PQSafe · SpendEnvelope Verifier

Verify a SpendEnvelope.

Paste a PQSafe SpendEnvelope JSON below. Verification runs entirely in your browser — nothing is sent to PQSafe servers. ECDSA P-256 + ML-DSA-65 (FIPS 204) dual-signature. RFC 8785 JCS canonicalization.

How this works

  1. Canonicalize. Mandate fields (without signature) are serialized via RFC 8785 JCS — a deterministic JSON canonical form.
  2. Fingerprint. SHA-256 of the canonical bytes produces a 32-byte fingerprint.
  3. Dual-sign. The fingerprint is signed twice: ECDSA P-256 (~71 bytes DER) and ML-DSA-65 (3309 bytes per FIPS 204) using the issuer's keys.
  4. Verify. Anyone with the public keys can verify both signatures against the recomputed fingerprint. Tampering with any field invalidates both.
Spec: NIST FIPS 204 · RFC 8785 JCS · AP2 Post-Quantum Profile (RFC · open letter to FIDO Payments TWG)
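
The four steps above, reduced to their ECDSA P-256 half, as an added Node.js example that is not PQSafe's code; the ML-DSA-65 check is omitted. The field names, the `signature` member, the sample mandate and the choice to pass the fingerprint to ECDSA-with-SHA-256 as a message are assumptions made for illustration.

```javascript
// Added example: field names and sample values are constructed, not PQSafe's schema.
const crypto = require('crypto');

// RFC 8785 JCS for JSON-parsed values: object keys sorted by UTF-16 code unit
// (the default Array.prototype.sort order), no whitespace, primitives
// serialized by ECMAScript rules, which is what JSON.stringify emits.
function canonicalize(value) {
  if (value === null || typeof value !== 'object') {
    if (typeof value === 'number' && !Number.isFinite(value)) throw new TypeError('not JSON');
    return JSON.stringify(value);
  }
  if (Array.isArray(value)) return '[' + value.map(canonicalize).join(',') + ']';
  return '{' + Object.keys(value).sort()
    .map((k) => JSON.stringify(k) + ':' + canonicalize(value[k])).join(',') + '}';
}

// Steps 1-2: drop the signature member, canonicalize, SHA-256 -> 32 bytes.
function fingerprint(envelope) {
  const { signature, ...mandate } = envelope; // "signature" is an assumed member name
  return crypto.createHash('sha256').update(canonicalize(mandate), 'utf8').digest();
}

// Step 3, classical half only. Assumption: the fingerprint is the message
// given to ECDSA-with-SHA-256 (the page does not say message or prehash).
function signEnvelope(mandate, privateKey) {
  const sig = crypto.sign('sha256', fingerprint(mandate), privateKey); // DER-encoded
  return { ...mandate, signature: { ecdsa_p256: sig.toString('base64') } };
}

// Step 4: recompute the fingerprint from the received fields, then verify.
// A full verifier would also check the ML-DSA-65 signature and require both.
function verifyEnvelope(envelope, publicKey) {
  const sig = envelope.signature && envelope.signature.ecdsa_p256;
  if (typeof sig !== 'string') return false;
  return crypto.verify('sha256', fingerprint(envelope), publicKey, Buffer.from(sig, 'base64'));
}

// Constructed mandate: key order and the "50.00" spelling do not matter, a changed value does.
function demo() {
  // prime256v1 is OpenSSL's name for NIST P-256
  const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const mandate = JSON.parse('{"currency":"HKD","amount":50.00,"payee":"merchant-123"}');
  const signed = signEnvelope(mandate, privateKey);
  const reordered = { signature: signed.signature, payee: 'merchant-123', amount: 50, currency: 'HKD' };
  const tampered = { ...signed, amount: 5000 };
  return { original: verifyEnvelope(signed, publicKey), reordered: verifyEnvelope(reordered, publicKey), tampered: verifyEnvelope(tampered, publicKey) };
}
```
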

Tamper Explorer

Click any field below to load TC1, mutate that field, and re-verify automatically. Every mandate change rejects both signatures because the canonical JCS bytes change → fingerprint changes → ECDSA & ML-DSA-65 both fail. Mutating one signature alone shows the other still passing.

Mutate a mandate field
Mutate one signature only

For SaaS receivers

The same verification runs server-side via the PQSafe Verifier API. Integrate once; reject agent payments that arrive without a valid SpendEnvelope.

curl -X POST https://api.pqsafe.xyz/v1/verify \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"envelope_jws": "...", "expected_amount": 50.00, "expected_currency": "HKD"}'
