Audit Chain
Every consent receipt is linked to the previous one via an HMAC chain. This makes it cryptographically detectable if any receipt in the sequence has been altered or deleted.
How the chain works
Each receipt contains:
- Its own hmac — computed over the receipt's contents
- A previous_receipt_id — reference to the prior receipt for this visitor
The HMAC is computed as:
hmac = HMAC-SHA256(
key: tenant_signing_key,
message: receipt_id + timestamp + choices_json + policy_version + previous_receipt_id
)
To verify a receipt hasn't been tampered with, recompute the HMAC with the same inputs and compare.
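A worked reconstruction of the chain, added here as an example and not ConsentForge's own code: it seals each receipt with the HMAC formula above, then walks the previous_receipt_id links back to the first decision and reports the same three fields the verify endpoint returns. The key value, the in-memory receipt store, UTF-8 encoding and canonical JSON for the choices are assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key; real tenant_signing_key handling and the in-memory
# receipt store below are assumptions, not ConsentForge's own code.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"

def receipt_message(r):
    # Field order as the doc states: receipt_id + timestamp + choices_json
    # + policy_version + previous_receipt_id. Assumed: UTF-8 bytes, canonical
    # JSON for choices, and "" for the first receipt's missing predecessor.
    choices_json = json.dumps(r["choices"], sort_keys=True, separators=(",", ":"))
    return (r["receipt_id"] + r["timestamp"] + choices_json
            + r["policy_version"] + (r["previous_receipt_id"] or "")).encode()

def compute_hmac(r, key=SIGNING_KEY):
    return hmac.new(key, receipt_message(r), hashlib.sha256).hexdigest()

def issue_receipt(store, visitor_prev, receipt_id, timestamp, choices, policy_version):
    # Link to the visitor's prior receipt, then seal contents and link under the HMAC.
    r = {"receipt_id": receipt_id, "timestamp": timestamp, "choices": choices,
         "policy_version": policy_version, "previous_receipt_id": visitor_prev}
    r["hmac"] = compute_hmac(r)
    store[receipt_id] = r
    return receipt_id

def verify_chain(store, receipt_id, key=SIGNING_KEY):
    # Walks back to the first decision; mirrors the verify endpoint's response shape.
    verified, current, head_ok = 0, receipt_id, None
    while current:
        r = store.get(current)
        if r is None:
            break  # deleted: the link points at a receipt that no longer exists
        ok = hmac.compare_digest(compute_hmac(r, key), r["hmac"])
        head_ok = ok if head_ok is None else head_ok
        if not ok:
            break  # altered: stored hmac no longer matches the recomputed one
        verified += 1
        current = r["previous_receipt_id"]
    return {"valid": bool(head_ok), "chain_intact": not current, "receipts_verified": verified}

def demo_store():
    # Constructed three-receipt chain for one visitor.
    store = {}
    p = issue_receipt(store, None, "rec_01", "2024-05-01T10:00:00Z", {"analytics": False}, "v3")
    p = issue_receipt(store, p, "rec_02", "2024-05-02T09:30:00Z", {"analytics": True}, "v3")
    issue_receipt(store, p, "rec_03", "2024-06-01T12:00:00Z", {"analytics": True}, "v4")
    return store
```

Altering any field of a middle receipt, or deleting the first one, leaves the newest receipt's own HMAC valid but breaks chain_intact, which is why auditors should look at the chain result rather than a single receipt.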
Verifying the chain
ConsentForge provides a verification endpoint:
POST /api/v1/receipts/verify
Authorization: Bearer YOUR_API_TOKEN
{
"receipt_id": "rec_01HXYZ123456"
}
Response:
{
"valid": true,
"chain_intact": true,
"receipts_verified": 3
}
chain_intact: true means every receipt in the chain back to the first decision is unaltered.
What auditors need
For a GDPR audit, provide:
- The receipt ID(s) for the user in question
- The verification result (API response above)
- The policy version document that was active at the time
All of this is available in Dashboard → Evidence → Export.
Signing key rotation
The signing key can be rotated in Account → Security → Signing Keys. After rotation:
- New receipts are signed with the new key
- Old receipts remain valid — the old key is retained for verification purposes
Rotated keys are never deleted. The audit chain remains verifiable indefinitely.