From 24437deb7822a5c95c3d7ba366c7ae5625958d1c Mon Sep 17 00:00:00 2001
From: devin distefano <devin.distefano@smartcontract.com>
Date: Wed, 20 May 2026 18:55:37 -0500
Subject: [PATCH 1/9] initial pass

---
 src/config/sidebar.ts                         |   8 +
 .../generating-reports-single-values.mdx      |  12 +-
 .../generating-reports-structs.mdx            |   4 +-
 .../onchain-write/overview-go.mdx             |  11 +
 .../onchain-write/overview-ts.mdx             |  11 +
 .../submitting-reports-onchain.mdx            |   7 +-
 .../workflow/using-http-client/index.mdx      |  31 +-
 .../submitting-reports-http-go.mdx            |  30 +-
 .../submitting-reports-http-ts.mdx            |  30 +-
 .../verifying-reports-offchain-go.mdx         | 300 +++++++++++
 .../verifying-reports-offchain-ts.mdx         | 257 +++++++++
 src/content/cre/llms-full-go.txt              | 488 +++++++++++++++++-
 src/content/cre/llms-full-ts.txt              | 401 +++++++++++++-
 src/content/cre/reference/sdk/core-go.mdx     |  81 ++-
 src/content/cre/reference/sdk/core-ts.mdx     |  72 ++-
 .../cre/reference/sdk/http-client-go.mdx      |  19 +-
 .../cre/reference/sdk/http-client-ts.mdx      |   7 +-
 src/content/cre/reference/sdk/overview-go.mdx |   2 +-
 src/content/cre/reference/sdk/overview-ts.mdx |   2 +-
 19 files changed, 1708 insertions(+), 65 deletions(-)
 create mode 100644 src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-go.mdx
 create mode 100644 src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts.mdx

diff --git a/src/config/sidebar.ts b/src/config/sidebar.ts
index b541d804798..75f13155597 100644
--- a/src/config/sidebar.ts
+++ b/src/config/sidebar.ts
@@ -387,6 +387,14 @@ export const SIDEBAR: Partial<Record<Sections, SectionEntry[]>> = {
                 "cre/guides/workflow/using-http-client/submitting-reports-http-go",
               ],
             },
+            {
+              title: "Verifying CRE Reports Offchain",
+              url: "cre/guides/workflow/using-http-client/verifying-reports-offchain",
+              highlightAsCurrent: [
+                "cre/guides/workflow/using-http-client/verifying-reports-offchain-ts",
+                "cre/guides/workflow/using-http-client/verifying-reports-offchain-go",
+              ],
+            },
           ],
         },
         {
diff --git a/src/content/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values.mdx b/src/content/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values.mdx
index ca4ca5793d8..a505db987cd 100644
--- a/src/content/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values.mdx
+++ b/src/content/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values.mdx
@@ -11,7 +11,9 @@ metadata:
 
 import { Aside } from "@components"
 
-This guide shows how to manually generate a report containing a single value (like `uint256`, `address`, or `bool`). This is useful when you need to send a simple value onchain but don't have a struct or binding helper available.
+This guide shows how to manually generate a **CRE report** containing a single value (like `uint256`, `address`, or `bool`). A CRE report is a DON-signed package from `runtime.GenerateReport()` / `runtime.report()`—your encoded data plus workflow metadata and signatures. It is **not** a [Data Streams](/data-streams) report.
+
+This guide covers **creating** the report (step 2 in the sender flow). **Delivering** it is a separate step—see the table below.
 
 **Use this approach when:**
 
@@ -31,10 +33,12 @@ Manually generating a report for a single value involves two main steps:
 1. **ABI-encode the value** into bytes using the `go-ethereum/accounts/abi` package
 1. **Generate a cryptographically signed report** using `runtime.GenerateReport()`
 
-The resulting report can then be:
+| After `GenerateReport()` / `report()`        | Guide                                                                                                        | Who verifies?                                                                                                             |
+| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------- |
+| `evm.Client.WriteReport()` / `writeReport()` | [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain) | `KeystoneForwarder` onchain                                                                                               |
+| `http.Client` `SendReport()`                 | [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http)                | Receiver: [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain) or your API |
 
-- Submitted to the blockchain via `evm.Client.WriteReport()` (see [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain))
-- Sent to an HTTP endpoint via `http.Client` (see [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http))
+See [API Interactions — CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http) for the sender → receiver mental model.
 
 <Aside type="note" title="Have a struct in your contract's ABI?">
   If your struct appears in a public/external function's signature, you can use the simpler `WriteReportFrom<StructName>()` helper instead. See [Using WriteReportFrom Helpers](/cre/guides/workflow/using-evm-client/onchain-write/using-write-report-helpers).
diff --git a/src/content/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-structs.mdx b/src/content/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-structs.mdx
index 27fef332933..1081c06d44d 100644
--- a/src/content/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-structs.mdx
+++ b/src/content/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-structs.mdx
@@ -11,7 +11,9 @@ metadata:
 
 import { Aside } from "@components"
 
-This guide shows how to generate a report containing a struct with multiple fields. There are two approaches depending on whether you have generated bindings for your contract.
+This guide shows how to generate a **CRE report** containing a struct with multiple fields. A CRE report is a DON-signed package from `runtime.GenerateReport()`—not a [Data Streams](/data-streams) report. After generation, deliver it [onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain) or via [HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http); HTTP receivers should [verify offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain). See [CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
+
+There are two encoding approaches depending on whether you have generated bindings for your contract.
 
 ## Choosing your approach
 
diff --git a/src/content/cre/guides/workflow/using-evm-client/onchain-write/overview-go.mdx b/src/content/cre/guides/workflow/using-evm-client/onchain-write/overview-go.mdx
index 62781bfed21..4afb3f2f901 100644
--- a/src/content/cre/guides/workflow/using-evm-client/onchain-write/overview-go.mdx
+++ b/src/content/cre/guides/workflow/using-evm-client/onchain-write/overview-go.mdx
@@ -44,6 +44,17 @@ Here's the journey your workflow's data takes to reach the blockchain:
 
 Your workflow code handles this process using the [`evm.Client`](/cre/reference/sdk/evm-client), which manages the interaction with the Forwarder contract. Depending on your approach (covered below), this can be fully automated via generated binding helpers or done manually with direct client calls.
 
+### Where reports can go after generation
+
+The same signed report from `runtime.GenerateReport()` can be delivered in different ways:
+
+| Destination                    | Guide                                                                                                                       | Verification                                                                                                           |
+| ------------------------------ | --------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- |
+| Smart contract (via Forwarder) | This section + [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain) | Onchain in `KeystoneForwarder`                                                                                         |
+| HTTP API                       | [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go)                            | [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go) on the receiver |
+
+See [CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http) for the sender → receiver flow. CRE reports are not [Data Streams](/data-streams) reports.
+
 {/* prettier-ignore */}
 <Aside type="caution" title="Replay attacks">
   Signed reports can be replayed on a different chain or resubmitted on the same chain after a revert. For any workflow that performs state-changing actions, you must embed protective metadata in the report payload and verify it in your consumer contract. See [Replay attacks](/cre/guides/workflow/using-evm-client/onchain-write/building-consumer-contracts#replay-attacks) for full examples.
diff --git a/src/content/cre/guides/workflow/using-evm-client/onchain-write/overview-ts.mdx b/src/content/cre/guides/workflow/using-evm-client/onchain-write/overview-ts.mdx
index 4381b5a9514..a2df3d92168 100644
--- a/src/content/cre/guides/workflow/using-evm-client/onchain-write/overview-ts.mdx
+++ b/src/content/cre/guides/workflow/using-evm-client/onchain-write/overview-ts.mdx
@@ -42,6 +42,17 @@ Here's the journey your workflow's data takes to reach the blockchain:
 
 In your workflow code, this process involves two steps: calling `runtime.report()` to generate the signed report, then calling `evmClient.writeReport()` to submit it to the blockchain.
 
+### Where reports can go after generation
+
+The same signed report from `runtime.report()` can be delivered in different ways:
+
+| Destination                    | Guide                                                                                                                       | Verification                                                                                                           |
+| ------------------------------ | --------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- |
+| Smart contract (via Forwarder) | This section + [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain) | Onchain in `KeystoneForwarder`                                                                                         |
+| HTTP API                       | [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts)                            | [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts) on the receiver |
+
+See [CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http) for the sender → receiver flow. CRE reports are not [Data Streams](/data-streams) reports.
+
 ## What you need: A consumer contract
 
 Before you can write data onchain, you need a **consumer contract**. This is the smart contract that will receive your workflow's data.
diff --git a/src/content/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain.mdx b/src/content/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain.mdx
index 7a3bc7f4758..6813d838df0 100644
--- a/src/content/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain.mdx
+++ b/src/content/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain.mdx
@@ -11,7 +11,12 @@ metadata:
 
 import { Aside } from "@components"
 
-This guide shows how to manually submit a generated report to the blockchain using the low-level `evm.Client.WriteReport()` method.
+This guide shows how to manually submit a generated **CRE report** to the blockchain using the low-level `evm.Client.WriteReport()` method. The forwarder verifies signatures onchain—no separate [offchain verification](/cre/guides/workflow/using-http-client/verifying-reports-offchain) step.
+
+{/* prettier-ignore */}
+<Aside type="note" title="HTTP delivery instead?">
+  If you need to POST the report to an API rather than a contract, generate the report the same way ([single values](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values) or [structs](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-structs)), then follow [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http). See [CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
+</Aside>
 
 **Use this approach when:**
 
diff --git a/src/content/cre/guides/workflow/using-http-client/index.mdx b/src/content/cre/guides/workflow/using-http-client/index.mdx
index 1d107714a27..84058dad3e4 100644
--- a/src/content/cre/guides/workflow/using-http-client/index.mdx
+++ b/src/content/cre/guides/workflow/using-http-client/index.mdx
@@ -6,7 +6,7 @@ isIndex: true
 metadata:
   description: "Connect your workflow to external APIs: learn to make GET and POST requests with built-in consensus for secure offchain data."
   datePublished: "2025-11-04"
-  lastModified: "2026-03-17"
+  lastModified: "2026-05-20"
 ---
 
 import { Aside } from "@components"
@@ -25,8 +25,37 @@ The CRE SDK provides an HTTP client that allows your workflows to interact with
 
 These guides will walk you through the common use cases for the HTTP client.
 
+## CRE reports over HTTP
+
+A **CRE report** is a DON-signed package your workflow creates with `runtime.report()` (TypeScript) or `runtime.GenerateReport()` (Go). It contains your encoded payload, workflow metadata, and cryptographic signatures. It is **not** a [Data Streams](/data-streams) report—those come from a different product.
+
+Most secure HTTP integrations use two roles:
+
+```mermaid
+flowchart LR
+  subgraph sender ["Sender workflow (this guide's focus)"]
+    A[Trigger] --> B[Your logic]
+    B --> C["runtime.report()"]
+    C --> D["sendReport() → HTTP POST"]
+  end
+  subgraph receiver ["Receiver (separate system)"]
+    D --> E[Your API or CRE HTTP trigger]
+    E --> F["Report.parse() before trusting data"]
+  end
+```
+
+| Step | Who                       | What happens                                                                                                                                  |
+| ---- | ------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
+| 1    | **Sender** (CRE workflow) | Run business logic, encode payload                                                                                                            |
+| 2    | **Sender**                | `runtime.report()` — DON agrees and signs                                                                                                     |
+| 3    | **Sender**                | `sendReport()` — POST report bytes to your URL                                                                                                |
+| 4    | **Receiver**              | Verify signatures, then use payload — see [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain) |
+
+You do **not** download a report from elsewhere before submitting. The sender workflow **creates** it in step 2. Validation always happens on the **receiver** side (CRE workflow, your API, or an onchain forwarder).
+
 ## Guides
 
 - **[Making GET Requests](/cre/guides/workflow/using-http-client/get-request)**: Learn how to fetch data from a public API using a `GET` request.
 - **[Making POST Requests](/cre/guides/workflow/using-http-client/post-request)**: Learn how to send data to an external endpoint using a `POST` request.
 - **[Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http)**: Learn how to submit cryptographically signed reports to an external HTTP endpoint.
+- **[Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain)**: Verify report signatures and read workflow metadata when receiving reports over HTTP or other offchain channels.
diff --git a/src/content/cre/guides/workflow/using-http-client/submitting-reports-http-go.mdx b/src/content/cre/guides/workflow/using-http-client/submitting-reports-http-go.mdx
index 33b1f6575ef..020b911d58c 100644
--- a/src/content/cre/guides/workflow/using-http-client/submitting-reports-http-go.mdx
+++ b/src/content/cre/guides/workflow/using-http-client/submitting-reports-http-go.mdx
@@ -7,12 +7,12 @@ pageId: "guides-workflow-http-submit-reports"
 metadata:
   description: "Send verified reports to external systems in Go: learn to submit cryptographically signed workflow results via HTTP APIs."
   datePublished: "2025-11-04"
-  lastModified: "2025-11-04"
+  lastModified: "2026-05-20"
 ---
 
 import { Aside } from "@components"
 
-This guide shows how to send a cryptographically signed report (generated by your workflow) to an external HTTP API. You'll learn how to write a transformation function that formats the report for your specific API's requirements.
+This guide is for the **sender** side: a CRE workflow that **creates** a signed report and **POSTs** it to an HTTP endpoint.
 
 **What you'll learn:**
 
@@ -25,6 +25,24 @@ This guide shows how to send a cryptographically signed report (generated by you
   This guide covers HTTP submission. For submitting reports to smart contracts, see [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain).
 </Aside>
 
+## Where this guide fits
+
+| Question                    | Answer                                                                                                                                                                     |
+| --------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| What is the report?         | Output of `runtime.GenerateReport()` after your workflow DON reaches consensus: encoded payload + metadata + signatures. Not a Data Streams report.                        |
+| Where does it come from?    | **Inside this workflow**—after your logic runs (fetch data, compute, encode). There is no separate "get report" step.                                                      |
+| What does this guide cover? | Steps 2–3: generate the report, then `SendReport()` to your API.                                                                                                           |
+| Who verifies it?            | The **receiver**—your HTTP service or a separate CRE workflow. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go). |
+
+**Sender flow in one workflow execution:**
+
+1. Trigger fires (cron, HTTP, …).
+2. Your callback runs (API calls, encoding, etc.).
+3. `runtime.GenerateReport()` — DON produces a signed `sdk.ReportResponse`.
+4. `SendReport()` — format and POST to your URL.
+
+For a conceptual overview and diagram, see [API Interactions — CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
+
 ## Prerequisites
 
 - Familiarity with [making POST requests](/cre/guides/workflow/using-http-client/post-request)
@@ -546,15 +564,13 @@ func onCronTrigger(config *Config, runtime cre.Runtime, trigger *cron.Payload) (
 
 1. **Always use `CacheSettings`**: Include caching in every transformation function to prevent worst-case duplicate submission scenarios
 1. **Implement API-side deduplication**: Your receiving API must implement deduplication using the **hash of the report** (`keccak256(RawReport)`) to detect and reject duplicate submissions
-1. **Verify signatures before processing**: Your API must verify the cryptographic signatures against DON public keys before trusting report data (see note below about signature verification)
+1. **Verify on the receiver**: The sender does not validate the report—your API or a [receiver CRE workflow](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go) must verify before trusting payload data
 1. **Match your API's format exactly**: Study your API's documentation to understand the expected format (binary, JSON, headers, etc.)
 1. **Handle errors gracefully**: Check HTTP status codes and provide meaningful error messages
 
 {/* prettier-ignore */}
 <Aside type="caution" title="Signature verification is your responsibility">
-  Unlike onchain submissions (where the `KeystoneForwarder` contract verifies signatures), **HTTP submissions require your API to verify signatures** before trusting the report data.
-  
-  **Documentation coming soon**: "Verifying CRE Reports Offchain" guide.
+  Unlike onchain submissions (where the `KeystoneForwarder` contract verifies signatures), **HTTP submissions require you to verify signatures** before trusting the report data. Use `cre.ParseReport()` in a receiver workflow or implement equivalent checks in your API. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go).
 </Aside>
 
 ## Troubleshooting
@@ -572,6 +588,8 @@ func onCronTrigger(config *Config, runtime cre.Runtime, trigger *cron.Payload) (
 
 ## Learn more
 
+- **[API Interactions — CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http)** — Sender → receiver overview
+- **[Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go)** — Receiver workflow: verify before trusting payload
 - **[HTTP Client SDK Reference](/cre/reference/sdk/http-client)** — Complete API reference including `SendReport` and `sdk.ReportResponse`
 - **[POST Requests](/cre/guides/workflow/using-http-client/post-request)** — Learn about HTTP request patterns and caching
 - **[Generating Reports: Single Values](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values)** — How to create reports from single values
diff --git a/src/content/cre/guides/workflow/using-http-client/submitting-reports-http-ts.mdx b/src/content/cre/guides/workflow/using-http-client/submitting-reports-http-ts.mdx
index eeb286668c6..726506c3561 100644
--- a/src/content/cre/guides/workflow/using-http-client/submitting-reports-http-ts.mdx
+++ b/src/content/cre/guides/workflow/using-http-client/submitting-reports-http-ts.mdx
@@ -7,12 +7,12 @@ pageId: "guides-workflow-http-submit-reports"
 metadata:
   description: "Send verified reports to external systems in TypeScript: learn to submit cryptographically signed workflow results via HTTP APIs."
   datePublished: "2025-11-04"
-  lastModified: "2026-01-20"
+  lastModified: "2026-05-20"
 ---
 
 import { Aside } from "@components"
 
-This guide shows how to send a cryptographically signed report (generated by your workflow) to an external HTTP API. You'll learn how to write a transformation function that formats the report for your specific API's requirements.
+This guide is for the **sender** side: a CRE workflow that **creates** a signed report and **POSTs** it to an HTTP endpoint.
 
 **What you'll learn:**
 
@@ -25,6 +25,24 @@ This guide shows how to send a cryptographically signed report (generated by you
   This guide covers HTTP submission. For submitting reports to smart contracts, see [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/overview-ts).
 </Aside>
 
+## Where this guide fits
+
+| Question                    | Answer                                                                                                                                                                     |
+| --------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| What is the report?         | Output of `runtime.report()` after your workflow DON reaches consensus: encoded payload + metadata + signatures. Not a Data Streams report.                                |
+| Where does it come from?    | **Inside this workflow**—after your logic runs (fetch data, compute, encode). There is no separate "get report" step.                                                      |
+| What does this guide cover? | Steps 2–3: generate the report, then `sendReport()` to your API.                                                                                                           |
+| Who verifies it?            | The **receiver**—your HTTP service or a separate CRE workflow. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts). |
+
+**Sender flow in one workflow execution:**
+
+1. Trigger fires (cron, HTTP, …).
+2. Your callback runs (API calls, encoding, etc.).
+3. `runtime.report()` — DON produces a signed `ReportResponse`.
+4. `sendReport()` — format and POST to your URL.
+
+For a conceptual overview and diagram, see [API Interactions — CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
+
 ## Prerequisites
 
 - Familiarity with [making POST requests](/cre/guides/workflow/using-http-client/post-request)
@@ -560,15 +578,13 @@ const onCronTrigger = (runtime: Runtime<Config>): MyResult => {
 
 1. **Always use `cacheSettings`**: Include caching in every transformation function to prevent worst-case duplicate submission scenarios
 1. **Implement API-side deduplication**: Your receiving API must implement deduplication using the **hash of the report** (`keccak256(rawReport)`) to detect and reject duplicate submissions
-1. **Verify signatures before processing**: Your API must verify the cryptographic signatures against DON public keys before trusting report data (see note below about signature verification)
+1. **Verify on the receiver**: The sender does not validate the report—your API or a [receiver CRE workflow](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts) must verify before trusting payload data
 1. **Match your API's format exactly**: Study your API's documentation to understand the expected format (binary, JSON, headers, etc.)
 1. **Handle errors gracefully**: Check HTTP status codes and provide meaningful error messages
 
 {/* prettier-ignore */}
 <Aside type="caution" title="Signature verification is your responsibility">
-  Unlike onchain submissions (where the `KeystoneForwarder` contract verifies signatures), **HTTP submissions require your API to verify signatures** before trusting the report data.
-  
-  **Documentation coming soon**: "Verifying CRE Reports Offchain" guide.
+  Unlike onchain submissions (where the `KeystoneForwarder` contract verifies signatures), **HTTP submissions require you to verify signatures** before trusting the report data. Use `Report.parse()` in a receiver workflow or implement equivalent checks in your API. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts).
 </Aside>
 
