Open Standard · YAC/1.0

Yebo Authorization Certificate

An open cryptographic standard for proving that a specific human authorized a specific AI action. Signed with hardware-bound cryptography, hardware-attested, independently verifiable.

Signature Curve: hardware-bound cryptography
Canonical Digest: SHA-256
Signed in Proof: 12 Fields
Protocol Version: YAC/1.0

What is a Yebo Authorization Certificate?

A YAC is a cryptographically signed receipt that proves a specific human authorized a specific AI action under a specific enterprise policy. It is produced at the end of every successful Yebo authorization pipeline.

The certificate is signed with hardware-bound cryptography by the Yebo gateway using a key you can verify independently. The 12 signed fields are canonicalized, SHA-256 hashed, and the signature covers that hash, making any tampering immediately detectable.

YACs are designed to be the compliance artifact for AI governance: the evidence a regulator, auditor, or legal team needs to answer "did a human authorize this?"

Hardware-attested: The PAI inside the YAC was signed in a Secure Enclave, not a server

Policy-bound: Embeds the cryptographic hash of the active policy

Independently verifiable: Anyone with the public key can verify, no Yebo account required

Tamper-evident: Any field change invalidates the ECDSA signature

YAC/1.0, example certificate
{
  "receipt_id":           "yac_7f3a2b9c-1234-5678-abcd-ef01",
  "mandate_id":           "MND-7F3A2B9C1234ABCDEF012345",
  "pai_token":            "PAI.MND-7F3A2B9C.n_8k2mXp.3045...",
  "authorized_by":        "did:yebo:sha256:a4f2c8b3d1e9f0...",
  "agent_id":             "agent_claude_enterprise_acme",
  "capability":           "payment",
  "intent":               "Q1 vendor invoice, Acme Corp",
  "amount":               5000.00,
  "policy_hash":          "a4f2c8b3d1e9f0a1b2c3d4e5f6a7b8...",
  "execution_status":     "executed",
  "authorization_status": "authorized",
  "integrity_score":      87,
  "integrity_tier":       "trusted",
  "timestamp":            "2026-03-26T10:05:32.000Z",
  "protocol_version":     "YAC/1.0",
  "signer_public_key":    "MFkwEwYHKoZIzj0CAQYIKoZIzj0...",
  "key_id":               "yebo_signer_2026_q1",
  "signature":            "3045022100a4f2c8b3d1e9f0a1..."
}

Certificate Schema

Full JSON Schema at yebo.dev/schema/yac/v1.json

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| receipt_id | string | required | Unique YAC identifier. Format: yac_{uuid} |
| mandate_id | string | required | The AP2 Mandate this certificate covers. Format: MND-{hex24} |
| pai_token | string | optional | Proof of Authorized Intent token, hardware-bound cryptographic signature from Secure Enclave |
| authorized_by | string | required | Identity of the human who approved. SHA-256 of their device public key. |
| agent_id | string | optional | The AI agent that proposed the action (absent if user-initiated) |
| capability | enum | required | Action type: payment \| approval \| data_access \| healthcare \| procurement \| ... |
| policy_hash | string | required | Cryptographic hash of the active policy. Any policy change invalidates future mandates. |
| execution_status | enum | required | executed \| failed \| pending \| blocked |
| authorization_status | enum | required | authorized \| denied \| expired \| revoked |
| integrity_score | number | optional | Yebo Trust Score of the authorizing identity (0–100) at time of authorization |
| timestamp | datetime | required | ISO 8601 timestamp of certificate issuance |
| protocol_version | string | required | Always YAC/1.0 |
| signer_public_key | string | required | Base64-encoded hardware-bound cryptography public key of the Yebo gateway signer |
| key_id | string | required | Signing key identifier (for key rotation) |
| signature | string | required | Hardware-bound cryptographic signature over canonical SHA-256 digest of all signed fields |

Fields included in the ECDSA signature

receipt_id, mandate_id, pai_token, authorized_by, agent_id, capability, policy_hash, execution_status, timestamp, protocol_version, key_id, authorization_status

Signing process: fields extracted → sorted keys → JSON.stringify → SHA-256 → hardware-bound cryptography sign. Any change to any signed field invalidates the signature.

Verify a Certificate

YACs can be verified by anyone, no Yebo account, no API key, no SDK. All you need is the certificate and the signer public key.

Via API (easiest)

POST /authorization-receipt/verify
// Verify a YAC independently, no Yebo account needed
// `yac` is the parsed certificate object to check
const res = await fetch('https://gateway.yebo.dev/authorization-receipt/verify', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ receipt: yac })
});
const result = await res.json();
// → { valid: true, mandate_id, authorized_by, capability, checked_at }

Full bundle (for auditors)

GET /authorization-receipt/:mandate_id/bundle
// Fetch the full verification bundle for a mandate
GET https://gateway.yebo.dev/authorization-receipt/{mandate_id}/bundle

// → {
//     yac: { ...full certificate... },
//     mandate: { ...AP2 Mandate... },
//     sentinel_checks: [ ...12 invariant results... ],
//     audit_chain: [ ...hash-linked ledger entries... ]
//   }

GET /authorization-receipt/keys

Fetch all current Yebo signer public keys. Use the key_id from the certificate to select the correct key for verification.
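
An added example, not Yebo's own code, of verifying a YAC offline with the signing process and key_id lookup described above. It assumes ECDSA P-256 with a hex-encoded DER signature and base64 SPKI public keys, and that the canonical form is the present signed fields in sorted key order. The names canonicalize, verifyYac, makeSample and trustedKeys are hypothetical, and the sample key and certificate are constructed.

```javascript
const crypto = require('node:crypto');

// The 12 signed fields listed on this page.
const SIGNED_FIELDS = [
  'receipt_id', 'mandate_id', 'pai_token', 'authorized_by', 'agent_id',
  'capability', 'policy_hash', 'execution_status', 'timestamp',
  'protocol_version', 'key_id', 'authorization_status',
];

// Assumption: canonical form is JSON.stringify of the signed fields that are
// present, inserted in sorted key order, with no extra whitespace.
function canonicalize(yac) {
  const out = {};
  for (const k of [...SIGNED_FIELDS].sort()) {
    if (yac[k] !== undefined) out[k] = yac[k];
  }
  return JSON.stringify(out);
}

// trustedKeys maps key_id -> base64 SPKI key fetched out of band. The embedded
// signer_public_key is never used: it is not in the signed-field list.
function verifyYac(yac, trustedKeys) {
  const pinned = Object.hasOwn(trustedKeys, yac.key_id) ? trustedKeys[yac.key_id] : null;
  if (!pinned) return { valid: false, reason: 'unknown key_id' };
  try {
    const key = crypto.createPublicKey({ key: Buffer.from(pinned, 'base64'), format: 'der', type: 'spki' });
    // Assumption: ECDSA P-256, hex-encoded DER signature, SHA-256 digest.
    const ok = crypto.verify('sha256', Buffer.from(canonicalize(yac)), key,
      Buffer.from(String(yac.signature), 'hex'));
    return ok ? { valid: true } : { valid: false, reason: 'bad signature' };
  } catch (e) {
    return { valid: false, reason: 'malformed key or signature' };
  }
}

// Constructed signer and certificate for the demo (not real Yebo data).
function makeSample() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const spki = publicKey.export({ format: 'der', type: 'spki' }).toString('base64');
  const yac = {
    receipt_id: 'yac_sample', mandate_id: 'MND-SAMPLE', capability: 'payment',
    authorized_by: 'did:yebo:sha256:sample', amount: 5000.0, policy_hash: 'sample',
    execution_status: 'executed', authorization_status: 'authorized',
    timestamp: '2026-03-26T10:05:32.000Z', protocol_version: 'YAC/1.0',
    signer_public_key: spki, key_id: 'test_key_1',
  };
  yac.signature = crypto.sign('sha256', Buffer.from(canonicalize(yac)), privateKey).toString('hex');
  return { yac, trustedKeys: { test_key_1: spki } };
}
```

Because verification covers only the 12 listed fields, a value outside that list (amount or intent in the example certificate) can change without invalidating the signature, so a verifier should not treat such values as authenticated by the YAC signature alone.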

Start issuing YACs today

Every authorization through the Yebo gateway generates a signed YAC automatically.