What is a Receipt?
A TrigGuard receipt is a JSON document containing the authorization decision, signed with Ed25519. Receipts are self-contained — you can verify them without contacting TrigGuard.
{
  "receipt_id": "tg_rcpt_7f3a9c2b1d4e5f6a",
  "decision": "PERMIT",
  "surface": "deploy.release",
  "action": "promote-to-production",
  "timestamp": "2026-03-13T14:22:00.000Z",
  "expires_at": "2026-03-13T14:32:00.000Z",
  "context_hash": "sha256:abc123...",
  "key_id": "tg_key_2026_03",
  "signature": "ed25519:jK8sPq2R..."
}
Receipt Properties
Verification
Verify receipts using public keys published at /.well-known/trigguard-keys.json. Cache keys locally for air-gapped verification.
# Verify with CLI
tg verify --receipt receipt.json
# Verify with cURL + jq
KEYS=$(curl -s https://api.trigguardai.com/.well-known/trigguard-keys.json)
# ... verify signature against keys
# Output
✓ Signature valid
✓ Receipt not expired
✓ Key ID: tg_key_2026_03 (active)
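The offline checks listed above (key lookup in a local cache, Ed25519 signature, expiry), written out in Go as an added example that is not TrigGuard's own code. The canonical signing form, the base64 signature encoding, the key-cache layout and the names VerifyReceipt and SignSample are assumptions, since the page does not specify them.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// VerifyReceipt checks a receipt offline against cached keys (key_id -> public key). ASSUMED, not from
// the page: string-only fields; base64 signature over the receipt minus "signature", keys sorted.
func VerifyReceipt(raw []byte, keys map[string]ed25519.PublicKey, now time.Time) error {
	var r map[string]string
	if err := json.Unmarshal(raw, &r); err != nil {
		return fmt.Errorf("malformed receipt")
	}
	pub, ok := keys[r["key_id"]]
	if !ok {
		return fmt.Errorf("unknown key_id") // fail closed on keys missing from the cache
	}
	sig, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(r["signature"], "ed25519:"))
	delete(r, "signature")
	msg, _ := json.Marshal(r) // json.Marshal emits map keys in sorted order
	if err != nil || !ed25519.Verify(pub, msg, sig) {
		return fmt.Errorf("signature invalid")
	}
	exp, err := time.Parse(time.RFC3339, r["expires_at"]) // read only after the signature check
	if err != nil || !now.Before(exp) {
		return fmt.Errorf("receipt expired")
	}
	return nil
}

// SignSample builds a constructed receipt signed with a throwaway demo key.
func SignSample(fields map[string]string, priv ed25519.PrivateKey) []byte {
	msg, _ := json.Marshal(fields)
	fields["signature"] = "ed25519:" + base64.StdEncoding.EncodeToString(ed25519.Sign(priv, msg))
	raw, _ := json.Marshal(fields)
	return raw
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	raw := SignSample(map[string]string{"key_id": "tg_key_2026_03", "expires_at": "2026-03-13T14:32:00Z"}, priv)
	now := time.Date(2026, 3, 13, 14, 25, 0, 0, time.UTC) // constructed clock value
	fmt.Println(VerifyReceipt(raw, map[string]ed25519.PublicKey{"tg_key_2026_03": pub}, now))
}
```

Passing the clock in as a parameter lets the same function re-check archived receipts against the time of the original action during an audit.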
Compliance Use Cases
Change Management
Prove who authorized changes to production systems and when.
Access Control
Document authorization for secrets access and sensitive operations.
Incident Response
Reconstruct the timeline of authorized actions during incidents.
Audit Trail
Export receipts for SOC 2, ISO 27001, FedRAMP, or internal audits.
Storage Best Practices
Store receipts as immutable artifacts alongside your deployment records.
Recommended Storage
S3 with object lock, GCS with retention policy, or append-only logging systems. Keep receipts for as long as you keep deployment records — typically 7+ years for compliance.