 ## Troubleshooting
@@ -586,6 +602,8 @@ const onCronTrigger = (runtime: Runtime<Config>): MyResult => {
 
 ## Learn more
 
+- **[API Interactions — CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http)** — Sender → receiver overview
+- **[Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts)** — Receiver workflow: verify before trusting payload
 - **[HTTP Client SDK Reference](/cre/reference/sdk/http-client-ts)** — Complete API reference including `sendReport()` and `ReportResponse`
 - **[POST Requests](/cre/guides/workflow/using-http-client/post-request)** — Learn about HTTP request patterns and caching
 - **[Writing Data Onchain](/cre/guides/workflow/using-evm-client/onchain-write/writing-data-onchain)** — Detailed guide on encoding single values, structs, and complex types using Viem
diff --git a/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-go.mdx b/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-go.mdx
new file mode 100644
index 00000000000..24e90663a0f
--- /dev/null
+++ b/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-go.mdx
@@ -0,0 +1,300 @@
+---
+section: cre
+title: "Verifying CRE Reports Offchain"
+date: Last Modified
+sdkLang: "go"
+pageId: "guides-workflow-http-verify-reports-offchain"
+metadata:
+  description: "Verify CRE report signatures offchain in Go: parse reports, validate DON signatures against the onchain registry, and read workflow metadata."
+  datePublished: "2026-05-20"
+  lastModified: "2026-05-20"
+---
+
+import { Aside } from "@components"
+
+This guide is for the **receiver** side: you already received a CRE report package (usually via HTTP) and need to **prove it is authentic** before using the payload.
+
+When a workflow delivers results via HTTP (or another offchain channel), nothing onchain automatically validates the report. **You must verify signatures before trusting the data.**
+
+The CRE SDK provides `cre.ParseReport()` to do this inside a workflow. Verification runs offchain in your callback: signatures are checked with local cryptography, while authorized signer addresses are loaded via **read-only calls to the onchain Capability Registry** (default: Ethereum Mainnet). Results are cached per DON.
+
+{/* prettier-ignore */}
+<Aside type="note" title="Not your workflow deployment registry">
+  This guide uses the **Capability Registry** (DON signers), not the **workflow registry** where you deploy (`private` or `onchain:ethereum-mainnet`). If you deployed with the [private registry](/cre/guides/operations/deploying-to-private-registry-go), `ParseReport` still works the same way. For an HTTP-triggered receiver, use the [enterprise gateway URL](/cre/guides/operations/deploying-to-private-registry-go#http-triggers-with-the-private-registry) when triggering deployed workflows. Local simulation may still need an `ethereum-mainnet` RPC in `project.yaml` for those registry reads, even though private deploy does not.
+</Aside>
+
+{/* prettier-ignore */}
+<Aside type="note" title="Onchain verification is different">
+  When you submit reports onchain through the `KeystoneForwarder`, the forwarder contract verifies signatures before calling your consumer's `onReport`. This guide covers **offchain** verification for HTTP and custom ingest paths. See [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain).
+</Aside>
+
+## Where this guide fits
+
+| Question                     | Answer                                                                                                                                                                                                                        |
+| ---------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| What is the report?          | Same CRE report the **sender** created with `runtime.GenerateReport()`—not a Data Streams report. See [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go#where-this-guide-fits). |
+| Where does it come from?     | Another workflow (or system) already ran sender steps: logic → `GenerateReport()` → HTTP POST. You receive `rawReport`, `context`, and `signatures` in the request body.                                                      |
+| What does this guide cover?  | Step 4: `cre.ParseReport()` before you use `Body()` or take side effects.                                                                                                                                                     |
+| Same workflow as the sender? | Often **no**—common pattern is Workflow A (publish) and Workflow B (ingest with HTTP trigger).                                                                                                                                |
+
+**Receiver flow:**
+
+1. HTTP trigger (or your API) receives the POST payload.
+2. Decode hex fields into bytes.
+3. `cre.ParseReport()` — verify signatures and read metadata.
+4. Use trusted `Body()` in your logic.
+
+For the full sender → receiver diagram, see [API Interactions — CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
+
+## What you'll learn
+
+- When to verify reports offchain vs relying on onchain forwarders
+- How `cre.ParseReport()` validates signatures and reads metadata
+- How to build a receiver workflow that accepts reports over HTTP
+- How to restrict verification to specific CRE environments or zones
+
+## Prerequisites
+
+- **SDK**: `cre-sdk-go` v1.8.0 or later (report verification support)
+- Familiarity with [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go) (report structure and JSON payload patterns)
+- For HTTP-triggered receivers: [HTTP Trigger configuration](/cre/guides/workflow/using-triggers/http-trigger/configuration-go)
+
+## Onchain vs offchain verification
+
+| Aspect               | Offchain (`cre.ParseReport`)                                 | Onchain (`KeystoneForwarder`)     |
+| -------------------- | ------------------------------------------------------------ | --------------------------------- |
+| **Where it runs**    | Inside your CRE workflow callback                            | In a smart contract transaction   |
+| **Signature check**  | Local `ecrecover` on report hash                             | Contract logic onchain            |
+| **Signer allowlist** | Read from Capability Registry (`getDON`, `getNodesByP2PIds`) | Forwarder + registry              |
+| **Typical use**      | HTTP APIs, webhooks, ingest workflows                        | Consumer contracts via `onReport` |
+
+Offchain verification still uses **onchain data as a trust anchor**: the first time a DON is seen, the SDK reads the production Capability Registry on Ethereum Mainnet to learn `f` and authorized signer addresses.
+
+Default (`cre.ProductionEnvironment()`):
+
+- **Chain**: Ethereum Mainnet (chain selector `5009297550715157269`)
+- **Registry**: `0x76c9cf548b4179F8901cda1f8623568b58215E62`
+
+## How verification works
+
+1. **Parse the report header** from `rawReport` (109-byte metadata + body).
+2. **Fetch DON info** from the registry (if not cached): fault tolerance `f` and signer addresses.
+3. **Verify signatures**: compute `keccak256(keccak256(rawReport) || reportContext)`, recover signers, require **f+1** valid signatures from authorized nodes.
+4. **Return a `*cre.Report`** with accessors for workflow ID, owner, execution ID, body, and more.
+
+If verification fails, `cre.ParseReport()` returns an error (for example, `ErrUnknownSigner`, `ErrWrongSignatureCount`, or registry read failure).
+
+## Complete example: HTTP receiver workflow
+
+This workflow accepts a JSON payload (matching the format from [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go#pattern-4-json-formatted-report)), verifies it, then processes the trusted body.
+
+```go
+package main
+
+import (
+	"encoding/hex"
+	"encoding/json"
+	"log/slog"
+
+	"github.com/smartcontractkit/cre-sdk-go/capabilities/networking/http"
+	"github.com/smartcontractkit/cre-sdk-go/cre"
+)
+
+type Config struct {
+	AuthorizedKey string `json:"authorized_key"`
+}
+
+func InitWorkflow(cfg *Config, _ *slog.Logger, _ cre.SecretsProvider) (cre.Workflow[*Config], error) {
+	return cre.Workflow[*Config]{
+		cre.Handler(http.Trigger(&http.Config{AuthorizedKeys: []*http.AuthorizedKey{{PublicKey: cfg.AuthorizedKey}}}), run),
+	}, nil
+}
+
+type ParsedPayload struct {
+	Report  string   `json:"report"`
+	Context string   `json:"context"`
+	Sigs    []string `json:"signatures"`
+}
+
+func (p *ParsedPayload) Decode() (*DecodedReport, error) {
+	report := &DecodedReport{}
+	var err error
+
+	if report.Report, err = hex.DecodeString(p.Report); err != nil {
+		return nil, err
+	}
+	if report.Context, err = hex.DecodeString(p.Context); err != nil {
+		return nil, err
+	}
+
+	report.Sigs = make([][]byte, len(p.Sigs))
+	for i, sigHex := range p.Sigs {
+		report.Sigs[i], err = hex.DecodeString(sigHex)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return report, nil
+}
+
+type DecodedReport struct {
+	Report  []byte
+	Context []byte
+	Sigs    [][]byte
+}
+
+func run(_ *Config, runtime cre.Runtime, payload *http.Payload) (bool, error) {
+	parsed := &ParsedPayload{}
+	if err := json.Unmarshal(payload.Input, parsed); err != nil {
+		return false, err
+	}
+
+	decoded, err := parsed.Decode()
+	if err != nil {
+		return false, err
+	}
+
+	report, err := cre.ParseReport(runtime, decoded.Report, decoded.Sigs, decoded.Context)
+	if err != nil {
+		return false, err
+	}
+
+	runtime.Logger().Info("Verified report",
+		"workflowId", report.WorkflowID(),
+		"executionId", report.ExecutionID(),
+	)
+
+	// Use report.Body() for your application logic (ABI-encoded payload from the sender workflow)
+	_ = report.Body()
+
+	return true, nil
+}
+```
+
+**What's happening:**
+
+1. An external system POSTs hex-encoded `report`, `context`, and `signatures` to your HTTP trigger.
+2. `cre.ParseReport()` verifies signatures against the production CRE registry.
+3. On success, you read metadata and `Body()` safely.
+
+{/* prettier-ignore */}
+<Aside type="caution" title="Hex encoding">
+  The example expects **hex strings without a `0x` prefix** in JSON. Adjust decoding if your API sends `0x`-prefixed values or base64 instead.
+</Aside>
+
+## Report payload format
+
+Receivers need three fields (plus optional metadata your API may add):
+
+| Field        | Description                                                        |
+| ------------ | ------------------------------------------------------------------ |
+| `report`     | Hex-encoded `rawReport` bytes (metadata header + workflow payload) |
+| `context`    | Hex-encoded `reportContext` (config digest + sequence number)      |
+| `signatures` | Array of hex-encoded 65-byte ECDSA signatures from DON nodes       |
+
+The `reportContext` layout used by the SDK:
+
+- Bytes 0–31: config digest
+- Bytes 32–39: sequence number (big-endian `uint64`)
+
+## API reference
+
+See [SDK Reference: Core — Report verification](/cre/reference/sdk/core-go#report-verification) for full signatures, types, and errors.
+
+### `cre.ParseReport()`
+
+```go
+func ParseReport(runtime Runtime, rawReport []byte, signatures [][]byte, reportContext []byte) (*Report, error)
+```
+
+Parses and verifies a report against the production CRE environment. Use `ParseReportWithConfig` for custom environments or zones.
+
+### `*cre.Report` accessors
+
+After a successful parse:
+
+| Method            | Description                               |
+| ----------------- | ----------------------------------------- |
+| `WorkflowID()`    | Workflow hash (`bytes32` as hex)          |
+| `WorkflowOwner()` | Deployer address (hex)                    |
+| `WorkflowName()`  | Workflow name field from metadata         |
+| `ExecutionID()`   | Unique execution identifier               |
+| `DONID()`         | DON that produced the report              |
+| `Timestamp()`     | Report timestamp (Unix seconds)           |
+| `Body()`          | Encoded payload after the 109-byte header |
+| `SeqNr()`         | Sequence number from report context       |
+| `ConfigDigest()`  | Config digest from report context         |
+
+### `cre.ReportParseConfig`
+
+```go
+config := cre.ReportParseConfig{
+    AcceptedZones: []cre.Zone{
+        cre.ZoneFromEnvironment(cre.ProductionEnvironment(), 1),
+    },
+    AcceptedEnvironments: []cre.Environment{cre.ProductionEnvironment()},
+    SkipSignatureVerification: false,
+}
+report, err := cre.ParseReportWithConfig(runtime, rawReport, sigs, reportContext, config)
+```
+
+| Field                       | Description                                                                                                |
+| --------------------------- | ---------------------------------------------------------------------------------------------------------- |
+| `AcceptedEnvironments`      | Registry environments to check (defaults to production)                                                    |
+| `AcceptedZones`             | Restrict to specific DON IDs within an environment                                                         |
+| `SkipSignatureVerification` | Parse header only; call `report.VerifySignatures()` or `VerifySignaturesWithConfig()` afterward when ready |
+
+### Deferred verification
+
+If you set `SkipSignatureVerification: true` in `ParseReportWithConfig`, parse the header first (for filtering), then verify:
+
+```go
+report, err := cre.ParseReportWithConfig(runtime, rawReport, sigs, reportContext, cre.ReportParseConfig{
+    SkipSignatureVerification: true,
+})
+if err != nil {
+    return false, err
+}
+
+// Optional: inspect report.WorkflowID(), report.DONID(), etc. before registry reads
+
+if err := report.VerifySignatures(runtime); err != nil {
+    return false, err
+}
+```
+
+## Best practices
+
+1. **Verify before side effects**: Call `cre.ParseReport()` before writing to databases, chains, or external systems.
+2. **Permission on metadata**: After verification, check `WorkflowID()`, `WorkflowOwner()`, or `DONID()` match your expectations.
+3. **Deduplicate by execution ID**: Use `ExecutionID()` or `keccak256(rawReport)` to reject replays (see [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go#understanding-cachesettings-for-reports)).
+4. **Do not skip signature verification in production** unless you have another trust path.
+
+## Troubleshooting
+
+**`ErrUnknownSigner`**
+
+- Signatures may be from a different DON or stale registry config.
+- Confirm the sender workflow used production CRE and the report was not tampered with.
+
+**`ErrWrongSignatureCount`**
+
+- At least **f+1** valid signatures are required.
+
+**`could not read from chain ...`**
+
+- Registry read failed (RPC/network). Retry or check simulation vs production EVM access.
+
+**`ErrRawReportTooShort`**
+
+- `rawReport` is missing the 109-byte metadata header.
+
+## Learn more
+
+- **[API Interactions — CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http)** — Sender → receiver overview
+- **[Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go)** — Sender workflow: create and POST the report
+- **[SDK Reference: Core — Report verification](/cre/reference/sdk/core-go#report-verification)** — `ParseReport`, `Report`, and `ReportParseConfig`
+- **[HTTP Trigger Overview](/cre/guides/workflow/using-triggers/http-trigger/overview-go)** — Trigger deployed receiver workflows
+- **[Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain)** — Onchain forwarder verification path
+- **[Building Consumer Contracts](/cre/guides/workflow/using-evm-client/onchain-write/building-consumer-contracts)** — Permissioning `onReport` with workflow metadata
diff --git a/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts.mdx b/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts.mdx
new file mode 100644
index 00000000000..4aa4f3e519c
--- /dev/null
+++ b/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts.mdx
@@ -0,0 +1,257 @@
+---
+section: cre
+title: "Verifying CRE Reports Offchain"
+date: Last Modified
+sdkLang: "ts"
+pageId: "guides-workflow-http-verify-reports-offchain"
+metadata:
+  description: "Verify CRE report signatures offchain in TypeScript: parse reports, validate DON signatures against the onchain registry, and read workflow metadata."
+  datePublished: "2026-05-20"
+  lastModified: "2026-05-20"
+---
+
+import { Aside } from "@components"
+
+This guide is for the **receiver** side: you already received a CRE report package (usually via HTTP) and need to **prove it is authentic** before using the payload.
+
+When a workflow delivers results via HTTP (or another offchain channel), nothing onchain automatically validates the report. **You must verify signatures before trusting the data.**
+
+The CRE SDK provides `Report.parse()` to do this inside a workflow. Verification runs **offchain** in your callback: signatures are checked with local cryptography, while authorized signer addresses are loaded via **read-only calls to the onchain Capability Registry** (default: Ethereum Mainnet). Results are cached per DON.
+
+{/* prettier-ignore */}
+<Aside type="note" title="Not your workflow deployment registry">
+  This guide uses the **Capability Registry** (DON signers), not the **workflow registry** where you deploy (`private` or `onchain:ethereum-mainnet`). If you deployed with the [private registry](/cre/guides/operations/deploying-to-private-registry-ts), `Report.parse` still works the same way. For an HTTP-triggered receiver, use the [enterprise gateway URL](/cre/guides/operations/deploying-to-private-registry-ts#http-triggers-with-the-private-registry) when triggering deployed workflows. Local simulation may still need an `ethereum-mainnet` RPC in `project.yaml` for those registry reads, even though private deploy does not.
+</Aside>
+
+{/* prettier-ignore */}
+<Aside type="note" title="Onchain verification is different">
+  When you submit reports onchain through the `KeystoneForwarder`, the forwarder contract verifies signatures before calling your consumer's `onReport`. This guide covers **offchain** verification for HTTP and custom ingest paths. See [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain-ts).
+</Aside>
+
+## Where this guide fits
+
+| Question                     | Answer                                                                                                                                                                                                                |
+| ---------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| What is the report?          | Same CRE report the **sender** created with `runtime.report()`—not a Data Streams report. See [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#where-this-guide-fits). |
+| Where does it come from?     | Another workflow (or system) already ran sender steps: logic → `runtime.report()` → HTTP POST. You receive `rawReport`, `context`, and `signatures` in the request body.                                              |
+| What does this guide cover?  | Step 4: `Report.parse()` before you use `body()` or take side effects.                                                                                                                                                |
+| Same workflow as the sender? | Often **no**—common pattern is Workflow A (publish) and Workflow B (ingest with HTTP trigger).                                                                                                                        |
+
+**Receiver flow:**
+
+1. HTTP trigger (or your API) receives the POST payload.
+2. Decode hex fields into bytes.
+3. `Report.parse()` — verify signatures and read metadata.
+4. Use trusted `body()` in your logic.
+
+For the full sender → receiver diagram, see [API Interactions — CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
+
+## What you'll learn
+
+- When to verify reports offchain vs relying on onchain forwarders
+- How `Report.parse()` validates signatures and reads metadata
+- How to build a receiver workflow that accepts reports over HTTP
+- How to restrict verification to specific CRE environments or zones
+
+## Prerequisites
+
+- **SDK**: `@chainlink/cre-sdk` v1.8.0 or later (report verification support)
+- Familiarity with [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts) (report structure and JSON payload patterns)
+- For HTTP-triggered receivers: [HTTP Trigger configuration](/cre/guides/workflow/using-triggers/http-trigger/configuration-ts)
+
+## Onchain vs offchain verification
+
+| Aspect               | Offchain (`Report.parse`)                                    | Onchain (`KeystoneForwarder`)     |
+| -------------------- | ------------------------------------------------------------ | --------------------------------- |
+| **Where it runs**    | Inside your CRE workflow callback                            | In a smart contract transaction   |
+| **Signature check**  | Local `ecrecover` on report hash                             | Contract logic onchain            |
+| **Signer allowlist** | Read from Capability Registry (`getDON`, `getNodesByP2PIds`) | Forwarder + registry              |
+| **Typical use**      | HTTP APIs, webhooks, ingest workflows                        | Consumer contracts via `onReport` |
+
+Offchain verification still uses **onchain data as a trust anchor**: the first time a DON is seen, the SDK reads the production Capability Registry on Ethereum Mainnet to learn `f` and authorized signer addresses.
+
+Default (`productionEnvironment()`):
+
+- **Chain**: Ethereum Mainnet (chain selector `5009297550715157269`)
+- **Registry**: `0x76c9cf548b4179F8901cda1f8623568b58215E62`
+
+## How verification works
+
+1. **Parse the report header** from `rawReport` (109-byte metadata + body).
+2. **Fetch DON info** from the registry (if not cached): fault tolerance `f` and signer addresses.
+3. **Verify signatures**: compute `keccak256(keccak256(rawReport) || reportContext)`, recover signers, require **f+1** valid signatures from authorized nodes.
+4. **Return a `Report` object** with accessors for workflow ID, owner, execution ID, body, and more.
+
+If verification fails, `Report.parse()` throws (for example, unknown signer, insufficient signatures, or registry read failure).
+
+## Complete example: HTTP receiver workflow
+
+This workflow accepts a JSON payload (matching the format from [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#pattern-4-json-formatted-report)), verifies it, then processes the trusted body.
+
+```typescript
+import {
+  HTTPCapability,
+  handler,
+  Report,
+  type HTTPPayload,
+  type Runtime,
+  type SecretsProvider,
+} from "@chainlink/cre-sdk"
+import { hexToBytes } from "viem"
+import { z } from "zod"
+
+export const configSchema = z
+  .object({
+    authorized_key: z.string(),
+  })
+  .transform((data) => ({
+    authorizedKey: data.authorized_key,
+  }))
+
+export type Config = z.infer<typeof configSchema>
+
+type ParsedPayload = {
+  report: string
+  context: string
+  signatures: string[]
+}
+
+export async function run(runtime: Runtime<Config>, payload: HTTPPayload): Promise<boolean> {
+  const parsed: ParsedPayload = JSON.parse(new TextDecoder().decode(payload.input))
+
+  const rawReport = hexToBytes(`0x${parsed.report}`)
+  const reportContext = hexToBytes(`0x${parsed.context}`)
+  const sigs = parsed.signatures.map((s) => hexToBytes(`0x${s}`))
+
+  const report = await Report.parse(runtime, rawReport, sigs, reportContext)
+
+  runtime.log(`Verified report from workflow ${report.workflowId()}, execution ${report.executionId()}`)
+
+  // Use report.body() for your application logic (ABI-encoded payload from the sender workflow)
+  void report.body()
+
+  return true
+}
+
+export const initWorkflow = (config: Config, _secretsProvider: SecretsProvider) => {
+  const http = new HTTPCapability()
+  return [
+    handler(http.trigger({ authorizedKeys: [{ type: "KEY_TYPE_ECDSA_EVM", publicKey: config.authorizedKey }] }), run),
+  ]
+}
+```
+
+**What's happening:**
+
+1. An external system POSTs hex-encoded `report`, `context`, and `signatures` to your HTTP trigger.
+2. `Report.parse()` verifies signatures against the production CRE registry.
+3. On success, you read metadata and `body()` safely.
+
+{/* prettier-ignore */}
+<Aside type="caution" title="Hex encoding">
+  The example expects **hex strings without a `0x` prefix** in JSON. Adjust decoding if your API sends `0x`-prefixed values or base64 instead.
+</Aside>
+
+## Report payload format
+
+Receivers need three fields (plus optional metadata your API may add):
+
+| Field        | Description                                                        |
+| ------------ | ------------------------------------------------------------------ |
+| `report`     | Hex-encoded `rawReport` bytes (metadata header + workflow payload) |
+| `context`    | Hex-encoded `reportContext` (config digest + sequence number)      |
+| `signatures` | Array of hex-encoded 65-byte ECDSA signatures from DON nodes       |
+
+The `reportContext` layout used by the SDK:
+
+- Bytes 0–31: config digest
+- Bytes 32–39: sequence number (big-endian `uint64`)
+
+## API reference
+
+See [SDK Reference: Core — Report verification](/cre/reference/sdk/core-ts#report-verification) for full signatures, types, and configuration.
+
+### `Report.parse()`
+
+```typescript
+Report.parse(
+  runtime: Runtime,
+  rawReport: Uint8Array,
+  signatures: Uint8Array[],
+  reportContext: Uint8Array,
+  config?: ReportParseConfig,
+): Promise<Report>
+```
+
+Parses and verifies a report. Throws if verification fails.
+
+### `Report` accessors
+
+After a successful parse:
+
+| Method            | Description                               |
+| ----------------- | ----------------------------------------- |
+| `workflowId()`    | Workflow hash (`bytes32` as hex)          |
+| `workflowOwner()` | Deployer address (hex)                    |
+| `workflowName()`  | Workflow name field from metadata         |
+| `executionId()`   | Unique execution identifier               |
+| `donId()`         | DON that produced the report              |
+| `timestamp()`     | Report timestamp (Unix seconds)           |
+| `body()`          | Encoded payload after the 109-byte header |
+| `seqNr()`         | Sequence number from report context       |
+| `configDigest()`  | Config digest from report context         |
+
+### `ReportParseConfig`
+
+```typescript
+import { productionEnvironment, zoneFromEnvironment, type ReportParseConfig } from "@chainlink/cre-sdk"
+
+const config: ReportParseConfig = {
+  acceptedZones: [zoneFromEnvironment(productionEnvironment(), 1)],
+  acceptedEnvironments: [productionEnvironment()],
+  skipSignatureVerification: false,
+}
+```
+
+| Option                      | Description                                                                                                                                                                                                                                                               |
+| --------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `acceptedEnvironments`      | Registry environments to check (defaults to production)                                                                                                                                                                                                                   |
+| `acceptedZones`             | Restrict to specific DON IDs within an environment                                                                                                                                                                                                                        |
+| `skipSignatureVerification` | Parse metadata only, without registry reads or signature checks. Use only for testing or when another layer verifies signatures. There is no separate `verifySignatures()` on `Report` in TypeScript—call `Report.parse()` without this flag for production verification. |
+
+Most workflows should use the default config (production environment only).
+
+## Best practices
+
+1. **Verify before side effects**: Call `Report.parse()` before writing to databases, chains, or external systems.
+2. **Permission on metadata**: After verification, check `workflowId()`, `workflowOwner()`, or `donId()` match your expectations.
+3. **Deduplicate by execution ID**: Use `executionId()` or `keccak256(rawReport)` to reject replays (see [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#understanding-cachesettings-for-reports)).
+4. **Do not skip signature verification in production** unless you have another trust path.
+
+## Troubleshooting
+
+**`invalid signature` / `unknown signer`**
+
+- Signatures may be from a different DON or stale registry config.
+- Confirm the sender workflow used production CRE and the report was not tampered with.
+
+**`wrong number of signatures`**
+
+- At least **f+1** valid signatures are required. Extra invalid signatures are skipped; too few valid ones fails verification.
+
+**`could not read from chain ...`**
+
+- Registry read failed (RPC/network). Retry or check simulation vs production EVM access.
+
+**`raw report too short`**
+
+- `rawReport` is missing the 109-byte metadata header.
+
+## Learn more
+
+- **[API Interactions — CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http)** — Sender → receiver overview
+- **[Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts)** — Sender workflow: create and POST the report
+- **[SDK Reference: Core — Report verification](/cre/reference/sdk/core-ts#report-verification)** — `Report.parse`, accessors, and `ReportParseConfig`
+- **[HTTP Trigger Overview](/cre/guides/workflow/using-triggers/http-trigger/overview-ts)** — Trigger deployed receiver workflows
+- **[Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain-ts)** — Onchain forwarder verification path
+- **[Building Consumer Contracts](/cre/guides/workflow/using-evm-client/onchain-write/building-consumer-contracts-ts)** — Permissioning `onReport` with workflow metadata
diff --git a/src/content/cre/llms-full-go.txt b/src/content/cre/llms-full-go.txt
index c4ba2c00ff9..311ef505e98 100644
--- a/src/content/cre/llms-full-go.txt
+++ b/src/content/cre/llms-full-go.txt
@@ -3770,7 +3770,9 @@ writePromise := reserveManager.WriteReportFromUpdateReserves(runtime, updateData
 Source: https://docs.chain.link/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values
 Last Updated: 2025-11-04
 
-This guide shows how to manually generate a report containing a single value (like `uint256`, `address`, or `bool`). This is useful when you need to send a simple value onchain but don't have a struct or binding helper available.
+This guide shows how to manually generate a **CRE report** containing a single value (like `uint256`, `address`, or `bool`). A CRE report is a DON-signed package from `runtime.GenerateReport()` / `runtime.report()`—your encoded data plus workflow metadata and signatures. It is **not** a [Data Streams](/data-streams) report.
+
+This guide covers **creating** the report (step 2 in the sender flow). **Delivering** it is a separate step—see the table below.
 
 **Use this approach when:**
 
@@ -3790,10 +3792,12 @@ Manually generating a report for a single value involves two main steps:
 1. **ABI-encode the value** into bytes using the `go-ethereum/accounts/abi` package
 2. **Generate a cryptographically signed report** using `runtime.GenerateReport()`
 
-The resulting report can then be:
+| After `GenerateReport()` / `report()`        | Guide                                                                                                        | Who verifies?                                                                                                             |
+| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------- |
+| `evm.Client.WriteReport()` / `writeReport()` | [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain) | `KeystoneForwarder` onchain                                                                                               |
+| `http.Client` `SendReport()`                 | [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http)                | Receiver: [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain) or your API |
 
-- Submitted to the blockchain via `evm.Client.WriteReport()` (see [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain))
-- Sent to an HTTP endpoint via `http.Client` (see [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http))
+See [API Interactions — CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http) for the sender → receiver mental model.
 
 <Aside type="note" title="Have a struct in your contract's ABI?">
   If your struct appears in a public/external function's signature, you can use the simpler `WriteReportFrom<StructName>()` helper instead. See [Using WriteReportFrom Helpers](/cre/guides/workflow/using-evm-client/onchain-write/using-write-report-helpers).
@@ -4032,7 +4036,9 @@ func main() {
 Source: https://docs.chain.link/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-structs
 Last Updated: 2025-11-04
 
-This guide shows how to generate a report containing a struct with multiple fields. There are two approaches depending on whether you have generated bindings for your contract.
+This guide shows how to generate a **CRE report** containing a struct with multiple fields. A CRE report is a DON-signed package from `runtime.GenerateReport()`—not a [Data Streams](/data-streams) report. After generation, deliver it [onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain) or via [HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http); HTTP receivers should [verify offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain). See [CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
+
+There are two encoding approaches depending on whether you have generated bindings for your contract.
 
 ## Choosing your approach
 
@@ -4408,7 +4414,12 @@ func main() {
 Source: https://docs.chain.link/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain
 Last Updated: 2025-11-04
 
-This guide shows how to manually submit a generated report to the blockchain using the low-level `evm.Client.WriteReport()` method.
+This guide shows how to manually submit a generated **CRE report** to the blockchain using the low-level `evm.Client.WriteReport()` method. The forwarder verifies signatures onchain—no separate [offchain verification](/cre/guides/workflow/using-http-client/verifying-reports-offchain) step.
+
+
+<Aside type="note" title="HTTP delivery instead?">
+  If you need to POST the report to an API rather than a contract, generate the report the same way ([single values](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values) or [structs](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-structs)), then follow [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http). See [CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
+</Aside>
 
 **Use this approach when:**
 
@@ -4710,7 +4721,7 @@ See the [CLI Reference](/cre/reference/cli/workflow#cre-workflow-simulate) for m
 
 # API Interactions
 Source: https://docs.chain.link/cre/guides/workflow/using-http-client
-Last Updated: 2026-03-17
+Last Updated: 2026-05-20
 
 The CRE SDK provides an HTTP client that allows your workflows to interact with external APIs. Use it to fetch offchain data, send results to other systems, or trigger external events.
 
@@ -4726,11 +4737,40 @@ The CRE SDK provides an HTTP client that allows your workflows to interact with
 
 These guides will walk you through the common use cases for the HTTP client.
 
+## CRE reports over HTTP
+
+A **CRE report** is a DON-signed package your workflow creates with `runtime.report()` (TypeScript) or `runtime.GenerateReport()` (Go). It contains your encoded payload, workflow metadata, and cryptographic signatures. It is **not** a [Data Streams](/data-streams) report—those come from a different product.
+
+Most secure HTTP integrations use two roles:
+
+```mermaid
+flowchart LR
+  subgraph sender ["Sender workflow (this guide's focus)"]
+    A[Trigger] --> B[Your logic]
+    B --> C["runtime.report()"]
+    C --> D["sendReport() → HTTP POST"]
+  end
+  subgraph receiver ["Receiver (separate system)"]
+    D --> E[Your API or CRE HTTP trigger]
+    E --> F["Report.parse() before trusting data"]
+  end
+```
+
+| Step | Who                       | What happens                                                                                                                                  |
+| ---- | ------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
+| 1    | **Sender** (CRE workflow) | Run business logic, encode payload                                                                                                            |
+| 2    | **Sender**                | `runtime.report()` — DON agrees and signs                                                                                                     |
+| 3    | **Sender**                | `sendReport()` — POST report bytes to your URL                                                                                                |
+| 4    | **Receiver**              | Verify signatures, then use payload — see [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain) |
+
+You do **not** download a report from elsewhere before submitting. The sender workflow **creates** it in step 2. Validation always happens on the **receiver** side (CRE workflow, your API, or an onchain forwarder).
+
 ## Guides
 
 - **[Making GET Requests](/cre/guides/workflow/using-http-client/get-request)**: Learn how to fetch data from a public API using a `GET` request.
 - **[Making POST Requests](/cre/guides/workflow/using-http-client/post-request)**: Learn how to send data to an external endpoint using a `POST` request.
 - **[Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http)**: Learn how to submit cryptographically signed reports to an external HTTP endpoint.
+- **[Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain)**: Verify report signatures and read workflow metadata when receiving reports over HTTP or other offchain channels.
 
 ---
 
@@ -14231,6 +14271,17 @@ Here's the journey your workflow's data takes to reach the blockchain:
 
 Your workflow code handles this process using the [`evm.Client`](/cre/reference/sdk/evm-client), which manages the interaction with the Forwarder contract. Depending on your approach (covered below), this can be fully automated via generated binding helpers or done manually with direct client calls.
 
+### Where reports can go after generation
+
+The same signed report from `runtime.GenerateReport()` can be delivered in different ways:
+
+| Destination                    | Guide                                                                                                                       | Verification                                                                                                           |
+| ------------------------------ | --------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- |
+| Smart contract (via Forwarder) | This section + [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain) | Onchain in `KeystoneForwarder`                                                                                         |
+| HTTP API                       | [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go)                            | [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go) on the receiver |
+
+See [CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http) for the sender → receiver flow. CRE reports are not [Data Streams](/data-streams) reports.
+
 
 <Aside type="caution" title="Replay attacks">
   Signed reports can be replayed on a different chain or resubmitted on the same chain after a revert. For any workflow that performs state-changing actions, you must embed protective metadata in the report payload and verify it in your consumer contract. See [Replay attacks](/cre/guides/workflow/using-evm-client/onchain-write/building-consumer-contracts#replay-attacks) for full examples.
@@ -15261,9 +15312,9 @@ func onCronTrigger(config *Config, runtime cre.Runtime, trigger *cron.Payload) (
 
 # Submitting Reports via HTTP
 Source: https://docs.chain.link/cre/guides/workflow/using-http-client/submitting-reports-http-go
-Last Updated: 2025-11-04
+Last Updated: 2026-05-20
 
-This guide shows how to send a cryptographically signed report (generated by your workflow) to an external HTTP API. You'll learn how to write a transformation function that formats the report for your specific API's requirements.
+This guide is for the **sender** side: a CRE workflow that **creates** a signed report and **POSTs** it to an HTTP endpoint.
 
 **What you'll learn:**
 
@@ -15276,6 +15327,24 @@ This guide shows how to send a cryptographically signed report (generated by you
   This guide covers HTTP submission. For submitting reports to smart contracts, see [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain).
 </Aside>
 
+## Where this guide fits
+
+| Question                    | Answer                                                                                                                                                                     |
+| --------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| What is the report?         | Output of `runtime.GenerateReport()` after your workflow DON reaches consensus: encoded payload + metadata + signatures. Not a Data Streams report.                        |
+| Where does it come from?    | **Inside this workflow**—after your logic runs (fetch data, compute, encode). There is no separate "get report" step.                                                      |
+| What does this guide cover? | Steps 2–3: generate the report, then `SendReport()` to your API.                                                                                                           |
+| Who verifies it?            | The **receiver**—your HTTP service or a separate CRE workflow. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go). |
+
+**Sender flow in one workflow execution:**
+
+1. Trigger fires (cron, HTTP, …).
+2. Your callback runs (API calls, encoding, etc.).
+3. `runtime.GenerateReport()` — DON produces a signed `sdk.ReportResponse`.
+4. `SendReport()` — format and POST to your URL.
+
+For a conceptual overview and diagram, see [API Interactions — CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
+
 ## Prerequisites
 
 - Familiarity with [making POST requests](/cre/guides/workflow/using-http-client/post-request)
@@ -15797,15 +15866,13 @@ func onCronTrigger(config *Config, runtime cre.Runtime, trigger *cron.Payload) (
 
 1. **Always use `CacheSettings`**: Include caching in every transformation function to prevent worst-case duplicate submission scenarios
 2. **Implement API-side deduplication**: Your receiving API must implement deduplication using the **hash of the report** (`keccak256(RawReport)`) to detect and reject duplicate submissions
-3. **Verify signatures before processing**: Your API must verify the cryptographic signatures against DON public keys before trusting report data (see note below about signature verification)
+3. **Verify on the receiver**: The sender does not validate the report—your API or a [receiver CRE workflow](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go) must verify before trusting payload data
 4. **Match your API's format exactly**: Study your API's documentation to understand the expected format (binary, JSON, headers, etc.)
 5. **Handle errors gracefully**: Check HTTP status codes and provide meaningful error messages
 
 
 <Aside type="caution" title="Signature verification is your responsibility">
-  Unlike onchain submissions (where the `KeystoneForwarder` contract verifies signatures), **HTTP submissions require your API to verify signatures** before trusting the report data.
-
-  **Documentation coming soon**: "Verifying CRE Reports Offchain" guide.
+  Unlike onchain submissions (where the `KeystoneForwarder` contract verifies signatures), **HTTP submissions require you to verify signatures** before trusting the report data. Use `cre.ParseReport()` in a receiver workflow or implement equivalent checks in your API. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go).
 </Aside>
 
 ## Troubleshooting
@@ -15823,6 +15890,8 @@ func onCronTrigger(config *Config, runtime cre.Runtime, trigger *cron.Payload) (
 
 ## Learn more
 
+- **[API Interactions — CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http)** — Sender → receiver overview
+- **[Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go)** — Receiver workflow: verify before trusting payload
 - **[HTTP Client SDK Reference](/cre/reference/sdk/http-client)** — Complete API reference including `SendReport` and `sdk.ReportResponse`
 - **[POST Requests](/cre/guides/workflow/using-http-client/post-request)** — Learn about HTTP request patterns and caching
 - **[Generating Reports: Single Values](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values)** — How to create reports from single values
@@ -15831,6 +15900,299 @@ func onCronTrigger(config *Config, runtime cre.Runtime, trigger *cron.Payload) (
 
