Client approval trust
Client approval lets your own customer co-sign an action from their browser, so you can prove the end user authorized it — without HESO ever storing your customer list.
Use this when the person who should sign off is not on your team. It is your customer, inside your product. They co-sign with a key on their own device, and the co-signature lands in the receipt as proof. HESO never holds a directory of your customers or a signing key of its own.
The trust model
Three parties, three jobs.
- You vouch. You are the operator. You decide that a given action may be cleared by a customer, and you stand behind who that customer is. HESO knows your operator public key; it does not know your customers.
- The customer co-signs. Their browser holds a signing key on the device and signs the action’s exact bytes with it. The private key never leaves the browser, and HESO never sees it.
- HESO verifies. It checks both signatures against the public keys and re-derives the trust level from the signatures that actually pass. HESO signs nothing.
Because HESO only ever sees public keys and a signed receipt, there is no customer base to store. No per-customer account, no profile, no contact list. The co-signature is cryptographic evidence in the receipt, not a customer record on our side.
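The verification step described above, as an added example that is not HESO's own code: a verifier holding only two public keys checks both signatures over the same action bytes and derives the level from what passes, ignoring any level the receipt claims. Ed25519, the receipt shape, and the names `signAction`, `verifyReceipt` and `claimedLevel` are assumptions; the page does not name the algorithm or format.

```javascript
// Added example: names, receipt shape and Ed25519 are assumptions, not HESO's API.
const crypto = require('node:crypto');

// Constructed keys. In the flow described above the customer's private key
// stays in their browser; only the two public keys reach the verifier.
const operator = crypto.generateKeyPairSync('ed25519');
const customer = crypto.generateKeyPairSync('ed25519');

// Both parties sign the same exact bytes of the action.
function signAction(actionBytes, privateKey) {
  return crypto.sign(null, actionBytes, privateKey);
}

// Verifier side: public keys only, signs nothing. Any level the receipt
// claims is ignored; the result comes from the signatures that pass.
function verifyReceipt(receipt, operatorPub, customerPub) {
  const bytes = receipt.actionBytes;
  const passed = {
    operator: crypto.verify(null, bytes, operatorPub, receipt.operatorSig),
    customer: crypto.verify(null, bytes, customerPub, receipt.customerSig),
  };
  // Assumption: L1 needs both signatures; the page names no other level,
  // so anything else is reported as null rather than given a label.
  return { passed, level: passed.operator && passed.customer ? 'L1' : null };
}

// Constructed sample action and receipt.
const action = Buffer.from('{"action":"transfer","amount":"250.00","id":"demo-1"}');
const goodReceipt = {
  actionBytes: action,
  operatorSig: signAction(action, operator.privateKey),
  customerSig: signAction(action, customer.privateKey),
  claimedLevel: 'L1',
};

// Same signatures, but the action bytes were changed after signing.
const tampered = {
  ...goodReceipt,
  actionBytes: Buffer.from(action.toString().replace('250.00', '950.00')),
};

// Customer signed different bytes than the operator authorized.
const mismatched = {
  ...goodReceipt,
  customerSig: signAction(Buffer.from('some other action'), customer.privateKey),
};

console.log(verifyReceipt(goodReceipt, operator.publicKey, customer.publicKey).level);
```

The `tampered` and `mismatched` receipts still carry `claimedLevel: 'L1'`, yet neither verifies to L1, because the level is derived from signature checks over the received bytes.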
How this differs from internal approval
A normal human approval assumes the approver is on your team, enrolled ahead of time, co-signing in HESO’s own console. A client approval flips that: the approver is your customer, embedded in your product, not a HESO console user. You never register each customer with us, and there may be millions of them. Both paths re-derive to L1 from the keys that pass, but the approver and the surface are different.
A receipt proves you authorized this action under your policy and that the customer you handed the gate to co-signed those same bytes. It does not prove a legal identity, and it does not prove the action succeeded downstream.