MEOK Attestation Verifier

HMAC + Ed25519. Auditable. Offline-verifiable.

Verify any MEOK-issued compliance certificate with curl. No login, no SDK, no trust required. We give you the public key, the canonical message, the signature — and you decide whether to believe it.

Open API reference → Get the public key

How to verify (5 steps, 2 minutes)

1. Get the cert

Every MEOK certificate has a verify_url. Example: https://meok.ai/verify?cert=MEOK-EUAIAC-MAIN

2. curl the endpoint

Returns JSON with signature, issued_at, issuer, and Ed25519 public key fingerprint.

3. Verify Ed25519 offline

Decode the signature with any Ed25519 lib + the public key at /publickey.

4. Verify HMAC online

POST the cert_id to /api/verify — get the HMAC-SHA256 over the canonical message, recomputed.

5. Trust no one (including us)

Rotation events are signed by the prior key. The full rotation history is at /publickey.

Quick curl

curl -sS 'https://meok.ai/verify?cert=MEOK-EUAIAC-MAIN' | jq .

Returns the canonical JSON with both signatures. Audit it with:

curl -sS 'https://meok.ai/verify?cert=MEOK-EUAIAC-MAIN' \
  | jq -r '.signature' | base64 -d > /tmp/sig.bin
# Verify with any Ed25519 lib:
python3 -c "
import nacl.signing, base64
vk = nacl.signing.VerifyKey(base64.b64decode('<pubkey>'))
vk.verify(open('/tmp/canonical_message.txt','rb').read(),
          open('/tmp/sig.bin','rb').read())
print('Valid')
"

Live signed attestations

8 frameworks. All HMAC-signed. All Ed25519-counter-signed. All auditor-verifiable.

EU AI Act: MEOK-EUAIAC-MAIN — Articles 4, 6, 9, 10, 14, 26(9), 43, 50, 72
DORA: MEOK-DORA-MAIN — Operational resilience, 3rd-party register
NIS2: MEOK-NIS2-MAIN — 10 governance domains, 9 member-state transpositions
GDPR: MEOK-GDPR-MAIN — DPIA + Art 35(7) checklist, FRIA bridge
ISO 42001: MEOK-ISO42001-MAIN — AIMS controls + ISO 42005 impact assessment
ISO 19650: MEOK-ISO19650-MAIN — BIM information management
CRA: MEOK-CRA-MAIN — Cyber Resilience Act Annex I + SBOM
SOC 2 (AI): MEOK-SOC2-MAIN — Trust service criteria + AI overlay

Why both HMAC AND Ed25519? HMAC is fast, online, recoverable. Ed25519 is asymmetric, offline-verifiable. The signing key never leaves MEOK. The verifying key is public. Both signatures are over the same canonical JSON. If either fails, the cert is invalid.

Trust center

Read the full MEOK methodology (what we count, what we don't, our fail rules) or jump to the public key to start verifying offline.