 ---
 
+# Verifying CRE Reports Offchain
+Source: https://docs.chain.link/cre/guides/workflow/using-http-client/verifying-reports-offchain-go
+Last Updated: 2026-05-20
+
+This guide is for the **receiver** side: you already received a CRE report package (usually via HTTP) and need to **prove it is authentic** before using the payload.
+
+When a workflow delivers results via HTTP (or another offchain channel), nothing onchain automatically validates the report. **You must verify signatures before trusting the data.**
+
+The CRE SDK provides `cre.ParseReport()` to do this inside a workflow. Verification runs offchain in your callback: signatures are checked with local cryptography, while authorized signer addresses are loaded via **read-only calls to the onchain Capability Registry** (default: Ethereum Mainnet). Results are cached per DON.
+
+
+<Aside type="note" title="Not your workflow deployment registry">
+  This guide uses the **Capability Registry** (DON signers), not the **workflow registry** where you deploy (`private` or `onchain:ethereum-mainnet`). If you deployed with the [private registry](/cre/guides/operations/deploying-to-private-registry-go), `ParseReport` still works the same way. For an HTTP-triggered receiver, use the [enterprise gateway URL](/cre/guides/operations/deploying-to-private-registry-go#http-triggers-with-the-private-registry) when triggering deployed workflows. Local simulation may still need an `ethereum-mainnet` RPC in `project.yaml` for those registry reads, even though private deploy does not.
+</Aside>
+
+
+<Aside type="note" title="Onchain verification is different">
+  When you submit reports onchain through the `KeystoneForwarder`, the forwarder contract verifies signatures before calling your consumer's `onReport`. This guide covers **offchain** verification for HTTP and custom ingest paths. See [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain).
+</Aside>
+
+## Where this guide fits
+
+| Question                     | Answer                                                                                                                                                                                                                        |
+| ---------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| What is the report?          | Same CRE report the **sender** created with `runtime.GenerateReport()`—not a Data Streams report. See [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go#where-this-guide-fits). |
+| Where does it come from?     | Another workflow (or system) already ran sender steps: logic → `GenerateReport()` → HTTP POST. You receive `rawReport`, `context`, and `signatures` in the request body.                                                      |
+| What does this guide cover?  | Step 4: `cre.ParseReport()` before you use `Body()` or take side effects.                                                                                                                                                     |
+| Same workflow as the sender? | Often **no**—common pattern is Workflow A (publish) and Workflow B (ingest with HTTP trigger).                                                                                                                                |
+
+**Receiver flow:**
+
+1. HTTP trigger (or your API) receives the POST payload.
+2. Decode hex fields into bytes.
+3. `cre.ParseReport()` — verify signatures and read metadata.
+4. Use trusted `Body()` in your logic.
+
+For the full sender → receiver diagram, see [API Interactions — CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
+
+## What you'll learn
+
+- When to verify reports offchain vs relying on onchain forwarders
+- How `cre.ParseReport()` validates signatures and reads metadata
+- How to build a receiver workflow that accepts reports over HTTP
+- How to restrict verification to specific CRE environments or zones
+
+## Prerequisites
+
+- **SDK**: `cre-sdk-go` v1.8.0 or later (report verification support)
+- Familiarity with [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go) (report structure and JSON payload patterns)
+- For HTTP-triggered receivers: [HTTP Trigger configuration](/cre/guides/workflow/using-triggers/http-trigger/configuration-go)
+
+## Onchain vs offchain verification
+
+| Aspect               | Offchain (`cre.ParseReport`)                                 | Onchain (`KeystoneForwarder`)     |
+| -------------------- | ------------------------------------------------------------ | --------------------------------- |
+| **Where it runs**    | Inside your CRE workflow callback                            | In a smart contract transaction   |
+| **Signature check**  | Local `ecrecover` on report hash                             | Contract logic onchain            |
+| **Signer allowlist** | Read from Capability Registry (`getDON`, `getNodesByP2PIds`) | Forwarder + registry              |
+| **Typical use**      | HTTP APIs, webhooks, ingest workflows                        | Consumer contracts via `onReport` |
+
+Offchain verification still uses **onchain data as a trust anchor**: the first time a DON is seen, the SDK reads the production Capability Registry on Ethereum Mainnet to learn `f` and authorized signer addresses.
+
+Default (`cre.ProductionEnvironment()`):
+
+- **Chain**: Ethereum Mainnet (chain selector `5009297550715157269`)
+- **Registry**: `0x76c9cf548b4179F8901cda1f8623568b58215E62`
+
+## How verification works
+
+1. **Parse the report header** from `rawReport` (109-byte metadata + body).
+2. **Fetch DON info** from the registry (if not cached): fault tolerance `f` and signer addresses.
+3. **Verify signatures**: compute `keccak256(keccak256(rawReport) || reportContext)`, recover signers, require **f+1** valid signatures from authorized nodes.
+4. **Return a `*cre.Report`** with accessors for workflow ID, owner, execution ID, body, and more.
+
+If verification fails, `cre.ParseReport()` returns an error (for example, `ErrUnknownSigner`, `ErrWrongSignatureCount`, or registry read failure).
+
+## Complete example: HTTP receiver workflow
+
+This workflow accepts a JSON payload (matching the format from [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go#pattern-4-json-formatted-report)), verifies it, then processes the trusted body.
+
+```go
+package main
+
+import (
+	"encoding/hex"
+	"encoding/json"
+	"log/slog"
+
+	"github.com/smartcontractkit/cre-sdk-go/capabilities/networking/http"
+	"github.com/smartcontractkit/cre-sdk-go/cre"
+)
+
+type Config struct {
+	AuthorizedKey string `json:"authorized_key"`
+}
+
+func InitWorkflow(cfg *Config, _ *slog.Logger, _ cre.SecretsProvider) (cre.Workflow[*Config], error) {
+	return cre.Workflow[*Config]{
+		cre.Handler(http.Trigger(&http.Config{AuthorizedKeys: []*http.AuthorizedKey{{PublicKey: cfg.AuthorizedKey}}}), run),
+	}, nil
+}
+
+type ParsedPayload struct {
+	Report  string   `json:"report"`
+	Context string   `json:"context"`
+	Sigs    []string `json:"signatures"`
+}
+
+func (p *ParsedPayload) Decode() (*DecodedReport, error) {
+	report := &DecodedReport{}
+	var err error
+
+	if report.Report, err = hex.DecodeString(p.Report); err != nil {
+		return nil, err
+	}
+	if report.Context, err = hex.DecodeString(p.Context); err != nil {
+		return nil, err
+	}
+
+	report.Sigs = make([][]byte, len(p.Sigs))
+	for i, sigHex := range p.Sigs {
+		report.Sigs[i], err = hex.DecodeString(sigHex)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return report, nil
+}
+
+type DecodedReport struct {
+	Report  []byte
+	Context []byte
+	Sigs    [][]byte
+}
+
+func run(_ *Config, runtime cre.Runtime, payload *http.Payload) (bool, error) {
+	parsed := &ParsedPayload{}
+	if err := json.Unmarshal(payload.Input, parsed); err != nil {
+		return false, err
+	}
+
+	decoded, err := parsed.Decode()
+	if err != nil {
+		return false, err
+	}
+
+	report, err := cre.ParseReport(runtime, decoded.Report, decoded.Sigs, decoded.Context)
+	if err != nil {
+		return false, err
+	}
+
+	runtime.Logger().Info("Verified report",
+		"workflowId", report.WorkflowID(),
+		"executionId", report.ExecutionID(),
+	)
+
+	// Use report.Body() for your application logic (ABI-encoded payload from the sender workflow)
+	_ = report.Body()
+
+	return true, nil
+}
+```
+
+**What's happening:**
+
+1. An external system POSTs hex-encoded `report`, `context`, and `signatures` to your HTTP trigger.
+2. `cre.ParseReport()` verifies signatures against the production CRE registry.
+3. On success, you read metadata and `Body()` safely.
+
+
+<Aside type="caution" title="Hex encoding">
+  The example expects **hex strings without a `0x` prefix** in JSON. Adjust decoding if your API sends `0x`-prefixed values or base64 instead.
+</Aside>
+
+## Report payload format
+
+Receivers need three fields (plus optional metadata your API may add):
+
+| Field        | Description                                                        |
+| ------------ | ------------------------------------------------------------------ |
+| `report`     | Hex-encoded `rawReport` bytes (metadata header + workflow payload) |
+| `context`    | Hex-encoded `reportContext` (config digest + sequence number)      |
+| `signatures` | Array of hex-encoded 65-byte ECDSA signatures from DON nodes       |
+
+The `reportContext` layout used by the SDK:
+
+- Bytes 0–31: config digest
+- Bytes 32–39: sequence number (big-endian `uint64`)
+
+## API reference
+
+See [SDK Reference: Core — Report verification](/cre/reference/sdk/core-go#report-verification) for full signatures, types, and errors.
+
+### `cre.ParseReport()`
+
+```go
+func ParseReport(runtime Runtime, rawReport []byte, signatures [][]byte, reportContext []byte) (*Report, error)
+```
+
+Parses and verifies a report against the production CRE environment. Use `ParseReportWithConfig` for custom environments or zones.
+
+### `*cre.Report` accessors
+
+After a successful parse:
+
+| Method            | Description                               |
+| ----------------- | ----------------------------------------- |
+| `WorkflowID()`    | Workflow hash (`bytes32` as hex)          |
+| `WorkflowOwner()` | Deployer address (hex)                    |
+| `WorkflowName()`  | Workflow name field from metadata         |
+| `ExecutionID()`   | Unique execution identifier               |
+| `DONID()`         | DON that produced the report              |
+| `Timestamp()`     | Report timestamp (Unix seconds)           |
+| `Body()`          | Encoded payload after the 109-byte header |
+| `SeqNr()`         | Sequence number from report context       |
+| `ConfigDigest()`  | Config digest from report context         |
+
+### `cre.ReportParseConfig`
+
+```go
+config := cre.ReportParseConfig{
+    AcceptedZones: []cre.Zone{
+        cre.ZoneFromEnvironment(cre.ProductionEnvironment(), 1),
+    },
+    AcceptedEnvironments: []cre.Environment{cre.ProductionEnvironment()},
+    SkipSignatureVerification: false,
+}
+report, err := cre.ParseReportWithConfig(runtime, rawReport, sigs, reportContext, config)
+```
+
+| Field                       | Description                                                                                                |
+| --------------------------- | ---------------------------------------------------------------------------------------------------------- |
+| `AcceptedEnvironments`      | Registry environments to check (defaults to production)                                                    |
+| `AcceptedZones`             | Restrict to specific DON IDs within an environment                                                         |
+| `SkipSignatureVerification` | Parse header only; call `report.VerifySignatures()` or `VerifySignaturesWithConfig()` afterward when ready |
+
+### Deferred verification
+
+If you set `SkipSignatureVerification: true` in `ParseReportWithConfig`, parse the header first (for filtering), then verify:
+
+```go
+report, err := cre.ParseReportWithConfig(runtime, rawReport, sigs, reportContext, cre.ReportParseConfig{
+    SkipSignatureVerification: true,
+})
+if err != nil {
+    return false, err
+}
+
+// Optional: inspect report.WorkflowID(), report.DONID(), etc. before registry reads
+
+if err := report.VerifySignatures(runtime); err != nil {
+    return false, err
+}
+```
+
+## Best practices
+
+1. **Verify before side effects**: Call `cre.ParseReport()` before writing to databases, chains, or external systems.
+2. **Permission on metadata**: After verification, check `WorkflowID()`, `WorkflowOwner()`, or `DONID()` match your expectations.
+3. **Deduplicate by execution ID**: Use `ExecutionID()` or `keccak256(rawReport)` to reject replays (see [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go#understanding-cachesettings-for-reports)).
+4. **Do not skip signature verification in production** unless you have another trust path.
+
+## Troubleshooting
+
+**`ErrUnknownSigner`**
+
+- Signatures may be from a different DON or stale registry config.
+- Confirm the sender workflow used production CRE and the report was not tampered with.
+
+**`ErrWrongSignatureCount`**
+
+- At least **f+1** valid signatures are required.
+
+**`could not read from chain ...`**
+
+- Registry read failed (RPC/network). Retry or check simulation vs production EVM access.
+
+**`ErrRawReportTooShort`**
+
+- `rawReport` is missing the 109-byte metadata header.
+
+## Learn more
+
+- **[API Interactions — CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http)** — Sender → receiver overview
+- **[Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go)** — Sender workflow: create and POST the report
+- **[SDK Reference: Core — Report verification](/cre/reference/sdk/core-go#report-verification)** — `ParseReport`, `Report`, and `ReportParseConfig`
+- **[HTTP Trigger Overview](/cre/guides/workflow/using-triggers/http-trigger/overview-go)** — Trigger deployed receiver workflows
+- **[Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain)** — Onchain forwarder verification path
+- **[Building Consumer Contracts](/cre/guides/workflow/using-evm-client/onchain-write/building-consumer-contracts)** — Permissioning `onReport` with workflow metadata
+
+---
+
 # Cron Trigger
 Source: https://docs.chain.link/cre/guides/workflow/using-triggers/cron-trigger-go
 Last Updated: 2025-11-04
@@ -17864,7 +18226,7 @@ You can apply the `consensus_aggregation` tag to the fields of your struct.
 
 # SDK Reference: Core
 Source: https://docs.chain.link/cre/reference/sdk/core-go
-Last Updated: 2026-04-20
+Last Updated: 2026-05-20
 
 This page provides a reference for the core data structures and functions of the CRE Go SDK. These are the fundamental building blocks that every workflow uses, regardless of trigger types or capabilities.
 
@@ -18173,6 +18535,83 @@ func onTrigger(config *Config, runtime cre.Runtime, ...) (string, error) {
   guide](/cre/guides/workflow/secrets).
 </Aside>
 
+## Report verification
+
+Parse and verify CRE reports received over HTTP or other offchain channels. Requires **cre-sdk-go v1.8.0** or later.
+
+
+<Aside type="note" title="Guide">
+  For end-to-end examples (HTTP receiver workflow, payload format, private registry notes), see [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go). To **send** reports via HTTP, see [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go).
+</Aside>
+
+Verification runs in your callback: signatures are checked offchain, while authorized signers are loaded from the onchain **Capability Registry** (default: `cre.ProductionEnvironment()` on Ethereum Mainnet). This is not the workflow deployment registry (`private` or onchain).
+
+### `cre.ParseReport`
+
+**Signature:**
+
+```go
+func ParseReport(runtime Runtime, rawReport []byte, signatures [][]byte, reportContext []byte) (*Report, error)
+```
+
+Parses a report and verifies signatures against `cre.ProductionEnvironment()`. Registry reads are cached per chain and DON.
+
+### `cre.ParseReportWithConfig`
+
+**Signature:**
+
+```go
+func ParseReportWithConfig(runtime Runtime, rawReport []byte, signatures [][]byte, reportContext []byte, config ReportParseConfig) (*Report, error)
+```
+
+Same as `ParseReport`, with custom accepted environments or zones. Set `SkipSignatureVerification: true` to parse metadata only; call `report.VerifySignatures()` afterward when ready.
+
+### `Report` accessors
+
+After a successful parse:
+
+| Method            | Returns  | Description                                |
+| ----------------- | -------- | ------------------------------------------ |
+| `WorkflowID()`    | `string` | Workflow hash (hex)                        |
+| `WorkflowOwner()` | `string` | Workflow owner (hex)                       |
+| `WorkflowName()`  | `string` | Workflow name from metadata                |
+| `ExecutionID()`   | `string` | Execution identifier (hex)                 |
+| `DONID()`         | `uint32` | DON that produced the report               |
+| `Body()`          | `[]byte` | Payload after the 109-byte metadata header |
+| `SeqNr()`         | `uint64` | Sequence number                            |
+| `ConfigDigest()`  | `[]byte` | Config digest                              |
+| `ReportContext()` | `[]byte` | Full report context bytes                  |
+| `RawReport()`     | `[]byte` | Full raw report bytes                      |
+
+### `ReportParseConfig`
+
+| Field                       | Type            | Description                                           |
+| --------------------------- | --------------- | ----------------------------------------------------- |
+| `AcceptedEnvironments`      | `[]Environment` | Registry environments to try (defaults to production) |
+| `AcceptedZones`             | `[]Zone`        | Restrict verification to specific DON IDs             |
+| `SkipSignatureVerification` | `bool`          | Parse header only; call `VerifySignatures` separately |
+
+### `cre.ProductionEnvironment` and `cre.ZoneFromEnvironment`
+
+```go
+func ProductionEnvironment() Environment  // mainnet Capability Registry
+func ZoneFromEnvironment(env Environment, donId uint32) Zone
+```
+
+| `Environment` field | Type     | Description                                              |
+| ------------------- | -------- | -------------------------------------------------------- |
+| `ChainSelector`     | `uint64` | Chain selector for EVM reads (default: Ethereum Mainnet) |
+| `RegistryAddress`   | `string` | Capability Registry contract address                     |
+
+### Verification errors
+
+| Error                    | When                                         |
+| ------------------------ | -------------------------------------------- |
+| `ErrUnknownSigner`       | Recovered signer not in registry allowlist   |
+| `ErrWrongSignatureCount` | Fewer than f+1 valid signatures              |
+| `ErrRawReportTooShort`   | `rawReport` missing 109-byte metadata header |
+| `ErrDuplicateSigner`     | Same signer twice in accepted set            |
+
 ## `cre.OrderedEntries` and `cre.OrderedEntriesFunc`
 
 Go maps iterate in random order, which causes consensus failures in DON mode because different nodes process entries in different sequences. These helpers return a deterministic iterator over a map's entries, sorted by key, so all nodes process items in the same order.
@@ -18629,15 +19068,17 @@ The HTTP Client lets you make requests to external APIs from your workflow. Each
 - Fetching data from REST APIs ([GET requests](/cre/guides/workflow/using-http-client/get-request))
 - Sending data to webhooks ([POST requests](/cre/guides/workflow/using-http-client/post-request))
 - Submitting reports to offchain systems ([Report submission](/cre/guides/workflow/using-http-client/submitting-reports-http))
+- Verifying reports received over HTTP ([Report verification](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go))
 
 ## Quick reference
 
-| Method                                                 | Use When                                  | Guide                                                                                                                   |
-| ------------------------------------------------------ | ----------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- |
-| [`http.SendRequest`](#httpsendrequest)                 | Making HTTP calls (recommended)           | [GET](/cre/guides/workflow/using-http-client/get-request) / [POST](/cre/guides/workflow/using-http-client/post-request) |
-| [`client.SendRequest`](#clientsendrequest)             | Complex scenarios requiring fine control  | [GET](/cre/guides/workflow/using-http-client/get-request#2-the-creruninnodemode-pattern-low-level)                      |
-| [`sendRequester.SendReport`](#sendrequestersendreport) | Submitting reports via HTTP (recommended) | [Report submission](/cre/guides/workflow/using-http-client/submitting-reports-http)                                     |
-| [`client.SendReport`](#clientsendreport)               | Complex report submission scenarios       | [Report submission](/cre/guides/workflow/using-http-client/submitting-reports-http#advanced-low-level-pattern)          |
+| Method                                                              | Use When                                  | Guide                                                                                                                   |
+| ------------------------------------------------------------------- | ----------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- |
+| [`http.SendRequest`](#httpsendrequest)                              | Making HTTP calls (recommended)           | [GET](/cre/guides/workflow/using-http-client/get-request) / [POST](/cre/guides/workflow/using-http-client/post-request) |
+| [`client.SendRequest`](#clientsendrequest)                          | Complex scenarios requiring fine control  | [GET](/cre/guides/workflow/using-http-client/get-request#2-the-creruninnodemode-pattern-low-level)                      |
+| [`sendRequester.SendReport`](#sendrequestersendreport)              | Submitting reports via HTTP (recommended) | [Report submission](/cre/guides/workflow/using-http-client/submitting-reports-http)                                     |
+| [`client.SendReport`](#clientsendreport)                            | Complex report submission scenarios       | [Report submission](/cre/guides/workflow/using-http-client/submitting-reports-http#advanced-low-level-pattern)          |
+| [`cre.ParseReport`](/cre/reference/sdk/core-go#report-verification) | Verifying received reports (receiver)     | [Report verification](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go)                             |
 
 ## Core types
 
@@ -19009,6 +19450,11 @@ func formatReport(r *sdk.ReportResponse) (*http.Request, error) {
 
 For complete examples of including signatures in different formats (body, headers, JSON), see the [Submitting Reports via HTTP guide](/cre/guides/workflow/using-http-client/submitting-reports-http#formatting-patterns).
 
+
+<Aside type="note" title="Receiving and verifying reports">
+  If your workflow **receives** reports (for example via an HTTP trigger), use [`cre.ParseReport`](/cre/reference/sdk/core-go#report-verification) before trusting payload data. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go).
+</Aside>
+
 ---
 
 # SDK Reference
@@ -19021,7 +19467,7 @@ This section provides a detailed technical reference for the public interfaces o
 
 The SDK Reference is broken down into several pages, each corresponding to a core part of the SDK's functionality:
 
-- **[Core SDK](/cre/reference/sdk/core)**: Covers the fundamental building blocks of any workflow, including `cre.Handler`, `cre.Runtime`, `cre.Promise`, and map iteration helpers `cre.OrderedEntries` / `cre.OrderedEntriesFunc`.
+- **[Core SDK](/cre/reference/sdk/core)**: Covers the fundamental building blocks of any workflow, including `cre.Handler`, `cre.Runtime`, `cre.Promise`, report verification (`cre.ParseReport`), and map iteration helpers `cre.OrderedEntries` / `cre.OrderedEntriesFunc`.
 - **[Triggers](/cre/reference/sdk/triggers)**: Details the configuration and payload structures for all available trigger types (`Cron`, `HTTP`, `EVM Log`).
 - **[EVM Client](/cre/reference/sdk/evm-client)**: Provides a reference for the `evm.Client`, the primary tool for all EVM interactions, including reads and writes.
 - **[HTTP Client](/cre/reference/sdk/http-client)**: Provides a reference for the `http.Client`, used for making offchain API requests from individual nodes.
diff --git a/src/content/cre/llms-full-ts.txt b/src/content/cre/llms-full-ts.txt
index f63f5974f4d..81209ecf093 100644
--- a/src/content/cre/llms-full-ts.txt
+++ b/src/content/cre/llms-full-ts.txt
@@ -4030,7 +4030,7 @@ if (writeResult.txStatus === TxStatus.SUCCESS) {
 
 # API Interactions
 Source: https://docs.chain.link/cre/guides/workflow/using-http-client
-Last Updated: 2026-03-17
+Last Updated: 2026-05-20
 
 The CRE SDK provides an HTTP client that allows your workflows to interact with external APIs. Use it to fetch offchain data, send results to other systems, or trigger external events.
 
@@ -4046,11 +4046,40 @@ The CRE SDK provides an HTTP client that allows your workflows to interact with
 
 These guides will walk you through the common use cases for the HTTP client.
 
+## CRE reports over HTTP
+
+A **CRE report** is a DON-signed package your workflow creates with `runtime.report()` (TypeScript) or `runtime.GenerateReport()` (Go). It contains your encoded payload, workflow metadata, and cryptographic signatures. It is **not** a [Data Streams](/data-streams) report—those come from a different product.
+
+Most secure HTTP integrations use two roles:
+
+```mermaid
+flowchart LR
+  subgraph sender ["Sender workflow (this guide's focus)"]
+    A[Trigger] --> B[Your logic]
+    B --> C["runtime.report()"]
+    C --> D["sendReport() → HTTP POST"]
+  end
+  subgraph receiver ["Receiver (separate system)"]
+    D --> E[Your API or CRE HTTP trigger]
+    E --> F["Report.parse() before trusting data"]
+  end
+```
+
+| Step | Who                       | What happens                                                                                                                                  |
+| ---- | ------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
+| 1    | **Sender** (CRE workflow) | Run business logic, encode payload                                                                                                            |
+| 2    | **Sender**                | `runtime.report()` — DON agrees and signs                                                                                                     |
+| 3    | **Sender**                | `sendReport()` — POST report bytes to your URL                                                                                                |
+| 4    | **Receiver**              | Verify signatures, then use payload — see [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain) |
+
+You do **not** download a report from elsewhere before submitting. The sender workflow **creates** it in step 2. Validation always happens on the **receiver** side (CRE workflow, your API, or an onchain forwarder).
+
 ## Guides
 
 - **[Making GET Requests](/cre/guides/workflow/using-http-client/get-request)**: Learn how to fetch data from a public API using a `GET` request.
 - **[Making POST Requests](/cre/guides/workflow/using-http-client/post-request)**: Learn how to send data to an external endpoint using a `POST` request.
 - **[Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http)**: Learn how to submit cryptographically signed reports to an external HTTP endpoint.
+- **[Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain)**: Verify report signatures and read workflow metadata when receiving reports over HTTP or other offchain channels.
 
 ---
 
@@ -13988,6 +14017,17 @@ Here's the journey your workflow's data takes to reach the blockchain:
 
 In your workflow code, this process involves two steps: calling `runtime.report()` to generate the signed report, then calling `evmClient.writeReport()` to submit it to the blockchain.
 
+### Where reports can go after generation
+
+The same signed report from `runtime.report()` can be delivered in different ways:
+
+| Destination                    | Guide                                                                                                                       | Verification                                                                                                           |
+| ------------------------------ | --------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- |
+| Smart contract (via Forwarder) | This section + [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain) | Onchain in `KeystoneForwarder`                                                                                         |
+| HTTP API                       | [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts)                            | [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts) on the receiver |
+
+See [CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http) for the sender → receiver flow. CRE reports are not [Data Streams](/data-streams) reports.
+
 ## What you need: A consumer contract
 
 Before you can write data onchain, you need a **consumer contract**. This is the smart contract that will receive your workflow's data.
@@ -14977,9 +15017,9 @@ export async function main() {
 
 # Submitting Reports via HTTP
 Source: https://docs.chain.link/cre/guides/workflow/using-http-client/submitting-reports-http-ts
-Last Updated: 2026-01-20
+Last Updated: 2026-05-20
 
-This guide shows how to send a cryptographically signed report (generated by your workflow) to an external HTTP API. You'll learn how to write a transformation function that formats the report for your specific API's requirements.
+This guide is for the **sender** side: a CRE workflow that **creates** a signed report and **POSTs** it to an HTTP endpoint.
 
 **What you'll learn:**
 
@@ -14992,6 +15032,24 @@ This guide shows how to send a cryptographically signed report (generated by you
   This guide covers HTTP submission. For submitting reports to smart contracts, see [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/overview-ts).
 </Aside>
 
+## Where this guide fits
+
+| Question                    | Answer                                                                                                                                                                     |
+| --------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| What is the report?         | Output of `runtime.report()` after your workflow DON reaches consensus: encoded payload + metadata + signatures. Not a Data Streams report.                                |
+| Where does it come from?    | **Inside this workflow**—after your logic runs (fetch data, compute, encode). There is no separate "get report" step.                                                      |
+| What does this guide cover? | Steps 2–3: generate the report, then `sendReport()` to your API.                                                                                                           |
+| Who verifies it?            | The **receiver**—your HTTP service or a separate CRE workflow. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts). |
+
+**Sender flow in one workflow execution:**
+
+1. Trigger fires (cron, HTTP, …).
+2. Your callback runs (API calls, encoding, etc.).
+3. `runtime.report()` — DON produces a signed `ReportResponse`.
+4. `sendReport()` — format and POST to your URL.
+
+For a conceptual overview and diagram, see [API Interactions — CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
+
 ## Prerequisites
 
 - Familiarity with [making POST requests](/cre/guides/workflow/using-http-client/post-request)
@@ -15527,15 +15585,13 @@ const onCronTrigger = (runtime: Runtime<Config>): MyResult => {
 
 1. **Always use `cacheSettings`**: Include caching in every transformation function to prevent worst-case duplicate submission scenarios
 2. **Implement API-side deduplication**: Your receiving API must implement deduplication using the **hash of the report** (`keccak256(rawReport)`) to detect and reject duplicate submissions
-3. **Verify signatures before processing**: Your API must verify the cryptographic signatures against DON public keys before trusting report data (see note below about signature verification)
+3. **Verify on the receiver**: The sender does not validate the report—your API or a [receiver CRE workflow](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts) must verify before trusting payload data
 4. **Match your API's format exactly**: Study your API's documentation to understand the expected format (binary, JSON, headers, etc.)
 5. **Handle errors gracefully**: Check HTTP status codes and provide meaningful error messages
 
 
 <Aside type="caution" title="Signature verification is your responsibility">
-  Unlike onchain submissions (where the `KeystoneForwarder` contract verifies signatures), **HTTP submissions require your API to verify signatures** before trusting the report data.
-
-  **Documentation coming soon**: "Verifying CRE Reports Offchain" guide.
+  Unlike onchain submissions (where the `KeystoneForwarder` contract verifies signatures), **HTTP submissions require you to verify signatures** before trusting the report data. Use `Report.parse()` in a receiver workflow or implement equivalent checks in your API. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts).
 </Aside>
 
 ## Troubleshooting
@@ -15553,6 +15609,8 @@ const onCronTrigger = (runtime: Runtime<Config>): MyResult => {
 
 ## Learn more
 
+- **[API Interactions — CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http)** — Sender → receiver overview
+- **[Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts)** — Receiver workflow: verify before trusting payload
 - **[HTTP Client SDK Reference](/cre/reference/sdk/http-client-ts)** — Complete API reference including `sendReport()` and `ReportResponse`
 - **[POST Requests](/cre/guides/workflow/using-http-client/post-request)** — Learn about HTTP request patterns and caching
 - **[Writing Data Onchain](/cre/guides/workflow/using-evm-client/onchain-write/writing-data-onchain)** — Detailed guide on encoding single values, structs, and complex types using Viem
@@ -15560,6 +15618,256 @@ const onCronTrigger = (runtime: Runtime<Config>): MyResult => {
 
