DRM3
All Products
FoundationPublic Alpha

Provenance SDK

Attested provenance. Sign, chain, verify. Every language, every granularity.

Who it's for
Developers building applications that need cryptographic proof of data origin and transformation.
Get started
Download the WASM SDK and sign your first receipt in under 5 minutes.
Download SDK

The attested provenance layer beneath every DRM3 product. Ed25519 signing, chainable receipts, Merkle rollups, and a verifier that lets any third party confirm a receipt without trusting anyone in the chain. Available as a Rust crate, WASM package for Cloudflare Workers and browsers, and Elixir NIF.

Receipts are chainable. Every receipt can point to its parent, forming a provenance chain from raw source through every transformation to the final output. Walk backward from any output to verify the full lineage.

Three granularity levels. Row-level gives you a signed receipt on every individual data point. Merkle rollups batch row receipts into a single tree root for efficiency. Session-level signs over the entire batch with query context. You choose the granularity: fine-grained internally for audit readiness, coarser-grained for data leaving your system.

Deterministic key derivation. Each product gets its own Ed25519 signing key at a unique path. Connor signs DNS scans, Signals signs data fetches, Cashew signs price snapshots. 34 signer records published at status.drm3.network; 28 currently anchored on-chain.

Capabilities

Ed25519 signing and verification

Chainable receipts (provenance DAGs)

Three granularity levels: row, Merkle, session

Merkle tree rollups for batch attestation

Canonical JSON (NFC Unicode, sorted keys, deterministic hashing)

Compatible with Rust, Elixir, TypeScript, WASM, browsers

Deterministic key derivation per product

34 signer records, 28 anchored on-chain

On-chain anchoring (optional)

How It Works

Say you have a workflow that fetches three search results, summarizes them with an AI prompt, then stores the output in a database. Each step signs over its inputs and outputs. The receipt from step 1 becomes the parent of step 2. The receipt from step 2 becomes the parent of step 3. A consumer who reads the database gets the final receipt and can walk the chain backward to verify every step.

Step 1: Fetch
const fetchKey = SigningKey.load('myapp/fetch');

const receipt = Receipt.create('search.fetch')
  .inputs({ query: 'morpheus AI inference', sources: 3 })
  .outputs({ results, _meta: { service: 'myapp', signer: 'myapp/fetch' } })
  .sign(fetchKey);
// receipt.id → rcpt_a1b2c3...
Step 2: Summarize (chains to step 1)
const aiKey = SigningKey.load('myapp/ai');

const summary = Receipt.create('ai.summarize')
  .inputs({ model: 'llama-3.3-70b', prompt_hash: '...' })
  .outputs({ summary: text, tokens: 847, _meta: { ... } })
  .parent(receipt.id())   // ← chains to the fetch receipt
  .sign(aiKey);
Step 3: Store (chains to step 2)
const storeKey = SigningKey.load('myapp/store');

const stored = Receipt.create('db.insert')
  .inputs({ table: 'summaries', row_id: 'sum_001' })
  .outputs({ row_hash: '...', _meta: { ... } })
  .parent(summary.id())  // ← chains to the AI receipt
  .sign(storeKey);

Three steps, three receipts, one chain. A consumer who reads the stored summary gets stored and can walk backward: store → summarize → fetch. Every step independently verifiable. The data stays with you. The receipts travel with it.

Merkle Rollup

When you sign thousands of entities (Open Signals signs 500+ per NASDAQ fetch), row-level receipts roll up into a Merkle tree. One tree root proves the entire batch. Prove any single entity without revealing the others.

// Build Merkle tree from row receipts
let chain = Chain.create();
for (const r of rowReceipts) {
  chain = chain.add(Receipt.fromJson(r));
}
const tree = chain.build();
const root = tree.merkleRoot();  // sha256:7a1f3e...

// Prove entity #42 is in the batch
const proof = tree.merkleProof(42);
proof.verify(rowReceipts[42].hash(), root);  // ✓

Verify Against the Registry

Every DRM3 signer is published. Fetch the public key registry, match the receipt's public_key to a known signer, verify the Ed25519 signature. No trust required.

// Fetch the signer registry
const keys = await fetch('https://status.drm3.network/.well-known/drm3-keys.json');
const registry = await keys.json();

// Find the signer
const signer = registry.keys.find(k => k.public_key === receipt.public_key);
// → { path: "connor/worker", product: "Connor", algorithm: "Ed25519" }

// Verify the signature
const valid = Receipt.fromJson(receiptJson).verify();  // ✓ or throws
Download WASM SDKPublic Key RegistryData Licenses
See all products

Essential cookies only. No tracking. Privacy