Proof of Payment

Verifying a PoP

Verify a PoP end to end without trusting Tekmerion: signature, then the chain.

A PoP is designed to be verified independently. You do not need to call a Tekmerion API, hold a shared secret, or trust a Tekmerion-reported status. Verification rests on two independent checks: the signature proves who issued the artifact, and the chain proves the facts it claims. This guide walks both.

What you need

  • The PoP JSON artifact.
  • The ability to fetch the JWKS endpoint (see Signing and key discovery).
  • Access to the relevant chain — your own node or a block explorer.

Step 1 — Parse the envelope

Read kid, alg, schema_version, data, and signature from the artifact. Confirm alg is ES256. Keep the data object exactly as received — you will canonicalize it in Step 3, and any re-serialization before that point can change the bytes the signature was computed over.

Step 2 — Discover the key

Fetch the JWKS endpoint and locate the JWK whose kid matches the artifact's kid. If no entry matches, stop: the artifact is unverifiable. A missing kid means the key was retired or revoked, and you MUST NOT trust an artifact you cannot match to a published key.

Step 3 — Verify the signature

Canonicalize data under RFC 8785 (JSON Canonicalization Scheme), then verify the base64url-encoded signature against that canonical serialization using the public key from Step 2 and ES256. If verification fails, reject the artifact. A passing signature proves the artifact was issued by the holder of that key version and has not been altered.

If you cached the JWKS response and verification fails unexpectedly, re-fetch it — a recent revocation may not be reflected in your cache.

Step 4 — Cross-check the facts on-chain

A valid signature proves origin, not reality. Confirm the claims in data against the chain yourself:

  • Locate the settlement transaction by its hash on the chain_id named in data.
  • Confirm it moved the stated amount from the deposit address to the destination recorded in the artifact.
  • Confirm the transaction is confirmed to the network's finality threshold. Per-chain confirmation depths are in Supported chains and tokens.

Trust what the chain shows, not what the artifact asserts. The PoP's value is that every fact in it is one you can re-derive from public on-chain data.

Step 5 — Confirm the schema version

Interpret data under the schema_version the artifact names — not the latest schema. Field meanings are pinned per artifact by that version; see Schema versioning.

Result

A PoP that passes Step 3 and matches on-chain reality in Step 4 is proof of payment that holds independently of Tekmerion. If the signature verifies but the on-chain facts do not match, treat the artifact as not proven and reconcile against the chain — the chain is the source of truth, and the PoP is only as good as its agreement with it.

Signing and key discovery

The PoP signing envelope, the ES256 signature, key discovery via JWKS, and rotation vs revocation.

Schema versioning

How PoP schemas evolve and how every artifact stays interpretable under its own version.

On this page

What you needStep 1 — Parse the envelopeStep 2 — Discover the keyStep 3 — Verify the signatureStep 4 — Cross-check the facts on-chainStep 5 — Confirm the schema versionResult