{ "$schema": "https://schemas.identity.txt/v1/verification.json", "version": "1.0", "lastUpdated": "2026-05-17", "entity": { "name": "PuraTrust", "url": "https://puratrust.id" }, "verificationMethods": [ { "id": "licensing-registration", "name": "Licensing and registration", "description": "State pharmacy boards, federal compounding registries, import licenses, and corporate filings, pulled from the public record, normalized, and source-linked. A missing license is not a flag on its own; a misrepresented license is.", "evidence": [ "state pharmacy board registrations", "federal compounding registry entries", "import licenses", "corporate filings" ], "reverificationCycle": "Quarterly recheck of public registries." }, { "id": "iso-17025-laboratory-partnership", "name": "ISO 17025 laboratory partnership", "description": "Direct attestation from the issuing laboratory confirming the partnership, the methods used, and the period covered. Self-claimed partnerships without lab confirmation stay at pending.", "evidence": [ "direct attestation from the issuing laboratory", "methods used by the laboratory", "period covered by the partnership" ], "reverificationCycle": "Partnership re-confirmed quarterly. Attestations expire on the laboratory's two-year ISO accreditation cycle." }, { "id": "coa-cross-referencing", "name": "Certificate of analysis cross-referencing", "description": "For each supplier a recent lot is sampled and the issued certificate of analysis is requested. The content hash of the supplier's published COA is compared against the lab-issued document. On hash mismatch the entry becomes flagged and the mismatch is public record.", "evidence": [ "supplier's published certificate of analysis", "lab-issued certificate of analysis", "SHA-256 content hash comparison" ], "reverificationCycle": "Re-sampled at each verified-status renewal and whenever a supplier publishes a new lot." }, { "id": "policy-review", "name": "Policy review", "description": "Refund language, ship-to disclosures, and stated chain-of-custody text are indexed so policy drift is visible in the audit trail. A policy that contradicts a vendor's actions becomes part of the supplier's incident history.", "evidence": [ "published refund policy text", "published ship-to disclosures", "published chain-of-custody text" ], "reverificationCycle": "Policy drift watched in a 24-month rolling window." }, { "id": "customer-evidence-aggregation", "name": "Customer evidence aggregation", "description": "Forum threads, marketplace reviews, and direct submissions through the registry are deduplicated and bot-filtered. Customer evidence is never amplified and never paid for. Volume and pattern matter; individual reviews do not move status on their own.", "evidence": [ "forum threads", "marketplace reviews", "direct registry submissions" ], "reverificationCycle": "Continuous aggregation; pattern review at each editorial pass." }, { "id": "provenance-and-incidents", "name": "Provenance and incidents", "description": "Registrar history, TLS certificate chain, and a 24-month rolling incident window. A new domain behind a privacy proxy is a context flag, not a verdict. An open incident with unresolved claims keeps the entry at pending.", "evidence": [ "registrar history", "TLS certificate chain", "24-month rolling incident window" ], "reverificationCycle": "Incident window rolls continuously; provenance re-checked at each verified-status renewal." }, { "id": "domain-control", "name": "Domain control", "description": "Suppliers prove control of a domain via DNS TXT record _puratrust-verify.{domain} or a meta tag on the apex page.", "evidence": [ "DNS TXT record at _puratrust-verify.{domain}", "meta tag on the apex page of the claimed domain" ], "reverificationCycle": "Re-checked quarterly. 30-day grace before hard revocation on failure." } ], "trustAnchor": { "operator": "AU-SVRN", "charter": "Editorial independence is governed under the AU-SVRN charter", "url": "https://puratrust.id" }, "attestationFormat": { "type": "audit-log-row", "fields": [ "witness_id (UUIDv7; display 0xXXXX...XXXX FNV-1a)", "timestamp (ISO 8601 UTC)", "subject_record_id", "state_change (verified | pending | flagged | shadow | revoked)", "evidence_pointer", "prev_hash (SHA-256)", "row_hash (SHA-256)" ], "chain": "SHA-256 hash chain; row N hash = SHA-256(row N body || row N-1 hash)" }, "revocation": { "policy": "Re-verification quarterly across all evidence types; 30-day grace before hard revocation on domain-control failure; flagged records persist on the public record with attached supplier response (append-only).", "auditSnapshot": "Daily snapshot exported outside the primary database to a separate credential boundary." }, "publicLookup": { "free": true, "accountRequired": false, "appendOnly": true, "url": "https://puratrust.id/registry/{LOTID}", "urlPattern": "https://puratrust.id/registry/{LOTID}", "browseUrl": "https://puratrust.id/registry", "phase": "Lookup pattern locked 2026-05-17. Registry browse interface ships with Phase 2 (public beta, Q3 2026); the URL pattern is stable and citable now." }, "trustAnchorSigningKey": { "issuer": "AU-SVRN LLC", "keyId": "au-svrn-signing-2026-001", "algorithm": "Ed25519", "publicKey": "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAE0I1U7SRh0+JDFR8ZSUezGN5XVvlWqsa2wdVt6d/ixc=\n-----END PUBLIC KEY-----", "fingerprint": "sha256:5bDt3P0PoptW0XMpPkXEVvqt0U6CDmxXV6tFB6mkTbg", "endpoint": "https://puratrust.id/.well-known/au-svrn-signing-key.pem", "canonicalEndpoint": "https://ausvrn.com/.well-known/au-svrn-signing-key.pem", "issued": "2026-05-17", "purpose": "Verifying AU-SVRN-issued institutional signatures (methodology revisions, refusal records, discoverability file integrity). Distinct from per-lot lab attestations and per-creator Pulse Signature keys." }, "contact": "support@puratrust.id" }