Why our word matters less
Disputes settle
on math.
Every state change is signed the moment it happens. Pickup. Drop-off. Refund. Payout. When something's contested, we don't ask you to trust us — we hand you the chain.
Disputes settle
How the chain works
Four hops from device to public log.
01 — Sign locally
The driver's device signs each state-change envelope with HMAC-SHA256 over canonical-JSON, bound to a capability token. Never raw network.
02 — Verify + state-machine
Jobs service verifies signature, then walks the state machine. Mismatch → 401 AUTH_INVALID. Wrong transition → 409 JOB_FORBIDDEN_TRANSITION.
03 — Fan out, signed
Webhooks carry x-link-signature: t=<unix>,v1=<hex-hmac>. Replay window 5 minutes; tenants verify with the SDK's verifyWebhook.
04 — Anchor on Sigil
High-consequence events (city pause, driver suspension, multi-thousand-dollar variance) anchor on Sigil with a public Rekor URL.
The handoff itself
Every knot.
Captured.
Pickup signature, drop-off signature, photo proof, recipient name — captured the moment a driver places the box. Not a phone call. Not a memory. The chain.
What the chain changes
Three things stop being arguments.
Dispute resolution
If a tenant claims a delivery didn't happen and we have a signed link.job.delivered.v1 from the driver's device with a matching photo + signature, the dispute closes on the chain.
Driver pay
Signed events feed Bean's double-entry ledger with $0.00 variance. Drivers see their pay on every job before accepting; nothing back-charges later.
Insurance
The rideshare 3-period state machine is deterministic — 16 legal transitions, pinned by unit test. Carriers integrate against the contract, not against guesswork.
Read the contracts
We publish them. Verify for yourself.
Full Tenant API reference, canonical SPEC.md, OpenAPI 3.1 source of truth, live status with 30-day incident history.