GAFAIG PUBLIC KEY

Public verification key for GAFAIG signed proof

GAFAIG uses a public verification key to allow external systems to validate signed AI governance certification records. The public key verifies that a GAFAIG proof payload was signed by GAFAIG and has not been altered.

Algorithm: Ed25519
Public Key Endpoint: /api/.well-known/gafaig-public-key
Canonical Payload: proof.messageString
HOW VERIFICATION WORKS

Signed proof makes certification independently verifiable

Each GAFAIG verification response includes a canonical messageString and signature. External systems fetch the public key, verify the signature against the exact messageString, and then evaluate lifecycle and eligibility fields.

Fetch the public verification response from /api/verify/{registryId}.
Read proof.messageString exactly as returned.
Read proof.signature and proof.verificationKeyUrl.
Fetch the GAFAIG public key and validate the signature.
Trust only active, public, eligible certified records.
Never reconstruct messageString from JSON fields.
PUBLIC KEY ENDPOINT

Fetch the GAFAIG public key

The public key endpoint exposes the verification key used by external systems to validate GAFAIG signatures.

curl https://www.gafaig.com/api/.well-known/gafaig-public-key
VERIFY ENDPOINT

Fetch a signed verification payload

The verify endpoint returns the public record, proof object, signature, messageString, and public key URL for a GAFAIG registry record.

curl https://www.gafaig.com/api/verify/GAFAIG-00363095
CANONICAL RULE

Verify the exact messageString

Independent verification depends on the exact signed payload. Any change to whitespace, ordering, timestamp format, escaping, or field values invalidates the signature.

Verification MUST use:

proof.messageString
proof.signature
proof.verificationKeyUrl

Do not reconstruct the payload from record fields.
TRUST CLAIM RULE

When a GAFAIG record may be trusted

A downstream system may display a trusted GAFAIG certification claim only when the signature validates and the record satisfies the public trust contract.

Signature validates successfully against proof.messageString.
certificationStatus is CERTIFIED.
lifecycleStatus is active.
visibilityStatus is public.
verificationEligible is true.
badgeEligible is true.
FAIL SAFE

If verification fails, do not trust the record

If messageString is missing, the signature is missing, the key is unavailable, or signature validation fails, external systems must treat the record as invalid or unavailable.

Missing messageString means verification is invalid.
Missing signature means no cryptographic proof is available.
Public key failure means verification is unavailable.
Signature mismatch means payload integrity failed.
Expired records must not be shown as currently active.
Revoked records must not be shown as trusted.
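
The verification steps, trust claim rule and fail-safe cases above, combined into one fail-closed check. This is an added example, not GAFAIG's own code. It assumes a response shaped as { record, proof }, a base64-encoded proof.signature and a public key already loaded as a Node.js KeyObject, none of which this page specifies; the function names and sample data are constructed.

```javascript
const crypto = require('node:crypto');

// Public trust contract, as listed on this page.
const CONTRACT = { certificationStatus: 'CERTIFIED', lifecycleStatus: 'active',
  visibilityStatus: 'public', verificationEligible: true, badgeEligible: true };

// Assumptions (not stated on the page): the response is { record, proof },
// proof.signature is base64, and publicKey is a Node KeyObject (null when the
// key could not be fetched).
function evaluateGafaigRecord(response, publicKey) {
  const proof = (response && response.proof) || {};
  const record = (response && response.record) || {};
  const deny = (reason) => ({ trusted: false, reason });
  if (typeof proof.messageString !== 'string' || proof.messageString === '')
    return deny('invalid: messageString missing');
  if (typeof proof.signature !== 'string' || proof.signature === '')
    return deny('no cryptographic proof: signature missing');
  if (!publicKey) return deny('unavailable: public key not retrieved');

  // Verify the bytes of messageString exactly as received; never rebuild it.
  let ok = false;
  try {
    ok = crypto.verify(null, Buffer.from(proof.messageString, 'utf8'),
      publicKey, Buffer.from(proof.signature, 'base64'));
  } catch { ok = false; } // malformed key or signature fails closed
  if (!ok) return deny('integrity failed: signature mismatch');

  // Only after the signature validates are the status fields evaluated.
  for (const [field, want] of Object.entries(CONTRACT)) {
    if (record[field] !== want)
      return deny(`not trusted: ${field} is ${JSON.stringify(record[field])}`);
  }
  return { trusted: true, reason: 'signature valid, trust contract satisfied' };
}

// Constructed sample: a throwaway key pair stands in for the GAFAIG key, and
// the messageString content is made up for the demonstration.
function buildSample() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const messageString = 'constructed-sample|SAMPLE-0001|CERTIFIED|active';
  const signature = crypto.sign(null, Buffer.from(messageString, 'utf8'),
    privateKey).toString('base64');
  return { publicKey, response: { record: { ...CONTRACT },
    proof: { messageString, signature } } };
}

const sample = buildSample();
console.log(evaluateGafaigRecord(sample.response, sample.publicKey));
```
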
Release: dev

Governance verification engine executed on Snowflake (deterministic scoring, registry snapshots, and public verification views)