AxioRankZero-Trust for AI Agents
Open the console

Transparency log

An audit log you can check, not just read.

Most audit trails ask you to trust the dashboard. Ours is a sealed Merkle log with hourly signed tree heads and a public key. Membership is a proof you can verify offline, and tampering with any past event breaks the signature on every head since.

Verify our logRead the docs

RFC 6962 Merkle · hourly Ed25519 heads · offline verifier

signed-tree-head.json
{
  "treeSize": 184203,
  "merkleRoot": "b7f1…9c0a",
  "timestamp": "2026-06-13T18:00Z",
  "signature": "ed25519:4f2a…"
}
a new head signed every hour, against a key you pin
Merkle
RFC 6962 hash-chained log
Hourly
Ed25519 signed tree heads
Offline
Verify with just a public key
Open
Source verifier, zero dependencies

Sealed, not editable

Membership is a proof, not a promise.

Each event is a leaf hashed into a tree. The root is signed every hour. To prove an event is in the log, you check a short path of hashes up to a signed root, so the log cannot quietly drop or rewrite anything without the math giving it away.

signed root · b7f1…9c0a
h(01)
h(23)
evt 0
evt 1
evt 2
evt 3

change one event and every hash above it changes, so the signed root no longer matches.

The building blocks

Three primitives, one tamper-evident record.

Nothing here is exotic. It is the same transparency-log design that secures the public certificate ecosystem, applied to your agents' actions.

A hash-chained log

Events are leaves in an append-only Merkle tree, so each one is bound to every event before it.

Signed tree heads

The root is signed hourly under an Ed25519 key, with a public endpoint so anyone can pin it.

Receipts with proofs

A governed action can be issued as a receipt that carries its own membership proof and signed head.

Do not trust us

Verify it yourself, including against us.

An open-source verifier re-implements every check with zero dependencies, in TypeScript, Python, and a CLI. Verification needs nothing of ours running, so the proof does not depend on our goodwill.

# verify a receipt against a key you pinned
npx @axiorank/audit-verify receipt.json --jwks jwks.json

Pin once, trust never again

Pin the public key a single time. From then on, every receipt and every checkpoint is checkable without asking us anything.

Split-view protection

A second pair of eyes the operator cannot fool.

A dishonest log could try to show different histories to different people. Independent witnesses co-sign the heads they see, so a forked view cannot stay hidden. Run your own witness for the strongest guarantee.

See self-hosted witnessPackage it as auditor evidence

Keep exploring

Continue across the control plane.

Provable security

Information-flow control plus an offline-verifiable receipt for every governed action.

Open

Compliance evidence

A one-click evidence bundle for SOC 2, ISO 27001, and the EU AI Act, verifiable offline.

Open

Agent identity

Short-lived signed tokens that verify locally and cannot be replayed.

Open

Self-hosted witness

Run your own witness so a forked log cannot hide from you.

Open

Tool transparency log

The same machinery, applied to MCP tool-definition changes.

Open

Verify our log

Pin our key, pull the checkpoints, and watch for a fork.

Open

Stop trusting the dashboard. Start verifying the math.

Pin our key once, then prove any action happened and that the log was never rewritten, with nothing of ours running.

Verify our logRead the claims