How to Verify an AI Execution Record Without Trusting the Provider

NexArt introduces Certified Execution Records (CERs) for AI systems, enabling independent verification of execution records without trusting the provider. The CER uses canonical JSON, integrity anchoring, and signed trust material to allow third parties to detect tampering and validate authenticity. A developer walkthrough demonstrates verifying a CER using only its bytes, public node metadata, and standard cryptographic primitives.

A developer-focused walkthrough of verifying a Certified Execution Record using only its bytes, public node metadata, and standard cryptographic primitives. A client challenges an AI decision six weeks later. They do not want a dashboard screenshot. They do not want a model card. They want something much harder: show me exactly what happened, and prove it. Most systems fail this test. Logs can be edited. Pipelines evolve. Re-running a model rarely reproduces the original result. You end up explaining what should have happened instead of proving what did. This is where execution evidence starts to matter. In NexArt, that evidence takes the form of a Certified Execution Record, or CER. A CER is not just a log entry with a checksum. It is a structured execution artifact with a deterministic identity, integrity anchoring, and signed trust material that can be checked later. The core flow is simple: artifact, hash, trust surface, independent verification. This article walks through what it actually means to verify a CER without trusting the original provider, using the current public NexArt model. The core problem Most AI accountability systems are still closed loops. The application produces the decision. The application writes the logs. The provider stores the logs. The provider explains the logs later. That may be enough for debugging. It is much weaker when someone outside the system wants proof. If a customer, auditor, partner, or regulator asks what happened in one specific execution, the real question is no longer "do you have logs?" It becomes: Can the record be checked later? Can tampering be detected? Can the trust material be validated separately? Does verification depend on trusting the same provider that produced the execution? That is the gap verifiable execution is meant to close. What real proof requires To turn an execution into something stronger than an internal claim, you need three things. Canonical form. The record must have one deterministic representation for hashing and signing. Integrity. If the record changes later, that change must be detectable. Authenticity. You need a way to prove who attested to the record. Without canonical form, hashing becomes unstable. Without integrity, later modification cannot be detected. Without authenticity, the record may still only be self-asserted. What a CER looks like A current AI execution CER uses the cer.ai.execution.v1 bundle type, with top-level fields such as bundleType, version, createdAt, snapshot, optional context and contextSummary, and certificateHash. { "bundleType": "cer.ai.execution.v1", "version": "0.1", "createdAt": "2026-05-15T14:30:00Z", "snapshot": { "executionId": "exec 123", "provider": "openai", "model": "gpt-4o-mini", "input": { "messages": { "role": "user", "content": "Summarize this contract." } }, "output": { "text": "This contract..." }, "parameters": { "temperature": 0.2 } }, "certificateHash": "sha256:7b1f9a2c..." } The most important field is certificateHash. But the key detail is this: the certificate hash is not computed over the entire bundle blindly. The current spec computes the hash from a strict projection over bundleType, version, createdAt, snapshot, and context / contextSummary when present. Fields like certificateHash, meta, and any declaration or verification material are outside the hash projection. That matters because it tells you exactly what the integrity anchor covers. Step 1: Canonicalize the correct payload You cannot hash raw JSON as-is. Two logically identical objects can serialize to different byte sequences if key order changes. The protocol uses RFC 8785 JCS canonicalization for hashing and signing. Alternative serialization is not acceptable for protocol-correct verification. js function cerHashProjection bundle { const projection = { bundleType: bundle.bundleType, version: bundle.version, createdAt: bundle.createdAt, snapshot: bundle.snapshot }; if bundle.context == undefined projection.context = bundle.context; if bundle.contextSummary == undefined projection.contextSummary = bundle.contextSummary; return projection; } Then canonicalize that projection using an RFC 8785 implementation. If you are using NexArt's own package surface, prefer helpers like toCanonicalJson in @nexart/ai-execution rather than ad hoc normalization. Step 2: Recompute the certificate hash python import crypto from "node:crypto"; function sha256Hex data { return "sha256:" + crypto.createHash "sha256" .update data .digest "hex" ; } const canonicalJson = toCanonicalJson cerHashProjection bundle ; const recomputed = sha256Hex canonicalJson ; if recomputed == bundle.certificateHash { throw new Error "Integrity check failed" ; } If the recomputed hash matches, the integrity anchor passes. If it does not match, one of two things is true: the bundle content changed, or the hash is not the correct one for that