Verify a Botrite Observe receipt

1. Install the verifier

lattiq-verify is a small Python CLI. Install it from PyPI:

On Windows or in environments where multiple Python interpreters are present, use:

v0.1 is the supported verifier contract for the merkle workflow shown below. If your package manager currently resolves lattiq-verify to 0.0.1, wait for the v0.1 release before relying on the merkle command.

2. Run the recipe

From a working directory of your choice, save the receipt JSON returned by POST /v1/observe to a file (the POST response body is the receipt JSON), then run these three commands:

A few practical notes:

• The --date argument is the UTC date prefix of the receipt’s observed_at field — the first 10 characters of the timestamp.
• --merkle-mirror . tells the verifier to read the published merkle data from the current working directory; you are inside the cloned observe-merkle-log directory after running the second command.
• --key-fingerprints ../KEY_FINGERPRINTS.txt points back to the parent directory because that is where you saved the trust-anchor file before changing into the cloned repo.

3. Cross-check the trust anchor

After downloading KEY_FINGERPRINTS.txt, compute its SHA-256 locally and compare it against the published value below. If those hashes do not match, stop and refresh the file before continuing.

The value above updates whenever the trust-anchor file is regenerated. If the file you downloaded does not match this hash, refresh it from https://botrite.lattiq.ai/keys/KEY_FINGERPRINTS.txt.

Brand-stack

The tool is lattiq-verify, the repo is Botrite/observe-merkle-log, both are operated by Botrite Operations LLC under Lattiq, LLC.

Where to learn more

For the full Botrite Observe API contract — receipt schema, field semantics, error envelopes, and the trust model — see the documentation:

Open docs security.txt