verify
Verify a feed's signatures and sequence integrity.
Verify a feed’s signatures and sequence integrity. This command loads the SIG metadata, resolves the JWKS, and checks every event in the feed.
Usage
ak verify <SIG_METADATA>Arguments
| Argument | Description |
|---|---|
<SIG_METADATA> | SIG metadata URL (https://...) or local file path. |
Behavior
The verify command performs the following checks:
- Loads metadata from the provided URL or file path.
- Resolves the JWKS to obtain the issuer’s public keys.
- Reads all events from the event feed.
- Verifies every JWS signature against the corresponding key in the JWKS.
- Checks sequence ordering to ensure events are strictly sequential with no gaps.
- Validates all payloads for structural correctness.
The command exits with code 0 on success and a non-zero code on failure.
Examples
Verify a local feed
ak verify ./issuer-root/.well-known/sig.jsonOutput on success:
Verified 12 events, all signatures valid.Verify a remote feed
ak verify https://example.com/.well-known/sig.jsonOutput on success:
Verified 12 events, all signatures valid.Verification failure
ak verify ./tampered-issuer/.well-known/sig.jsonOutput on failure:
Error: signature verification failed for event at seq=4 (kid: orgsign-1)Notes
- Remote verification fetches the metadata, JWKS, and events over HTTPS.
- Local verification reads all files from the filesystem relative to the metadata path.
- This command is read-only and does not modify any files.
- Use
dump-stateif you also want to see the derived relationship state after verification.