PostQ Ledger
A per-organization, append-only, hash-chained, hybrid-signed Merkle log of every cryptographic event in your stack — key creation, rotation, signatures, policy changes. Verifiable offline by anyone, in any language, with the bundle and a public key.
Auditors don’t want logs. They want proofs.
Application logs are easy to edit. Database rows are easy to backdate. PostQ Ledger gives you a structure where retroactively changing a single byte invalidates every hash and every signed tree head issued since — the same architecture that powers Certificate Transparency, Sigstore Rekor, and Git itself.
Every entry stores prev_hash and entry_hash = SHA-256(prev || canonical_json(payload)). Splice an entry in the middle and every downstream hash changes.
On demand or on schedule, PostQ computes an RFC 6962 Merkle root over the entry hashes and signs the (treeSize, root, time) STH with your org's hybrid ML-DSA + Ed25519 ledger key.
Download a single JSON bundle and run postq ledger verify. Pure stdlib Go, no PostQ runtime required, exits non-zero on any tampering.
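The two checks described above (hash chain and RFC 6962 Merkle root), re-implemented independently in Python as an added example; this is not PostQ's verifier or its bundle schema. The dict field names, the all-zero genesis prev_hash, raw-byte hashes and the canonical JSON form (sorted keys, compact separators) are assumptions, and the sample events are constructed.

```python
import hashlib
import json

GENESIS = b"\x00" * 32  # assumption: prev_hash of the first entry

def sha256(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def canonical_json(payload: dict) -> bytes:  # assumed form: sorted keys, compact, UTF-8
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()

def append(log: list, payload: dict) -> None:
    prev = log[-1]["entry_hash"] if log else GENESIS
    log.append({"prev_hash": prev, "payload": payload,
                "entry_hash": sha256(prev, canonical_json(payload))})

def first_broken_link(log: list) -> int:
    """Index of the first entry whose hashes do not recompute, or -1."""
    prev = GENESIS
    for i, e in enumerate(log):
        expected = sha256(prev, canonical_json(e["payload"]))
        if e["prev_hash"] != prev or e["entry_hash"] != expected:
            return i
        prev = e["entry_hash"]
    return -1

def merkle_root(leaves: list) -> bytes:
    """RFC 6962 tree hash: 0x00-prefixed leaves, 0x01-prefixed interior nodes."""
    if len(leaves) <= 1:
        return sha256(b"\x00", leaves[0]) if leaves else sha256()
    k = 1
    while k * 2 < len(leaves):  # largest power of two strictly below n
        k *= 2
    return sha256(b"\x01", merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def verify(log: list, checkpoints: list) -> bool:
    """Chain intact, and each checkpoint root matches its first tree_size entries."""
    hashes = [e["entry_hash"] for e in log]
    return first_broken_link(log) == -1 and all(
        merkle_root(hashes[:c["tree_size"]]) == c["root"] for c in checkpoints)

if __name__ == "__main__":
    log = []  # constructed sample events, not real ledger data
    for event in ("key.created", "signature.issued", "key.rotated"):
        append(log, {"event_type": event})
    seal = [{"tree_size": 3, "root": merkle_root([e["entry_hash"] for e in log])}]
    print("untouched:", verify(log, seal))
    log[1]["payload"]["event_type"] = "signature.verified"  # edit one field
    print("after edit:", verify(log, seal), "first broken entry:", first_broken_link(log))
```

The signature on the signed tree head is not checked here. Without that check these tests show only internal consistency, because anyone holding the bundle can recompute both the chain and the roots.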
Every Vault operation, automatically
The moment you ship a Vault key, sign with it, rotate it, or change a setting, the ledger gets an entry — before the user even sees the response.
| event_type | when |
|---|---|
| key.created | POST /v1/keys |
| key.rotated | POST /v1/keys/:id/rotate |
| key.revoked | DELETE /v1/keys/:id |
| signature.issued | POST /v1/sign |
| signature.verified | POST /v1/verify |
| vault.settings_changed | PUT/DELETE /v1/vault/settings |
| custom.event | POST /v1/ledger/entries (UI or API) |
Three lines to prove a key was never silently rotated
```bash
# 1. download a verifiable bundle
curl -H "Authorization: Bearer $POSTQ_API_KEY" \
  https://api.postq.dev/v1/ledger/bundle | jq .data > bundle.json
# 2. verify it offline (pure Go stdlib, no network)
postq ledger verify bundle.json
# ✓ hash chain intact (1842 entries)
# ✓ all 17 checkpoints' merkle roots match the entry chain
# 3. for any single entry, get a 32-byte * log2(n) inclusion proof
curl -H "Authorization: Bearer $POSTQ_API_KEY" \
  https://api.postq.dev/v1/ledger/proof/<entry_id>
```
Ship audit-grade signing in an afternoon
Ledger is included with every PostQ org — no extra integration. Open the dashboard, click Seal now, download the bundle.