 ---
 
+# Verifying CRE Reports Offchain
+Source: https://docs.chain.link/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts
+Last Updated: 2026-05-20
+
+This guide is for the **receiver** side: you already received a CRE report package (usually via HTTP) and need to **prove it is authentic** before using the payload.
+
+When a workflow delivers results via HTTP (or another offchain channel), nothing onchain automatically validates the report. **You must verify signatures before trusting the data.**
+
+The CRE SDK provides `Report.parse()` to do this inside a workflow. Verification runs **offchain** in your callback: signatures are checked with local cryptography, while authorized signer addresses are loaded via **read-only calls to the onchain Capability Registry** (default: Ethereum Mainnet). Results are cached per DON.
+
+
+<Aside type="note" title="Not your workflow deployment registry">
+  This guide uses the **Capability Registry** (DON signers), not the **workflow registry** where you deploy (`private` or `onchain:ethereum-mainnet`). If you deployed with the [private registry](/cre/guides/operations/deploying-to-private-registry-ts), `Report.parse` still works the same way. For an HTTP-triggered receiver, use the [enterprise gateway URL](/cre/guides/operations/deploying-to-private-registry-ts#http-triggers-with-the-private-registry) when triggering deployed workflows. Local simulation may still need an `ethereum-mainnet` RPC in `project.yaml` for those registry reads, even though private deploy does not.
+</Aside>
+
+
+<Aside type="note" title="Onchain verification is different">
+  When you submit reports onchain through the `KeystoneForwarder`, the forwarder contract verifies signatures before calling your consumer's `onReport`. This guide covers **offchain** verification for HTTP and custom ingest paths. See [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain-ts).
+</Aside>
+
+## Where this guide fits
+
+| Question                     | Answer                                                                                                                                                                                                                |
+| ---------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| What is the report?          | Same CRE report the **sender** created with `runtime.report()`—not a Data Streams report. See [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#where-this-guide-fits). |
+| Where does it come from?     | Another workflow (or system) already ran sender steps: logic → `runtime.report()` → HTTP POST. You receive `rawReport`, `context`, and `signatures` in the request body.                                              |
+| What does this guide cover?  | Step 4: `Report.parse()` before you use `body()` or take side effects.                                                                                                                                                |
+| Same workflow as the sender? | Often **no**—common pattern is Workflow A (publish) and Workflow B (ingest with HTTP trigger).                                                                                                                        |
+
+**Receiver flow:**
+
+1. HTTP trigger (or your API) receives the POST payload.
+2. Decode hex fields into bytes.
+3. `Report.parse()` — verify signatures and read metadata.
+4. Use trusted `body()` in your logic.
+
+For the full sender → receiver diagram, see [API Interactions — CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
+
+## What you'll learn
+
+- When to verify reports offchain vs relying on onchain forwarders
+- How `Report.parse()` validates signatures and reads metadata
+- How to build a receiver workflow that accepts reports over HTTP
+- How to restrict verification to specific CRE environments or zones
+
+## Prerequisites
+
+- **SDK**: `@chainlink/cre-sdk` v1.8.0 or later (report verification support)
+- Familiarity with [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts) (report structure and JSON payload patterns)
+- For HTTP-triggered receivers: [HTTP Trigger configuration](/cre/guides/workflow/using-triggers/http-trigger/configuration-ts)
+
+## Onchain vs offchain verification
+
+| Aspect               | Offchain (`Report.parse`)                                    | Onchain (`KeystoneForwarder`)     |
+| -------------------- | ------------------------------------------------------------ | --------------------------------- |
+| **Where it runs**    | Inside your CRE workflow callback                            | In a smart contract transaction   |
+| **Signature check**  | Local `ecrecover` on report hash                             | Contract logic onchain            |
+| **Signer allowlist** | Read from Capability Registry (`getDON`, `getNodesByP2PIds`) | Forwarder + registry              |
+| **Typical use**      | HTTP APIs, webhooks, ingest workflows                        | Consumer contracts via `onReport` |
+
+Offchain verification still uses **onchain data as a trust anchor**: the first time a DON is seen, the SDK reads the production Capability Registry on Ethereum Mainnet to learn `f` and authorized signer addresses.
+
+Default (`productionEnvironment()`):
+
+- **Chain**: Ethereum Mainnet (chain selector `5009297550715157269`)
+- **Registry**: `0x76c9cf548b4179F8901cda1f8623568b58215E62`
+
+## How verification works
+
+1. **Parse the report header** from `rawReport` (109-byte metadata + body).
+2. **Fetch DON info** from the registry (if not cached): fault tolerance `f` and signer addresses.
+3. **Verify signatures**: compute `keccak256(keccak256(rawReport) || reportContext)`, recover signers, require **f+1** valid signatures from authorized nodes.
+4. **Return a `Report` object** with accessors for workflow ID, owner, execution ID, body, and more.
+
+If verification fails, `Report.parse()` throws (for example, unknown signer, insufficient signatures, or registry read failure).
+
+## Complete example: HTTP receiver workflow
+
+This workflow accepts a JSON payload (matching the format from [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#pattern-4-json-formatted-report)), verifies it, then processes the trusted body.
+
+```typescript
+import {
+  HTTPCapability,
+  handler,
+  Report,
+  type HTTPPayload,
+  type Runtime,
+  type SecretsProvider,
+} from "@chainlink/cre-sdk"
+import { hexToBytes } from "viem"
+import { z } from "zod"
+
+export const configSchema = z
+  .object({
+    authorized_key: z.string(),
+  })
+  .transform((data) => ({
+    authorizedKey: data.authorized_key,
+  }))
+
+export type Config = z.infer<typeof configSchema>
+
+type ParsedPayload = {
+  report: string
+  context: string
+  signatures: string[]
+}
+
+export async function run(runtime: Runtime<Config>, payload: HTTPPayload): Promise<boolean> {
+  const parsed: ParsedPayload = JSON.parse(new TextDecoder().decode(payload.input))
+
+  const rawReport = hexToBytes(`0x${parsed.report}`)
+  const reportContext = hexToBytes(`0x${parsed.context}`)
+  const sigs = parsed.signatures.map((s) => hexToBytes(`0x${s}`))
+
+  const report = await Report.parse(runtime, rawReport, sigs, reportContext)
+
+  runtime.log(`Verified report from workflow ${report.workflowId()}, execution ${report.executionId()}`)
+
+  // Use report.body() for your application logic (ABI-encoded payload from the sender workflow)
+  void report.body()
+
+  return true
+}
+
+export const initWorkflow = (config: Config, _secretsProvider: SecretsProvider) => {
+  const http = new HTTPCapability()
+  return [
+    handler(http.trigger({ authorizedKeys: [{ type: "KEY_TYPE_ECDSA_EVM", publicKey: config.authorizedKey }] }), run),
+  ]
+}
+```
+
+**What's happening:**
+
+1. An external system POSTs hex-encoded `report`, `context`, and `signatures` to your HTTP trigger.
+2. `Report.parse()` verifies signatures against the production CRE registry.
+3. On success, you read metadata and `body()` safely.
+
+
+<Aside type="caution" title="Hex encoding">
+  The example expects **hex strings without a `0x` prefix** in JSON. Adjust decoding if your API sends `0x`-prefixed values or base64 instead.
+</Aside>
+
+## Report payload format
+
+Receivers need three fields (plus optional metadata your API may add):
+
+| Field        | Description                                                        |
+| ------------ | ------------------------------------------------------------------ |
+| `report`     | Hex-encoded `rawReport` bytes (metadata header + workflow payload) |
+| `context`    | Hex-encoded `reportContext` (config digest + sequence number)      |
+| `signatures` | Array of hex-encoded 65-byte ECDSA signatures from DON nodes       |
+
+The `reportContext` layout used by the SDK:
+
+- Bytes 0–31: config digest
+- Bytes 32–39: sequence number (big-endian `uint64`)
+
+## API reference
+
+See [SDK Reference: Core — Report verification](/cre/reference/sdk/core-ts#report-verification) for full signatures, types, and configuration.
+
+### `Report.parse()`
+
+```typescript
+Report.parse(
+  runtime: Runtime,
+  rawReport: Uint8Array,
+  signatures: Uint8Array[],
+  reportContext: Uint8Array,
+  config?: ReportParseConfig,
+): Promise<Report>
+```
+
+Parses and verifies a report. Throws if verification fails.
+
+### `Report` accessors
+
+After a successful parse:
+
+| Method            | Description                               |
+| ----------------- | ----------------------------------------- |
+| `workflowId()`    | Workflow hash (`bytes32` as hex)          |
+| `workflowOwner()` | Deployer address (hex)                    |
+| `workflowName()`  | Workflow name field from metadata         |
+| `executionId()`   | Unique execution identifier               |
+| `donId()`         | DON that produced the report              |
+| `timestamp()`     | Report timestamp (Unix seconds)           |
+| `body()`          | Encoded payload after the 109-byte header |
+| `seqNr()`         | Sequence number from report context       |
+| `configDigest()`  | Config digest from report context         |
+
+### `ReportParseConfig`
+
+```typescript
+import { productionEnvironment, zoneFromEnvironment, type ReportParseConfig } from "@chainlink/cre-sdk"
+
+const config: ReportParseConfig = {
+  acceptedZones: [zoneFromEnvironment(productionEnvironment(), 1)],
+  acceptedEnvironments: [productionEnvironment()],
+  skipSignatureVerification: false,
+}
+```
+
+| Option                      | Description                                                                                                                                                                                                                                                               |
+| --------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `acceptedEnvironments`      | Registry environments to check (defaults to production)                                                                                                                                                                                                                   |
+| `acceptedZones`             | Restrict to specific DON IDs within an environment                                                                                                                                                                                                                        |
+| `skipSignatureVerification` | Parse metadata only, without registry reads or signature checks. Use only for testing or when another layer verifies signatures. There is no separate `verifySignatures()` on `Report` in TypeScript—call `Report.parse()` without this flag for production verification. |
+
+Most workflows should use the default config (production environment only).
+
+## Best practices
+
+1. **Verify before side effects**: Call `Report.parse()` before writing to databases, chains, or external systems.
+2. **Permission on metadata**: After verification, check `workflowId()`, `workflowOwner()`, or `donId()` match your expectations.
+3. **Deduplicate by execution ID**: Use `executionId()` or `keccak256(rawReport)` to reject replays (see [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#understanding-cachesettings-for-reports)).
+4. **Do not skip signature verification in production** unless you have another trust path.
+
+## Troubleshooting
+
+**`invalid signature` / `unknown signer`**
+
+- Signatures may be from a different DON or stale registry config.
+- Confirm the sender workflow used production CRE and the report was not tampered with.
+
+**`wrong number of signatures`**
+
+- At least **f+1** valid signatures are required. Extra invalid signatures are skipped; too few valid ones fails verification.
+
+**`could not read from chain ...`**
+
+- Registry read failed (RPC/network). Retry or check simulation vs production EVM access.
+
+**`raw report too short`**
+
+- `rawReport` is missing the 109-byte metadata header.
+
+## Learn more
+
+- **[API Interactions — CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http)** — Sender → receiver overview
+- **[Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts)** — Sender workflow: create and POST the report
+- **[SDK Reference: Core — Report verification](/cre/reference/sdk/core-ts#report-verification)** — `Report.parse`, accessors, and `ReportParseConfig`
+- **[HTTP Trigger Overview](/cre/guides/workflow/using-triggers/http-trigger/overview-ts)** — Trigger deployed receiver workflows
+- **[Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain-ts)** — Onchain forwarder verification path
+- **[Building Consumer Contracts](/cre/guides/workflow/using-evm-client/onchain-write/building-consumer-contracts-ts)** — Permissioning `onReport` with workflow metadata
+
+---
+
 # Cron Trigger
 Source: https://docs.chain.link/cre/guides/workflow/using-triggers/cron-trigger-ts
 Last Updated: 2026-01-20
@@ -17868,7 +18176,7 @@ If all nodes fail or consensus cannot be reached, the default value (`0n` in thi
 
 # SDK Reference: Core
 Source: https://docs.chain.link/cre/reference/sdk/core-ts
-Last Updated: 2026-01-20
+Last Updated: 2026-05-20
 
 This page provides a reference for the core data structures and functions of the CRE TypeScript SDK. These are the fundamental building blocks that every workflow uses, regardless of trigger types or capabilities.
 
@@ -17965,7 +18273,7 @@ Both `Runtime` and `NodeRuntime` provide:
 
 - **`runInNodeMode(...)`**: Execute code on individual nodes with consensus aggregation
 - **`getSecret(...)`**: Access to workflow secrets
-- **`report(...)`**: Generate cryptographically signed reports
+- **`report(...)`**: Generate cryptographically signed reports. To verify received reports, use [`Report.parse()`](#report-verification).
 
 ### Logging
 
@@ -18400,6 +18708,72 @@ const onTrigger = (runtime: Runtime<Config>): string => {
   For a complete walkthrough on creating, storing, and using secrets, see the [Secrets guide](/cre/guides/workflow/secrets).
 </Aside>
 
+## Report verification
+
+Parse and verify CRE reports received over HTTP or other offchain channels. Requires **`@chainlink/cre-sdk` v1.8.0** or later.
+
+
+<Aside type="note" title="Guide">
+  For end-to-end examples (HTTP receiver workflow, payload format, private registry notes), see [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts). To **send** reports via HTTP, see [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts).
+</Aside>
+
+Verification runs in your callback: signatures are checked offchain, while authorized signers are loaded from the onchain **Capability Registry** (default: `productionEnvironment()` on Ethereum Mainnet). This is not the workflow deployment registry (`private` or onchain).
+
+Import from `@chainlink/cre-sdk`: `Report`, `productionEnvironment`, `zoneFromEnvironment`, and `ReportParseConfig`.
+
+### `Report.parse()`
+
+**Signature:**
+
+```typescript
+Report.parse(
+  runtime: Runtime,
+  rawReport: Uint8Array,
+  signatures: Uint8Array[],
+  reportContext: Uint8Array,
+  config?: ReportParseConfig,
+): Promise<Report>
+```
+
+Parses a report and verifies signatures. Throws on failure. Registry reads are cached per chain and DON.
+
+### `Report` accessors
+
+After a successful parse:
+
+| Method            | Returns      | Description                                |
+| ----------------- | ------------ | ------------------------------------------ |
+| `workflowId()`    | `string`     | Workflow hash (hex)                        |
+| `workflowOwner()` | `string`     | Workflow owner (hex)                       |
+| `workflowName()`  | `string`     | Workflow name from metadata                |
+| `executionId()`   | `string`     | Execution identifier (hex)                 |
+| `donId()`         | `number`     | DON that produced the report               |
+| `body()`          | `Uint8Array` | Payload after the 109-byte metadata header |
+| `seqNr()`         | `bigint`     | Sequence number                            |
+| `configDigest()`  | `Uint8Array` | Config digest                              |
+| `reportContext()` | `Uint8Array` | Full report context bytes                  |
+| `rawReport()`     | `Uint8Array` | Full raw report bytes                      |
+
+### `ReportParseConfig`
+
+| Field                       | Type            | Description                                                        |
+| --------------------------- | --------------- | ------------------------------------------------------------------ |
+| `acceptedEnvironments`      | `Environment[]` | Registry environments to try (defaults to production)              |
+| `acceptedZones`             | `Zone[]`        | Restrict verification to specific DON IDs                          |
+| `skipSignatureVerification` | `boolean`       | Parse metadata only; not for production without another trust path |
+
+### `productionEnvironment()` and `zoneFromEnvironment()`
+
+```typescript
+function productionEnvironment(): Environment
+function zoneFromEnvironment(environment: Environment, donID: number): Zone
+```
+
+| `Environment` field | Type     | Description                                              |
+| ------------------- | -------- | -------------------------------------------------------- |
+| `chainSelector`     | `bigint` | Chain selector for EVM reads (default: Ethereum Mainnet) |
+| `registryAddress`   | `string` | Capability Registry contract address                     |
+
 ---
 
 # SDK Reference: EVM Client
@@ -19374,7 +19748,7 @@ Because it operates at the node level, all HTTP requests are wrapped in a consen
 - **[High-level (recommended)](#high-level-sendrequest-recommended):** Automatically wraps your request in the `runtime.runInNodeMode()` pattern with consensus aggregation.
 - **[Low-level](#low-level-sendrequest):** Requires manual wrapping in a `runtime.runInNodeMode()` block for complex scenarios.
 
-For complete step-by-step examples, see the [GET requests](/cre/guides/workflow/using-http-client/get-request) and [POST requests](/cre/guides/workflow/using-http-client/post-request) guides.
+For complete step-by-step examples, see the [GET requests](/cre/guides/workflow/using-http-client/get-request) and [POST requests](/cre/guides/workflow/using-http-client/post-request) guides. To **submit** signed reports, see [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts). To **verify** received reports, see [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) and [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts).
 
 ## High-level `sendRequest()` (recommended)
 
@@ -19510,6 +19884,11 @@ const submitReport = (sendRequester: HTTPSendRequester, report: Report): string
 }
 ```
 
+
+<Aside type="note" title="Receiving and verifying reports">
+  If your workflow **receives** reports (for example via an HTTP trigger), use [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) before trusting payload data—not `sendReport()`. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts).
+</Aside>
+
 ## Low-level `sendRequest()`
 
 The low-level `sendRequest()` method requires manual wrapping in a `runtime.runInNodeMode()` block. It provides more flexibility for complex scenarios but requires more boilerplate code.
@@ -20016,7 +20395,7 @@ This section provides a detailed technical reference for the public interfaces o
 
 The SDK Reference is broken down into several pages, each corresponding to a core part of the SDK's functionality:
 
-- **[Core SDK](/cre/reference/sdk/core-ts)**: Covers the fundamental building blocks of any workflow, including `handler`, `Runtime`, and the `.result()` pattern for promise resolution.
+- **[Core SDK](/cre/reference/sdk/core-ts)**: Covers the fundamental building blocks of any workflow, including `handler`, `Runtime`, report verification (`Report.parse`), and the `.result()` pattern for promise resolution.
 - **[Triggers](/cre/reference/sdk/triggers/overview-ts)**: Details the configuration and payload structures for all available trigger types (`Cron`, `HTTP`, `EVM Log`).
 - **[EVM Client](/cre/reference/sdk/evm-client-ts)**: Provides a reference for the `EVMClient`, the primary tool for all EVM interactions, including reads and writes.
 - **[HTTP Client](/cre/reference/sdk/http-client-ts)**: Provides a reference for the `HTTPClient`, used for making offchain API requests from individual nodes.
diff --git a/src/content/cre/reference/sdk/core-go.mdx b/src/content/cre/reference/sdk/core-go.mdx
index 8e324138bee..df48dc5c80e 100644
--- a/src/content/cre/reference/sdk/core-go.mdx
+++ b/src/content/cre/reference/sdk/core-go.mdx
@@ -5,9 +5,9 @@ date: Last Modified
 sdkLang: "go"
 pageId: "reference-sdk-core"
 metadata:
-  description: "Reference for core Go SDK: Workflow, Handler, Runtime, NodeRuntime, and essential functions every CRE workflow uses."
+  description: "Reference for core Go SDK: Workflow, Handler, Runtime, NodeRuntime, report verification (ParseReport), and essential functions every CRE workflow uses."
   datePublished: "2025-11-04"
-  lastModified: "2026-04-20"
+  lastModified: "2026-05-20"
 ---
 
 import { Aside } from "@components"
@@ -321,6 +321,83 @@ func onTrigger(config *Config, runtime cre.Runtime, ...) (string, error) {
   guide](/cre/guides/workflow/secrets).
 </Aside>
 
+## Report verification
+
+Parse and verify CRE reports received over HTTP or other offchain channels. Requires **cre-sdk-go v1.8.0** or later.
+
+{/* prettier-ignore */}
+<Aside type="note" title="Guide">
+  For end-to-end examples (HTTP receiver workflow, payload format, private registry notes), see [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go). To **send** reports via HTTP, see [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go).
+</Aside>
+
+Verification runs in your callback: signatures are checked offchain, while authorized signers are loaded from the onchain **Capability Registry** (default: `cre.ProductionEnvironment()` on Ethereum Mainnet). This is not the workflow deployment registry (`private` or onchain).
+
+### `cre.ParseReport`
+
+**Signature:**
+
+```go
+func ParseReport(runtime Runtime, rawReport []byte, signatures [][]byte, reportContext []byte) (*Report, error)
+```
+
+Parses a report and verifies signatures against `cre.ProductionEnvironment()`. Registry reads are cached per chain and DON.
+
+### `cre.ParseReportWithConfig`
+
+**Signature:**
+
+```go
+func ParseReportWithConfig(runtime Runtime, rawReport []byte, signatures [][]byte, reportContext []byte, config ReportParseConfig) (*Report, error)
+```
+
+Same as `ParseReport`, with custom accepted environments or zones. Set `SkipSignatureVerification: true` to parse metadata only; call `report.VerifySignatures()` afterward when ready.
+
+### `Report` accessors
+
+After a successful parse:
+
+| Method            | Returns  | Description                                |
+| ----------------- | -------- | ------------------------------------------ |
+| `WorkflowID()`    | `string` | Workflow hash (hex)                        |
+| `WorkflowOwner()` | `string` | Workflow owner (hex)                       |
+| `WorkflowName()`  | `string` | Workflow name from metadata                |
+| `ExecutionID()`   | `string` | Execution identifier (hex)                 |
+| `DONID()`         | `uint32` | DON that produced the report               |
+| `Body()`          | `[]byte` | Payload after the 109-byte metadata header |
+| `SeqNr()`         | `uint64` | Sequence number                            |
+| `ConfigDigest()`  | `[]byte` | Config digest                              |
+| `ReportContext()` | `[]byte` | Full report context bytes                  |
+| `RawReport()`     | `[]byte` | Full raw report bytes                      |
+
+### `ReportParseConfig`
+
+| Field                       | Type            | Description                                           |
+| --------------------------- | --------------- | ----------------------------------------------------- |
+| `AcceptedEnvironments`      | `[]Environment` | Registry environments to try (defaults to production) |
+| `AcceptedZones`             | `[]Zone`        | Restrict verification to specific DON IDs             |
+| `SkipSignatureVerification` | `bool`          | Parse header only; call `VerifySignatures` separately |
+
+### `cre.ProductionEnvironment` and `cre.ZoneFromEnvironment`
+
+```go
+func ProductionEnvironment() Environment  // mainnet Capability Registry
+func ZoneFromEnvironment(env Environment, donId uint32) Zone
+```
+
+| `Environment` field | Type     | Description                                              |
+| ------------------- | -------- | -------------------------------------------------------- |
+| `ChainSelector`     | `uint64` | Chain selector for EVM reads (default: Ethereum Mainnet) |
+| `RegistryAddress`   | `string` | Capability Registry contract address                     |
+
+### Verification errors
+
+| Error                    | When                                         |
+| ------------------------ | -------------------------------------------- |
+| `ErrUnknownSigner`       | Recovered signer not in registry allowlist   |
+| `ErrWrongSignatureCount` | Fewer than f+1 valid signatures              |
+| `ErrRawReportTooShort`   | `rawReport` missing 109-byte metadata header |
+| `ErrDuplicateSigner`     | Same signer twice in accepted set            |
+
 ## `cre.OrderedEntries` and `cre.OrderedEntriesFunc`
 
 Go maps iterate in random order, which causes consensus failures in DON mode because different nodes process entries in different sequences. These helpers return a deterministic iterator over a map's entries, sorted by key, so all nodes process items in the same order.
diff --git a/src/content/cre/reference/sdk/core-ts.mdx b/src/content/cre/reference/sdk/core-ts.mdx
index 5b7cb3edeff..51e4ae7a929 100644
--- a/src/content/cre/reference/sdk/core-ts.mdx
+++ b/src/content/cre/reference/sdk/core-ts.mdx
@@ -5,9 +5,9 @@ date: Last Modified
 sdkLang: "ts"
 pageId: "reference-sdk-core"
 metadata:
-  description: "Reference for core TypeScript SDK: Workflow, Handler, Runtime, and essential functions every CRE workflow uses."
+  description: "Reference for core TypeScript SDK: Workflow, Handler, Runtime, report verification (Report.parse), and essential functions every CRE workflow uses."
   datePublished: "2025-11-04"
-  lastModified: "2026-01-20"
+  lastModified: "2026-05-20"
 ---
 
 import { Aside } from "@components"
@@ -107,7 +107,7 @@ Both `Runtime` and `NodeRuntime` provide:
 
 - **`runInNodeMode(...)`**: Execute code on individual nodes with consensus aggregation
 - **`getSecret(...)`**: Access to workflow secrets
-- **`report(...)`**: Generate cryptographically signed reports
+- **`report(...)`**: Generate cryptographically signed reports. To verify received reports, use [`Report.parse()`](#report-verification).
 
 ### Logging
 
@@ -542,3 +542,69 @@ const onTrigger = (runtime: Runtime<Config>): string => {
 <Aside type="note" title="Secrets guide">
   For a complete walkthrough on creating, storing, and using secrets, see the [Secrets guide](/cre/guides/workflow/secrets).
 </Aside>
+
+## Report verification
+
+Parse and verify CRE reports received over HTTP or other offchain channels. Requires **`@chainlink/cre-sdk` v1.8.0** or later.
+
+{/* prettier-ignore */}
+<Aside type="note" title="Guide">
+  For end-to-end examples (HTTP receiver workflow, payload format, private registry notes), see [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts). To **send** reports via HTTP, see [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts).
+</Aside>
+
+Verification runs in your callback: signatures are checked offchain, while authorized signers are loaded from the onchain **Capability Registry** (default: `productionEnvironment()` on Ethereum Mainnet). This is not the workflow deployment registry (`private` or onchain).
+
+Import from `@chainlink/cre-sdk`: `Report`, `productionEnvironment`, `zoneFromEnvironment`, and `ReportParseConfig`.
+
+### `Report.parse()`
+
+**Signature:**
+
+```typescript
+Report.parse(
+  runtime: Runtime,
+  rawReport: Uint8Array,
+  signatures: Uint8Array[],
+  reportContext: Uint8Array,
+  config?: ReportParseConfig,
+): Promise<Report>
+```
+
+Parses a report and verifies signatures. Throws on failure. Registry reads are cached per chain and DON.
+
+### `Report` accessors
+
+After a successful parse:
+
+| Method            | Returns      | Description                                |
+| ----------------- | ------------ | ------------------------------------------ |
+| `workflowId()`    | `string`     | Workflow hash (hex)                        |
+| `workflowOwner()` | `string`     | Workflow owner (hex)                       |
+| `workflowName()`  | `string`     | Workflow name from metadata                |
+| `executionId()`   | `string`     | Execution identifier (hex)                 |
+| `donId()`         | `number`     | DON that produced the report               |
+| `body()`          | `Uint8Array` | Payload after the 109-byte metadata header |
+| `seqNr()`         | `bigint`     | Sequence number                            |
+| `configDigest()`  | `Uint8Array` | Config digest                              |
+| `reportContext()` | `Uint8Array` | Full report context bytes                  |
+| `rawReport()`     | `Uint8Array` | Full raw report bytes                      |
+
+### `ReportParseConfig`
+
+| Field                       | Type            | Description                                                        |
+| --------------------------- | --------------- | ------------------------------------------------------------------ |
+| `acceptedEnvironments`      | `Environment[]` | Registry environments to try (defaults to production)              |
+| `acceptedZones`             | `Zone[]`        | Restrict verification to specific DON IDs                          |
+| `skipSignatureVerification` | `boolean`       | Parse metadata only; not for production without another trust path |
+
+### `productionEnvironment()` and `zoneFromEnvironment()`
+
+```typescript
+function productionEnvironment(): Environment
+function zoneFromEnvironment(environment: Environment, donID: number): Zone
+```
+
+| `Environment` field | Type     | Description                                              |
+| ------------------- | -------- | -------------------------------------------------------- |
+| `chainSelector`     | `bigint` | Chain selector for EVM reads (default: Ethereum Mainnet) |
+| `registryAddress`   | `string` | Capability Registry contract address                     |
diff --git a/src/content/cre/reference/sdk/http-client-go.mdx b/src/content/cre/reference/sdk/http-client-go.mdx
index 2db1b44cf90..4e46e4be51a 100644
--- a/src/content/cre/reference/sdk/http-client-go.mdx
+++ b/src/content/cre/reference/sdk/http-client-go.mdx
@@ -19,15 +19,17 @@ The HTTP Client lets you make requests to external APIs from your workflow. Each
 - Fetching data from REST APIs ([GET requests](/cre/guides/workflow/using-http-client/get-request))
 - Sending data to webhooks ([POST requests](/cre/guides/workflow/using-http-client/post-request))
 - Submitting reports to offchain systems ([Report submission](/cre/guides/workflow/using-http-client/submitting-reports-http))
+- Verifying reports received over HTTP ([Report verification](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go))
 
 ## Quick reference
 
-| Method                                                 | Use When                                  | Guide                                                                                                                   |
-| ------------------------------------------------------ | ----------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- |
-| [`http.SendRequest`](#httpsendrequest)                 | Making HTTP calls (recommended)           | [GET](/cre/guides/workflow/using-http-client/get-request) / [POST](/cre/guides/workflow/using-http-client/post-request) |
-| [`client.SendRequest`](#clientsendrequest)             | Complex scenarios requiring fine control  | [GET](/cre/guides/workflow/using-http-client/get-request#2-the-creruninnodemode-pattern-low-level)                      |
-| [`sendRequester.SendReport`](#sendrequestersendreport) | Submitting reports via HTTP (recommended) | [Report submission](/cre/guides/workflow/using-http-client/submitting-reports-http)                                     |
-| [`client.SendReport`](#clientsendreport)               | Complex report submission scenarios       | [Report submission](/cre/guides/workflow/using-http-client/submitting-reports-http#advanced-low-level-pattern)          |
+| Method                                                              | Use When                                  | Guide                                                                                                                   |
+| ------------------------------------------------------------------- | ----------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- |
+| [`http.SendRequest`](#httpsendrequest)                              | Making HTTP calls (recommended)           | [GET](/cre/guides/workflow/using-http-client/get-request) / [POST](/cre/guides/workflow/using-http-client/post-request) |
+| [`client.SendRequest`](#clientsendrequest)                          | Complex scenarios requiring fine control  | [GET](/cre/guides/workflow/using-http-client/get-request#2-the-creruninnodemode-pattern-low-level)                      |
+| [`sendRequester.SendReport`](#sendrequestersendreport)              | Submitting reports via HTTP (recommended) | [Report submission](/cre/guides/workflow/using-http-client/submitting-reports-http)                                     |
+| [`client.SendReport`](#clientsendreport)                            | Complex report submission scenarios       | [Report submission](/cre/guides/workflow/using-http-client/submitting-reports-http#advanced-low-level-pattern)          |
+| [`cre.ParseReport`](/cre/reference/sdk/core-go#report-verification) | Verifying received reports (receiver)     | [Report verification](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go)                             |
 
 ## Core types
 
@@ -397,3 +399,8 @@ func formatReport(r *sdk.ReportResponse) (*http.Request, error) {
 ```
 
 For complete examples of including signatures in different formats (body, headers, JSON), see the [Submitting Reports via HTTP guide](/cre/guides/workflow/using-http-client/submitting-reports-http#formatting-patterns).
+
+{/* prettier-ignore */}
+<Aside type="note" title="Receiving and verifying reports">
+  If your workflow **receives** reports (for example via an HTTP trigger), use [`cre.ParseReport`](/cre/reference/sdk/core-go#report-verification) before trusting payload data. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go).
+</Aside>
diff --git a/src/content/cre/reference/sdk/http-client-ts.mdx b/src/content/cre/reference/sdk/http-client-ts.mdx
index 1506ca5bfe9..5a61a390f7b 100644
--- a/src/content/cre/reference/sdk/http-client-ts.mdx
+++ b/src/content/cre/reference/sdk/http-client-ts.mdx
@@ -19,7 +19,7 @@ Because it operates at the node level, all HTTP requests are wrapped in a consen
 - **[High-level (recommended)](#high-level-sendrequest-recommended):** Automatically wraps your request in the `runtime.runInNodeMode()` pattern with consensus aggregation.
 - **[Low-level](#low-level-sendrequest):** Requires manual wrapping in a `runtime.runInNodeMode()` block for complex scenarios.
 
-For complete step-by-step examples, see the [GET requests](/cre/guides/workflow/using-http-client/get-request) and [POST requests](/cre/guides/workflow/using-http-client/post-request) guides.
+For complete step-by-step examples, see the [GET requests](/cre/guides/workflow/using-http-client/get-request) and [POST requests](/cre/guides/workflow/using-http-client/post-request) guides. To **submit** signed reports, see [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts). To **verify** received reports, see [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) and [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts).
 
