The Village Governance API — governance as a service

Early access · on application

AI agents now propose actions all day: send this, pay that, publish, delete, commit. The hard question was never whether the agent can act — it’s who decided it should, and what record exists of that decision afterwards.

The Village Governance API answers both. Your system submits a proposed action; you get back a verdictallow, gate (a human must decide), or deny — and a signed receipt you can verify yourself, offline, without asking us. Behind each verdict sits a tamper-evident, customer-owned record of the whole deliberation, exportable as a self-verifying dossier.

It is an interface, deliberately narrow. What you send and what you get back is the entire surface. How a verdict is reached never crosses the wire.

The record is the product

Most audit trails record that something was approved. Boards, regulators and counsel want to see how — what AI was used, what it produced, how a person actually engaged with it, and what they decided.

The API captures that as a structured kōrero — the deliberation itself:

AI output and human reasoning are kept structurally separate, and the API never fills in the reasons for you. A record that says “a director read the AI’s summary and challenged two figures, and here is what they wrote at the time” is a different class of evidence from a tick in a box. That separation is the point.

Verify it without us

Every receipt is Ed25519-signed with your tenant’s own key, published in your tenant’s DID document. Verification takes a receipt, that public document, and about forty lines of code — no call to us, no account with us, no trust in our word. The client SDK ships the verifier; the algorithm is documented so you can re-implement it in any language.

Export the full record and the dossier carries the receipts, the proof chain and the deliberation together. A third party can check all of it years later, whether or not we still exist.

Integrity on your terms

By default the record is tamper-evident: a signed, append-only proof chain in which any alteration is detectable and provable. We hold that a record whose tampering can be demonstrated is stronger evidence than one that simply claims to be unchangeable — the case is made in full in Tamper-Evident Governance on this site. Tenants whose obligations require it can instead switch on write-once mode, which refuses all amendment after the fact.

Signing is configurable the same way: a single tenant key, or per-director signing, where each participant’s engagement carries an individually attributable signature.

Custody and control by design

What we do not claim

The record is tamper-evident and signed. We do not market it as tamper-proof or court-defensible — whether it satisfies a legal duty is a matter for your counsel and, where it comes to it, a court. What we give you is the strongest contemporaneous, self-verifiable record of how a decision was made. Where a customer enables the write-once toggle, the record can no longer be amended at all; that hardens the record, but not the claim — even then it is evidence of how a decision was made, not proof that any legal duty is met.

Availability

The API is built, tested and security-reviewed internally. We are opening it in stages, and we would rather stage it carefully than expose it early:

  1. Now — the full interface documentation and client SDK are public (below). You can design and build your integration today; the contract is versioned and additive-only within v1.
  2. On application — sandbox access: once an independent external security review of the API itself completes, approved applicants receive a tenant-scoped key against a live sandbox. Applying is light — who you are, what you intend to build, and agreement to the terms; enough to keep bad actors out, no more.
  3. Production keys follow counsel-reviewed terms and a data processing agreement — no production key is issued before both exist.
Request early access

Documentation

OpenAPI specification (v1) User guide Versioning & deprecation policy Client SDK + verifier

Pricing

The Governance API is an add-on to a Village subscription — every tenant is a Village, and the records live there, so there is no standalone API plan. Indicative pricing — a Village subscription plus a metered governance add-on, in your currency — is published at pricing page. All figures are indicative until general availability; assurance-level engagements are priced by conversation.


The Village Governance API is a product of My Digital Sovereignty Ltd (NZ), built on the governance architecture documented on this site. Questions: governance-api@mysovereignty.digital.