Learn How dokugent certify Works¶
The dokugent certify command is where your agent setup gets formally signed and verified. It bundles your plan, criteria, conventions, and metadata into a cryptographically signed .cert.json file.
What It Does¶
dokugent certify signs off on agent data that has already been validated and compiled during dokugent preview. It does not perform compilation or behavior checks.
During certification, you’ll be asked to select a signing identity and define a validity period (e.g. 6m, 1y). These are embedded into the signed certificate and used to verify authenticity and expiration.
Where It Goes¶
Certified files are saved here:
.dokugent/ops/certified/<agentName>/<agentId>.cert.json
.dokugent/ops/certified/<agentName>/<agentId>.cert.sha256
Why It Matters¶
Certification acts as a digital contract — a snapshot of your agent’s defined behavior, signed by an identity you control. Once certified:
- The plan and criteria are locked and verifiable
- Downstream systems can trust this agent based on the validated plan and metadata already compiled during preview
- Audit and trace logs can validate historical output
- The
.cert.jsonis immutably versioned based on the agent’s birthstamp - The signature allows for agent authenticity tracing
- Downstream systems can use the
.sha256file to confirm integrity
Tips Before Certifying¶
- Run
dokugent previewfirst to verify the behavior - Fill out
.dokugent/data/io/and.dokugent/data/compliance/to avoid warnings - Make sure your plan and criteria are complete — certs are immutable
💡 Tip: You can use dokugent preview to generate multiple variations or drafts of your agent setup and compare behaviors before committing to a final certified version.
After Certify¶
You can now:
- Run
dokugent compileto generate the runtime bundle - Use
dokugent traceordryrunto validate how the agent behaves under simulation - Share the
.cert.jsonas a signed record of expected behavior - Learn how to compile your agent »