AT-1 Verifiable analytics

Sign a query result so anyone can verify the number.

When you report an analytic result — “1,284 transactions over $10k in Q3”, a filtered extract handed to a regulator, a number on a dashboard — the recipient has to trust it really came from the stated data, unaltered. qsign runs a predicate/projection query against a queryable .at1 and emits an Ed25519-signed receiptbinding the source hash, the canonical query, and the result hash. Anyone with the public key and the source can re-run the query and verify the signature — proving the number is genuine and the source wasn't swapped or edited.

Read the docs Get the CLI
Signing a result is O(1)-ish, not O(rows)

The measured headline: the receipt cost is essentially constant regardless of how selective the query is. Whether the query matches a thousand rows or a hundred thousand, the signature stays about the same size and takes about the same time — so verifiable analytics scales with your data, not against it.

1k rows matched
~600 bytes
~0.6 s to sign
50k rows matched
~600 bytes
~0.6 s to sign
100k rows matched
~600 bytes
~0.6 s to sign

Measured figures, rounded. The receipt is flat-cost across query selectivity.

Subscription SKU
$149/ month

Verifiable analytics is licensed like AT-1's other engines — gated by a feature entitlement and metered per signed receipt against your connected account. Cancel anytime in Stripe.

Read the docs

Launch price, set live in Stripe (changeable without redeploy). Until the price is configured the button shows Contact sales — it blocks no one.

Sign the result, not the data

Run a predicate/projection query against a queryable .at1 and emit an Ed25519-signed receipt that binds the source hash, the canonical query, and the result hash — together, under one signature.

Anyone can verify

Hand over the public key and the source file; the verifier re-runs the query and checks the signature. The reported number is provably the true result of that query over that exact dataset.

Constant signing cost

The measured headline: signature cost is essentially constant no matter how selective the query is — about 600 bytes and 0.6 seconds whether it matches 1k, 50k or 100k rows. Signing a result is O(1)-ish, not O(rows).

Keep the raw data sealed

The recipient gets a verifiable answer without you ever shipping the underlying rows — pair it with scoped query grants to prove a number while the dataset stays confidential.

One command surface

Make a keypair, sign a query result into a receipt, and let anyone re-check it with just the public key and the source file.

# 1) make a signer keypair
at1 qsign keygen --out-key signer.key --out-pub signer.pub

# 2) run a query against a sealed .at1 and emit a SIGNED receipt
at1 qsign sign txns.at1 --signing-key signer.key \
  --where amount:10000:60000 --select id,amount,region --out receipt.json

# 3) anyone with the public key + the source can RE-CHECK it
at1 qsign verify receipt.json txns.at1 --pubkey signer.pub
#   -> verified: true   (tampered source / forged count / wrong key -> false)
What a receipt proves
  • Provenance — the result was computed from this exact file (the source hash is bound in).
  • Integrity — the reported rows and count match a fresh re-run (the result hash + count are bound in).
  • Authenticity — signed by the holder of the private key; pin an expected public key to prove who signed it.

Swap the source for an edited copy, forge the count in the receipt, or present a different signer, and verification fails.

A number you can re-check — and the cost stays flat.

Other ways to make a result trustworthy either leak the raw data, can't be re-checked, or grow with the match count. The qsign receipt signs the result, binds the exact source, and the signature cost stays constant.

ApproachThird-party
verifiable		Raw data
stays sealed		Flat cost vs
match count
Number on a dashboard / in a PDF
the recipient has to trust it came from the stated data, unaltered — nothing to re-check
partial
Ship the full raw extract
re-computable, but you hand over the underlying rows and still trust which file they're from
partial
Per-row Merkle inclusion proofs
verifiable, but proof size/time grows with how many rows the query matched
partial
AT-1 qsign receipt
signs the result + binds the exact source; ~600 B / ~0.6 s whether 1k or 100k rows match

Who this is for

  • Regulatory reporting — hand a regulator a number they can independently verify against the sealed source.
  • Data clean rooms — prove an agreed aggregate to a counterparty while the underlying rows stay confidential.
  • Audited dashboards & SLAs — back a headline metric with a receipt anyone downstream can re-check.
  • Data marketplaces — let buyers verify a sample query result before they ever receive the dataset.

Pairs with the rest of AT-1

This is the AT-1 verified thesis applied to analytics: not just compressed and queryable, but provable.

Confidential clean roomScoped query grants over a sealed dataset — qsign signs the answers it returns, so the result is provable while the data stays sealed.AT-1 LedgerLog each signed receipt to the hash-chained, tamper-evident event log for an append-only record of every reported number.qsign docsThe full CLI reference, the receipt format, and exactly what verification checks.

Honest scope

A receipt proves the reported result is the true output of the stated query over the bound source — it is not a zero-knowledge proof and the verifier needs the source file to re-run the query (pair it with the clean room to keep the raw rows from leaving your control). The constant signing cost is measured over predicate/projection queries: about 600 bytes and 0.6 seconds whether the query matches a thousand rows or a hundred thousand.

qsign docs The clean roomThe Ledger

Signing a receipt is metered against a connected account.