We prove our logins like we prove our answers
StatVault is a relying party of the Obelisk identity plane. Accounts, passkeys, and sessions live at the identity provider — StatVault itself stores no passwords and no credential secrets. Every meaningful auth event (sign-up, sign-in, sign-out, privilege change) is designed to land in an append-only, hash-chained receipt ledger, the same discipline we apply to Knox's answers.
Passkey-first login is built and env-gated; activation is one founder action.
Ledger storage not connected in this environment.
Appears with the first receipt.
How it works
No credentials held. Sign-in happens at the Obelisk Gate identity provider with WebAuthn passkeys; StatVault only ever receives a short-lived session token, which it verifies server-to-server.
Append-only ledger.Auth receipts are hash-chained: each one commits to the previous receipt's hash, so history can't be silently rewritten. The database table rejects updates and deletes outright.
Redaction by construction. Receipts carry only a whitelist of non-secret fields — never emails, tokens, passwords, or IPs. A secret-shaped payload throws before any write.
Related: Merkle history · Trust pulse · Security