What this guide covers
- what the SHA-256 audit hash file is
- how it connects to manifest.json
- the order to use when verifying a pack
- what the audit hash does and does not prove
This guide shows you what the audit hash means inside an exported evidence pack and how to use it as a quick integrity check. It matters because the audit hash helps you confirm that the exported pack still matches the manifest generated at export time.
Context: The export pack is more than a file download. It is a persistence-backed record with stored history, archived-evidence metadata, and an integrity layer. The audit hash helps show whether the pack still matches the manifest state created at export time.
Step 1: Find the audit file
Open the exported ZIP and look at the root of the archive. The audit file sits beside the manifest, not inside the student or attachment folders.
- 1.Open the evidence pack ZIP after the export finishes.
- 2.Find audit_hash.txt at the top level of the archive.
- 3.Keep manifest.json open as well, because the audit file is meant to be checked against that manifest data.
Sample Hash Value
a7f3b2c4d8e1f6a9b0c3d7e2f5a8b1c4d6e9f2a5b8c1d4e7f0a3b6c9d2e5f8a1How manifest.json connects to audit_hash.txt for pack verification
Step 2: Read what the hash is for
The audit hash is the pack-integrity layer. The backend creates a SHA-256 hash for the manifest and writes a human-readable verification summary into audit_hash.txt after the PDFs and attachments are assembled.
- 1.Read the recorded hash value in audit_hash.txt.
- 2.Use it as an integrity reference for the generated export pack.
- 3.Treat it as a pack-level check, not as a summary of student content or readiness by itself.
File reference
Use this table to understand what each file tells you about the export pack.
| File | What it tells you |
|---|---|
| manifest.json | Shows the export scope, reporting window, students included, evidence count, attachment mode, PDF hashes, and final pack hash. |
| audit_hash.txt | Shows the SHA-256 summary used to verify that the manifest still matches the generated pack. |
Step 3: Follow the basic verification order
The export documentation gives a practical order for checking the pack. Start with the manifest, then compare the recorded hash.
Read manifest.json
Understand what the export contains — students, dates, evidence counts, attachment mode.
Recalculate hash (optional)
For formal verification, compute the SHA-256 hash of manifest.json.
Compare with audit_hash.txt
Check that the recorded hash matches your calculated value.
Recommended verification order for checking pack integrity
- 1.Read manifest.json to understand the recorded export contents.
- 2.Recalculate the manifest hash if you need to verify integrity in a formal check.
- 3.Compare that recalculated value with the hash recorded in audit_hash.txt.
For most reviews, simply confirming the audit file exists and matches the expected pack ID is enough. Full hash recalculation is typically only needed for formal audit verification.
Common mistake
Don't skip the manifest: The most common mistake is assuming the audit hash proves every file is valid on its own. The documented verification order starts with the manifest. The audit file is there to confirm the pack-level integrity check, not replace the manifest.
What to do next
After you check the audit hash, open the summary report to confirm which students, dates, and evidence counts were included. Then review any student PDF you need in detail.
- How to export an evidence pack
- Reading the Summary Report
- Reading a student PDF
- Export history and re-downloads
Next guide
Export history and re-downloads →
Finding past exports, checking download availability, and using 24-hour instant downloads.