 ## High-level `sendRequest()` (recommended)
 
@@ -155,6 +155,11 @@ const submitReport = (sendRequester: HTTPSendRequester, report: Report): string
 }
 ```
 
+{/* prettier-ignore */}
+<Aside type="note" title="Receiving and verifying reports">
+  If your workflow **receives** reports (for example via an HTTP trigger), use [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) before trusting payload data—not `sendReport()`. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts).
+</Aside>
+
 ## Low-level `sendRequest()`
 
 The low-level `sendRequest()` method requires manual wrapping in a `runtime.runInNodeMode()` block. It provides more flexibility for complex scenarios but requires more boilerplate code.
diff --git a/src/content/cre/reference/sdk/overview-go.mdx b/src/content/cre/reference/sdk/overview-go.mdx
index 10fcf432b8b..faa00b9dc36 100644
--- a/src/content/cre/reference/sdk/overview-go.mdx
+++ b/src/content/cre/reference/sdk/overview-go.mdx
@@ -18,7 +18,7 @@ This section provides a detailed technical reference for the public interfaces o
 
 The SDK Reference is broken down into several pages, each corresponding to a core part of the SDK's functionality:
 
-- **[Core SDK](/cre/reference/sdk/core)**: Covers the fundamental building blocks of any workflow, including `cre.Handler`, `cre.Runtime`, `cre.Promise`, and map iteration helpers `cre.OrderedEntries` / `cre.OrderedEntriesFunc`.
+- **[Core SDK](/cre/reference/sdk/core)**: Covers the fundamental building blocks of any workflow, including `cre.Handler`, `cre.Runtime`, `cre.Promise`, report verification (`cre.ParseReport`), and map iteration helpers `cre.OrderedEntries` / `cre.OrderedEntriesFunc`.
 - **[Triggers](/cre/reference/sdk/triggers)**: Details the configuration and payload structures for all available trigger types (`Cron`, `HTTP`, `EVM Log`).
 - **[EVM Client](/cre/reference/sdk/evm-client)**: Provides a reference for the `evm.Client`, the primary tool for all EVM interactions, including reads and writes.
 - **[HTTP Client](/cre/reference/sdk/http-client)**: Provides a reference for the `http.Client`, used for making offchain API requests from individual nodes.
diff --git a/src/content/cre/reference/sdk/overview-ts.mdx b/src/content/cre/reference/sdk/overview-ts.mdx
index ee95f7e9685..a1881db3db6 100644
--- a/src/content/cre/reference/sdk/overview-ts.mdx
+++ b/src/content/cre/reference/sdk/overview-ts.mdx
@@ -18,7 +18,7 @@ This section provides a detailed technical reference for the public interfaces o
 
 The SDK Reference is broken down into several pages, each corresponding to a core part of the SDK's functionality:
 
-- **[Core SDK](/cre/reference/sdk/core-ts)**: Covers the fundamental building blocks of any workflow, including `handler`, `Runtime`, and the `.result()` pattern for promise resolution.
+- **[Core SDK](/cre/reference/sdk/core-ts)**: Covers the fundamental building blocks of any workflow, including `handler`, `Runtime`, report verification (`Report.parse`), and the `.result()` pattern for promise resolution.
 - **[Triggers](/cre/reference/sdk/triggers/overview-ts)**: Details the configuration and payload structures for all available trigger types (`Cron`, `HTTP`, `EVM Log`).
 - **[EVM Client](/cre/reference/sdk/evm-client-ts)**: Provides a reference for the `EVMClient`, the primary tool for all EVM interactions, including reads and writes.
 - **[HTTP Client](/cre/reference/sdk/http-client-ts)**: Provides a reference for the `HTTPClient`, used for making offchain API requests from individual nodes.

From 57caa9367a30d0d4f6cf0145355e95ce5111c249 Mon Sep 17 00:00:00 2001
From: devin distefano <devin.distefano@smartcontract.com>
Date: Wed, 20 May 2026 19:14:32 -0500
Subject: [PATCH 2/9] cleanup

---
 .../generating-reports-single-values.mdx      |   6 +-
 .../generating-reports-structs.mdx            |   2 +-
 .../onchain-write/overview-go.mdx             |   2 +-
 .../onchain-write/overview-ts.mdx             |   2 +-
 .../submitting-reports-onchain.mdx            |   4 +-
 .../workflow/using-http-client/index.mdx      |  40 +++----
 .../submitting-reports-http-go.mdx            |  34 +++---
 .../submitting-reports-http-ts.mdx            |  32 ++---
 .../verifying-reports-offchain-go.mdx         |  30 ++---
 .../verifying-reports-offchain-ts.mdx         |  42 +++----
 src/content/cre/llms-full-go.txt              | 110 ++++++++----------
 src/content/cre/llms-full-ts.txt              | 110 ++++++++----------
 .../cre/reference/sdk/http-client-ts.mdx      |   2 +-
 13 files changed, 193 insertions(+), 223 deletions(-)

diff --git a/src/content/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values.mdx b/src/content/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values.mdx
index a505db987cd..ac36c54224b 100644
--- a/src/content/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values.mdx
+++ b/src/content/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values.mdx
@@ -11,9 +11,9 @@ metadata:
 
 import { Aside } from "@components"
 
-This guide shows how to manually generate a **CRE report** containing a single value (like `uint256`, `address`, or `bool`). A CRE report is a DON-signed package from `runtime.GenerateReport()` / `runtime.report()`—your encoded data plus workflow metadata and signatures. It is **not** a [Data Streams](/data-streams) report.
+This guide shows how to manually generate a **CRE report** containing a single value (like `uint256`, `address`, or `bool`). A CRE report is a DON-signed package from `runtime.GenerateReport()` / `runtime.report()`: your encoded data plus workflow metadata and signatures.
 
-This guide covers **creating** the report (step 2 in the sender flow). **Delivering** it is a separate step—see the table below.
+This guide covers **creating** the signed report (`GenerateReport()` / `runtime.report()`). **Delivering** it is a separate step: see the table below.
 
 **Use this approach when:**
 
@@ -38,7 +38,7 @@ Manually generating a report for a single value involves two main steps:
 | `evm.Client.WriteReport()` / `writeReport()` | [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain) | `KeystoneForwarder` onchain                                                                                               |
 | `http.Client` `SendReport()`                 | [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http)                | Receiver: [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain) or your API |
 
-See [API Interactions — CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http) for the sender → receiver mental model.
+See [API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http) for the sender → receiver mental model.
 
 <Aside type="note" title="Have a struct in your contract's ABI?">
   If your struct appears in a public/external function's signature, you can use the simpler `WriteReportFrom<StructName>()` helper instead. See [Using WriteReportFrom Helpers](/cre/guides/workflow/using-evm-client/onchain-write/using-write-report-helpers).
diff --git a/src/content/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-structs.mdx b/src/content/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-structs.mdx
index 1081c06d44d..68dce8ba63f 100644
--- a/src/content/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-structs.mdx
+++ b/src/content/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-structs.mdx
@@ -11,7 +11,7 @@ metadata:
 
 import { Aside } from "@components"
 
-This guide shows how to generate a **CRE report** containing a struct with multiple fields. A CRE report is a DON-signed package from `runtime.GenerateReport()`—not a [Data Streams](/data-streams) report. After generation, deliver it [onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain) or via [HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http); HTTP receivers should [verify offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain). See [CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
+This guide shows how to generate a **CRE report** containing a struct with multiple fields. A CRE report is a DON-signed package from `runtime.GenerateReport()`. After generation, deliver it [onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain) or via [HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http); HTTP receivers should [verify offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain). See [API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
 
 There are two encoding approaches depending on whether you have generated bindings for your contract.
 
diff --git a/src/content/cre/guides/workflow/using-evm-client/onchain-write/overview-go.mdx b/src/content/cre/guides/workflow/using-evm-client/onchain-write/overview-go.mdx
index 4afb3f2f901..78c176a1fda 100644
--- a/src/content/cre/guides/workflow/using-evm-client/onchain-write/overview-go.mdx
+++ b/src/content/cre/guides/workflow/using-evm-client/onchain-write/overview-go.mdx
@@ -53,7 +53,7 @@ The same signed report from `runtime.GenerateReport()` can be delivered in diffe
 | Smart contract (via Forwarder) | This section + [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain) | Onchain in `KeystoneForwarder`                                                                                         |
 | HTTP API                       | [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go)                            | [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go) on the receiver |
 
-See [CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http) for the sender → receiver flow. CRE reports are not [Data Streams](/data-streams) reports.
+See [API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http) for the sender → receiver flow.
 
 {/* prettier-ignore */}
 <Aside type="caution" title="Replay attacks">
diff --git a/src/content/cre/guides/workflow/using-evm-client/onchain-write/overview-ts.mdx b/src/content/cre/guides/workflow/using-evm-client/onchain-write/overview-ts.mdx
index a2df3d92168..1a80146decf 100644
--- a/src/content/cre/guides/workflow/using-evm-client/onchain-write/overview-ts.mdx
+++ b/src/content/cre/guides/workflow/using-evm-client/onchain-write/overview-ts.mdx
@@ -51,7 +51,7 @@ The same signed report from `runtime.report()` can be delivered in different way
 | Smart contract (via Forwarder) | This section + [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain) | Onchain in `KeystoneForwarder`                                                                                         |
 | HTTP API                       | [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts)                            | [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts) on the receiver |
 
-See [CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http) for the sender → receiver flow. CRE reports are not [Data Streams](/data-streams) reports.
+See [API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http) for the sender → receiver flow.
 
 ## What you need: A consumer contract
 
diff --git a/src/content/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain.mdx b/src/content/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain.mdx
index 6813d838df0..c3abac6dada 100644
--- a/src/content/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain.mdx
+++ b/src/content/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain.mdx
@@ -11,11 +11,11 @@ metadata:
 
 import { Aside } from "@components"
 
-This guide shows how to manually submit a generated **CRE report** to the blockchain using the low-level `evm.Client.WriteReport()` method. The forwarder verifies signatures onchain—no separate [offchain verification](/cre/guides/workflow/using-http-client/verifying-reports-offchain) step.
+This guide shows how to manually submit a generated **CRE report** to the blockchain using the low-level `evm.Client.WriteReport()` method. The forwarder verifies signatures onchain: no separate [offchain verification](/cre/guides/workflow/using-http-client/verifying-reports-offchain) step.
 
 {/* prettier-ignore */}
 <Aside type="note" title="HTTP delivery instead?">
-  If you need to POST the report to an API rather than a contract, generate the report the same way ([single values](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values) or [structs](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-structs)), then follow [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http). See [CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
+  If you need to POST the report to an API rather than a contract, generate the report the same way ([single values](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values) or [structs](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-structs)), then follow [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http). See [API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
 </Aside>
 
 **Use this approach when:**
diff --git a/src/content/cre/guides/workflow/using-http-client/index.mdx b/src/content/cre/guides/workflow/using-http-client/index.mdx
index 84058dad3e4..37a2205ac76 100644
--- a/src/content/cre/guides/workflow/using-http-client/index.mdx
+++ b/src/content/cre/guides/workflow/using-http-client/index.mdx
@@ -27,31 +27,21 @@ These guides will walk you through the common use cases for the HTTP client.
 
 ## CRE reports over HTTP
 
-A **CRE report** is a DON-signed package your workflow creates with `runtime.report()` (TypeScript) or `runtime.GenerateReport()` (Go). It contains your encoded payload, workflow metadata, and cryptographic signatures. It is **not** a [Data Streams](/data-streams) report—those come from a different product.
-
-Most secure HTTP integrations use two roles:
-
-```mermaid
-flowchart LR
-  subgraph sender ["Sender workflow (this guide's focus)"]
-    A[Trigger] --> B[Your logic]
-    B --> C["runtime.report()"]
-    C --> D["sendReport() → HTTP POST"]
-  end
-  subgraph receiver ["Receiver (separate system)"]
-    D --> E[Your API or CRE HTTP trigger]
-    E --> F["Report.parse() before trusting data"]
-  end
-```
-
-| Step | Who                       | What happens                                                                                                                                  |
-| ---- | ------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
-| 1    | **Sender** (CRE workflow) | Run business logic, encode payload                                                                                                            |
-| 2    | **Sender**                | `runtime.report()` — DON agrees and signs                                                                                                     |
-| 3    | **Sender**                | `sendReport()` — POST report bytes to your URL                                                                                                |
-| 4    | **Receiver**              | Verify signatures, then use payload — see [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain) |
-
-You do **not** download a report from elsewhere before submitting. The sender workflow **creates** it in step 2. Validation always happens on the **receiver** side (CRE workflow, your API, or an onchain forwarder).
+A **CRE report** is a DON-signed package your workflow creates with `runtime.report()` (TypeScript) or `runtime.GenerateReport()` (Go). It contains your encoded payload, workflow metadata, and cryptographic signatures.
+
+Most secure HTTP integrations involve two parties:
+
+**Sender workflow (CRE):** runs on a schedule or trigger, does your logic, then creates and ships the report:
+
+1. Run business logic and encode your payload.
+2. Call `runtime.report()` / `GenerateReport()` so the DON signs the report.
+3. Call `sendReport()` to POST the report to your URL.
+
+**Receiver:** a separate system that gets that HTTP POST (your API, or another CRE workflow with an HTTP trigger):
+
+4. Verify signatures with `Report.parse()` / `ParseReport()`, then use the payload. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain).
+
+The sender **creates** the report in step 2; you do not fetch it from somewhere else first. The receiver **must** verify before trusting the data: the sender does not do that for you.
 
 ## Guides
 
diff --git a/src/content/cre/guides/workflow/using-http-client/submitting-reports-http-go.mdx b/src/content/cre/guides/workflow/using-http-client/submitting-reports-http-go.mdx
index 020b911d58c..b1623ea0062 100644
--- a/src/content/cre/guides/workflow/using-http-client/submitting-reports-http-go.mdx
+++ b/src/content/cre/guides/workflow/using-http-client/submitting-reports-http-go.mdx
@@ -27,21 +27,21 @@ This guide is for the **sender** side: a CRE workflow that **creates** a signed
 
 ## Where this guide fits
 
-| Question                    | Answer                                                                                                                                                                     |
-| --------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| What is the report?         | Output of `runtime.GenerateReport()` after your workflow DON reaches consensus: encoded payload + metadata + signatures. Not a Data Streams report.                        |
-| Where does it come from?    | **Inside this workflow**—after your logic runs (fetch data, compute, encode). There is no separate "get report" step.                                                      |
-| What does this guide cover? | Steps 2–3: generate the report, then `SendReport()` to your API.                                                                                                           |
-| Who verifies it?            | The **receiver**—your HTTP service or a separate CRE workflow. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go). |
+| Question                    | Answer                                                                                                                                                                      |
+| --------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| What is the report?         | Output of `runtime.GenerateReport()` after your workflow DON reaches consensus: encoded payload + metadata + signatures.                                                    |
+| Where does it come from?    | **Inside this workflow:** after your logic runs (fetch data, compute, encode). There is no separate "get report" step.                                                      |
+| What does this guide cover? | Steps 3–4 below: `GenerateReport()`, then `SendReport()` to your API. Steps 1–2 (trigger and your callback logic) are prerequisites, not the focus here.                    |
+| Who verifies it?            | The **receiver:** your HTTP service or a separate CRE workflow. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go). |
 
 **Sender flow in one workflow execution:**
 
 1. Trigger fires (cron, HTTP, …).
 2. Your callback runs (API calls, encoding, etc.).
-3. `runtime.GenerateReport()` — DON produces a signed `sdk.ReportResponse`.
-4. `SendReport()` — format and POST to your URL.
+3. `runtime.GenerateReport()`: DON produces a signed `sdk.ReportResponse`.
+4. `SendReport()`: format and POST to your URL.
 
-For a conceptual overview and diagram, see [API Interactions — CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
+For a conceptual overview, see [API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
 
 ## Prerequisites
 
@@ -564,7 +564,7 @@ func onCronTrigger(config *Config, runtime cre.Runtime, trigger *cron.Payload) (
 
 1. **Always use `CacheSettings`**: Include caching in every transformation function to prevent worst-case duplicate submission scenarios
 1. **Implement API-side deduplication**: Your receiving API must implement deduplication using the **hash of the report** (`keccak256(RawReport)`) to detect and reject duplicate submissions
-1. **Verify on the receiver**: The sender does not validate the report—your API or a [receiver CRE workflow](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go) must verify before trusting payload data
+1. **Verify on the receiver**: The sender does not validate the report; your API or a [receiver CRE workflow](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go) must verify before trusting payload data
 1. **Match your API's format exactly**: Study your API's documentation to understand the expected format (binary, JSON, headers, etc.)
 1. **Handle errors gracefully**: Check HTTP status codes and provide meaningful error messages
 
@@ -588,10 +588,10 @@ func onCronTrigger(config *Config, runtime cre.Runtime, trigger *cron.Payload) (
 
 ## Learn more
 
-- **[API Interactions — CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http)** — Sender → receiver overview
-- **[Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go)** — Receiver workflow: verify before trusting payload
-- **[HTTP Client SDK Reference](/cre/reference/sdk/http-client)** — Complete API reference including `SendReport` and `sdk.ReportResponse`
-- **[POST Requests](/cre/guides/workflow/using-http-client/post-request)** — Learn about HTTP request patterns and caching
-- **[Generating Reports: Single Values](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values)** — How to create reports from single values
-- **[Generating Reports: Structs](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-structs)** — How to create reports from struct data
-- **[Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain)** — Alternative: Submit reports to smart contracts instead of HTTP
+- **[API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http):** sender → receiver overview
+- **[Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go):** receiver workflow; verify before trusting payload
+- **[HTTP Client SDK Reference](/cre/reference/sdk/http-client):** complete API reference including `SendReport` and `sdk.ReportResponse`
+- **[POST Requests](/cre/guides/workflow/using-http-client/post-request):** HTTP request patterns and caching
+- **[Generating Reports: Single Values](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values):** create reports from single values
+- **[Generating Reports: Structs](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-structs):** create reports from struct data
+- **[Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain):** submit reports to smart contracts instead of HTTP
diff --git a/src/content/cre/guides/workflow/using-http-client/submitting-reports-http-ts.mdx b/src/content/cre/guides/workflow/using-http-client/submitting-reports-http-ts.mdx
index 726506c3561..bea10b2d3f8 100644
--- a/src/content/cre/guides/workflow/using-http-client/submitting-reports-http-ts.mdx
+++ b/src/content/cre/guides/workflow/using-http-client/submitting-reports-http-ts.mdx
@@ -27,21 +27,21 @@ This guide is for the **sender** side: a CRE workflow that **creates** a signed
 
 ## Where this guide fits
 
-| Question                    | Answer                                                                                                                                                                     |
-| --------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| What is the report?         | Output of `runtime.report()` after your workflow DON reaches consensus: encoded payload + metadata + signatures. Not a Data Streams report.                                |
-| Where does it come from?    | **Inside this workflow**—after your logic runs (fetch data, compute, encode). There is no separate "get report" step.                                                      |
-| What does this guide cover? | Steps 2–3: generate the report, then `sendReport()` to your API.                                                                                                           |
-| Who verifies it?            | The **receiver**—your HTTP service or a separate CRE workflow. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts). |
+| Question                    | Answer                                                                                                                                                                      |
+| --------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| What is the report?         | Output of `runtime.report()` after your workflow DON reaches consensus: encoded payload + metadata + signatures.                                                            |
+| Where does it come from?    | **Inside this workflow:** after your logic runs (fetch data, compute, encode). There is no separate "get report" step.                                                      |
+| What does this guide cover? | Steps 3–4 below: `runtime.report()`, then `sendReport()` to your API. Steps 1–2 (trigger and your callback logic) are prerequisites, not the focus here.                    |
+| Who verifies it?            | The **receiver:** your HTTP service or a separate CRE workflow. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts). |
 
 **Sender flow in one workflow execution:**
 
 1. Trigger fires (cron, HTTP, …).
 2. Your callback runs (API calls, encoding, etc.).
-3. `runtime.report()` — DON produces a signed `ReportResponse`.
-4. `sendReport()` — format and POST to your URL.
+3. `runtime.report()`: DON produces a signed `ReportResponse`.
+4. `sendReport()`: format and POST to your URL.
 
-For a conceptual overview and diagram, see [API Interactions — CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
+For a conceptual overview, see [API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
 
 ## Prerequisites
 
@@ -578,7 +578,7 @@ const onCronTrigger = (runtime: Runtime<Config>): MyResult => {
 
 1. **Always use `cacheSettings`**: Include caching in every transformation function to prevent worst-case duplicate submission scenarios
 1. **Implement API-side deduplication**: Your receiving API must implement deduplication using the **hash of the report** (`keccak256(rawReport)`) to detect and reject duplicate submissions
-1. **Verify on the receiver**: The sender does not validate the report—your API or a [receiver CRE workflow](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts) must verify before trusting payload data
+1. **Verify on the receiver**: The sender does not validate the report; your API or a [receiver CRE workflow](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts) must verify before trusting payload data
 1. **Match your API's format exactly**: Study your API's documentation to understand the expected format (binary, JSON, headers, etc.)
 1. **Handle errors gracefully**: Check HTTP status codes and provide meaningful error messages
 
@@ -602,9 +602,9 @@ const onCronTrigger = (runtime: Runtime<Config>): MyResult => {
 
 ## Learn more
 
-- **[API Interactions — CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http)** — Sender → receiver overview
-- **[Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts)** — Receiver workflow: verify before trusting payload
-- **[HTTP Client SDK Reference](/cre/reference/sdk/http-client-ts)** — Complete API reference including `sendReport()` and `ReportResponse`
-- **[POST Requests](/cre/guides/workflow/using-http-client/post-request)** — Learn about HTTP request patterns and caching
-- **[Writing Data Onchain](/cre/guides/workflow/using-evm-client/onchain-write/writing-data-onchain)** — Detailed guide on encoding single values, structs, and complex types using Viem
-- **[Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain)** — Alternative: Submit reports to smart contracts instead of HTTP
+- **[API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http):** sender → receiver overview
+- **[Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts):** receiver workflow; verify before trusting payload
+- **[HTTP Client SDK Reference](/cre/reference/sdk/http-client-ts):** complete API reference including `sendReport()` and `ReportResponse`
+- **[POST Requests](/cre/guides/workflow/using-http-client/post-request):** HTTP request patterns and caching
+- **[Writing Data Onchain](/cre/guides/workflow/using-evm-client/onchain-write/writing-data-onchain):** encoding single values, structs, and complex types using Viem
+- **[Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain):** submit reports to smart contracts instead of HTTP
diff --git a/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-go.mdx b/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-go.mdx
index 24e90663a0f..bb3c57448e2 100644
--- a/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-go.mdx
+++ b/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-go.mdx
@@ -30,21 +30,21 @@ The CRE SDK provides `cre.ParseReport()` to do this inside a workflow. Verificat
 
 ## Where this guide fits
 
-| Question                     | Answer                                                                                                                                                                                                                        |
-| ---------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| What is the report?          | Same CRE report the **sender** created with `runtime.GenerateReport()`—not a Data Streams report. See [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go#where-this-guide-fits). |
-| Where does it come from?     | Another workflow (or system) already ran sender steps: logic → `GenerateReport()` → HTTP POST. You receive `rawReport`, `context`, and `signatures` in the request body.                                                      |
-| What does this guide cover?  | Step 4: `cre.ParseReport()` before you use `Body()` or take side effects.                                                                                                                                                     |
-| Same workflow as the sender? | Often **no**—common pattern is Workflow A (publish) and Workflow B (ingest with HTTP trigger).                                                                                                                                |
+| Question                     | Answer                                                                                                                                                                                              |
+| ---------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| What is the report?          | Same CRE report the **sender** created with `runtime.GenerateReport()`. See [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go#where-this-guide-fits). |
+| Where does it come from?     | Another workflow (or system) already ran sender steps: logic → `GenerateReport()` → HTTP POST. You receive `rawReport`, `context`, and `signatures` in the request body.                            |
+| What does this guide cover?  | Step 3 below: `cre.ParseReport()` before you use `Body()` or take side effects.                                                                                                                     |
+| Same workflow as the sender? | Often **no:** common pattern is Workflow A (publish) and Workflow B (ingest with HTTP trigger).                                                                                                     |
 
 **Receiver flow:**
 
 1. HTTP trigger (or your API) receives the POST payload.
 2. Decode hex fields into bytes.
-3. `cre.ParseReport()` — verify signatures and read metadata.
+3. `cre.ParseReport()`: verify signatures and read metadata.
 4. Use trusted `Body()` in your logic.
 
-For the full sender → receiver diagram, see [API Interactions — CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
+For the full sender → receiver overview, see [API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
 
 ## What you'll learn
 
@@ -200,7 +200,7 @@ The `reportContext` layout used by the SDK:
 
 ## API reference
 
-See [SDK Reference: Core — Report verification](/cre/reference/sdk/core-go#report-verification) for full signatures, types, and errors.
+See [SDK Reference: Core: Report verification](/cre/reference/sdk/core-go#report-verification) for full signatures, types, and errors.
 
 ### `cre.ParseReport()`
 
@@ -292,9 +292,9 @@ if err := report.VerifySignatures(runtime); err != nil {
 
 ## Learn more
 
-- **[API Interactions — CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http)** — Sender → receiver overview
-- **[Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go)** — Sender workflow: create and POST the report
-- **[SDK Reference: Core — Report verification](/cre/reference/sdk/core-go#report-verification)** — `ParseReport`, `Report`, and `ReportParseConfig`
-- **[HTTP Trigger Overview](/cre/guides/workflow/using-triggers/http-trigger/overview-go)** — Trigger deployed receiver workflows
-- **[Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain)** — Onchain forwarder verification path
-- **[Building Consumer Contracts](/cre/guides/workflow/using-evm-client/onchain-write/building-consumer-contracts)** — Permissioning `onReport` with workflow metadata
+- **[API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http):** sender → receiver overview
+- **[Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go):** sender workflow; create and POST the report
+- **[SDK Reference: Core: Report verification](/cre/reference/sdk/core-go#report-verification):** `ParseReport`, `Report`, and `ReportParseConfig`
+- **[HTTP Trigger Overview](/cre/guides/workflow/using-triggers/http-trigger/overview-go):** trigger deployed receiver workflows
+- **[Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain):** onchain forwarder verification path
+- **[Building Consumer Contracts](/cre/guides/workflow/using-evm-client/onchain-write/building-consumer-contracts):** permissioning `onReport` with workflow metadata
diff --git a/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts.mdx b/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts.mdx
index 4aa4f3e519c..527b62c849b 100644
--- a/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts.mdx
+++ b/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts.mdx
@@ -25,26 +25,26 @@ The CRE SDK provides `Report.parse()` to do this inside a workflow. Verification
 
 {/* prettier-ignore */}
 <Aside type="note" title="Onchain verification is different">
-  When you submit reports onchain through the `KeystoneForwarder`, the forwarder contract verifies signatures before calling your consumer's `onReport`. This guide covers **offchain** verification for HTTP and custom ingest paths. See [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain-ts).
+  When you submit reports onchain through the `KeystoneForwarder`, the forwarder contract verifies signatures before calling your consumer's `onReport`. This guide covers **offchain** verification for HTTP and custom ingest paths. See [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain).
 </Aside>
 
 ## Where this guide fits
 
-| Question                     | Answer                                                                                                                                                                                                                |
-| ---------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| What is the report?          | Same CRE report the **sender** created with `runtime.report()`—not a Data Streams report. See [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#where-this-guide-fits). |
-| Where does it come from?     | Another workflow (or system) already ran sender steps: logic → `runtime.report()` → HTTP POST. You receive `rawReport`, `context`, and `signatures` in the request body.                                              |
-| What does this guide cover?  | Step 4: `Report.parse()` before you use `body()` or take side effects.                                                                                                                                                |
-| Same workflow as the sender? | Often **no**—common pattern is Workflow A (publish) and Workflow B (ingest with HTTP trigger).                                                                                                                        |
+| Question                     | Answer                                                                                                                                                                                      |
+| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| What is the report?          | Same CRE report the **sender** created with `runtime.report()`. See [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#where-this-guide-fits). |
+| Where does it come from?     | Another workflow (or system) already ran sender steps: logic → `runtime.report()` → HTTP POST. You receive `rawReport`, `context`, and `signatures` in the request body.                    |
+| What does this guide cover?  | Step 3 below: `Report.parse()` before you use `body()` or take side effects.                                                                                                                |
+| Same workflow as the sender? | Often **no:** common pattern is Workflow A (publish) and Workflow B (ingest with HTTP trigger).                                                                                             |
 
 **Receiver flow:**
 
 1. HTTP trigger (or your API) receives the POST payload.
 2. Decode hex fields into bytes.
-3. `Report.parse()` — verify signatures and read metadata.
+3. `Report.parse()`: verify signatures and read metadata.
 4. Use trusted `body()` in your logic.
 
-For the full sender → receiver diagram, see [API Interactions — CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
+For the full sender → receiver overview, see [API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
 
 ## What you'll learn
 
@@ -169,7 +169,7 @@ The `reportContext` layout used by the SDK:
 
 ## API reference
 
-See [SDK Reference: Core — Report verification](/cre/reference/sdk/core-ts#report-verification) for full signatures, types, and configuration.
+See [SDK Reference: Core: Report verification](/cre/reference/sdk/core-ts#report-verification) for full signatures, types, and configuration.
 
 ### `Report.parse()`
 
@@ -213,11 +213,11 @@ const config: ReportParseConfig = {
 }
 ```
 
-| Option                      | Description                                                                                                                                                                                                                                                               |
-| --------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `acceptedEnvironments`      | Registry environments to check (defaults to production)                                                                                                                                                                                                                   |
-| `acceptedZones`             | Restrict to specific DON IDs within an environment                                                                                                                                                                                                                        |
-| `skipSignatureVerification` | Parse metadata only, without registry reads or signature checks. Use only for testing or when another layer verifies signatures. There is no separate `verifySignatures()` on `Report` in TypeScript—call `Report.parse()` without this flag for production verification. |
+| Option                      | Description                                                                                                                                                                                                                                                                |
+| --------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `acceptedEnvironments`      | Registry environments to check (defaults to production)                                                                                                                                                                                                                    |
+| `acceptedZones`             | Restrict to specific DON IDs within an environment                                                                                                                                                                                                                         |
+| `skipSignatureVerification` | Parse metadata only, without registry reads or signature checks. Use only for testing or when another layer verifies signatures. There is no separate `verifySignatures()` on `Report` in TypeScript; call `Report.parse()` without this flag for production verification. |
 
 Most workflows should use the default config (production environment only).
 
@@ -249,9 +249,9 @@ Most workflows should use the default config (production environment only).
 
 ## Learn more
 
-- **[API Interactions — CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http)** — Sender → receiver overview
-- **[Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts)** — Sender workflow: create and POST the report
-- **[SDK Reference: Core — Report verification](/cre/reference/sdk/core-ts#report-verification)** — `Report.parse`, accessors, and `ReportParseConfig`
-- **[HTTP Trigger Overview](/cre/guides/workflow/using-triggers/http-trigger/overview-ts)** — Trigger deployed receiver workflows
-- **[Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain-ts)** — Onchain forwarder verification path
-- **[Building Consumer Contracts](/cre/guides/workflow/using-evm-client/onchain-write/building-consumer-contracts-ts)** — Permissioning `onReport` with workflow metadata
+- **[API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http):** sender → receiver overview
+- **[Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts):** sender workflow; create and POST the report
+- **[SDK Reference: Core: Report verification](/cre/reference/sdk/core-ts#report-verification):** `Report.parse`, accessors, and `ReportParseConfig`
+- **[HTTP Trigger Overview](/cre/guides/workflow/using-triggers/http-trigger/overview-ts):** trigger deployed receiver workflows
+- **[Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain):** onchain forwarder verification path
+- **[Building Consumer Contracts](/cre/guides/workflow/using-evm-client/onchain-write/building-consumer-contracts):** permissioning `onReport` with workflow metadata
diff --git a/src/content/cre/llms-full-go.txt b/src/content/cre/llms-full-go.txt
index 311ef505e98..6cf2d2d57a0 100644
--- a/src/content/cre/llms-full-go.txt
+++ b/src/content/cre/llms-full-go.txt
@@ -3770,9 +3770,9 @@ writePromise := reserveManager.WriteReportFromUpdateReserves(runtime, updateData
 Source: https://docs.chain.link/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values
 Last Updated: 2025-11-04
 
-This guide shows how to manually generate a **CRE report** containing a single value (like `uint256`, `address`, or `bool`). A CRE report is a DON-signed package from `runtime.GenerateReport()` / `runtime.report()`—your encoded data plus workflow metadata and signatures. It is **not** a [Data Streams](/data-streams) report.
+This guide shows how to manually generate a **CRE report** containing a single value (like `uint256`, `address`, or `bool`). A CRE report is a DON-signed package from `runtime.GenerateReport()` / `runtime.report()`: your encoded data plus workflow metadata and signatures.
 
