Verifying Workflows
Workflow verification ensures the integrity and authenticity of your workflows across deployment, onchain execution, and third-party auditing. This guide explains how workflow IDs are computed, how to verify workflows in consumer contracts, and how to enable independent verification by third parties.
Workflow ID
The workflow ID is a unique hash that serves as the primary identifier for your workflow throughout its lifecycle. It is computed locally during cre workflow deploy from the following inputs:
- workflowOwner: The deployer's address
- workflowName: The name specified in your workflow
- Compiled workflow binary: The WASM binary produced from your workflow code
- Config file contents: The contents of your workflow's config file
- Secrets hash: An empty string placeholder for secrets
Because the workflow ID is derived from these inputs, it deterministically represents a specific version of your workflow code and configuration.
Use cre workflow hash to inspect the workflow ID before deploying. This lets you preview the ID without submitting an onchain transaction.
For more details on deployment and updates, see Deploying Workflows and Updating Deployed Workflows.
Verifying workflows onchain
When a workflow writes onchain, the consumer contract receives both the report data and metadata through the onReport callback. The metadata contains information you can use to verify the source of the report:
workflowId(bytes32): The unique workflow hashworkflowName(bytes10): The workflow name, hash-encodedworkflowOwner(address): The address that deployed the workflow
See Building Consumer Contracts for the full IReceiver interface and metadata structure.
Workflow name encoding
The workflowName in metadata is not stored as a plain string. It is a SHA256 hash of the workflow name, truncated to bytes10. See how workflow names are encoded for the full encoding process.
Security best practices
Follow these practices to ensure only authorized workflows can interact with your consumer contract:
- Verify
msg.sender: Always check thatmsg.senderis the expected forwarder address. See the Forwarder Directory for addresses by network. - Permission on workflow ID: Use
setExpectedWorkflowIdfromReceiverTemplateto restrict which workflow can call your contract.
Third-party verification
Third-party verification allows customers or auditors to independently confirm that a deployed workflow matches its source code. The deployer shares the workflow source, and the verifier uses the CRE CLI to compute the workflow hash and compare it against the onchain workflow ID.
Steps for the workflow developer
-
Add a
.env.publicfile to your workflow folder withGOTOOLCHAINset to the Go toolchain version you use to build the workflow. Pinning that version helps reproducible builds across machines and environments. Add this file before runningcre workflow deploy.Example (replace with your own version—the tag below is not prescriptive):
GOTOOLCHAIN=go1.23.0Use the same toolchain string you build with;
go versionreports it (for examplego1.23.0 linux/amd64→ usego1.23.0). -
Share your workflow source with the customer. Provide a zip archive or repository link that includes all workflow files, including
.env.public. Exclude.envfiles that contain private keys or secrets.
Steps for the verifier
-
Install the CRE CLI. No login or deploy access is required for hash verification.
-
Unzip or clone the shared workflow repository.
-
Run
cre workflow hashto compute the workflow hash:cre workflow hash ./workflow-folder --public_key=0xYourDeployerAddressReplace
./workflow-folderwith the path to the workflow source and0xYourDeployerAddresswith the deployer's public address. -
Compare the output with the workflow ID observed onchain. The
Workflow hashvalue in the output corresponds to the onchain workflow ID:Binary hash: 0dcbb19de3c22edfe61605a970eb6d42199df91ac3e992cd3f2e33cb13efbb4c Config hash: 3bdaebcc2f639d77cb248242c1d01c8651f540cdbf423d26fe3128516fd225b6 Workflow hash: 004fff5bb1ae05cc16e453f8ad564f5e8b0eae1945ec22f3d0adfc0339954d56If the workflow hash matches the onchain workflow ID, the deployed workflow matches the shared source code.