For banks and insurers

Underwrite crude deals against the same attestation your counterparty’s operator signed.

Pull a Digital Passport or an Audit Bundle programmatically, verify the Ed25519 signature locally against our published JWKS, and wire a webhook so a post-issuance OFAC flip reaches your credit committee in seconds instead of weeks.

Sample signed Audit Bundle

A compliance engineer should be able to inspect the artifact format before scheduling a call. The files below are byte-exact copies of what our production API produces for a Subscriber generating an LC packet, signed with a committed sample key. Verify the signature against /samples/sample-jwks.json; production bundles verify against /.well-known/jwks.json.

sample-audit-bundle.pdf — the LC-packet artifact (cover page + per-UUID entries).
sample-audit-bundle.json — the canonical payload, SHA-256 hash, Ed25519 signature, and signing key id.
sample-jwks.json — the sample public key in JWKS form, scoped to verifying the sample bundle only.
README.md — the four-step verification procedure.

Ed25519 signing and public JWKS

Every Digital Passport and every Audit Bundle is signed with an Ed25519 key. The signing_key_id on each artifact corresponds to a kid in the published JWKS, so key rotations do not invalidate historical passports. Your IT team can pin the JWKS fetch into whatever signed-response verification stack you already run; there is no Sovereign Ledger SDK to install to do so.

Canonical JWKS URL: getsovereignledger.com/.well-known/jwks.json. See /security for the complete cryptographic and operational posture, and /how-it-works for the canonical payload shape under the signature.

Webhooks

A Subscriber registers an HTTPS endpoint and a watchlist of UUIDs. On any state change — new passport issued against a watched UUID, post-issuance OFAC flip, severance flip, watchlist TTL expiry — we POST a signed event to the endpoint, Stripe-style: idempotency key in a header, HMAC-SHA256 signature in X-Sovereign-Signature, retry on 5xx at roughly 1s, 4s, 16s, 64s, 4m, 15m before permanent failure. A delivery history and manual re-send are available in the Subscriber dashboard.

An example batch.flagged body:

{
  "type": "batch.flagged",
  "batch_uuid": "ec3d5870-1a2b-4c0d-9e3f-0a1b2c3d4e5f",
  "subscriber_id": "11111111-1111-4111-8111-111111111111",
  "occurred_at": "2026-04-11T02:18:04Z",
  "reason": "ofac_hit",
  "current_status": "FLAGGED"
}

Vendor-intake references

/docs/api — Subscriber API reference (full OpenAPI spec in progress; see issue #29).
/security — cryptographic primitives, US-only data residency, event-sourced architecture, SOC 2 roadmap, coordinated disclosure.
/status — live backend uptime.
/.well-known/jwks.json — production public signing keys.

Request an institutional evaluation

We respond to bank and insurer evaluation requests from sales@getsovereignledger.com within one business day. The form below is attributed to the bank/insurer pipeline so your note reaches the right inbox.