-closed verification algorithm. It is a draft profile, not an IETF or OpenID standard.

Verify an export

The independent verification path starts with a signed ledger bundle:

axtary attest-ledger --ledger .axtary/actions.jsonl --out attestation.json
axtary verify-export attestation.json

verify-export is standalone. It checks the ES256 signature, export digest, hash chain, signed Merkle head, and approval-to-execution equivalence from the bundle. It does not need a running proxy, hosted Axtary service, provider credentials, or access to the original payload body.

For one-record proofs, use the inclusion verifier:

axtary prove-inclusion attestation.json --record ap_<jti> --out proof.json
axtary verify-proof proof.json --bundle attestation.json

The proof shows that one exact record is committed by the signed tree head without sharing the rest of the export.

Conformance shape

The repository includes clean-room conformance tests that re-implement the spec's verification rules without importing Axtary hash helpers. They cover:

  • ActionPass canonicalization and JWS verification.
  • Ledger attestation verification with a single-byte tamper check.
  • RFC 6962-style inclusion and consistency proofs.
  • Approval-to-execution equivalence failures.
  • Cross-issuer evidence verification against one pinned public trust root.

What it proves

  • A signed ActionPass authorized one exact normalized action and payload hash.
  • A signed ledger export has not been edited, reordered, truncated, or extended after signing.
  • An approved execution either proves approvedPayloadHash == executedPayloadHash or fails verification.
  • A cross-issuer audit can pin one issuer's public trust root and verify the pass, ledger attestation, inclusion proof, and fresh status evidence together.

What it does not prove

  • It does not claim to prevent prompt injection.
  • It does not prove events that were never recorded.
  • It does not replace key custody for the issuer's signing keys.
  • It is not a public trust network or arbitrary federation-chain resolver.

For command details, see Verify the ledger. For the runtime programming surface, see the TypeScript SDK.