-This guide covers **creating** the report (step 2 in the sender flow). **Delivering** it is a separate step—see the table below.
+This guide covers **creating** the signed report (`GenerateReport()` / `runtime.report()`). **Delivering** it is a separate step: see the table below.
 
 **Use this approach when:**
 
@@ -3797,7 +3797,7 @@ Manually generating a report for a single value involves two main steps:
 | `evm.Client.WriteReport()` / `writeReport()` | [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain) | `KeystoneForwarder` onchain                                                                                               |
 | `http.Client` `SendReport()`                 | [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http)                | Receiver: [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain) or your API |
 
-See [API Interactions — CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http) for the sender → receiver mental model.
+See [API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http) for the sender → receiver mental model.
 
 <Aside type="note" title="Have a struct in your contract's ABI?">
   If your struct appears in a public/external function's signature, you can use the simpler `WriteReportFrom<StructName>()` helper instead. See [Using WriteReportFrom Helpers](/cre/guides/workflow/using-evm-client/onchain-write/using-write-report-helpers).
@@ -4036,7 +4036,7 @@ func main() {
 Source: https://docs.chain.link/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-structs
 Last Updated: 2025-11-04
 
-This guide shows how to generate a **CRE report** containing a struct with multiple fields. A CRE report is a DON-signed package from `runtime.GenerateReport()`—not a [Data Streams](/data-streams) report. After generation, deliver it [onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain) or via [HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http); HTTP receivers should [verify offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain). See [CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
+This guide shows how to generate a **CRE report** containing a struct with multiple fields. A CRE report is a DON-signed package from `runtime.GenerateReport()`. After generation, deliver it [onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain) or via [HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http); HTTP receivers should [verify offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain). See [API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
 
 There are two encoding approaches depending on whether you have generated bindings for your contract.
 
@@ -4414,11 +4414,11 @@ func main() {
 Source: https://docs.chain.link/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain
 Last Updated: 2025-11-04
 
-This guide shows how to manually submit a generated **CRE report** to the blockchain using the low-level `evm.Client.WriteReport()` method. The forwarder verifies signatures onchain—no separate [offchain verification](/cre/guides/workflow/using-http-client/verifying-reports-offchain) step.
+This guide shows how to manually submit a generated **CRE report** to the blockchain using the low-level `evm.Client.WriteReport()` method. The forwarder verifies signatures onchain: no separate [offchain verification](/cre/guides/workflow/using-http-client/verifying-reports-offchain) step.
 
 
 <Aside type="note" title="HTTP delivery instead?">
-  If you need to POST the report to an API rather than a contract, generate the report the same way ([single values](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values) or [structs](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-structs)), then follow [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http). See [CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
+  If you need to POST the report to an API rather than a contract, generate the report the same way ([single values](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values) or [structs](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-structs)), then follow [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http). See [API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
 </Aside>
 
 **Use this approach when:**
@@ -4739,31 +4739,21 @@ These guides will walk you through the common use cases for the HTTP client.
 
 ## CRE reports over HTTP
 
-A **CRE report** is a DON-signed package your workflow creates with `runtime.report()` (TypeScript) or `runtime.GenerateReport()` (Go). It contains your encoded payload, workflow metadata, and cryptographic signatures. It is **not** a [Data Streams](/data-streams) report—those come from a different product.
+A **CRE report** is a DON-signed package your workflow creates with `runtime.report()` (TypeScript) or `runtime.GenerateReport()` (Go). It contains your encoded payload, workflow metadata, and cryptographic signatures.
 
-Most secure HTTP integrations use two roles:
+Most secure HTTP integrations involve two parties:
 
-```mermaid
-flowchart LR
-  subgraph sender ["Sender workflow (this guide's focus)"]
-    A[Trigger] --> B[Your logic]
-    B --> C["runtime.report()"]
-    C --> D["sendReport() → HTTP POST"]
-  end
-  subgraph receiver ["Receiver (separate system)"]
-    D --> E[Your API or CRE HTTP trigger]
-    E --> F["Report.parse() before trusting data"]
-  end
-```
+**Sender workflow (CRE):** runs on a schedule or trigger, does your logic, then creates and ships the report:
+
+1. Run business logic and encode your payload.
+2. Call `runtime.report()` / `GenerateReport()` so the DON signs the report.
+3. Call `sendReport()` to POST the report to your URL.
+
+**Receiver:** a separate system that gets that HTTP POST (your API, or another CRE workflow with an HTTP trigger):
 
-| Step | Who                       | What happens                                                                                                                                  |
-| ---- | ------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
-| 1    | **Sender** (CRE workflow) | Run business logic, encode payload                                                                                                            |
-| 2    | **Sender**                | `runtime.report()` — DON agrees and signs                                                                                                     |
-| 3    | **Sender**                | `sendReport()` — POST report bytes to your URL                                                                                                |
-| 4    | **Receiver**              | Verify signatures, then use payload — see [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain) |
+4. Verify signatures with `Report.parse()` / `ParseReport()`, then use the payload. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain).
 
-You do **not** download a report from elsewhere before submitting. The sender workflow **creates** it in step 2. Validation always happens on the **receiver** side (CRE workflow, your API, or an onchain forwarder).
+The sender **creates** the report in step 2; you do not fetch it from somewhere else first. The receiver **must** verify before trusting the data: the sender does not do that for you.
 
 ## Guides
 
@@ -14280,7 +14270,7 @@ The same signed report from `runtime.GenerateReport()` can be delivered in diffe
 | Smart contract (via Forwarder) | This section + [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain) | Onchain in `KeystoneForwarder`                                                                                         |
 | HTTP API                       | [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go)                            | [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go) on the receiver |
 
-See [CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http) for the sender → receiver flow. CRE reports are not [Data Streams](/data-streams) reports.
+See [API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http) for the sender → receiver flow.
 
 
 <Aside type="caution" title="Replay attacks">
@@ -15329,21 +15319,21 @@ This guide is for the **sender** side: a CRE workflow that **creates** a signed
 
 ## Where this guide fits
 
-| Question                    | Answer                                                                                                                                                                     |
-| --------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| What is the report?         | Output of `runtime.GenerateReport()` after your workflow DON reaches consensus: encoded payload + metadata + signatures. Not a Data Streams report.                        |
-| Where does it come from?    | **Inside this workflow**—after your logic runs (fetch data, compute, encode). There is no separate "get report" step.                                                      |
-| What does this guide cover? | Steps 2–3: generate the report, then `SendReport()` to your API.                                                                                                           |
-| Who verifies it?            | The **receiver**—your HTTP service or a separate CRE workflow. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go). |
+| Question                    | Answer                                                                                                                                                                      |
+| --------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| What is the report?         | Output of `runtime.GenerateReport()` after your workflow DON reaches consensus: encoded payload + metadata + signatures.                                                    |
+| Where does it come from?    | **Inside this workflow:** after your logic runs (fetch data, compute, encode). There is no separate "get report" step.                                                      |
+| What does this guide cover? | Steps 3–4 below: `GenerateReport()`, then `SendReport()` to your API. Steps 1–2 (trigger and your callback logic) are prerequisites, not the focus here.                    |
+| Who verifies it?            | The **receiver:** your HTTP service or a separate CRE workflow. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go). |
 
 **Sender flow in one workflow execution:**
 
 1. Trigger fires (cron, HTTP, …).
 2. Your callback runs (API calls, encoding, etc.).
-3. `runtime.GenerateReport()` — DON produces a signed `sdk.ReportResponse`.
-4. `SendReport()` — format and POST to your URL.
+3. `runtime.GenerateReport()`: DON produces a signed `sdk.ReportResponse`.
+4. `SendReport()`: format and POST to your URL.
 
-For a conceptual overview and diagram, see [API Interactions — CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
+For a conceptual overview, see [API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
 
 ## Prerequisites
 
@@ -15866,7 +15856,7 @@ func onCronTrigger(config *Config, runtime cre.Runtime, trigger *cron.Payload) (
 
 1. **Always use `CacheSettings`**: Include caching in every transformation function to prevent worst-case duplicate submission scenarios
 2. **Implement API-side deduplication**: Your receiving API must implement deduplication using the **hash of the report** (`keccak256(RawReport)`) to detect and reject duplicate submissions
-3. **Verify on the receiver**: The sender does not validate the report—your API or a [receiver CRE workflow](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go) must verify before trusting payload data
+3. **Verify on the receiver**: The sender does not validate the report; your API or a [receiver CRE workflow](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go) must verify before trusting payload data
 4. **Match your API's format exactly**: Study your API's documentation to understand the expected format (binary, JSON, headers, etc.)
 5. **Handle errors gracefully**: Check HTTP status codes and provide meaningful error messages
 
@@ -15890,13 +15880,13 @@ func onCronTrigger(config *Config, runtime cre.Runtime, trigger *cron.Payload) (
 
 ## Learn more
 
-- **[API Interactions — CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http)** — Sender → receiver overview
-- **[Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go)** — Receiver workflow: verify before trusting payload
-- **[HTTP Client SDK Reference](/cre/reference/sdk/http-client)** — Complete API reference including `SendReport` and `sdk.ReportResponse`
-- **[POST Requests](/cre/guides/workflow/using-http-client/post-request)** — Learn about HTTP request patterns and caching
-- **[Generating Reports: Single Values](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values)** — How to create reports from single values
-- **[Generating Reports: Structs](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-structs)** — How to create reports from struct data
-- **[Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain)** — Alternative: Submit reports to smart contracts instead of HTTP
+- **[API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http):** sender → receiver overview
+- **[Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go):** receiver workflow; verify before trusting payload
+- **[HTTP Client SDK Reference](/cre/reference/sdk/http-client):** complete API reference including `SendReport` and `sdk.ReportResponse`
+- **[POST Requests](/cre/guides/workflow/using-http-client/post-request):** HTTP request patterns and caching
+- **[Generating Reports: Single Values](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values):** create reports from single values
+- **[Generating Reports: Structs](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-structs):** create reports from struct data
+- **[Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain):** submit reports to smart contracts instead of HTTP
 
 ---
 
@@ -15922,21 +15912,21 @@ The CRE SDK provides `cre.ParseReport()` to do this inside a workflow. Verificat
 
 ## Where this guide fits
 
-| Question                     | Answer                                                                                                                                                                                                                        |
-| ---------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| What is the report?          | Same CRE report the **sender** created with `runtime.GenerateReport()`—not a Data Streams report. See [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go#where-this-guide-fits). |
-| Where does it come from?     | Another workflow (or system) already ran sender steps: logic → `GenerateReport()` → HTTP POST. You receive `rawReport`, `context`, and `signatures` in the request body.                                                      |
-| What does this guide cover?  | Step 4: `cre.ParseReport()` before you use `Body()` or take side effects.                                                                                                                                                     |
-| Same workflow as the sender? | Often **no**—common pattern is Workflow A (publish) and Workflow B (ingest with HTTP trigger).                                                                                                                                |
+| Question                     | Answer                                                                                                                                                                                              |
+| ---------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| What is the report?          | Same CRE report the **sender** created with `runtime.GenerateReport()`. See [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go#where-this-guide-fits). |
+| Where does it come from?     | Another workflow (or system) already ran sender steps: logic → `GenerateReport()` → HTTP POST. You receive `rawReport`, `context`, and `signatures` in the request body.                            |
+| What does this guide cover?  | Step 3 below: `cre.ParseReport()` before you use `Body()` or take side effects.                                                                                                                     |
+| Same workflow as the sender? | Often **no:** common pattern is Workflow A (publish) and Workflow B (ingest with HTTP trigger).                                                                                                     |
 
 **Receiver flow:**
 
 1. HTTP trigger (or your API) receives the POST payload.
 2. Decode hex fields into bytes.
-3. `cre.ParseReport()` — verify signatures and read metadata.
+3. `cre.ParseReport()`: verify signatures and read metadata.
 4. Use trusted `Body()` in your logic.
 
-For the full sender → receiver diagram, see [API Interactions — CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
+For the full sender → receiver overview, see [API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
 
 ## What you'll learn
 
@@ -16092,7 +16082,7 @@ The `reportContext` layout used by the SDK:
 
 ## API reference
 
-See [SDK Reference: Core — Report verification](/cre/reference/sdk/core-go#report-verification) for full signatures, types, and errors.
+See [SDK Reference: Core: Report verification](/cre/reference/sdk/core-go#report-verification) for full signatures, types, and errors.
 
 ### `cre.ParseReport()`
 
@@ -16184,12 +16174,12 @@ if err := report.VerifySignatures(runtime); err != nil {
 
 ## Learn more
 
-- **[API Interactions — CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http)** — Sender → receiver overview
-- **[Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go)** — Sender workflow: create and POST the report
-- **[SDK Reference: Core — Report verification](/cre/reference/sdk/core-go#report-verification)** — `ParseReport`, `Report`, and `ReportParseConfig`
-- **[HTTP Trigger Overview](/cre/guides/workflow/using-triggers/http-trigger/overview-go)** — Trigger deployed receiver workflows
-- **[Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain)** — Onchain forwarder verification path
-- **[Building Consumer Contracts](/cre/guides/workflow/using-evm-client/onchain-write/building-consumer-contracts)** — Permissioning `onReport` with workflow metadata
+- **[API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http):** sender → receiver overview
+- **[Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go):** sender workflow; create and POST the report
+- **[SDK Reference: Core: Report verification](/cre/reference/sdk/core-go#report-verification):** `ParseReport`, `Report`, and `ReportParseConfig`
+- **[HTTP Trigger Overview](/cre/guides/workflow/using-triggers/http-trigger/overview-go):** trigger deployed receiver workflows
+- **[Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain):** onchain forwarder verification path
+- **[Building Consumer Contracts](/cre/guides/workflow/using-evm-client/onchain-write/building-consumer-contracts):** permissioning `onReport` with workflow metadata
 
 ---
 
diff --git a/src/content/cre/llms-full-ts.txt b/src/content/cre/llms-full-ts.txt
index 81209ecf093..ad43a88111f 100644
--- a/src/content/cre/llms-full-ts.txt
+++ b/src/content/cre/llms-full-ts.txt
@@ -4048,31 +4048,21 @@ These guides will walk you through the common use cases for the HTTP client.
 
 ## CRE reports over HTTP
 
-A **CRE report** is a DON-signed package your workflow creates with `runtime.report()` (TypeScript) or `runtime.GenerateReport()` (Go). It contains your encoded payload, workflow metadata, and cryptographic signatures. It is **not** a [Data Streams](/data-streams) report—those come from a different product.
+A **CRE report** is a DON-signed package your workflow creates with `runtime.report()` (TypeScript) or `runtime.GenerateReport()` (Go). It contains your encoded payload, workflow metadata, and cryptographic signatures.
 
-Most secure HTTP integrations use two roles:
+Most secure HTTP integrations involve two parties:
 
-```mermaid
-flowchart LR
-  subgraph sender ["Sender workflow (this guide's focus)"]
-    A[Trigger] --> B[Your logic]
-    B --> C["runtime.report()"]
-    C --> D["sendReport() → HTTP POST"]
-  end
-  subgraph receiver ["Receiver (separate system)"]
-    D --> E[Your API or CRE HTTP trigger]
-    E --> F["Report.parse() before trusting data"]
-  end
-```
+**Sender workflow (CRE):** runs on a schedule or trigger, does your logic, then creates and ships the report:
+
+1. Run business logic and encode your payload.
+2. Call `runtime.report()` / `GenerateReport()` so the DON signs the report.
+3. Call `sendReport()` to POST the report to your URL.
+
+**Receiver:** a separate system that gets that HTTP POST (your API, or another CRE workflow with an HTTP trigger):
 
-| Step | Who                       | What happens                                                                                                                                  |
-| ---- | ------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
-| 1    | **Sender** (CRE workflow) | Run business logic, encode payload                                                                                                            |
-| 2    | **Sender**                | `runtime.report()` — DON agrees and signs                                                                                                     |
-| 3    | **Sender**                | `sendReport()` — POST report bytes to your URL                                                                                                |
-| 4    | **Receiver**              | Verify signatures, then use payload — see [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain) |
+4. Verify signatures with `Report.parse()` / `ParseReport()`, then use the payload. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain).
 
-You do **not** download a report from elsewhere before submitting. The sender workflow **creates** it in step 2. Validation always happens on the **receiver** side (CRE workflow, your API, or an onchain forwarder).
+The sender **creates** the report in step 2; you do not fetch it from somewhere else first. The receiver **must** verify before trusting the data: the sender does not do that for you.
 
 ## Guides
 
@@ -14026,7 +14016,7 @@ The same signed report from `runtime.report()` can be delivered in different way
 | Smart contract (via Forwarder) | This section + [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain) | Onchain in `KeystoneForwarder`                                                                                         |
 | HTTP API                       | [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts)                            | [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts) on the receiver |
 
-See [CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http) for the sender → receiver flow. CRE reports are not [Data Streams](/data-streams) reports.
+See [API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http) for the sender → receiver flow.
 
 ## What you need: A consumer contract
 
@@ -15034,21 +15024,21 @@ This guide is for the **sender** side: a CRE workflow that **creates** a signed
 
 ## Where this guide fits
 
-| Question                    | Answer                                                                                                                                                                     |
-| --------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| What is the report?         | Output of `runtime.report()` after your workflow DON reaches consensus: encoded payload + metadata + signatures. Not a Data Streams report.                                |
-| Where does it come from?    | **Inside this workflow**—after your logic runs (fetch data, compute, encode). There is no separate "get report" step.                                                      |
-| What does this guide cover? | Steps 2–3: generate the report, then `sendReport()` to your API.                                                                                                           |
-| Who verifies it?            | The **receiver**—your HTTP service or a separate CRE workflow. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts). |
+| Question                    | Answer                                                                                                                                                                      |
+| --------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| What is the report?         | Output of `runtime.report()` after your workflow DON reaches consensus: encoded payload + metadata + signatures.                                                            |
+| Where does it come from?    | **Inside this workflow:** after your logic runs (fetch data, compute, encode). There is no separate "get report" step.                                                      |
+| What does this guide cover? | Steps 3–4 below: `runtime.report()`, then `sendReport()` to your API. Steps 1–2 (trigger and your callback logic) are prerequisites, not the focus here.                    |
+| Who verifies it?            | The **receiver:** your HTTP service or a separate CRE workflow. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts). |
 
 **Sender flow in one workflow execution:**
 
 1. Trigger fires (cron, HTTP, …).
 2. Your callback runs (API calls, encoding, etc.).
-3. `runtime.report()` — DON produces a signed `ReportResponse`.
-4. `sendReport()` — format and POST to your URL.
+3. `runtime.report()`: DON produces a signed `ReportResponse`.
+4. `sendReport()`: format and POST to your URL.
 
-For a conceptual overview and diagram, see [API Interactions — CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
+For a conceptual overview, see [API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
 
 ## Prerequisites
 
@@ -15585,7 +15575,7 @@ const onCronTrigger = (runtime: Runtime<Config>): MyResult => {
 
 1. **Always use `cacheSettings`**: Include caching in every transformation function to prevent worst-case duplicate submission scenarios
 2. **Implement API-side deduplication**: Your receiving API must implement deduplication using the **hash of the report** (`keccak256(rawReport)`) to detect and reject duplicate submissions
-3. **Verify on the receiver**: The sender does not validate the report—your API or a [receiver CRE workflow](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts) must verify before trusting payload data
+3. **Verify on the receiver**: The sender does not validate the report; your API or a [receiver CRE workflow](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts) must verify before trusting payload data
 4. **Match your API's format exactly**: Study your API's documentation to understand the expected format (binary, JSON, headers, etc.)
 5. **Handle errors gracefully**: Check HTTP status codes and provide meaningful error messages
 
@@ -15609,12 +15599,12 @@ const onCronTrigger = (runtime: Runtime<Config>): MyResult => {
 
 ## Learn more
 
-- **[API Interactions — CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http)** — Sender → receiver overview
-- **[Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts)** — Receiver workflow: verify before trusting payload
-- **[HTTP Client SDK Reference](/cre/reference/sdk/http-client-ts)** — Complete API reference including `sendReport()` and `ReportResponse`
-- **[POST Requests](/cre/guides/workflow/using-http-client/post-request)** — Learn about HTTP request patterns and caching
-- **[Writing Data Onchain](/cre/guides/workflow/using-evm-client/onchain-write/writing-data-onchain)** — Detailed guide on encoding single values, structs, and complex types using Viem
-- **[Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain)** — Alternative: Submit reports to smart contracts instead of HTTP
+- **[API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http):** sender → receiver overview
+- **[Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts):** receiver workflow; verify before trusting payload
+- **[HTTP Client SDK Reference](/cre/reference/sdk/http-client-ts):** complete API reference including `sendReport()` and `ReportResponse`
+- **[POST Requests](/cre/guides/workflow/using-http-client/post-request):** HTTP request patterns and caching
+- **[Writing Data Onchain](/cre/guides/workflow/using-evm-client/onchain-write/writing-data-onchain):** encoding single values, structs, and complex types using Viem
+- **[Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain):** submit reports to smart contracts instead of HTTP
 
 ---
 
@@ -15635,26 +15625,26 @@ The CRE SDK provides `Report.parse()` to do this inside a workflow. Verification
 
 
 <Aside type="note" title="Onchain verification is different">
-  When you submit reports onchain through the `KeystoneForwarder`, the forwarder contract verifies signatures before calling your consumer's `onReport`. This guide covers **offchain** verification for HTTP and custom ingest paths. See [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain-ts).
+  When you submit reports onchain through the `KeystoneForwarder`, the forwarder contract verifies signatures before calling your consumer's `onReport`. This guide covers **offchain** verification for HTTP and custom ingest paths. See [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain).
 </Aside>
 
 ## Where this guide fits
 
-| Question                     | Answer                                                                                                                                                                                                                |
-| ---------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| What is the report?          | Same CRE report the **sender** created with `runtime.report()`—not a Data Streams report. See [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#where-this-guide-fits). |
-| Where does it come from?     | Another workflow (or system) already ran sender steps: logic → `runtime.report()` → HTTP POST. You receive `rawReport`, `context`, and `signatures` in the request body.                                              |
-| What does this guide cover?  | Step 4: `Report.parse()` before you use `body()` or take side effects.                                                                                                                                                |
-| Same workflow as the sender? | Often **no**—common pattern is Workflow A (publish) and Workflow B (ingest with HTTP trigger).                                                                                                                        |
+| Question                     | Answer                                                                                                                                                                                      |
+| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| What is the report?          | Same CRE report the **sender** created with `runtime.report()`. See [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#where-this-guide-fits). |
+| Where does it come from?     | Another workflow (or system) already ran sender steps: logic → `runtime.report()` → HTTP POST. You receive `rawReport`, `context`, and `signatures` in the request body.                    |
+| What does this guide cover?  | Step 3 below: `Report.parse()` before you use `body()` or take side effects.                                                                                                                |
+| Same workflow as the sender? | Often **no:** common pattern is Workflow A (publish) and Workflow B (ingest with HTTP trigger).                                                                                             |
 
 **Receiver flow:**
 
 1. HTTP trigger (or your API) receives the POST payload.
 2. Decode hex fields into bytes.
-3. `Report.parse()` — verify signatures and read metadata.
+3. `Report.parse()`: verify signatures and read metadata.
 4. Use trusted `body()` in your logic.
 
-For the full sender → receiver diagram, see [API Interactions — CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
+For the full sender → receiver overview, see [API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
 
 ## What you'll learn
 
@@ -15779,7 +15769,7 @@ The `reportContext` layout used by the SDK:
 
 ## API reference
 
-See [SDK Reference: Core — Report verification](/cre/reference/sdk/core-ts#report-verification) for full signatures, types, and configuration.
+See [SDK Reference: Core: Report verification](/cre/reference/sdk/core-ts#report-verification) for full signatures, types, and configuration.
 
 ### `Report.parse()`
 
@@ -15823,11 +15813,11 @@ const config: ReportParseConfig = {
 }
 ```
 
-| Option                      | Description                                                                                                                                                                                                                                                               |
-| --------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `acceptedEnvironments`      | Registry environments to check (defaults to production)                                                                                                                                                                                                                   |
-| `acceptedZones`             | Restrict to specific DON IDs within an environment                                                                                                                                                                                                                        |
-| `skipSignatureVerification` | Parse metadata only, without registry reads or signature checks. Use only for testing or when another layer verifies signatures. There is no separate `verifySignatures()` on `Report` in TypeScript—call `Report.parse()` without this flag for production verification. |
+| Option                      | Description                                                                                                                                                                                                                                                                |
+| --------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `acceptedEnvironments`      | Registry environments to check (defaults to production)                                                                                                                                                                                                                    |
+| `acceptedZones`             | Restrict to specific DON IDs within an environment                                                                                                                                                                                                                         |
+| `skipSignatureVerification` | Parse metadata only, without registry reads or signature checks. Use only for testing or when another layer verifies signatures. There is no separate `verifySignatures()` on `Report` in TypeScript; call `Report.parse()` without this flag for production verification. |
 
 Most workflows should use the default config (production environment only).
 
@@ -15859,12 +15849,12 @@ Most workflows should use the default config (production environment only).
 
 ## Learn more
 
-- **[API Interactions — CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http)** — Sender → receiver overview
-- **[Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts)** — Sender workflow: create and POST the report
-- **[SDK Reference: Core — Report verification](/cre/reference/sdk/core-ts#report-verification)** — `Report.parse`, accessors, and `ReportParseConfig`
-- **[HTTP Trigger Overview](/cre/guides/workflow/using-triggers/http-trigger/overview-ts)** — Trigger deployed receiver workflows
-- **[Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain-ts)** — Onchain forwarder verification path
-- **[Building Consumer Contracts](/cre/guides/workflow/using-evm-client/onchain-write/building-consumer-contracts-ts)** — Permissioning `onReport` with workflow metadata
+- **[API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http):** sender → receiver overview
+- **[Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts):** sender workflow; create and POST the report
+- **[SDK Reference: Core: Report verification](/cre/reference/sdk/core-ts#report-verification):** `Report.parse`, accessors, and `ReportParseConfig`
+- **[HTTP Trigger Overview](/cre/guides/workflow/using-triggers/http-trigger/overview-ts):** trigger deployed receiver workflows
+- **[Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain):** onchain forwarder verification path
+- **[Building Consumer Contracts](/cre/guides/workflow/using-evm-client/onchain-write/building-consumer-contracts):** permissioning `onReport` with workflow metadata
 
 ---
 
@@ -19886,7 +19876,7 @@ const submitReport = (sendRequester: HTTPSendRequester, report: Report): string
 
 
 <Aside type="note" title="Receiving and verifying reports">
-  If your workflow **receives** reports (for example via an HTTP trigger), use [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) before trusting payload data—not `sendReport()`. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts).
+  If your workflow **receives** reports (for example via an HTTP trigger), use [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) before trusting payload data, not `sendReport()`. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts).
 </Aside>
 
 ## Low-level `sendRequest()`
diff --git a/src/content/cre/reference/sdk/http-client-ts.mdx b/src/content/cre/reference/sdk/http-client-ts.mdx
index 5a61a390f7b..17c5401733d 100644
--- a/src/content/cre/reference/sdk/http-client-ts.mdx
+++ b/src/content/cre/reference/sdk/http-client-ts.mdx
@@ -157,7 +157,7 @@ const submitReport = (sendRequester: HTTPSendRequester, report: Report): string
 
 {/* prettier-ignore */}
 <Aside type="note" title="Receiving and verifying reports">
-  If your workflow **receives** reports (for example via an HTTP trigger), use [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) before trusting payload data—not `sendReport()`. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts).
+  If your workflow **receives** reports (for example via an HTTP trigger), use [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) before trusting payload data, not `sendReport()`. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts).
 </Aside>
 
 ## Low-level `sendRequest()`

From 939a748fa53f93cade15887608939933d88faf3e Mon Sep 17 00:00:00 2001
From: devin distefano <devin.distefano@smartcontract.com>
Date: Wed, 20 May 2026 22:04:03 -0500
Subject: [PATCH 3/9] update after testing verification for both go and ts

---
 .../workflow/using-http-client/index.mdx      |  31 +-
 .../submitting-reports-http-go.mdx            | 130 ++++--
 .../submitting-reports-http-ts.mdx            | 212 ++++++---
 .../verifying-reports-offchain-go.mdx         | 165 ++++++-
 .../verifying-reports-offchain-ts.mdx         | 161 ++++++-
 src/content/cre/llms-full-go.txt              | 326 +++++++++++---
 src/content/cre/llms-full-ts.txt              | 404 ++++++++++++++----
 7 files changed, 1149 insertions(+), 280 deletions(-)

diff --git a/src/content/cre/guides/workflow/using-http-client/index.mdx b/src/content/cre/guides/workflow/using-http-client/index.mdx
index 37a2205ac76..e49ebb2c766 100644
--- a/src/content/cre/guides/workflow/using-http-client/index.mdx
+++ b/src/content/cre/guides/workflow/using-http-client/index.mdx
@@ -20,32 +20,23 @@ The CRE SDK provides an HTTP client that allows your workflows to interact with
 
 {/* prettier-ignore */}
 <Aside type="caution" title="Parse responses before aggregation">
-  When using a numeric aggregation method (such as `median`), always parse the HTTP response **inside** your node function and return a numeric value — never pass the raw response body to the aggregation step. If your endpoint returns an error string and your node function passes that string to a median aggregation, consensus will fail with `unsupported type for median aggregation`. See the [best practices section](/cre/guides/workflow/using-http-client/get-request#best-practices) of the GET request guide for correct and incorrect patterns.
+  When using a numeric aggregation method (such as `median`), always parse the HTTP response **inside** your node function and return a numeric value: never pass the raw response body to the aggregation step. If your endpoint returns an error string and your node function passes that string to a median aggregation, consensus will fail with `unsupported type for median aggregation`. See the [best practices section](/cre/guides/workflow/using-http-client/get-request#best-practices) of the GET request guide for correct and incorrect patterns.
 </Aside>
 
-These guides will walk you through the common use cases for the HTTP client.
+## Guides
+
+- **[Making GET Requests](/cre/guides/workflow/using-http-client/get-request)**: Learn how to fetch data from a public API using a `GET` request.
+- **[Making POST Requests](/cre/guides/workflow/using-http-client/post-request)**: Learn how to send data to an external endpoint using a `POST` request.
+- **[Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http)**: Learn how to submit cryptographically signed reports to an external HTTP endpoint.
+- **[Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain)**: Verify report signatures and read workflow metadata when receiving reports over HTTP or other offchain channels.
 
 ## CRE reports over HTTP
 
 A **CRE report** is a DON-signed package your workflow creates with `runtime.report()` (TypeScript) or `runtime.GenerateReport()` (Go). It contains your encoded payload, workflow metadata, and cryptographic signatures.
 
-Most secure HTTP integrations involve two parties:
-
-**Sender workflow (CRE):** runs on a schedule or trigger, does your logic, then creates and ships the report:
-
-1. Run business logic and encode your payload.
-2. Call `runtime.report()` / `GenerateReport()` so the DON signs the report.
-3. Call `sendReport()` to POST the report to your URL.
+A typical secure integration uses two parties:
 
-**Receiver:** a separate system that gets that HTTP POST (your API, or another CRE workflow with an HTTP trigger):
+1. **Sender:** a CRE workflow that runs your logic, signs a report, and POSTs it to a URL. See [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http).
+2. **Receiver:** your API or another CRE workflow that verifies the report before using the data. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain).
 
-4. Verify signatures with `Report.parse()` / `ParseReport()`, then use the payload. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain).
-
-The sender **creates** the report in step 2; you do not fetch it from somewhere else first. The receiver **must** verify before trusting the data: the sender does not do that for you.
-
-## Guides
-
-- **[Making GET Requests](/cre/guides/workflow/using-http-client/get-request)**: Learn how to fetch data from a public API using a `GET` request.
-- **[Making POST Requests](/cre/guides/workflow/using-http-client/post-request)**: Learn how to send data to an external endpoint using a `POST` request.
-- **[Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http)**: Learn how to submit cryptographically signed reports to an external HTTP endpoint.
-- **[Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain)**: Verify report signatures and read workflow metadata when receiving reports over HTTP or other offchain channels.
+The sender creates the report inside the workflow; the receiver must verify signatures before trusting the payload.
diff --git a/src/content/cre/guides/workflow/using-http-client/submitting-reports-http-go.mdx b/src/content/cre/guides/workflow/using-http-client/submitting-reports-http-go.mdx
index b1623ea0062..728ce6242ae 100644
--- a/src/content/cre/guides/workflow/using-http-client/submitting-reports-http-go.mdx
+++ b/src/content/cre/guides/workflow/using-http-client/submitting-reports-http-go.mdx
@@ -41,8 +41,6 @@ This guide is for the **sender** side: a CRE workflow that **creates** a signed
 3. `runtime.GenerateReport()`: DON produces a signed `sdk.ReportResponse`.
 4. `SendReport()`: format and POST to your URL.
 
-For a conceptual overview, see [API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
-
 ## Prerequisites
 
 - Familiarity with [making POST requests](/cre/guides/workflow/using-http-client/post-request)
@@ -54,9 +52,21 @@ For a conceptual overview, see [API Interactions: CRE reports over HTTP](/cre/gu
   HTTP requests to URLs that return redirects (3xx status codes) will fail. Ensure the URL you provide is the final destination and does not redirect to another URL.
 </Aside>
 
-## Quick start: Minimal example
+## Payload contract (if you verify offchain)
+
+Receivers using [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go) expect JSON with hex fields **without** `0x`. Use JSON key `context` for `reportContext`:
+
+| JSON field   | SDK field on `ReportResponse` |
+| ------------ | ----------------------------- |
+| `report`     | `RawReport`                   |
+| `context`    | `ReportContext`               |
+| `signatures` | per-node signatures in `Sigs` |
+
+## Quick start: Minimal example (binary only)
 
-Here's the simplest possible workflow that generates and submits a report via HTTP:
+Posts **raw `RawReport` bytes** only. Not compatible with the verify guide’s JSON receiver. For local testing, use the [complete working example](#complete-working-example) or [Pattern 4 for offchain verification (hex)](#pattern-4-for-offchain-verification-hex).
+
+Here's the simplest workflow that generates and submits a report via HTTP:
 
