
What is a signed decision receipt?

A signed decision receipt is a single-use, HMAC-signed proof of what oakallow decided about a tool call.

Every permission check on an approved tool returns a receipt inline, in the same call — for every verdict, not just allowed. There is no separate step: the check that resolves the decision also signs it. The signature binds the verdict and the exact request (tool, tenant, resource, method, parameters), and the receipt carries a nonce that can only be used once, preventing replay.

A receipt is cryptographic evidence that
  • oakallow evaluated this exact request and what it decided (allowed, requires_approval, or disabled)
  • The specific tool and parameters were bound to the decision
  • The receipt was not reused from a previous call

A disabled receipt is just as real as an allowed one: it is the proof oakallow blocked the action.

(The standalone /v1/tokens/mint endpoint still exists for integrations built before inline signing, but it is no longer required — the permission check signs every decision on its own.)
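To make the binding and replay protection concrete, here is an added, illustrative implementation of the receipt flow described above. It is not oakallow's code: the field names, the sorted-key JSON canonicalisation, HMAC-SHA256 and the in-memory nonce store are all assumptions chosen for the example.

```python
"""Illustrative signed decision receipt (not oakallow's real format).

Assumptions (hypothetical, not from the page): JSON canonicalisation with
sorted keys, HMAC-SHA256 over the canonical bytes, and an in-memory nonce
store for single-use enforcement.
"""
import hashlib
import hmac
import json
import secrets

VERDICTS = {"allowed", "requires_approval", "disabled"}


def canonical(fields: dict) -> bytes:
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def issue_receipt(key: bytes, verdict: str, tool: str, tenant: str,
                  resource: str, method: str, params: dict) -> dict:
    """Sign a decision inline: every verdict, including 'disabled', gets a receipt."""
    if verdict not in VERDICTS:
        raise ValueError(f"unknown verdict {verdict!r}")
    body = {"verdict": verdict, "tool": tool, "tenant": tenant,
            "resource": resource, "method": method, "params": params,
            "nonce": secrets.token_hex(16)}  # fresh per receipt, single use
    sig = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "sig": sig}


class ReceiptVerifier:
    """Checks the signature, the request binding, and single use of each nonce."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen_nonces: set[str] = set()

    def verify(self, receipt: dict, expected_request: dict) -> tuple[bool, str]:
        body = {k: v for k, v in receipt.items() if k != "sig"}
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, receipt.get("sig", "")):
            return False, "bad signature"
        # The signature binds the exact request: any field mismatch is rejected.
        for k, v in expected_request.items():
            if body.get(k) != v:
                return False, f"request mismatch on {k}"
        if body["nonce"] in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces.add(body["nonce"])
        return True, body["verdict"]
```

A tampered parameter, a receipt presented against a different request, or a second presentation of the same nonce each fail for a distinct, loggable reason, while a disabled verdict verifies just as cleanly as an allowed one.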
