Xybern
Provenance Vault · Hash Chain

The Provenance Vault

The cryptographic hash chain behind every AI verification. Every entry sequenced, hashed, signed, and permanently immutable.

See How It Works Security & Compliance
Provenance Vault — Hash Chain Ledger
SHA-256 Hashing
HMAC Signatures
Chain Linking
Tamper-Evident

Cryptographic Integrity at Every Layer

Every verification anchored to an immutable hash chain.

Hash Chain

Every entry linked to the previous via SHA-256. Sequence numbers + previous_hash + entry_hash = immutable linked list.

  • Sequential ordering
  • Previous hash linking
  • Gap detection

Digital Signatures

HMAC-SHA256 signature on every entry, verified on every access. Workspace-scoped secrets ensure isolation.

  • HMAC-SHA256 per entry
  • Workspace scoped secrets
  • Automatic verification on read

Compliance Exports

JSON & HTML compliance packs with chain validation and integrity certificates. Filter by date range or entry type.

  • JSON & HTML formats
  • Date range filtering
  • Integrity hash certificates

How Entries Are Recorded

Every API verification automatically creates a signed, chain linked vault entry. No manual steps. No gaps.

01

Verification Completes

/api/v1/verify finishes with trust score, claims, and governance result.

02

Entry Hashed & Signed

Content SHA-256 hashed, linked to previous entry's hash, HMAC-signed with workspace secret.

03

Chain Extended

Appended with monotonic sequence number, chain state updated. Entry becomes permanently immutable.

How Vault Entries Are Recorded - 5 Step Process

What Gets Recorded

Every verification, decision, and audit action is permanently captured in the vault.

LLM Verifications

Every model output verified via the API

Agent Decisions

Multi-step agent chains with tool calls

Audit Events

Chain validations, exports, access events

Tamper Alerts

Automatic integrity violation detection

Vault API

Browse, validate, and export vault entries through the Sentinel Vault v2 API. Every endpoint returns cryptographic proof alongside the data.

  • Paginated entry browsing
  • Chain validation
  • Compliance pack generation
  • Merkle proofs per entry
GET /entries POST /export POST /validate GET /proof
GET /api/sentinel/vault/v2/entries/<id> 
{
  "entry_id": "ve_a1b2c3d4e5f6...",
  "entry_type": "verification_llm",
  "sequence_number": 847,
  "previous_hash": "e3b0c44298fc...",
  "content_hash": "a7f3b9c8d2e1...",
  "entry_hash": "9f86d081884c...",
  "signature": "d4735e3a265e...",
  "trust_score": 82,
  "verification_status": "verified",
  "verification": {
    "signature_valid": true,
    "hash_algorithm": "sha256",
    "signature_algorithm": "hmac-sha256"
  }
}

Chain Integrity

Every entry is cryptographically linked to the one before it. If any entry is modified after the fact, the hash chain breaks immediately.

Chain Validation

POST /validate walks the full chain verifying each hash link, signature, and sequence number.

Merkle Proofs

GET /entries/<id>/proof returns per-entry cryptographic proofs with chain context.

Tamper Detection

If any entry is modified, the hash chain breaks immediately. Content hash, entry hash, and HMAC signature all fail together.

Chain Integrity Validation - Hash Chain Verification

Every Verification. Permanently Recorded.

Request a demo to see how the Provenance Vault creates an immutable, cryptographically signed audit trail for every AI verification.

Security Overview