What is an attestation chain?

Short answer. An attestation chain is an ordered, signed sequence of claims that links an authorizing human, through any intermediate agents, to a final output. Each link in the chain is verifiable independently and bound to the link before it; the chain as a whole answers the regulator's question of "who was behind this."
The minimal chain
Three links are enough to be useful. Link 1: a human signs a delegation to an agent (scope, time-to-live, magnitude cap). Link 2: the agent signs a tool call that references the delegation. Link 3: the tool's output is signed by the relying party with a reference to the agent's call. Verifying the chain end-to-end means walking the three signatures in order and, at each step, checking that the link points at the one before it and that the call stays inside the scope, time-to-live and magnitude cap the human granted.
A worked example
A clinician (link 1) signs a delegation authorizing a documentation agent to draft notes for the next 8 hours, scope chart:write. The agent (link 2) drafts a note for a specific patient and signs the draft against that delegation. The EHR (link 3) accepts the draft, applies it to the chart, and emits a signed receipt that references the draft. The audit trail walks: clinician → delegation → agent draft → EHR receipt. A regulator inspecting the chart can verify the chain in milliseconds.
Where chains get long
Multi-agent systems. A planner agent calls an executor agent, which calls another tool agent, which calls a tool. The chain grows: human → delegation → planner → executor → tool agent → tool. Each step requires a derived authority that is no broader than its parent: no new scopes, no longer time-to-live, no larger magnitude cap. Manav's SDK handles the derivation automatically; the chain's verifier walks the signatures in order and rejects any link that claims more than the link it was derived from.
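The minimal chain and the derived-authority rule for longer chains, as an added example in Go. This is not Manav's SDK or wire format; it assumes Ed25519 signatures, a JSON body per link, the SHA-256 of the parent's signed body as the binding reference, and a verifier that already holds the human's public key from enrollment. The field names, roles and clinician values are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"slices"
	"time"
)

// Link is one signed claim. Parent is the hex SHA-256 of the parent link's signed body,
// so a link cannot be re-attached under another delegation. Layout is this example's own.
type Link struct {
	Role     string   `json:"role"`             // "human", "agent", "planner", "tool", ...
	Parent   string   `json:"parent"`           // "" only for the root delegation
	Scopes   []string `json:"scopes"`           // e.g. "chart:write"
	Max      int      `json:"max"`              // magnitude cap: actions allowed
	NotAfter int64    `json:"not_after"`        // unix seconds; the time-to-live
	Action   string   `json:"action,omitempty"` // the scope this link actually exercises
	Signer   []byte   `json:"signer"`           // Ed25519 public key of the signer
	Sig      []byte   `json:"sig,omitempty"`
}

// body is the canonical signed form: the link with Sig cleared (struct order fixes key order).
func body(l Link) []byte {
	l.Sig = nil
	b, _ := json.Marshal(l)
	return b
}

func linkID(l Link) string { return fmt.Sprintf("%x", sha256.Sum256(body(l))) }

// Sign records the signer's public key in the link and signs the canonical body.
func Sign(l Link, priv ed25519.PrivateKey) Link {
	l.Signer = priv.Public().(ed25519.PublicKey)
	l.Sig = ed25519.Sign(priv, body(l))
	return l
}

// Derive mints the next link, bound to the parent's hash and signed by the next party.
func Derive(parent Link, role string, scopes []string, max int, notAfter int64, action string, priv ed25519.PrivateKey) Link {
	return Sign(Link{Role: role, Parent: linkID(parent), Scopes: scopes, Max: max, NotAfter: notAfter, Action: action}, priv)
}

func subset(child, parent []string) bool {
	return !slices.ContainsFunc(child, func(s string) bool { return !slices.Contains(parent, s) })
}

// Verify walks the chain in order. Beyond the signatures it checks what a relying party
// must also check: a root signed by the human key the verifier already trusts, no link
// expired at time now, each action inside its own scope, and each derived link bound to
// its parent's hash with scopes, cap and TTL no broader than the parent's.
func Verify(chain []Link, now time.Time, human ed25519.PublicKey) error {
	if len(chain) == 0 || chain[0].Role != "human" || chain[0].Parent != "" || string(chain[0].Signer) != string(human) {
		return fmt.Errorf("chain must start with an unparented delegation signed by the verified human")
	}
	for i, l := range chain {
		if len(l.Signer) != ed25519.PublicKeySize || !ed25519.Verify(ed25519.PublicKey(l.Signer), body(l), l.Sig) {
			return fmt.Errorf("link %d (%s): bad signature", i, l.Role)
		}
		if now.Unix() > l.NotAfter {
			return fmt.Errorf("link %d (%s): expired", i, l.Role)
		}
		if l.Action != "" && !slices.Contains(l.Scopes, l.Action) {
			return fmt.Errorf("link %d (%s): action %q outside scope", i, l.Role, l.Action)
		}
		if i > 0 {
			if p := chain[i-1]; l.Parent != linkID(p) {
				return fmt.Errorf("link %d (%s): not bound to link %d", i, l.Role, i-1)
			} else if !subset(l.Scopes, p.Scopes) || l.Max > p.Max || l.NotAfter > p.NotAfter {
				return fmt.Errorf("link %d (%s): authority broader than parent", i, l.Role)
			}
		}
	}
	return nil
}

func newKey() ed25519.PrivateKey {
	_, priv, _ := ed25519.GenerateKey(rand.Reader) // fails only if rand.Reader does
	return priv
}

// ClinicianChain builds the page's worked example (clinician delegation -> agent draft -> EHR
// receipt) from fresh keys and constructed values, returning the clinician key the verifier trusts.
func ClinicianChain(now time.Time) ([]Link, ed25519.PublicKey) {
	clinician, agent, ehr := newKey(), newKey(), newKey()
	exp := now.Add(8 * time.Hour).Unix()
	root := Sign(Link{Role: "human", Scopes: []string{"chart:write"}, Max: 50, NotAfter: exp}, clinician)
	draft := Derive(root, "agent", []string{"chart:write"}, 1, exp, "chart:write", agent)
	receipt := Derive(draft, "tool", []string{"chart:write"}, 1, exp, "chart:write", ehr)
	return []Link{root, draft, receipt}, root.Signer
}

func main() {
	now := time.Now()
	chain, clinician := ClinicianChain(now)
	fmt.Println("clinician chain:", Verify(chain, now, clinician))
	chain[1].Action = "chart:delete" // the agent rewrites its draft after the EHR signed
	fmt.Println("tampered chain:", Verify(chain, now, clinician))
}
```

The check people forget is the first one: a link that merely says "human" is just another key unless the verifier has tied that key to a verified person, so Verify takes the trusted key as an input rather than reading it off the chain. The failure cases worth exercising are a draft edited after the receipt was signed, a delegation past its time-to-live, an executor that adds a scope or extends the TTL its planner never had, and a receipt attached to a different draft than the one it was issued for; each fails at a different line of Verify.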
What a chain is not
It is not a chain of custody for the data. It is a chain of authority for the action. Different artifact, different purpose. A data chain answers "where did this byte come from"; an attestation chain answers "who allowed this action to happen." A regulator asking "did the human authorize this?" wants the attestation chain.
Where Manav anchors them
Every chain's Merkle root is anchored to the verification ledger every block. A consumer who wants to prove the chain existed at a moment presents the chain, its Merkle path and the block height; the verifier recomputes the root from the path and compares it with the root recorded at that height. The chain becomes auditable forever, even if the company that produced it shuts down.
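The anchoring step, as an added example that is not Manav's ledger code: a Merkle tree over a batch of link IDs, an inclusion path a consumer can carry, and the recomputation a verifier performs against the recorded root. It assumes SHA-256 with separate prefixes for leaf and interior hashes and a rule that an odd node at the end of a level is carried up unchanged; the leaf values are constructed.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

// Leaves and interior nodes are hashed under different prefixes so a leaf can never be
// presented as a node (or a node as a leaf) to forge an inclusion path. The hashing and
// proof layout are this example's own, not Manav's ledger format.
func leafHash(data []byte) []byte {
	h := sha256.New()
	h.Write([]byte{0x00})
	h.Write(data)
	return h.Sum(nil)
}

func nodeHash(left, right []byte) []byte {
	h := sha256.New()
	h.Write([]byte{0x01})
	h.Write(left)
	h.Write(right)
	return h.Sum(nil)
}

// Step is one hop of an inclusion path: the sibling hash and which side it sits on.
type Step struct {
	Sibling []byte
	Left    bool // true if the sibling is the left input at this level
}

// Prove returns the Merkle root of leaves and the inclusion path for leaves[index].
// An odd node at the end of a level is carried up unchanged rather than duplicated,
// so the path has no step at that level and no leaf is ever counted twice.
func Prove(leaves [][]byte, index int) (root []byte, path []Step) {
	if index < 0 || index >= len(leaves) {
		return nil, nil
	}
	level := make([][]byte, len(leaves))
	for i, l := range leaves {
		level[i] = leafHash(l)
	}
	for len(level) > 1 {
		var next [][]byte
		for i := 0; i < len(level); i += 2 {
			if i+1 == len(level) {
				next = append(next, level[i]) // promoted: no sibling, no step
				continue
			}
			if i == index {
				path = append(path, Step{Sibling: level[i+1], Left: false})
			} else if i+1 == index {
				path = append(path, Step{Sibling: level[i], Left: true})
			}
			next = append(next, nodeHash(level[i], level[i+1]))
		}
		index /= 2
		level = next
	}
	return level[0], path
}

// Root is the value a ledger would record against a block height.
func Root(leaves [][]byte) []byte {
	root, _ := Prove(leaves, 0)
	return root
}

// VerifyProof recomputes the root from a leaf and its path. The consumer needs only
// the leaf, the path, and the root fetched from the anchored block.
func VerifyProof(root, leaf []byte, path []Step) bool {
	h := leafHash(leaf)
	for _, s := range path {
		if s.Left {
			h = nodeHash(s.Sibling, h)
		} else {
			h = nodeHash(h, s.Sibling)
		}
	}
	return bytes.Equal(h, root)
}

func main() {
	// Constructed sample: link IDs from two chains, as one ledger batch might hold them.
	leaves := [][]byte{
		[]byte("delegation:clinician"), []byte("draft:agent"), []byte("receipt:ehr"),
		[]byte("delegation:other-user"), []byte("call:other-agent"),
	}
	root, path := Prove(leaves, 2)
	fmt.Printf("root %x\n", root)
	fmt.Println("receipt:ehr in batch:", VerifyProof(root, leaves[2], path))
	fmt.Println("forged receipt in batch:", VerifyProof(root, []byte("receipt:forged"), path))
}
```

The 0x00 and 0x01 prefixes are not decoration: without them a 64-byte "leaf" equal to two concatenated child hashes would verify as an interior node, and a second-preimage attack on the tree becomes possible. The five-leaf batch exercises the odd-level case, where the last node is promoted and the proof for it is a single step.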
Common objections
The two objections we hear most: (1) this is just OAuth re-skinned, and (2) we'll wait for the standard. On the first: OAuth scopes delegations between services; this layer scopes delegations from a verified human to an agent, which is a different actor and a different audit-trail shape. On the second: the standard is being shaped by the relying parties who integrate first. Waiting is a position.
Frequently asked questions
Is the answer the same for an enterprise and an individual? The shape is the same — a signed delegation, a verifier, an audit log — but the magnitude caps and approval flows differ. Enterprises layer multi-signature for high-stakes actions; individuals usually run with a single device-bound key. Both end up with the same regulator-grade chain.
What if the agent acts before I notice? That is what magnitude caps and time-to-live exist for. A correctly scoped delegation lets the relying party refuse an out-of-bounds action before the human's attention is required. Revocation under 200 ms catches the residual cases.
How does this compose with what we already run? It sits next to existing IAM (Okta, Auth0, Entra), not over it. Login is still the IdP's job. Manav signs the human's delegation to the agent, which the relying party verifies in addition to the IdP session. Two layers, one audit trail, no rip-and-replace.
Where to start
Start with audit trail design for the broader category map. Then read seven layers of trust for the implementation pattern. The two together compress a week of reading into thirty minutes; everything else on the site is depth on a specific layer.
What an attestation chain is not
It is not a blockchain log of every keystroke. It is not a comprehensive employer surveillance feed. It is not a public ledger of personal activity. The chain is a structure of cryptographic claims, each one signed by a specific party and bound to a specific scope. The claims sit in the user's wallet by default; the user shows them on demand. The relying party verifies the signatures, the scopes, and the timestamps — nothing more. Confusion about what attestation chains contain is the single most common objection in the regulator-engagement conversations we run. Once the regulator sees that the chain is a disclosure mechanism, not a logging mechanism, the conversation shifts from privacy alarm to procurement timeline. The technical clarity is the policy clarity: the chain reveals only what the user chose to reveal, signed by parties the verifier already trusts.
If you cannot trace the action back to a human, hop by signed hop, you do not have a chain. You have an alibi.