A2A v1.0 AP2 V0.1 eddsa-jcs-2022 did:web:workloft.ai Zero-trust

Verify a Workloft credential

Paste any Workloft-issued signed JSON — an A2A Agent Card, an AP2 Intent or Cart Mandate, or any credential carrying our W3C Data Integrity proof — and verify the signature against our public key.

Zero-trust verification. The verification runs entirely in your browser using @noble/ed25519 and canonicalize (RFC 8785 / JCS) from a public CDN. Our public key is fetched from https://workloft.ai/.well-known/did.json. We never see what you paste, and you don’t need our servers up to verify. Open DevTools and read the source if you don’t take our word for it.

Signed credential (JSON)

Verification result

Awaiting credential…

How this works (the short version)

You paste a signed credential.
Your browser fetches our DID document at /.well-known/did.json, which contains the Ed25519 public key.
The credential is JCS-canonicalised (RFC 8785), the proof block is canonicalised separately, both are SHA-256’d into a single digest.
The proof value (multibase-base58btc encoded) is decoded and verified against the digest with the public key.
If the signature is valid, the credential is genuinely Workloft-issued and unmodified.

References

Public DID document: https://workloft.ai/.well-known/did.json
Cryptosuite spec: w3.org/TR/vc-di-eddsa/
JCS (JSON canonicalization): RFC 8785
A2A v1.0 spec: a2a-protocol.org
AP2 V0.1 spec: ap2-protocol.org