Vault & Audit

Every entropy draw generates a signed provenance record. Records form a cryptographic hash chain and are persisted to R2 for replay-ready retention.

Provenance Record Schema

One record per draw. The same record is written to the operational layer (KV, 90-day TTL) and the persistent layer (R2 JSONL, 7-year retention).

{
  "provenance_id": "prov_2026_06_23_abc123",
  "issued_at": "2026-06-23T14:22:08.117Z",
  "api_key_id": "qsg_live_…",
  "source_id": "qrng-hardware-001",
  "source_class": "hardware-derived-premium",
  "entropy_score": 0.999,
  "size_bytes": 32,
  "entropy_hash": "sha256:…",
  "key_exchange": "X25519+ML-KEM-1024",
  "health_check": {
    "rct_passed": true,
    "apt_passed": true
  },
  "fallback": {
    "is_fallback": false,
    "reason": null,
    "original_source": null
  },
  "prev_hash": "sha256:…",
  "signature": "ml-dsa-65:…"
}

Every record carries the cryptographic linkage to the prior record (prev_hash) and the ML-DSA-65 signature over the full payload.

Chain Integrity

The hash chain makes retroactive tampering detectable. A replay procedure can be run against the full R2 JSONL stream to verify every record in sequence.

  1. 1. Hash record payload

    SHA-256 over the canonicalized JSON of every field except prev_hash and signature.

  2. 2. Link to prior record

    prev_hash is set to the hash of the immediately preceding record's payload. Any modification of any prior record breaks the chain from that point forward.

  3. 3. Sign record

    The hash-linked payload is signed with ML-DSA-65. The signature is stored alongside the record and can be verified by anyone with the verification public key.

  4. 4. Replay procedure

    For a given window, the replay procedure reads records from R2, recomputes the hash chain, and verifies each signature. Mismatches are flagged with the record index and the offending field.

Verified and Enterprise tiers can run the replay procedure on demand via POST /v1/verify.

Dual-Layer Retention

Records live in two places with the same provenance_id. The two layers serve different operational needs.

Operational Layer

Cloudflare KV · 90-day rolling TTL

  • High-speed read/write for telemetry
  • Per-key rate-limit counters
  • Metering hooks for billing
  • Immediate gateway observability
  • Designed for the operational dashboard

Persistent Layer

Cloudflare R2 JSONL · 7-year retention

  • Cryptographic compliance handoff
  • Full-batch provenance and signatures
  • Deep historical forensics
  • Region-pinned for data-residency
  • Replay-ready for regulator review

Record Lookup

GET /v1/audit/:id
{
  "provenance_id": "prov_2026_06_23_abc123",
  "issued_at": "2026-06-23T14:22:08.117Z",
  "source_id": "qrng-hardware-001",
  "source_class": "hardware-derived-premium",
  "entropy_score": 0.999,
  "size_bytes": 32,
  "entropy_hash": "sha256:…",
  "key_exchange": "X25519+ML-KEM-1024",
  "health_check": { "rct_passed": true, "apt_passed": true },
  "fallback": { "is_fallback": false, "reason": null, "original_source": null },
  "prev_hash": "sha256:…",
  "signature": "ml-dsa-65:…"
}

Available on Verified and Enterprise tiers. Lookup latency < 50 ms P95 globally.

Compliance Hand-off

For regulated customers, a Compliance Pack is available under NDA. The pack contains: full schema reference, replay procedure documentation, retention policy, cryptographic posture, and pen-test summary.

Request: [email protected]

Audit your draws

Verified and Enterprise tiers unlock the lookup endpoint and on-demand replay.