Proof

Proof is not a log.
It is a receipt.

A log tells you what happened after it happened. A receipt proves — cryptographically, before execution takes effect — that what happened was authorized.

These are not equivalent. One is a description. The other is proof. Paste a receipt below and verify it without trusting Keon.

No system access needed

Verification uses only the receipt and a public key. Keon infrastructure is not involved.

Policy-bound at issuance

The exact policy version active at execution is permanently bound into the receipt hash.

Pre-execution authorization

The receipt exists because governance happened before the action — not as documentation after it.

/ canonical receipt — keon_rcpt_7f3a9b2c
ExecutionReceipt
receipt_id:keon_rcpt_7f3a9b2c…
outcome:AUTHORIZED
policy_hash:sha256:9f72c41a…
merkle_root:0x8f9c4b2a…
spine_ref:spn_00041872_canon
timestamp_utc:2026-03-05T16:00:00Z
signature:ed25519:7f3a9b2c…
Policy hashverified
Merkle rootverified
Spine anchorverified
Ed25519 sigverified
/proof — verification terminal
[ INPUT ]
[ VERIFICATION ]
Decision → Receipt → Spine → Signature
Policy hash matches canonical policy state
status: pending
Merkle root recomputed and matched
status: pending
Spine anchor located and matched
status: pending
Signature validated against public key
status: pending
[ INSPECTION ]
Verification performed without system trust. All artifacts independently validated.
Logs vs Receipts

This is not a feature comparison. It is a question of what’s provable.

Question
Log
Receipt

Does it prove the action was authorized?

No. A log records what happened. It does not prove it was permitted.

Yes. A receipt is issued before the action takes effect — authorization is structural, not inferred.

Can it be independently verified?

No. Verification requires access to the original system to confirm the log is authentic.

Yes. Verification requires only the receipt and a public key. No Keon infrastructure needed.

Is it tamper-evident?

No. Logs are mutable. A modified log is indistinguishable from an original without external controls.

Yes. Ed25519 signature binding makes any modification immediately detectable.

Does it bind to a specific policy version?

No. A log entry cannot prove which policy version was active at execution time.

Yes. PolicyHash is permanently bound to the receipt at issuance. The exact policy is provable.

Can it answer "what would have happened with different inputs?"

No. Logs record what did happen — they cannot answer counterfactual audit questions.

Yes. Deterministic policy evaluation means the same inputs under the same policy always produce the same decision.

“When an auditor asks who authorized this — a log answers with a timestamp. A receipt answers with a signed, policy-bound decision that existed before the action took effect. Only one of them is proof.”

What comes next

The verification tool above uses a canonical receipt. In production, every Keon execution produces receipts with the same cryptographic guarantees — against your policy, verified independently, without calling home.

Request Access →Read the Standard →