artifact. Either way, verification fails. Step 3: Fetch the public trust material NexArt's public node metadata is exposed at the well-known node endpoint: curl -s https://node.nexart.io/.well-known/nexart-node.json keys.json This is where public node identity and key material are published for verification flows. If you want to fetch a public CER from the node trust surface, the documented public lookup flow is: curl -s "https://node.nexart.io/v1/cer/public?certificateHash=<HASH " record.json That public endpoint requires no API key. Step 4: Verify the attestation receipt signature The public response includes attestation material. The node trust model uses Ed25519 signing, attestation receipts, and verification-envelope semantics. At a practical level, the next step is: take the receipt payload, canonicalize it correctly, find the matching public key, and verify the signature. python import crypto from "node:crypto"; function verifyEd25519 publicKeyPem, messageCanonical, signatureBase64url { return crypto.verify null, Buffer.from messageCanonical , publicKeyPem, Buffer.from signatureBase64url, "base64url" ; } const receipt = bundle.receipt || bundle.meta?.attestation?.receipt; const signature = bundle.receiptSignature || bundle.signature || bundle.meta?.attestation?.signature; if receipt || signature throw new Error "Missing attestation material" ; const receiptCanonical = toCanonicalJson receipt ; const ok = verifyEd25519 publicKeyPem, receiptCanonical, signature ; if ok throw new Error "Invalid attestation signature" ; The important point is not the exact code shape. The important point is that authenticity is checked separately from integrity. The certificate hash tells you the artifact content matches. The signature tells you the attestation came from the expected node identity. Those are distinct checks. Step 5: Understand the trust boundary clearly A CER public lookup response is enough to verify the certificate hash, verify the receipt signature, and inspect the trust material around the record. The public response is redacted for privacy. Public verification is not the same as reconstructing every original private field. Full envelope-level verification of the exact original unredacted bundle requires access to that original artifact, not only the public projection. So the honest way to say it is: Public verification gives you a real trust surface. Privacy-aware public lookup is not the same as publishing the full original private execution. That is a feature, not a flaw. Step 6: Use the CLI when you want protocol-correct verification If you want a simpler local verification path, the NexArt CLI already provides one: nexart ai verify bundle.json That gives developers a protocol-aware way to validate a CER bundle locally without reimplementing the full flow from scratch. The verification path involves correct canonicalization, correct hash projection, correct trust-material handling, and correct signature checks. Those details matter. What this proves A successful verification proves a few specific things: The protected CER payload has not been altered since sealing. The attestation material was signed by the expected node identity. The record you are checking matches the cryptographic identity claimed by its certificateHash. That is already a meaningful standard. It is far stronger than a screenshot, a dashboard entry, a database row, an internal log line, or a provider simply asserting "this is what happened." What this does not prove Verification of a CER does not automatically prove: That every conceivable relevant fact was included. That the underlying model was correct. That a probabilistic model would reproduce the same output now. That the record was written to a public ledger. That an external timestamp authority was used. That nothing outside the protected record influenced the broader business decision. Those are different layers. The system is about execution integrity and evidence, not universal truth claims. That discipline keeps the evidence model credible. Why this matters In most AI systems today, verification still means trusting the provider. Trust their logs. Trust their backend. Trust their screenshots. Trust their claims about what happened. A CER changes that. It gives you a record whose integrity can be checked, whose attestation can be validated, and whose trust material can be examined separately from the originating system's own assertions. That is the difference between "our system says this happened" and "here is a record you can verify yourself." That difference becomes much more important once AI systems are used in workflows that matter later: customer disputes, regulated reviews, procurement scrutiny, internal investigations, high-value automation, multi-step agent workflows. Closing A system you have to trust blindly is not really a verification system. It may be useful. It may even be well engineered. But it is still a closed loop. A Certified Execution Record is different. It turns execution into something portable, mathematically checkable, and less dependent on the provider's own say-so. That does not solve every accountability problem in AI. But it does solve a foundational one: can someone outside the system verify what happened without having to trust the system that produced it? That is the standard serious AI systems will increasingly need to meet.