The canonical wire format for AAP attestation tokens. MirrorsDocumentation Index
Fetch the complete documentation index at: https://docs.mnemom.ai/llms.txt
Use this file to discover all available pages before exploring further.
mnemom-contracts/attestation-token/v1.yaml.
Envelope
JWS Compact Serialization (RFC 7515):Header
Fixed shape:| Field | Constraint |
|---|---|
alg | Always "EdDSA" (Ed25519). |
kid | Key identifier; matches a kid in /v1/.well-known/jwks.json. |
typ | Always "AAP-Attestation/v1". Mirrored in the payload for defense-in-depth. |
Payload
JSON object conforming to JSON Schema 2020-12. All required fields below;additionalProperties: false.
| Field | Type | Required | Description |
|---|---|---|---|
typ | const "AAP-Attestation/v1" | yes | Mirrors the header typ. |
iss | string (URI) | yes | Issuer — always https://mnemom.ai for production. Verifiers reject other issuers. |
sub | string | yes | Subject — the Mnemom agent_id (e.g., smolt-e2ca60ef). |
iat | integer (Unix seconds) | yes | Issued-at, UTC. Verifiers reject iat > now() + clock_skew_grace (default 60s). |
exp | integer (Unix seconds) | yes | Expiry, UTC. Default TTL is iat + 3600 (1 hour). |
content_hash | string (^[0-9a-f]{64}$) | yes | SHA-256 hex of the canonical card body at attestation time. |
version | integer (≥ 1) | yes | Monotone canonical-card version at attestation time. |
composed_at | string (date-time) | yes | ISO-8601 UTC timestamp at which the canonical card was composed. |
card_kind | enum "alignment" | "protection" | yes | Which canonical card the token attests to. |
smolt_id | string (^smolt-[a-z0-9]+$) | no | Optional convenience claim for consumers binding on smolt-id. |
historic_backfill | const true | no | Present (and only true) on tokens minted by the one-shot backfill script for canonical cards that pre-date the transparency log. |
Signature
Ed25519 signature over the byte string<base64url(header)>.<base64url(payload)>. Base64url-encoded; no padding, no whitespace, no line wrapping (per RFC 7515 §3.1).
Beyond expiry
Tokens are short-lived. Afterexp, the embedded token is no longer cryptographically valid for new use, but the transparency log preserves it indefinitely. Consumers wanting to verify a historic posture query the log via mnemom verify-card --at <ISO>; the JWS inside the log row continues to verify against the JWKS as long as the signing key remains in the JWKS (active or retired-within-window).
Editorial source
Schema authored atmnemom-contracts/attestation-token/v1.yaml. Runtime consumers:
mnemom-api/src/attestation/signer.ts— issuermnemom-api/src/attestation/verifier.ts— server-side verifiermnemom-platform/cli/src/commands/verify-card.ts— offline verifier CLI