Manav signed the canonical JSON below with its server secret. To verify, compute HMAC-SHA256 over the JSON using MANAV_SERVER_SIGNING_SECRET as the key and compare the result with the server signature; if they match, this proof is authentic.
Canonical proof JSON
{"actionPayloadHash":"31708283904ace6ab55ad1e6f584843faaf3693b29a0289f1f98bdc17fa9f372","actionTitle":"Face verification · arivu","actionType":"verify_identity","actorHandle":"arivu","externalReference":null,"organizationSlug":null,"signatureSlug":"mnav_sig_zLPdotGmVB8P","signedAt":"2026-06-03 15:32:34"}
Action payload hash · SHA-256 of the canonical action payload
31708283904ace6ab55ad1e6f584843faaf3693b29a0289f1f98bdc17fa9f372
Server signature · HMAC-SHA256 over canonical JSON above
f5259d4bb949be3fe7210fdd0a8110db9680b83b467ecd19014ee0134ae83e7b
Recompute it yourself
$ printf '%s' '{"actionPayloadHash":"31708283904ace6ab55ad1e6f584843faaf3693b29a0289f1f98bdc17fa9f372","actionTitle":"Face verification · arivu","actionType":"verify_identity","actorHandle":"arivu","externalReference":null,"organizationSlug":null,"signatureSlug":"mnav_sig_zLPdotGmVB8P","signedAt":"2026-06-03 15:32:34"}' \
| openssl dgst -sha256 -hmac "$MANAV_SERVER_SIGNING_SECRET" -hex
$ # expected: f5259d4bb949be3fe7210fdd0a8110db9680b83b467ecd19014ee0134ae83e7b
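The same check in Python, as an added example that is not Manav's own code: it rebuilds the canonical bytes from a parsed proof and compares the MAC in constant time. The canonical form (sorted keys, no whitespace, raw UTF-8) is an assumption inferred from the JSON shown above, and DEMO_SECRET and the function names are constructed for illustration.

```python
import hashlib
import hmac
import json

# Canonical proof JSON copied verbatim from the page.
PAGE_CANONICAL = (
    '{"actionPayloadHash":"31708283904ace6ab55ad1e6f584843faaf3693b29a0289f1f98bdc17fa9f372",'
    '"actionTitle":"Face verification · arivu","actionType":"verify_identity",'
    '"actorHandle":"arivu","externalReference":null,"organizationSlug":null,'
    '"signatureSlug":"mnav_sig_zLPdotGmVB8P","signedAt":"2026-06-03 15:32:34"}'
)
PAGE_PROOF = json.loads(PAGE_CANONICAL)

# Constructed secret for this example only; the real MANAV_SERVER_SIGNING_SECRET
# is not on the page, so the page's own signature cannot be reproduced here.
DEMO_SECRET = b"constructed-demo-secret"


def canonicalize(proof: dict) -> bytes:
    """Assumed canonical form: sorted keys, no whitespace, non-ASCII kept as UTF-8."""
    text = json.dumps(proof, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return text.encode("utf-8")


def sign(message: bytes, secret: bytes) -> str:
    """HMAC-SHA256 over the exact message bytes, as lowercase hex."""
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify(proof: dict, signature_hex: str, secret: bytes) -> bool:
    """Recompute the MAC over the canonical bytes and compare in constant time."""
    expected = sign(canonicalize(proof), secret)
    supplied = signature_hex.strip().lower()
    return hmac.compare_digest(expected.encode("ascii"), supplied.encode("utf-8"))


if __name__ == "__main__":
    raw = PAGE_CANONICAL.encode("utf-8")
    sig = sign(raw, DEMO_SECRET)
    edited = dict(PAGE_PROOF, actorHandle="someone-else")
    print("round trip matches page bytes:", canonicalize(PAGE_PROOF) == raw)
    print("untouched proof verifies:", verify(PAGE_PROOF, sig, DEMO_SECRET))
    print("edited actorHandle verifies:", verify(edited, sig, DEMO_SECRET))
    print("trailing newline changes MAC:", sign(raw + b"\n", DEMO_SECRET) != sig)
```

The trailing-newline case is why the command above uses printf '%s' rather than echo: the MAC covers the exact bytes, so one extra byte produces a different digest.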