 ```go
 func formatReportSimple(r *sdk.ReportResponse) (*http.Request, error) {
@@ -293,6 +303,51 @@ func formatReportAsJSON(r *sdk.ReportResponse) (*http.Request, error) {
 }
 ```
 
+### Pattern 4 for offchain verification (hex)
+
+Use when testing [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go). The verify examples decode **hex without `0x`** in JSON. Base64 Pattern 4 above does not match unless you change the receiver.
+
+```go
+import (
+	"encoding/hex"
+	"encoding/json"
+)
+
+type ReportPayload struct {
+	Report     string   `json:"report"`
+	Context    string   `json:"context"`
+	Signatures []string `json:"signatures"`
+}
+
+func formatReportAsJSONHex(config *Config) func(r *sdk.ReportResponse) (*http.Request, error) {
+	return func(r *sdk.ReportResponse) (*http.Request, error) {
+		sigs := make([]string, len(r.Sigs))
+		for i, sig := range r.Sigs {
+			sigs[i] = hex.EncodeToString(sig.Signature)
+		}
+		payload := ReportPayload{
+			Report:     hex.EncodeToString(r.RawReport),
+			Context:    hex.EncodeToString(r.ReportContext),
+			Signatures: sigs,
+		}
+		body, err := json.Marshal(payload)
+		if err != nil {
+			return nil, err
+		}
+		return &http.Request{
+			Url:    config.ApiUrl,
+			Method: "POST",
+			Body:   body,
+			Headers: map[string]string{"Content-Type": "application/json"},
+			CacheSettings: &http.CacheSettings{
+				Store:  true,
+				MaxAge: durationpb.New(60 * time.Second),
+			},
+		}, nil
+	}
+}
+```
+
 ### Understanding `CacheSettings` for reports
 
 You'll notice that all the patterns above include `CacheSettings`. This is critical for report submissions, just like it is for [POST requests](/cre/guides/workflow/using-http-client/post-request).
@@ -368,8 +423,8 @@ func onCronTrigger(config *Config, runtime cre.Runtime, trigger *cron.Payload) (
 This example shows a workflow that:
 
 1. Generates a report from a single value
-1. Submits it to an HTTP API
-1. Uses the simple "report in body" format
+1. Submits it via **Pattern 4 JSON with hex fields** (compatible with the verify guide sim loop)
+1. Uses `config.ApiUrl` from your target config
 
 ```go
 //go:build wasip1
@@ -377,10 +432,11 @@ This example shows a workflow that:
 package main
 
 import (
+	"encoding/hex"
+	"encoding/json"
 	"fmt"
 	"log/slog"
 	"math/big"
-	"time"
 
 	"github.com/ethereum/go-ethereum/accounts/abi"
 	"github.com/smartcontractkit/chainlink-protos/cre/go/sdk"
@@ -408,28 +464,47 @@ func InitWorkflow(config *Config, logger *slog.Logger, secretsProvider cre.Secre
 	}, nil
 }
 
-// Transformation function: defines how the API expects the report
-func formatReportForMyAPI(r *sdk.ReportResponse) (*http.Request, error) {
-	return &http.Request{
-		Url:    "https://webhook.site/your-unique-id",  // Replace with your API
-		Method: "POST",
-		Body:   r.RawReport,
-		Headers: map[string]string{
-			"Content-Type": "application/octet-stream",
-			"X-Report-SeqNr": fmt.Sprintf("%d", r.SeqNr),
-		},
-		CacheSettings: &http.CacheSettings{
-			Store:  true,                             // Prevent duplicate submissions
-			MaxAge: durationpb.New(60 * time.Second), // Accept cached responses up to 60 seconds old
-		},
-	}, nil
+type reportPayload struct {
+	Report     string   `json:"report"`
+	Context    string   `json:"context"`
+	Signatures []string `json:"signatures"`
+}
+
+func formatReportForMyAPI(config *Config) func(r *sdk.ReportResponse) (*http.Request, error) {
+	return func(r *sdk.ReportResponse) (*http.Request, error) {
+		sigs := make([]string, len(r.Sigs))
+		for i, sig := range r.Sigs {
+			sigs[i] = hex.EncodeToString(sig.Signature)
+		}
+		body, err := json.Marshal(reportPayload{
+			Report:     hex.EncodeToString(r.RawReport),
+			Context:    hex.EncodeToString(r.ReportContext),
+			Signatures: sigs,
+		})
+		if err != nil {
+			return nil, err
+		}
+		return &http.Request{
+			Url:    config.ApiUrl,
+			Method: "POST",
+			Body:   body,
+			Headers: map[string]string{
+				"Content-Type":   "application/json",
+				"X-Report-SeqNr": fmt.Sprintf("%d", r.SeqNr),
+			},
+			CacheSettings: &http.CacheSettings{
+				Store:  true,
+				MaxAge: durationpb.New(60 * time.Second),
+			},
+		}, nil
+	}
 }
 
 // Function that submits the report via HTTP
 func submitReportViaHTTP(config *Config, logger *slog.Logger, sendRequester *http.SendRequester, report *cre.Report) (*SubmitResponse, error) {
 	logger.Info("Submitting report to API", "url", config.ApiUrl)
 
-	resp, err := sendRequester.SendReport(*report, formatReportForMyAPI).Await()
+	resp, err := sendRequester.SendReport(*report, formatReportForMyAPI(config)).Await()
 	if err != nil {
 		return nil, fmt.Errorf("failed to send report: %w", err)
 	}
@@ -521,7 +596,11 @@ func main() {
    ```bash
    cre workflow simulate my-workflow --target staging-settings
    ```
-1. Check webhook.site to see the report data received
+1. On webhook.site, open **Content** and confirm JSON with `report`, `context`, and `signatures` (hex). Use that JSON to test a receiver workflow in [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go#testing-locally-with-simulation).
+
+## Next step: verify on the receiver
+
+The sender does not validate the report for the receiver. After submission, the ingesting side must verify signatures before trusting the payload. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go).
 
 ## Advanced: Low-level pattern
 
@@ -588,8 +667,7 @@ func onCronTrigger(config *Config, runtime cre.Runtime, trigger *cron.Payload) (
 
 ## Learn more
 
-- **[API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http):** sender → receiver overview
-- **[Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go):** receiver workflow; verify before trusting payload
+- **[Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go):** verify signatures on the receiver before trusting payload data
 - **[HTTP Client SDK Reference](/cre/reference/sdk/http-client):** complete API reference including `SendReport` and `sdk.ReportResponse`
 - **[POST Requests](/cre/guides/workflow/using-http-client/post-request):** HTTP request patterns and caching
 - **[Generating Reports: Single Values](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values):** create reports from single values
diff --git a/src/content/cre/guides/workflow/using-http-client/submitting-reports-http-ts.mdx b/src/content/cre/guides/workflow/using-http-client/submitting-reports-http-ts.mdx
index bea10b2d3f8..13dda9c9fc9 100644
--- a/src/content/cre/guides/workflow/using-http-client/submitting-reports-http-ts.mdx
+++ b/src/content/cre/guides/workflow/using-http-client/submitting-reports-http-ts.mdx
@@ -41,24 +41,42 @@ This guide is for the **sender** side: a CRE workflow that **creates** a signed
 3. `runtime.report()`: DON produces a signed `ReportResponse`.
 4. `sendReport()`: format and POST to your URL.
 
-For a conceptual overview, see [API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
-
 ## Prerequisites
 
 - Familiarity with [making POST requests](/cre/guides/workflow/using-http-client/post-request)
 - Familiarity with `runtime.report()` (covered [below](#generating-reports-for-http-submission))
+- **`viem`** as a direct dependency in the workflow `package.json` (for ABI encoding in examples)
+- Protobuf HTTP/report types from **`@chainlink/cre-sdk/pb`** (`SDK_PB.ReportResponse`, `HTTP_CLIENT_PB.RequestJson`), not the main `@chainlink/cre-sdk` entry
 
 {/* prettier-ignore */}
 <Aside type="caution" title="Redirects are not supported">
   HTTP requests to URLs that return redirects (3xx status codes) will fail. Ensure the URL you provide is the final destination and does not redirect to another URL.
 </Aside>
 
-## Quick start: Minimal example
+## Payload contract (if you verify offchain)
+
+If a receiver uses [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts), your HTTP body must expose three fields. The verify guide expects **hex without `0x` in JSON** (field name `context`, not `reportContext`):
+
+| Your JSON field | SDK field on `ReportResponse` |
+| --------------- | ----------------------------- |
+| `report`        | `rawReport`                   |
+| `context`       | `reportContext`               |
+| `signatures`    | `sigs[].signature`            |
+
+Use [Pattern 4 for offchain verification (hex)](#pattern-4-for-offchain-verification-hex) or the [complete working example](#complete-working-example). Other patterns are for APIs with different formats, not the default verify examples.
+
+## Quick start: Minimal example (binary only)
+
+This example POSTs **raw report bytes** (`application/octet-stream`). It is **not** compatible with the verify guide’s JSON receiver without changes. For sender → verify local testing, skip to the [complete working example](#complete-working-example).
 
-Here's the simplest possible workflow that generates and submits a report via HTTP:
+Here's the simplest workflow that generates and submits a report via HTTP:
 
 ```typescript
-import { ok, type ReportResponse, type RequestJson, type HTTPSendRequester } from "@chainlink/cre-sdk"
+import { ok, type HTTPSendRequester, type Report } from "@chainlink/cre-sdk"
+import type { SDK_PB, HTTP_CLIENT_PB } from "@chainlink/cre-sdk/pb"
+
+type ReportResponse = SDK_PB.ReportResponse
+type RequestJson = HTTP_CLIENT_PB.RequestJson
 
 const formatReportSimple = (r: ReportResponse): RequestJson => {
   return {
@@ -69,8 +87,8 @@ const formatReportSimple = (r: ReportResponse): RequestJson => {
       "Content-Type": "application/octet-stream",
     },
     cacheSettings: {
-      readFromCache: true,
-      maxAgeMs: 60000, // Accept cached responses up to 60 seconds old
+      store: true,
+      maxAge: "60s",
     },
   }
 }
@@ -144,6 +162,15 @@ The transformation function gives you complete control over the format.
 
 Here are common patterns for formatting reports. Choose the one that matches your API's requirements.
 
+All patterns below use protobuf types and caching settings:
+
+```typescript
+import type { SDK_PB, HTTP_CLIENT_PB } from "@chainlink/cre-sdk/pb"
+
+type ReportResponse = SDK_PB.ReportResponse
+type RequestJson = HTTP_CLIENT_PB.RequestJson
+```
+
 ### Choosing the right pattern
 
 | Pattern                                                                                                 | When to use                                               |
@@ -158,8 +185,6 @@ Here are common patterns for formatting reports. Choose the one that matches you
 Use this when your API accepts raw binary data:
 
 ```typescript
-import type { ReportResponse, RequestJson } from "@chainlink/cre-sdk"
-
 const formatReportSimple = (r: ReportResponse): RequestJson => {
   return {
     url: "https://api.example.com/reports",
@@ -169,8 +194,8 @@ const formatReportSimple = (r: ReportResponse): RequestJson => {
       "Content-Type": "application/octet-stream",
     },
     cacheSettings: {
-      readFromCache: true, // Enable caching
-      maxAgeMs: 60000, // Accept cached responses up to 60 seconds old
+      store: true,
+      maxAge: "60s",
     },
   }
 }
@@ -216,8 +241,8 @@ const formatReportWithSignatures = (r: ReportResponse): RequestJson => {
       "Content-Type": "application/octet-stream",
     },
     cacheSettings: {
-      readFromCache: true,
-      maxAgeMs: 60000,
+      store: true,
+      maxAge: "60s",
     },
   }
 }
@@ -248,8 +273,8 @@ const formatReportWithHeaderSigs = (r: ReportResponse): RequestJson => {
     body: Buffer.from(r.rawReport).toString("base64"),
     headers,
     cacheSettings: {
-      readFromCache: true,
-      maxAgeMs: 60000,
+      store: true,
+      maxAge: "60s",
     },
   }
 }
@@ -291,13 +316,53 @@ const formatReportAsJSON = (r: ReportResponse): RequestJson => {
       "Content-Type": "application/json",
     },
     cacheSettings: {
-      readFromCache: true,
-      maxAgeMs: 60000,
+      store: true,
+      maxAge: "60s",
     },
   }
 }
 ```
 
+### Pattern 4 for offchain verification (hex)
+
+Use this variant when testing the [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts) receiver in simulation. The verify examples decode **hex without a `0x` prefix**; the receiver adds `0x` when calling `hexToBytes`.
+
+Pattern 4 in the block above uses **base64** fields. Base64 sender output does **not** match the verify guide’s hex decoder without changes.
+
+```typescript
+import type { SDK_PB, HTTP_CLIENT_PB } from "@chainlink/cre-sdk/pb"
+import { bytesToHex } from "viem"
+
+type ReportResponse = SDK_PB.ReportResponse
+type RequestJson = HTTP_CLIENT_PB.RequestJson
+
+const formatReportAsJSONHex =
+  (config: { apiUrl: string }) =>
+  (r: ReportResponse): RequestJson => {
+    const payload = {
+      report: bytesToHex(r.rawReport).slice(2),
+      context: bytesToHex(r.reportContext).slice(2),
+      signatures: r.sigs.map((sig) => bytesToHex(sig.signature).slice(2)),
+    }
+    const bodyBytes = new TextEncoder().encode(JSON.stringify(payload))
+
+    return {
+      url: config.apiUrl,
+      method: "POST",
+      body: Buffer.from(bodyBytes).toString("base64"),
+      headers: {
+        "Content-Type": "application/json",
+      },
+      cacheSettings: {
+        store: true,
+        maxAge: "60s",
+      },
+    }
+  }
+```
+
+The `body` field is the UTF-8 JSON string, base64-encoded for the protobuf `bytes` field (same pattern as other JSON POST bodies in TypeScript workflows).
+
 ### Understanding `cacheSettings` for reports
 
 You'll notice that all the patterns above include `cacheSettings`. This is critical for report submissions, just like it is for [POST requests](/cre/guides/workflow/using-http-client/post-request).
@@ -374,7 +439,11 @@ interface SubmitResponse {
   success: boolean
 }
 
-const submitReportViaHTTP = (sendRequester: HTTPSendRequester, report: Report): SubmitResponse => {
+const submitReportViaHTTP = (
+  runtime: Runtime<Config>,
+  sendRequester: HTTPSendRequester,
+  report: Report
+): SubmitResponse => {
   const response = sendRequester.sendReport(report, formatReportSimple).result()
 
   if (!ok(response)) {
@@ -395,7 +464,7 @@ const onCronTrigger = (runtime: Runtime<Config>): MyResult => {
   const result = httpClient
     .sendRequest(
       runtime,
-      (sendRequester: HTTPSendRequester) => submitReportViaHTTP(sendRequester, report),
+      (sendRequester: HTTPSendRequester) => submitReportViaHTTP(runtime, sendRequester, report),
       consensusIdenticalAggregation<SubmitResponse>()
     )()
     .result()
@@ -409,25 +478,30 @@ const onCronTrigger = (runtime: Runtime<Config>): MyResult => {
 This example shows a workflow that:
 
 1. Generates a report from a single value
-1. Submits it to an HTTP API
-1. Uses the simple "report in body" format
+1. Submits it to an HTTP API as **Pattern 4 JSON with hex fields** (compatible with the verify guide’s receiver sim loop)
+1. Uses `config.apiUrl` from your target config file
+
+Add **`viem`** to `package.json`. Register handlers with `handler()` from `@chainlink/cre-sdk` (not `cron.handler()`).
 
 ```typescript
 import {
   CronCapability,
   HTTPClient,
   Runner,
+  handler,
   consensusIdenticalAggregation,
   hexToBase64,
   ok,
   type Runtime,
-  type Report,
   type CronPayload,
   type HTTPSendRequester,
-  type ReportResponse,
-  type RequestJson,
+  type Report,
 } from "@chainlink/cre-sdk"
-import { encodeAbiParameters, parseAbiParameters } from "viem"
+import type { SDK_PB, HTTP_CLIENT_PB } from "@chainlink/cre-sdk/pb"
+import { encodeAbiParameters, parseAbiParameters, bytesToHex } from "viem"
+
+type ReportResponse = SDK_PB.ReportResponse
+type RequestJson = HTTP_CLIENT_PB.RequestJson
 
 interface Config {
   apiUrl: string
@@ -442,32 +516,43 @@ type MyResult = Record<string, never>
 
 const initWorkflow = (config: Config) => {
   const cron = new CronCapability()
-
-  return [cron.handler(cron.trigger({ schedule: config.schedule }), onCronTrigger)]
+  return [handler(cron.trigger({ schedule: config.schedule }), onCronTrigger)]
 }
 
-// Transformation function: defines how the API expects the report
-const formatReportForMyAPI = (r: ReportResponse): RequestJson => {
-  return {
-    url: "https://webhook.site/your-unique-id", // Replace with your API
-    method: "POST",
-    body: Buffer.from(r.rawReport).toString("base64"),
-    headers: {
-      "Content-Type": "application/octet-stream",
-      "X-Report-SeqNr": r.seqNr.toString(),
-    },
-    cacheSettings: {
-      readFromCache: true, // Prevent duplicate submissions
-      maxAgeMs: 60000, // Accept cached responses up to 60 seconds old
-    },
+const formatReportForMyAPI =
+  (config: Config) =>
+  (r: ReportResponse): RequestJson => {
+    const payload = {
+      report: bytesToHex(r.rawReport).slice(2),
+      context: bytesToHex(r.reportContext).slice(2),
+      signatures: r.sigs.map((sig) => bytesToHex(sig.signature).slice(2)),
+    }
+    const bodyBytes = new TextEncoder().encode(JSON.stringify(payload))
+
+    return {
+      url: config.apiUrl,
+      method: "POST",
+      body: Buffer.from(bodyBytes).toString("base64"),
+      headers: {
+        "Content-Type": "application/json",
+        "X-Report-SeqNr": r.seqNr.toString(), // optional metadata for your API
+      },
+      cacheSettings: {
+        store: true,
+        maxAge: "60s",
+      },
+    }
   }
-}
 
-// Function that submits the report via HTTP
-const submitReportViaHTTP = (sendRequester: HTTPSendRequester, report: Report): SubmitResponse => {
-  runtime.log("Submitting report to API")
+const submitReportViaHTTP = (
+  runtime: Runtime<Config>,
+  sendRequester: HTTPSendRequester,
+  report: Report,
+  config: Config
+): SubmitResponse => {
+  runtime.log(`Submitting report to API: ${config.apiUrl}`)
 
-  const response = sendRequester.sendReport(report, formatReportForMyAPI).result()
+  const response = sendRequester.sendReport(report, formatReportForMyAPI(config)).result()
 
   runtime.log(`Report submitted - status: ${response.statusCode}, bodyLength: ${response.body.length}`)
 
@@ -479,16 +564,13 @@ const submitReportViaHTTP = (sendRequester: HTTPSendRequester, report: Report):
   return { success: true }
 }
 
-const onCronTrigger = (runtime: Runtime<Config>, payload: CronPayload): MyResult => {
-  // Step 1: Generate a report (example: a single uint256 value)
+const onCronTrigger = (runtime: Runtime<Config>, _payload: CronPayload): MyResult => {
   const myValue = 123456789n
   runtime.log(`Generating report with value: ${myValue}`)
 
-  // Encode the value using Viem
   const encodedValue = encodeAbiParameters(parseAbiParameters("uint256 value"), [myValue])
 
-  // Generate the report
-  const reportResponse = runtime
+  const report = runtime
     .report({
       encodedPayload: hexToBase64(encodedValue),
       encoderName: "evm",
@@ -499,13 +581,12 @@ const onCronTrigger = (runtime: Runtime<Config>, payload: CronPayload): MyResult
 
   runtime.log("Report generated successfully")
 
-  // Step 2: Submit the report via HTTP
   const httpClient = new HTTPClient()
 
   const submitResult = httpClient
     .sendRequest(
       runtime,
-      (sendRequester: HTTPSendRequester) => submitReportViaHTTP(sendRequester, reportResponse),
+      (sendRequester: HTTPSendRequester) => submitReportViaHTTP(runtime, sendRequester, report, runtime.config),
       consensusIdenticalAggregation<SubmitResponse>()
     )()
     .result()
@@ -532,12 +613,21 @@ export async function main() {
 ### Testing with webhook.site
 
 1. Go to [webhook.site](https://webhook.site/) and get a unique URL
-1. Update `config.json` with your webhook URL
-1. Run the simulation:
+1. Update `config.json` (or `config.staging.json`) with your webhook URL in `apiUrl`
+1. From the **CRE project root**, run the simulation:
    ```bash
    cre workflow simulate my-workflow --target staging-settings
    ```
-1. Check webhook.site to see the report data received
+1. On webhook.site, open the request **Content** tab. You should see JSON with `report`, `context`, and `signatures` (hex strings). Use that JSON to test a receiver workflow in [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts#testing-locally-with-simulation).
+
+{/* prettier-ignore */}
+<Aside type="note" title="Binary vs JSON for verify testing">
+  If you post **raw binary** (`application/octet-stream`) instead of Pattern 4 JSON, webhook.site shows unreadable bytes and you cannot paste the body into the verify receiver without reformatting. Use [Pattern 4 for offchain verification (hex)](#pattern-4-for-offchain-verification-hex) for the sender → copy payload → receiver sim checklist.
+</Aside>
+
+## Next step: verify on the receiver
+
+The sender does not validate the report for the receiver. After submission, the ingesting side must verify signatures before trusting the payload. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts).
 
 ## Advanced: Low-level pattern
 
@@ -600,10 +690,16 @@ const onCronTrigger = (runtime: Runtime<Config>): MyResult => {
 - Your report format likely doesn't match what your API expects
 - Check if your API expects base64 encoding, JSON wrapping, or specific headers
 
+**TypeScript compile errors on the complete example**
+
+- Use `handler(cron.trigger(...), fn)` from `@chainlink/cre-sdk`, not `cron.handler()`
+- Import `ReportResponse` / `RequestJson` from `@chainlink/cre-sdk/pb`
+- Pass `runtime` from the trigger callback into helper functions (no global `runtime`)
+- Add `viem` as a direct workflow dependency
+
 ## Learn more
 
-- **[API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http):** sender → receiver overview
-- **[Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts):** receiver workflow; verify before trusting payload
+- **[Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts):** verify signatures on the receiver before trusting payload data
 - **[HTTP Client SDK Reference](/cre/reference/sdk/http-client-ts):** complete API reference including `sendReport()` and `ReportResponse`
 - **[POST Requests](/cre/guides/workflow/using-http-client/post-request):** HTTP request patterns and caching
 - **[Writing Data Onchain](/cre/guides/workflow/using-evm-client/onchain-write/writing-data-onchain):** encoding single values, structs, and complex types using Viem
diff --git a/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-go.mdx b/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-go.mdx
index bb3c57448e2..bb019bb7c83 100644
--- a/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-go.mdx
+++ b/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-go.mdx
@@ -44,7 +44,7 @@ The CRE SDK provides `cre.ParseReport()` to do this inside a workflow. Verificat
 3. `cre.ParseReport()`: verify signatures and read metadata.
 4. Use trusted `Body()` in your logic.
 
-For the full sender → receiver overview, see [API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
+Pair this guide with [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go) on the sender side. For local simulation, start with [Testing locally with simulation](#testing-locally-with-simulation) before the [deploy example](#complete-example-http-receiver-workflow) below.
 
 ## What you'll learn
 
@@ -84,11 +84,15 @@ Default (`cre.ProductionEnvironment()`):
 
 If verification fails, `cre.ParseReport()` returns an error (for example, `ErrUnknownSigner`, `ErrWrongSignatureCount`, or registry read failure).
 
