KavachOS can sign audit records as W3C Verifiable Credentials, giving you compliance exports that auditors and regulators can verify without trusting your reporting infrastructure.

Why this matters

A JSON or CSV export proves you have records. A Verifiable Credential proves those records were issued by a specific DID-identified system, have not been tampered with since issuance, and were created at a specific time. That gap matters under EU AI Act Article 12 and SOC 2 CC7.2.

Quick start

import { exportAuditAsVC, createVCVerifier } from 'kavachos/vc';
import { generateDidKey } from 'kavachos/did';

// `kavach` below is assumed to be your already-configured KavachOS instance

// Generate or load your issuer keypair
const keyPair = await generateDidKey();

// Fetch audit records for the period you want to export
const records = await kavach.audit.query({
  since: new Date('2025-01-01'),
  until: new Date('2025-03-31'),
});

// Export as individual JSON-LD credentials
const result = await exportAuditAsVC({
  since: new Date('2025-01-01'),
  until: new Date('2025-03-31'),
  issuerDid: keyPair.did,
  issuerConfig: {
    issuerDid: keyPair.did,
    privateKeyJwk: keyPair.privateKeyJwk,
    publicKeyJwk: keyPair.publicKeyJwk,
  },
  records,
});

console.log(`Exported ${result.count} credentials`);
console.log(JSON.stringify(result.credentials[0], null, 2));

// Verify any credential independently
const verifier = createVCVerifier({
  resolveDidKey: async () => keyPair.publicKeyJwk,
});

const verified = await verifier.verifyCredential(
  result.credentials[0],
  keyPair.publicKeyJwk,
);

console.log(verified.success); // true

Export options

Format

  • ldp_vc (default), JSON-LD with an embedded JsonWebSignature2020 proof. Pass the credential object to verifyCredential().
  • jwt_vc, JWT-encoded credential. The result.jwts array contains the compact JWT strings. Pass those to verifyCredential().

// JWT format
const jwtResult = await exportAuditAsVC({
  ...options,
  format: 'jwt_vc',
});

for (const jwt of jwtResult.jwts ?? []) {
  const verified = await verifier.verifyCredential(jwt, keyPair.publicKeyJwk);
  console.log(verified.success);
}
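
What "not tampered with since issuance" means for a jwt_vc export, as an added, self-contained Node.js illustration (not KavachOS code and not its verifier). The EdDSA/Ed25519 algorithm, the `vc` claim layout, the DID and the sample record are assumptions constructed for the demo; `signJwtVc`, `verifyJwtVc` and `demo` are hypothetical helper names.

```javascript
// Added illustration, not KavachOS code. Assumption: EdDSA (Ed25519) compact JWT.
const crypto = require('node:crypto');
const b64u = (v) => Buffer.from(v).toString('base64url');
// Issuer side: sign "header.payload" and append the signature.
function signJwtVc(payload, privateKey) {
  const input = `${b64u(JSON.stringify({ alg: 'EdDSA', typ: 'JWT' }))}.${b64u(JSON.stringify(payload))}`;
  return `${input}.${b64u(crypto.sign(null, Buffer.from(input), privateKey))}`;
}

// Auditor side: needs only the JWT string and the issuer's public key.
function verifyJwtVc(jwt, publicKey) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) return { success: false, error: 'malformed' };
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
    payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
  } catch { return { success: false, error: 'malformed' }; }
  // Pin the algorithm: the token must not choose how it is verified.
  if (header?.alg !== 'EdDSA') return { success: false, error: 'unexpected alg' };
  const ok = crypto.verify(null, Buffer.from(`${parts[0]}.${parts[1]}`),
    publicKey, Buffer.from(parts[2], 'base64url'));
  return ok ? { success: true, payload } : { success: false, error: 'bad signature' };
}

function demo() {
  const issuer = crypto.generateKeyPairSync('ed25519');
  const other = crypto.generateKeyPairSync('ed25519'); // unrelated key
  const payload = { // constructed sample record
    iss: 'did:example:issuer', // placeholder DID
    vc: {
      type: ['VerifiableCredential', 'KavachosAuditCredential'],
      credentialSubject: { id: 'audit-0001', agentId: 'agent-42', operation: 'execute',
        target: 'mcp:github:create_issue', decision: 'deny', timestamp: '2025-02-14T09:30:00Z' },
    },
  };
  const jwt = signJwtVc(payload, issuer.privateKey);
  // Rewrite the stored decision but keep the original signature.
  const edited = JSON.parse(JSON.stringify(payload));
  edited.vc.credentialSubject.decision = 'allow';
  const [h, , s] = jwt.split('.');
  const forged = `${h}.${b64u(JSON.stringify(edited))}.${s}`;
  return {
    genuine: verifyJwtVc(jwt, issuer.publicKey),
    tampered: verifyJwtVc(forged, issuer.publicKey),
    wrongIssuer: verifyJwtVc(jwt, other.publicKey),
  };
}
console.log(demo());
```

Only the untouched credential checked against the issuer's own key verifies; the edited record and the check against an unrelated key both fail, which is what a plain JSON or CSV export cannot show.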

Output shape

  • individual (default), one credential per audit record.
  • presentation, a single Verifiable Presentation wrapping all credentials. Useful when submitting a batch to an auditor as a single signed document.

const vpResult = await exportAuditAsVC({
  ...options,
  output: 'presentation',
});

const vp = vpResult.presentation;
// vp.verifiableCredential contains all 20 credentials
// vp.proof is a JsonWebSignature2020 over the whole presentation

const vpVerified = await verifier.verifyPresentation(vp, keyPair.publicKeyJwk);
console.log(vpVerified.success); // true

Filtering

Pass a filter function to select a subset of records before signing. Useful for exporting only denials, or records for a specific agent.
const denyExport = await exportAuditAsVC({
  ...options,
  filter: (r) => r.result === 'denied',
});

Credential subject schema

Each credential carries a KavachosAuditCredential type with the following subject:

| Field | Type | Description |
| --- | --- | --- |
| id | string | Audit record ID |
| agentId | string | The agent that triggered the action |
| principalId | string? | The user who owns the agent |
| operation | string | Action attempted (e.g. execute, read) |
| target | string | Resource identifier (e.g. mcp:github:create_issue) |
| decision | "allow" \| "deny" \| "approval_required" | Authorization outcome |
| policyName | string? | Denial reason or policy reference |
| timestamp | string | ISO 8601 timestamp of the original audit event |
| traceId | string? | Optional distributed trace ID |
| kavachosVersion | string | SDK version that produced the export |

The @context array includes both https://www.w3.org/ns/credentials/v2 and https://kavachos.com/contexts/audit/v1.jsonld. The kavachos context URL is a stable identifier for this schema; it does not need to resolve at runtime.

Compliance notes

EU AI Act Article 12 requires that high-risk AI systems allow automatic recording of events. Exporting those records as Verifiable Credentials adds a cryptographic layer: auditors can confirm the records were produced by your specific DID-identified issuer and have not been modified since export.

SOC 2 CC7.2 covers evaluation of security events. A VC export gives auditors an independently verifiable audit package without needing access to your database.

  • Audit trail, how audit logging works and how to query records
  • Compliance, EU AI Act, SOC 2, and ISO 42001 alignment overview
  • DID (Decentralized Identifiers), issuer identity and key management
  • SOC 2 compliance report, coming soon
  • EU AI Act conformity assessment, coming soon
Last modified on April 18, 2026