JWP Receipt Chain

Receipts ride with the stream.

Every MoQT object emits a JWP receipt. Every group seals it with a BLAKE3 Merkle root and one Ed25519 signature. Relays forward the chain byte-for-byte — never re-signed, never re-issued.

Sample receipts: 3
Combined joules: 0.0021 J
Signing: Ed25519
G1. Receipt class: Single-object group (1 obj · 0.25 J)
wai/extensions/jwp-receipts.md §2.4.1, §5.1

One WAI envelope, one Merkle leaf, one Ed25519 signature.

A live publisher emits a single WAI envelope into a fresh group. The Merkle tree is one node — the leaf itself — and the per-group signature binds (track_alias, group_id, root_hash, leaf_count, joules_total, signer_pubkey) under RFC 8032 Pure Ed25519. parent_receipt_hash is null because this is the chain head for this publisher key.

WAI envelope (the bytes content_hash commits to)
57 41 49 31                                          // "WAI1" magic (WAI SPEC.md §2)
5e 00 00 00                                          // manifest length (u32 LE)
{"wai":"1.0","media":"audio","intent":"replicate","model_requirement":{"capability":"wai.audio.opus","fallback":null},"conditioning":{"kind":"opus"}}
a0 0f 00 00                                          // payload length (u32 LE)
// 4000 B opus frame stream (20 ms frames @ 48 kHz)
Verifier algorithm — six numbered steps (§3)
  1. Parse and shape-check. Reject if sig is not 64 bytes, if signer_pubkey is not a valid Ed25519 verifying key, or if any required §2.4 field is missing.
  2. Verify the Ed25519 signature over the canonical signing payload (§2.3) per RFC 8032 Pure Ed25519. On success, the receipt's root_hash becomes the verified root.
  3. Check parent linkage. If a previous receipt is known for this signer_pubkey, recompute its BLAKE3 and compare to parent_receipt_hash.
  4. Recompute the BLAKE3 content hash (§2.1) over the received WAI envelope bytes and compare to the object receipt's content_hash.
  5. Walk the Merkle inclusion proof (§2.2 domains) and compare the resulting hash to the verified root.
  6. Accept. The object's bytes are bound to signer_pubkey at (track_alias, group_id, object_id) with the publisher's declared joules_micro and origin.
G5. Receipt class: Multi-object group (5 objs · 1.21 J)
wai/extensions/jwp-receipts.md §2.2, §2.4.2, §5.2

Five WAI opus frames under one signed Merkle root.

Five 20 ms opus frames in one group. The publisher folds object content hashes into a BLAKE3 Merkle tree, duplicating the trailing leaf to make pairs at the odd level. Every subscriber receives one group receipt plus five object receipts, each carrying a Merkle inclusion proof against the verified root. O(log n) verification per object; O(1) signature operations per group.
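
Added example, not code from the page or from the JWP spec: the odd-level duplication described above together with verifier steps 4 and 5, in Python. The one-byte leaf/node domain tags, the unprefixed content hash and all function names are assumptions; BLAKE2b-256 stands in for BLAKE3 when the blake3 package is not installed.

```python
import hashlib

try:
    from blake3 import blake3 as _blake3       # real BLAKE3 if the package is installed
    def H(data):
        return _blake3(data).digest()
except ImportError:
    def H(data):                               # stand-in hash: BLAKE2b-256, not BLAKE3
        return hashlib.blake2b(data, digest_size=32).digest()

LEAF, NODE = b"\x00", b"\x01"   # assumed domain tags; the real values are defined in §2.2
SAMPLE = [b"WAI1 constructed frame %d" % i for i in range(5)]   # constructed, not real envelopes

def levels(content_hashes):
    """All tree levels, bottom-up; an odd level pairs its trailing node with itself."""
    level = [H(LEAF + c) for c in content_hashes]
    out = [level]
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        level = [H(NODE + level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        out.append(level)
    return out

def prove(content_hashes, index):
    """Sibling hashes, leaf to root, for the object at `index`."""
    proof = []
    for level in levels(content_hashes)[:-1]:
        sib = index ^ 1
        proof.append(level[sib] if sib < len(level) else level[index])
        index //= 2
    return proof

def verify_object(envelope, content_hash, index, proof, root, leaf_count):
    """Steps 4 and 5; `root` and `leaf_count` come from a receipt that passed step 2."""
    if not 0 <= index < leaf_count:            # a padding slot is not an object
        return False
    if len(proof) != (leaf_count - 1).bit_length():   # proof depth is fixed by leaf_count
        return False
    if H(envelope) != content_hash:            # step 4: received bytes match content_hash
        return False
    node = H(LEAF + content_hash)
    for sibling in proof:                      # step 5: fold siblings up to the root
        node = H(NODE + node + sibling) if index % 2 == 0 else H(NODE + sibling + node)
        index //= 2
    return node == root
```

A five-leaf tree and a six-leaf tree whose last leaf is repeated share a root, so the index check against the signed leaf_count is what keeps one frame from being accepted at two object positions.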

Hop. Receipt class: Cross-hop chain head (2 relays · byte-equal)
wai/extensions/jwp-receipts.md §4, §5.3

Chain head after two relay hops — bytes preserved end-to-end.

The publisher's third group walks through relay A → relay B → subscriber. Relays MUST forward both group and object receipt bytes byte-for-byte (§4.1) and MUST NOT re-sign or re-issue the Merkle root (§4.3). The subscriber's verifier compares the egress bytes from relay B against the BLAKE3 of the previously-verified G1 receipt to confirm the chain.


The receipt-chain sub-spec

Receipts attest what was delivered.

The WAI envelope carries the bytes; the JWP receipt chain attests their delivery. One Ed25519 signature per group covers a BLAKE3 Merkle root over every object — O(log n) verification per object, O(1) signature operations per group. Relays forward the chain unaltered; the publisher is the sole authority.