// Product / QHx Notary
Proof outlives the credential.
QHx Notary converts short-lived workload identity into longer-lived signed receipts for selected HTTP request and response pairs.
// What gets proven
Logs describe. Receipts verify.
SPIFFE SVIDs are intentionally short-lived. The notary preserves evidence after that credential expires, including workload identity, request context, response context, timestamp, and signature.
- Non-repudiationThe receipt cryptographically binds workload identity, request, and response to a point in time. The issuing workload cannot deny having made the request. The processing workload cannot deny having responded.
- Offline verificationVerifiers do not need access to the live PKI. The receipt is self-contained and verifiable against the trust bundle snapshot at the time of issuance.
- AI and ML provenanceWhich model, running as which workload identity, processed which input, and returned which output. A decision the model produced can be reconstructed and challenged later — including by a party who was not present when it ran.
- Notarization levelsWorkload-only, logRequest, or signRequest, depending on the trade-off between performance, content capture, and verification strength.
A log says what someone claims happened. A receipt is something a third party can check.