The Correctness Protocol

Entitlements you can prove correct.

A protocol that defines what must be true about an entitlement — and proves it. Deterministic lifecycle. Invariant enforcement. Ledger-driven truth.

Explore the Sandbox → Read the Protocol

                Entitlement Lifecycle
                POST
            
                # Issue

                POST /v1/entitlements

                { "state": "ISSUED", "id": "ent_7k2m" }

                # Activate

                POST /v1/entitlements/ent_7k2m/activate

                { "state": "ACTIVE", "guardian": "PASS" }

                # Consume

                POST /v1/entitlements/ent_7k2m/consume

                { "state": "CONSUMED", "ledger": "evt_9k3m" }

What MintPass Is

Stripe for entitlements. Correctness-based.

Existing entitlement tools are configuration-based — feature flags, subscription managers, access control layers. You set rules and trust the provider. MintPass is correctness-based. A formal state machine with Guardian invariant enforcement that can be independently verified from first principles.

The protocol separates lifecycle (what states exist), enforcement (what the Guardian blocks), and truth (the immutable ledger). Every mutation is recorded. Every access decision is auditable. Implementations don't just claim correctness — they prove it.

A gift card is issued, partially redeemed, disputed, resolved by an external authority, and settled — every state transition deterministic, every invariant enforced, every event auditable.

The Problem

Configuration pretends. Correctness proves.

"Is this user entitled to this?" Today, that question is answered by configuration you trust — not proof you verify.

State Drift

Trial expired. Access still active.

Entitlement state scattered across billing, auth, and product. No single source of truth. Inconsistencies compound silently.

Trust-Based Access

You trust the flag. Not the proof.

Feature flags and subscription managers tell you what's configured. Not what's provably correct. When they disagree with reality, you debug.

Vendor Lock-in

Switching processors means rewriting logic

Entitlement rules tangled with provider-specific models. Every migration is a rewrite of what should have been portable.

Integration Fatigue

Three systems. No protocol.

Billing in Stripe. Access in your DB. Redemptions somewhere else. No consistent contract connecting them.

Auditability

Customer disputes. No ledger.

When someone disputes their access, there's no immutable record. Reconstructing history means querying three systems and hoping.

Build vs Buy

You own infrastructure nobody wanted

Custom access logic. Entitlement tables bolted onto billing. Engineers burning sprints on state bugs that should not exist.

Why Now

Complexity has reached a tipping point.

Products span multiple platforms. Billing runs through multiple processors. Entitlement logic scoped to one system is now asked to work across three.

Compliance and audit requirements are increasing. Entitlement state needs to be traceable. Access decisions need to be defensible. The internal stack is no longer adequate.

Cross-system complexity demands a consistent entitlement contract
Compliance requires auditable, immutable state history
Engineering cost of maintaining internal stacks is accelerating

Protocol Primitives

Six objects. One protocol.

A small set of composable primitives that model any entitlement architecture.

Protocol Object Container

id user_8821

type user

entitlements 3 active

state valid

Protocol Object Entitlement

actor user_8821

type access

authority issuer

state active

Protocol Object Actor

id act_k8m2

role subscriber

authority issuer

verified true

Protocol Object Authority

id auth_root

can_issue true

can_revoke true

scope global

Protocol Object Ledger Event

type issued

entitlement ent_7k2m

by auth_root

immutable true

Protocol Object Guardian

role enforcement

enforces invariants

blocks invalid mutations

auditable true

How It Works

State machine. Guardian enforcement. Immutable ledger.

Three guarantees that separate correctness-based entitlements from configuration-based tools.

Deterministic lifecycle

Every entitlement moves through defined states — issued, active, consumed, expired, revoked. Transitions are controlled. Invalid transitions are rejected before they execute.

Guardian invariant enforcement

The Guardian enforces protocol invariants at the mutation boundary. An entitlement can be structurally active but operationally frozen — the protocol distinguishes these without collapsing them.

Ledger-driven truth

Every mutation writes to an immutable ledger. Entitlement history is always reconstructable. Access decisions are always auditable. No state drift.

Implementation-agnostic

MintPass defines the contract, not the runtime. Replace Stripe with Adyen without rewriting entitlement logic. Portability is a protocol guarantee, not a feature flag.

Built For

Platform engineers who need proof.

Teams embedding entitlement logic via API/SDK. The domain changes. The protocol does not.

SaaS Subscriptions

Feature access and usage quotas as structured entitlements with lifecycle enforcement — not boolean columns in your product database.

Gift Cards & Stored Value

Issued value with capacity tracking, redemption rules, and expiry — every partial redemption auditable in the ledger.

Loyalty & Rewards

Points, credits, and reward units as protocol objects with controlled redemption and auditable balance history.

Event Ticketing

Access rights with enforced capacity and redemption validation. Verify once at the gate, trust everywhere inside.

Memberships

Time-bounded access with lifecycle enforcement and portable state — independent of billing provider.

Entitlement Bundles

Compose entitlements into containers. Bundle access, quotas, and redemption units under a single portable authority.

Conformance

Run it. Get PASS or FAIL.

The first artefact is a conformance scenario. See a lifecycle, see what must be true at each stage, run it against your system. Every container exposes its entitlement state through a single API call.

The ledger shows every mutation with its authority, timestamp, and resulting state. Reconstructing what happened at any point is a query, not forensics.

Explore the Sandbox → Developer Portal → Protocol Overview →

                Container State
                GET
            
                /containers/user_8821/state
                
                {

                  "container": "user_8821",

                  "entitlements": [

                    {

                      "id": "ent_7k2mXp9aQ",

                      "type": "access",

                      "resource": "premium_content",

                      "lifecycle": "active",

                      "enforcement": "none",

                      "usable": true

                    }

                  ],

                  "ledger_events": 4,

                  "last_mutation": "2026-03-13T12:45:00Z"

                }