<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>CloakAPI Blog</title>
    <link>https://cloakapi.io/blog</link>
    <description>Long-form posts on privacy, cryptographic receipts, and how CloakAPI ships.</description>
    <language>en-us</language>
    <managingEditor>hello@cloakapi.io (CloakAPI)</managingEditor>
    <webMaster>hello@cloakapi.io (CloakAPI)</webMaster>
    <lastBuildDate>Fri, 10 Jul 2026 00:00:00 +0000</lastBuildDate>
    <atom:link href="https://cloakapi.io/blog/index.xml" rel="self" type="application/rss+xml"/>

    <item>
      <title>Verifying receipts without trusting us</title>
      <link>https://cloakapi.io/blog/verifying-receipts/</link>
      <guid isPermaLink="true">https://cloakapi.io/blog/verifying-receipts/</guid>
      <pubDate>Tue, 29 Apr 2026 00:00:00 +0000</pubDate>
      <author>hello@cloakapi.io (CloakAPI)</author>
      <category>Engineering</category>
      <description><![CDATA[How ECDSA-P-256 + RFC 8785 JCS canonicalisation + a public JWKS endpoint lets your auditor verify every signed receipt offline, with no CloakAPI account required. Includes Python reference verifier walkthrough and chain-link discipline explained.]]></description>
    </item>

    <item>
      <title>Not a HIPAA Business Associate: the structural argument</title>
      <link>https://cloakapi.io/blog/structural-non-ba/</link>
      <guid isPermaLink="true">https://cloakapi.io/blog/structural-non-ba/</guid>
      <pubDate>Sat, 18 Apr 2026 00:00:00 +0000</pubDate>
      <author>hello@cloakapi.io (CloakAPI)</author>
      <category>Trust</category>
      <description><![CDATA[Why CloakAPI is outside the HIPAA BA definition (45 CFR 160.103) when PHI is tokenised pre-egress — the architectural argument, counter-arguments, practical checklist, and honest disclaimer. Not legal advice.]]></description>
    </item>

    <item>
      <title>OpenReceipt sub-tags: file-ext, streaming, router-decision</title>
      <link>https://cloakapi.io/blog/openreceipt-subtags/</link>
      <guid isPermaLink="true">https://cloakapi.io/blog/openreceipt-subtags/</guid>
      <pubDate>Fri, 10 Apr 2026 00:00:00 +0000</pubDate>
      <author>hello@cloakapi.io (CloakAPI)</author>
      <category>Spec</category>
      <description><![CDATA[The three new optional sub-tags in OpenReceipt: file_ext, streaming, and router_decision. What they record, their canonical position in the envelope, and full backwards compatibility guarantees for existing verifiers.]]></description>
    </item>

    <item>
      <title>Shamir 3-of-3 key custody: why we built our own</title>
      <link>https://cloakapi.io/blog/shamir-from-scratch/</link>
      <guid isPermaLink="true">https://cloakapi.io/blog/shamir-from-scratch/</guid>
      <pubDate>Fri, 03 Apr 2026 00:00:00 +0000</pubDate>
      <author>hello@cloakapi.io (CloakAPI)</author>
      <category>Engineering</category>
      <description><![CDATA[Why no existing PHP/Rust/JS Shamir implementation solved our cross-language byte-compatibility requirement. GF(2^8) arithmetic walkthrough, Lagrange interpolation, test vectors, on-device recovery, and honest limitations.]]></description>
    </item>

    <item>
      <title>Why we started CloakAPI</title>
      <link>https://cloakapi.io/blog/why-we-started/</link>
      <guid isPermaLink="true">https://cloakapi.io/blog/why-we-started/</guid>
      <pubDate>Sat, 28 Mar 2026 00:00:00 +0000</pubDate>
      <author>hello@cloakapi.io (CloakAPI)</author>
      <category>Company</category>
      <description><![CDATA[On the gap between "we take privacy seriously" as a marketing claim and privacy as an engineering invariant. Why we built CloakAPI to make that gap provably impossible, and why open spec and reference verifier matter.]]></description>
    </item>

    <item>
      <title>Prompt-pool privacy: what it means and what it doesn't</title>
      <link>https://cloakapi.io/blog/prompt-pool-privacy/</link>
      <guid isPermaLink="true">https://cloakapi.io/blog/prompt-pool-privacy/</guid>
      <pubDate>Fri, 20 Mar 2026 00:00:00 +0000</pubDate>
      <author>hello@cloakapi.io (CloakAPI)</author>
      <category>Trust</category>
      <description><![CDATA[The K3 cross-tenant isolation guarantee explained — what it protects against (batch co-location, cache poisoning), what it does not protect against (provider-layer batching, model memorisation, DPA violations), and how BYOK and complete-local mode mitigate residual risks.]]></description>
    </item>

  </channel>
</rss>