-## Complete example: HTTP receiver workflow
+## Complete example: HTTP receiver workflow (deploy)
 
-This workflow accepts a JSON payload (matching the format from [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go#pattern-4-json-formatted-report)), verifies it, then processes the trusted body.
+For **local simulation**, use [Testing locally with simulation](#testing-locally-with-simulation) first. This deploy example uses `AuthorizedKeys`.
+
+It accepts JSON with hex `report`, `context`, and `signatures` from the submit guide’s [complete working example](/cre/guides/workflow/using-http-client/submitting-reports-http-go#complete-working-example) or [Pattern 4 for offchain verification (hex)](/cre/guides/workflow/using-http-client/submitting-reports-http-go#pattern-4-for-offchain-verification-hex), not base64 [Pattern 4](/cre/guides/workflow/using-http-client/submitting-reports-http-go#pattern-4-json-formatted-report) unless you change decoding.
 
 ```go
+//go:build wasip1
+
 package main
 
 import (
@@ -98,6 +102,7 @@ import (
 
 	"github.com/smartcontractkit/cre-sdk-go/capabilities/networking/http"
 	"github.com/smartcontractkit/cre-sdk-go/cre"
+	"github.com/smartcontractkit/cre-sdk-go/cre/wasm"
 )
 
 type Config struct {
@@ -105,6 +110,7 @@ type Config struct {
 }
 
 func InitWorkflow(cfg *Config, _ *slog.Logger, _ cre.SecretsProvider) (cre.Workflow[*Config], error) {
+	// For local simulation, use http.Trigger(&http.Config{}) — see Testing locally with simulation below.
 	return cre.Workflow[*Config]{
 		cre.Handler(http.Trigger(&http.Config{AuthorizedKeys: []*http.AuthorizedKey{{PublicKey: cfg.AuthorizedKey}}}), run),
 	}, nil
@@ -170,6 +176,10 @@ func run(_ *Config, runtime cre.Runtime, payload *http.Payload) (bool, error) {
 
 	return true, nil
 }
+
+func main() {
+	wasm.NewRunner(cre.ParseJSON[Config]).Run(InitWorkflow)
+}
 ```
 
 **What's happening:**
@@ -180,18 +190,135 @@ func run(_ *Config, runtime cre.Runtime, payload *http.Payload) (bool, error) {
 
 {/* prettier-ignore */}
 <Aside type="caution" title="Hex encoding">
-  The example expects **hex strings without a `0x` prefix** in JSON. Adjust decoding if your API sends `0x`-prefixed values or base64 instead.
+  The example expects **hex strings without a `0x` prefix** in JSON. Adjust decoding if your API sends `0x`-prefixed values or base64 instead. Pattern 4 in the [submit guide](/cre/guides/workflow/using-http-client/submitting-reports-http-go#pattern-4-json-formatted-report) uses base64 by default; use [Pattern 4 for offchain verification (hex)](/cre/guides/workflow/using-http-client/submitting-reports-http-go#pattern-4-for-offchain-verification-hex) when testing this receiver.
 </Aside>
 
+## Testing locally with simulation
+
+After you run the [submit guide complete example](/cre/guides/workflow/using-http-client/submitting-reports-http-go#complete-working-example) and copy JSON from webhook.site, use this section to exercise a receiver workflow in simulation.
+
+1. Save the webhook JSON as `test-report-payload.json` in your receiver workflow folder.
+2. Register `http.Trigger(&http.Config{})` (empty config) for simulation.
+3. From the **CRE project root**, run `cre workflow simulate` with `--http-payload verify-report-receiver/test-report-payload.json` (path relative to where you invoke `cre`).
+
+### Minimal receiver for simulation
+
+Use an empty HTTP trigger for sim. Set `SkipSignatureVerification: true` in staging config (or pass it to `ParseReportWithConfig`). The CLI delivers `--http-payload` file contents as `payload.Input` bytes.
+
+`config.staging.json`:
+
+```json
+{
+  "skipSignatureVerification": true
+}
+```
+
+```go
+//go:build wasip1
+
+package main
+
+import (
+	"encoding/hex"
+	"encoding/json"
+	"log/slog"
+
+	"github.com/smartcontractkit/cre-sdk-go/capabilities/networking/http"
+	"github.com/smartcontractkit/cre-sdk-go/cre"
+	"github.com/smartcontractkit/cre-sdk-go/cre/wasm"
+)
+
+type Config struct {
+	SkipSignatureVerification bool `json:"skipSignatureVerification"`
+}
+
+type parsedPayload struct {
+	Report     string   `json:"report"`
+	Context    string   `json:"context"`
+	Signatures []string `json:"signatures"`
+}
+
+func InitWorkflow(_ *Config, _ *slog.Logger, _ cre.SecretsProvider) (cre.Workflow[*Config], error) {
+	return cre.Workflow[*Config]{
+		cre.Handler(http.Trigger(&http.Config{}), run),
+	}, nil
+}
+
+func run(cfg *Config, runtime cre.Runtime, payload *http.Payload) (bool, error) {
+	var parsed parsedPayload
+	if err := json.Unmarshal(payload.Input, &parsed); err != nil {
+		return false, err
+	}
+
+	rawReport, err := hex.DecodeString(parsed.Report)
+	if err != nil {
+		return false, err
+	}
+	reportContext, err := hex.DecodeString(parsed.Context)
+	if err != nil {
+		return false, err
+	}
+	sigs := make([][]byte, len(parsed.Signatures))
+	for i, sigHex := range parsed.Signatures {
+		sigs[i], err = hex.DecodeString(sigHex)
+		if err != nil {
+			return false, err
+		}
+	}
+
+	report, err := cre.ParseReportWithConfig(runtime, rawReport, sigs, reportContext, cre.ReportParseConfig{
+		SkipSignatureVerification: cfg.SkipSignatureVerification,
+	})
+	if err != nil {
+		return false, err
+	}
+
+	runtime.Logger().Info("Verified report",
+		"workflowId", report.WorkflowID(),
+		"executionId", report.ExecutionID(),
+		"donId", report.DONID(),
+	)
+
+	_ = report.Body()
+	return true, nil
+}
+
+func main() {
+	wasm.NewRunner(cre.ParseJSON[Config]).Run(InitWorkflow)
+}
+```
+
+### Sim wiring vs full verify
+
+| Mode                   | Config                                                       | What it validates                                                                             |
+| ---------------------- | ------------------------------------------------------------ | --------------------------------------------------------------------------------------------- |
+| **Wiring / decode**    | `SkipSignatureVerification: true` in `ParseReportWithConfig` | JSON + hex decode, metadata accessors, `Body()`                                               |
+| **Full crypto verify** | Default `cre.ParseReport()` (production registry)            | Reports from a **deployed/production DON**. Sim-signed reports **fail** default verification. |
+
+```bash
+cre workflow simulate verify-report-receiver \
+  --target staging-settings \
+  --non-interactive \
+  --trigger-index 0 \
+  --http-payload verify-report-receiver/test-report-payload.json
+```
+
+**Pass criteria**
+
+- **Sim wiring:** `SkipSignatureVerification: true` in `ParseReportWithConfig`: logs show metadata and a successful handler return.
+- **Full crypto verify:** default `ParseReport` with a **production-signed** report (not typical for sender-sim → receiver-sim alone).
+
+`project.yaml` needs **`ethereum-mainnet` RPC** for default verify (registry reads).
+
 ## Report payload format
 
-Receivers need three fields (plus optional metadata your API may add):
+Receivers need three JSON fields. The JSON key is `context` even though the SDK field is `ReportContext`:
 
-| Field        | Description                                                        |
-| ------------ | ------------------------------------------------------------------ |
-| `report`     | Hex-encoded `rawReport` bytes (metadata header + workflow payload) |
-| `context`    | Hex-encoded `reportContext` (config digest + sequence number)      |
-| `signatures` | Array of hex-encoded 65-byte ECDSA signatures from DON nodes       |
+| JSON field   | SDK field       | Description                                                     |
+| ------------ | --------------- | --------------------------------------------------------------- |
+| `report`     | `RawReport`     | Hex-encoded bytes (metadata header + workflow payload), no `0x` |
+| `context`    | `ReportContext` | Hex-encoded config digest + sequence number                     |
+| `signatures` | `Sigs`          | Array of hex-encoded 65-byte ECDSA signatures, no `0x`          |
 
 The `reportContext` layout used by the SDK:
 
@@ -273,18 +400,31 @@ if err := report.VerifySignatures(runtime); err != nil {
 
 ## Troubleshooting
 
-**`ErrUnknownSigner`**
+**`ErrUnknownSigner` / `invalid signature` in sim with fresh webhook JSON**
+
+- **Expected** when using default `ParseReport` on a **sim-signed** report: simulator DON keys do not match mainnet registry signers.
+- For local wiring tests, use `SkipSignatureVerification: true`. For real crypto verify, use a **deployed sender** or production-signed reports.
+
+**`ErrUnknownSigner` (deployed)**
 
 - Signatures may be from a different DON or stale registry config.
 - Confirm the sender workflow used production CRE and the report was not tampered with.
 
+**Wrong `--http-payload` path**
+
+- Invoke `cre` from the **project root**. Use `verify-report-receiver/test-report-payload.json`, not a bare filename unless your cwd matches.
+
+**Receiver JSON / hex decode error**
+
+- You copied a **binary** webhook body instead of Pattern 4 JSON with hex fields.
+
 **`ErrWrongSignatureCount`**
 
 - At least **f+1** valid signatures are required.
 
 **`could not read from chain ...`**
 
-- Registry read failed (RPC/network). Retry or check simulation vs production EVM access.
+- Registry read failed (RPC/network). Configure **`ethereum-mainnet` RPC** in `project.yaml` (required for default verify, including sim).
 
 **`ErrRawReportTooShort`**
 
@@ -292,7 +432,6 @@ if err := report.VerifySignatures(runtime); err != nil {
 
 ## Learn more
 
-- **[API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http):** sender → receiver overview
 - **[Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go):** sender workflow; create and POST the report
 - **[SDK Reference: Core: Report verification](/cre/reference/sdk/core-go#report-verification):** `ParseReport`, `Report`, and `ReportParseConfig`
 - **[HTTP Trigger Overview](/cre/guides/workflow/using-triggers/http-trigger/overview-go):** trigger deployed receiver workflows
diff --git a/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts.mdx b/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts.mdx
index 527b62c849b..37576a76951 100644
--- a/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts.mdx
+++ b/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts.mdx
@@ -44,7 +44,7 @@ The CRE SDK provides `Report.parse()` to do this inside a workflow. Verification
 3. `Report.parse()`: verify signatures and read metadata.
 4. Use trusted `body()` in your logic.
 
-For the full sender → receiver overview, see [API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
+Pair this guide with [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts) on the sender side. For local simulation, start with [Testing locally with simulation](#testing-locally-with-simulation) before the [deploy example](#complete-example-http-receiver-workflow) below.
 
 ## What you'll learn
 
@@ -84,9 +84,11 @@ Default (`productionEnvironment()`):
 
 If verification fails, `Report.parse()` throws (for example, unknown signer, insufficient signatures, or registry read failure).
 
-## Complete example: HTTP receiver workflow
+## Complete example: HTTP receiver workflow (deploy)
 
-This workflow accepts a JSON payload (matching the format from [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#pattern-4-json-formatted-report)), verifies it, then processes the trusted body.
+This workflow is for **deployed** receivers with `authorizedKeys`. For **local simulation**, use [Testing locally with simulation](#testing-locally-with-simulation) instead.
+
+It accepts JSON with hex `report`, `context`, and `signatures` (from the submit guide’s [complete working example](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#complete-working-example) or [Pattern 4 for offchain verification (hex)](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#pattern-4-for-offchain-verification-hex)), not base64 [Pattern 4](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#pattern-4-json-formatted-report) unless you change decoding.
 
 ```typescript
 import {
@@ -135,6 +137,7 @@ export async function run(runtime: Runtime<Config>, payload: HTTPPayload): Promi
 
 export const initWorkflow = (config: Config, _secretsProvider: SecretsProvider) => {
   const http = new HTTPCapability()
+  // For local simulation, use handler(http.trigger({}), run) — see Testing locally with simulation above.
   return [
     handler(http.trigger({ authorizedKeys: [{ type: "KEY_TYPE_ECDSA_EVM", publicKey: config.authorizedKey }] }), run),
   ]
@@ -149,18 +152,133 @@ export const initWorkflow = (config: Config, _secretsProvider: SecretsProvider)
 
 {/* prettier-ignore */}
 <Aside type="caution" title="Hex encoding">
-  The example expects **hex strings without a `0x` prefix** in JSON. Adjust decoding if your API sends `0x`-prefixed values or base64 instead.
+  The example expects **hex strings without a `0x` prefix** in JSON. Adjust decoding if your API sends `0x`-prefixed values or base64 instead. Pattern 4 in the [submit guide](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#pattern-4-json-formatted-report) uses base64 by default; use [Pattern 4 for offchain verification (hex)](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#pattern-4-for-offchain-verification-hex) when testing this receiver.
 </Aside>
 
+## Testing locally with simulation
+
+After you run the [submit guide complete example](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#complete-working-example) and copy JSON from webhook.site, use this section to exercise a receiver workflow in simulation.
+
+1. Save the webhook JSON as `test-report-payload.json` in your receiver workflow folder.
+2. Use the minimal receiver below with an **empty HTTP trigger config** (no `authorizedKeys` until deploy).
+3. From the **CRE project root**, run `cre workflow simulate` with `--http-payload verify-report-receiver/test-report-payload.json` (path relative to where you invoke `cre`).
+
+### Sim wiring vs full verify
+
+| Mode                   | Config                                              | What it validates                                                                                                                                                                      |
+| ---------------------- | --------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **Wiring / decode**    | `skipSignatureVerification: true` in staging config | JSON + hex decode, `workflowId()`, `executionId()`, `donId()`, `body()`                                                                                                                |
+| **Full crypto verify** | Default `Report.parse()` (production registry)      | Reports from a **deployed/production DON**. Sim-signed reports **fail** default verification: simulation uses local DON keys; `Report.parse()` checks the mainnet Capability Registry. |
+
+### Minimal receiver for simulation
+
+Use an **empty HTTP trigger config** for sim (add `authorizedKeys` before deploy). Call `Report.parse()` from your handler with the `runtime` parameter. The CLI delivers `--http-payload` file contents as `payload.input` bytes.
+
+`config.staging.json`:
+
+```json
+{
+  "skipSignatureVerification": true
+}
+```
+
+```typescript
+import {
+  decodeJson,
+  handler,
+  hexToBytes,
+  HTTPCapability,
+  Report,
+  Runner,
+  type HTTPPayload,
+  type Runtime,
+} from "@chainlink/cre-sdk"
+
+interface Config {
+  skipSignatureVerification?: boolean
+}
+
+type ParsedPayload = {
+  report: string
+  context: string
+  signatures: string[]
+}
+
+/** Hex without 0x prefix in JSON → bytes (add 0x before decode). */
+const fromHexNoPrefix = (hex: string): Uint8Array => hexToBytes(`0x${hex}`)
+
+/** AggregateError from Report.parse often has an empty .message in sim output. */
+const formatError = (err: unknown): string => {
+  if (err instanceof AggregateError) {
+    const parts = err.errors.map((e) => (e instanceof Error ? e.message : String(e)))
+    return parts.join("; ") || "report verification failed"
+  }
+  if (err instanceof Error) return err.message
+  return String(err)
+}
+
+export async function run(runtime: Runtime<Config>, payload: HTTPPayload): Promise<{ verified: boolean }> {
+  try {
+    const parsed = decodeJson(payload.input) as ParsedPayload
+
+    const rawReport = fromHexNoPrefix(parsed.report)
+    const reportContext = fromHexNoPrefix(parsed.context)
+    const sigs = parsed.signatures.map((s) => fromHexNoPrefix(s))
+
+    runtime.log(`Parsing report (${rawReport.length} bytes, ${sigs.length} signatures)`)
+
+    const report = await Report.parse(runtime, rawReport, sigs, reportContext, {
+      skipSignatureVerification: runtime.config.skipSignatureVerification ?? false,
+    })
+
+    runtime.log(
+      `Verified report workflowId=${report.workflowId()} executionId=${report.executionId()} donId=${report.donId()}`
+    )
+    report.body()
+    return { verified: true }
+  } catch (err) {
+    const msg = formatError(err)
+    runtime.log(`Report verification failed: ${msg}`)
+    throw new Error(msg)
+  }
+}
+
+export const initWorkflow = () => {
+  const http = new HTTPCapability()
+  // Simulation: http.trigger({}). Deploy: add authorizedKeys — see complete example below.
+  return [handler(http.trigger({}), run)]
+}
+
+export async function main() {
+  const runner = await Runner.newRunner<Config>()
+  await runner.run(initWorkflow)
+}
+```
+
+Save webhook JSON as `verify-report-receiver/test-report-payload.json`. From the **CRE project root**:
+
+```bash
+cre workflow simulate verify-report-receiver \
+  --target staging-settings \
+  --non-interactive \
+  --trigger-index 0 \
+  --http-payload verify-report-receiver/test-report-payload.json
+```
+
+**Pass criteria**
+
+- **Sim wiring:** `skipSignatureVerification: true`: logs show metadata and `{ verified: true }`.
+- **Full crypto verify:** default config with a **production-signed** report (not typical for sender-sim → receiver-sim alone).
+
 ## Report payload format
 
-Receivers need three fields (plus optional metadata your API may add):
+Receivers need three JSON fields (plus optional metadata your API may add). The JSON key is `context` even though the SDK field is `reportContext`:
 
-| Field        | Description                                                        |
-| ------------ | ------------------------------------------------------------------ |
-| `report`     | Hex-encoded `rawReport` bytes (metadata header + workflow payload) |
-| `context`    | Hex-encoded `reportContext` (config digest + sequence number)      |
-| `signatures` | Array of hex-encoded 65-byte ECDSA signatures from DON nodes       |
+| JSON field   | SDK field       | Description                                                     |
+| ------------ | --------------- | --------------------------------------------------------------- |
+| `report`     | `rawReport`     | Hex-encoded bytes (metadata header + workflow payload), no `0x` |
+| `context`    | `reportContext` | Hex-encoded config digest + sequence number                     |
+| `signatures` | `sigs`          | Array of hex-encoded 65-byte ECDSA signatures, no `0x`          |
 
 The `reportContext` layout used by the SDK:
 
@@ -230,18 +348,36 @@ Most workflows should use the default config (production environment only).
 
 ## Troubleshooting
 
-**`invalid signature` / `unknown signer`**
+**Empty error after verify sim**
+
+- `Report.parse()` may throw an **`AggregateError`** of multiple `invalid signature` errors. **`AggregateError.message` is often empty**, so the CLI prints `Execution resulted in an error being returned:` with nothing after the colon.
+- Format errors in your handler before rethrowing (see the simulation example above).
+
+**`invalid signature` / `unknown signer` in sim with fresh webhook JSON**
+
+- **Expected** when using default `Report.parse()` on a **sim-signed** report: simulator DON keys do not match mainnet registry signers.
+- For local wiring tests, set `skipSignatureVerification: true`. For real crypto verify, use a **deployed sender** or production-signed reports.
+
+**`invalid signature` / `unknown signer` (deployed)**
 
 - Signatures may be from a different DON or stale registry config.
 - Confirm the sender workflow used production CRE and the report was not tampered with.
 
+**`unexpected token: 'test'` on simulate**
+
+- Wrong `--http-payload` path. Invoke `cre` from the **project root** and use a path such as `verify-report-receiver/test-report-payload.json`.
+
+**Receiver JSON parse error**
+
+- You copied a **binary/octet-stream** webhook body instead of Pattern 4 JSON. Use [Pattern 4 for offchain verification (hex)](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#pattern-4-for-offchain-verification-hex).
+
 **`wrong number of signatures`**
 
 - At least **f+1** valid signatures are required. Extra invalid signatures are skipped; too few valid ones fails verification.
 
 **`could not read from chain ...`**
 
-- Registry read failed (RPC/network). Retry or check simulation vs production EVM access.
+- Registry read failed (RPC/network). Configure **`ethereum-mainnet` RPC** in `project.yaml` (required for default verify, including sim). Sepolia-only RPC is not sufficient for default `Report.parse()`.
 
 **`raw report too short`**
 
@@ -249,7 +385,6 @@ Most workflows should use the default config (production environment only).
 
 ## Learn more
 
-- **[API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http):** sender → receiver overview
 - **[Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts):** sender workflow; create and POST the report
 - **[SDK Reference: Core: Report verification](/cre/reference/sdk/core-ts#report-verification):** `Report.parse`, accessors, and `ReportParseConfig`
 - **[HTTP Trigger Overview](/cre/guides/workflow/using-triggers/http-trigger/overview-ts):** trigger deployed receiver workflows
diff --git a/src/content/cre/llms-full-go.txt b/src/content/cre/llms-full-go.txt
index 6cf2d2d57a0..bdfdd806116 100644
--- a/src/content/cre/llms-full-go.txt
+++ b/src/content/cre/llms-full-go.txt
@@ -4732,35 +4732,26 @@ The CRE SDK provides an HTTP client that allows your workflows to interact with
 
 
 <Aside type="caution" title="Parse responses before aggregation">
-  When using a numeric aggregation method (such as `median`), always parse the HTTP response **inside** your node function and return a numeric value — never pass the raw response body to the aggregation step. If your endpoint returns an error string and your node function passes that string to a median aggregation, consensus will fail with `unsupported type for median aggregation`. See the [best practices section](/cre/guides/workflow/using-http-client/get-request#best-practices) of the GET request guide for correct and incorrect patterns.
+  When using a numeric aggregation method (such as `median`), always parse the HTTP response **inside** your node function and return a numeric value: never pass the raw response body to the aggregation step. If your endpoint returns an error string and your node function passes that string to a median aggregation, consensus will fail with `unsupported type for median aggregation`. See the [best practices section](/cre/guides/workflow/using-http-client/get-request#best-practices) of the GET request guide for correct and incorrect patterns.
 </Aside>
 
-These guides will walk you through the common use cases for the HTTP client.
+## Guides
+
+- **[Making GET Requests](/cre/guides/workflow/using-http-client/get-request)**: Learn how to fetch data from a public API using a `GET` request.
+- **[Making POST Requests](/cre/guides/workflow/using-http-client/post-request)**: Learn how to send data to an external endpoint using a `POST` request.
+- **[Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http)**: Learn how to submit cryptographically signed reports to an external HTTP endpoint.
+- **[Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain)**: Verify report signatures and read workflow metadata when receiving reports over HTTP or other offchain channels.
 
 ## CRE reports over HTTP
 
 A **CRE report** is a DON-signed package your workflow creates with `runtime.report()` (TypeScript) or `runtime.GenerateReport()` (Go). It contains your encoded payload, workflow metadata, and cryptographic signatures.
 
-Most secure HTTP integrations involve two parties:
+A typical secure integration uses two parties:
 
-**Sender workflow (CRE):** runs on a schedule or trigger, does your logic, then creates and ships the report:
+1. **Sender:** a CRE workflow that runs your logic, signs a report, and POSTs it to a URL. See [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http).
+2. **Receiver:** your API or another CRE workflow that verifies the report before using the data. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain).
 
-1. Run business logic and encode your payload.
-2. Call `runtime.report()` / `GenerateReport()` so the DON signs the report.
-3. Call `sendReport()` to POST the report to your URL.
-
-**Receiver:** a separate system that gets that HTTP POST (your API, or another CRE workflow with an HTTP trigger):
-
-4. Verify signatures with `Report.parse()` / `ParseReport()`, then use the payload. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain).
-
-The sender **creates** the report in step 2; you do not fetch it from somewhere else first. The receiver **must** verify before trusting the data: the sender does not do that for you.
-
-## Guides
-
-- **[Making GET Requests](/cre/guides/workflow/using-http-client/get-request)**: Learn how to fetch data from a public API using a `GET` request.
-- **[Making POST Requests](/cre/guides/workflow/using-http-client/post-request)**: Learn how to send data to an external endpoint using a `POST` request.
-- **[Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http)**: Learn how to submit cryptographically signed reports to an external HTTP endpoint.
-- **[Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain)**: Verify report signatures and read workflow metadata when receiving reports over HTTP or other offchain channels.
+The sender creates the report inside the workflow; the receiver must verify signatures before trusting the payload.
 
 ---
 
@@ -15333,8 +15324,6 @@ This guide is for the **sender** side: a CRE workflow that **creates** a signed
 3. `runtime.GenerateReport()`: DON produces a signed `sdk.ReportResponse`.
 4. `SendReport()`: format and POST to your URL.
 
-For a conceptual overview, see [API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
-
 ## Prerequisites
 
 - Familiarity with [making POST requests](/cre/guides/workflow/using-http-client/post-request)
@@ -15346,9 +15335,21 @@ For a conceptual overview, see [API Interactions: CRE reports over HTTP](/cre/gu
   HTTP requests to URLs that return redirects (3xx status codes) will fail. Ensure the URL you provide is the final destination and does not redirect to another URL.
 </Aside>
 
-## Quick start: Minimal example
+## Payload contract (if you verify offchain)
+
+Receivers using [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go) expect JSON with hex fields **without** `0x`. Use JSON key `context` for `reportContext`:
+
+| JSON field   | SDK field on `ReportResponse` |
+| ------------ | ----------------------------- |
+| `report`     | `RawReport`                   |
+| `context`    | `ReportContext`               |
+| `signatures` | per-node signatures in `Sigs` |
+
+## Quick start: Minimal example (binary only)
+
+Posts **raw `RawReport` bytes** only. Not compatible with the verify guide’s JSON receiver. For local testing, use the [complete working example](#complete-working-example) or [Pattern 4 for offchain verification (hex)](#pattern-4-for-offchain-verification-hex).
 
-Here's the simplest possible workflow that generates and submits a report via HTTP:
+Here's the simplest workflow that generates and submits a report via HTTP:
 
 ```go
 func formatReportSimple(r *sdk.ReportResponse) (*http.Request, error) {
@@ -15585,6 +15586,51 @@ func formatReportAsJSON(r *sdk.ReportResponse) (*http.Request, error) {
 }
 ```
 
+### Pattern 4 for offchain verification (hex)
+
+Use when testing [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go). The verify examples decode **hex without `0x`** in JSON. Base64 Pattern 4 above does not match unless you change the receiver.
+
+```go
+import (
+	"encoding/hex"
+	"encoding/json"
+)
+
+type ReportPayload struct {
+	Report     string   `json:"report"`
+	Context    string   `json:"context"`
+	Signatures []string `json:"signatures"`
+}
+
+func formatReportAsJSONHex(config *Config) func(r *sdk.ReportResponse) (*http.Request, error) {
+	return func(r *sdk.ReportResponse) (*http.Request, error) {
+		sigs := make([]string, len(r.Sigs))
+		for i, sig := range r.Sigs {
+			sigs[i] = hex.EncodeToString(sig.Signature)
+		}
+		payload := ReportPayload{
+			Report:     hex.EncodeToString(r.RawReport),
+			Context:    hex.EncodeToString(r.ReportContext),
+			Signatures: sigs,
+		}
+		body, err := json.Marshal(payload)
+		if err != nil {
+			return nil, err
+		}
+		return &http.Request{
+			Url:    config.ApiUrl,
+			Method: "POST",
+			Body:   body,
+			Headers: map[string]string{"Content-Type": "application/json"},
+			CacheSettings: &http.CacheSettings{
+				Store:  true,
+				MaxAge: durationpb.New(60 * time.Second),
+			},
+		}, nil
+	}
+}
+```
+
 ### Understanding `CacheSettings` for reports
 
 You'll notice that all the patterns above include `CacheSettings`. This is critical for report submissions, just like it is for [POST requests](/cre/guides/workflow/using-http-client/post-request).
@@ -15660,8 +15706,8 @@ func onCronTrigger(config *Config, runtime cre.Runtime, trigger *cron.Payload) (
 This example shows a workflow that:
 
 1. Generates a report from a single value
-2. Submits it to an HTTP API
-3. Uses the simple "report in body" format
+2. Submits it via **Pattern 4 JSON with hex fields** (compatible with the verify guide sim loop)
+3. Uses `config.ApiUrl` from your target config
 
 ```go
 //go:build wasip1
@@ -15669,10 +15715,11 @@ This example shows a workflow that:
 package main
 
 import (
+	"encoding/hex"
+	"encoding/json"
 	"fmt"
 	"log/slog"
 	"math/big"
-	"time"
 
 	"github.com/ethereum/go-ethereum/accounts/abi"
 	"github.com/smartcontractkit/chainlink-protos/cre/go/sdk"
@@ -15700,28 +15747,47 @@ func InitWorkflow(config *Config, logger *slog.Logger, secretsProvider cre.Secre
 	}, nil
 }
 
-// Transformation function: defines how the API expects the report
-func formatReportForMyAPI(r *sdk.ReportResponse) (*http.Request, error) {
-	return &http.Request{
-		Url:    "https://webhook.site/your-unique-id",  // Replace with your API
-		Method: "POST",
-		Body:   r.RawReport,
-		Headers: map[string]string{
-			"Content-Type": "application/octet-stream",
-			"X-Report-SeqNr": fmt.Sprintf("%d", r.SeqNr),
-		},
-		CacheSettings: &http.CacheSettings{
-			Store:  true,                             // Prevent duplicate submissions
-			MaxAge: durationpb.New(60 * time.Second), // Accept cached responses up to 60 seconds old
-		},
-	}, nil
+type reportPayload struct {
+	Report     string   `json:"report"`
+	Context    string   `json:"context"`
+	Signatures []string `json:"signatures"`
+}
+
+func formatReportForMyAPI(config *Config) func(r *sdk.ReportResponse) (*http.Request, error) {
+	return func(r *sdk.ReportResponse) (*http.Request, error) {
+		sigs := make([]string, len(r.Sigs))
+		for i, sig := range r.Sigs {
+			sigs[i] = hex.EncodeToString(sig.Signature)
+		}
+		body, err := json.Marshal(reportPayload{
+			Report:     hex.EncodeToString(r.RawReport),
+			Context:    hex.EncodeToString(r.ReportContext),
+			Signatures: sigs,
+		})
+		if err != nil {
+			return nil, err
+		}
+		return &http.Request{
+			Url:    config.ApiUrl,
+			Method: "POST",
+			Body:   body,
+			Headers: map[string]string{
+				"Content-Type":   "application/json",
+				"X-Report-SeqNr": fmt.Sprintf("%d", r.SeqNr),
+			},
+			CacheSettings: &http.CacheSettings{
+				Store:  true,
+				MaxAge: durationpb.New(60 * time.Second),
+			},
+		}, nil
+	}
 }
 
 // Function that submits the report via HTTP
 func submitReportViaHTTP(config *Config, logger *slog.Logger, sendRequester *http.SendRequester, report *cre.Report) (*SubmitResponse, error) {
 	logger.Info("Submitting report to API", "url", config.ApiUrl)
 
-	resp, err := sendRequester.SendReport(*report, formatReportForMyAPI).Await()
+	resp, err := sendRequester.SendReport(*report, formatReportForMyAPI(config)).Await()
 	if err != nil {
 		return nil, fmt.Errorf("failed to send report: %w", err)
 	}
@@ -15813,7 +15879,11 @@ func main() {
    ```bash
    cre workflow simulate my-workflow --target staging-settings
    ```
-4. Check webhook.site to see the report data received
+4. On webhook.site, open **Content** and confirm JSON with `report`, `context`, and `signatures` (hex). Use that JSON to test a receiver workflow in [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go#testing-locally-with-simulation).
+
+## Next step: verify on the receiver
+
+The sender does not validate the report for the receiver. After submission, the ingesting side must verify signatures before trusting the payload. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go).
 
 ## Advanced: Low-level pattern
 
@@ -15880,8 +15950,7 @@ func onCronTrigger(config *Config, runtime cre.Runtime, trigger *cron.Payload) (
 
 ## Learn more
 
-- **[API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http):** sender → receiver overview
-- **[Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go):** receiver workflow; verify before trusting payload
+- **[Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go):** verify signatures on the receiver before trusting payload data
 - **[HTTP Client SDK Reference](/cre/reference/sdk/http-client):** complete API reference including `SendReport` and `sdk.ReportResponse`
 - **[POST Requests](/cre/guides/workflow/using-http-client/post-request):** HTTP request patterns and caching
 - **[Generating Reports: Single Values](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values):** create reports from single values
@@ -15926,7 +15995,7 @@ The CRE SDK provides `cre.ParseReport()` to do this inside a workflow. Verificat
 3. `cre.ParseReport()`: verify signatures and read metadata.
 4. Use trusted `Body()` in your logic.
 
-For the full sender → receiver overview, see [API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
+Pair this guide with [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go) on the sender side. For local simulation, start with [Testing locally with simulation](#testing-locally-with-simulation) before the [deploy example](#complete-example-http-receiver-workflow) below.
 
 ## What you'll learn
 
@@ -15966,11 +16035,15 @@ Default (`cre.ProductionEnvironment()`):
 
 If verification fails, `cre.ParseReport()` returns an error (for example, `ErrUnknownSigner`, `ErrWrongSignatureCount`, or registry read failure).
 
-## Complete example: HTTP receiver workflow
+## Complete example: HTTP receiver workflow (deploy)
+
+For **local simulation**, use [Testing locally with simulation](#testing-locally-with-simulation) first. This deploy example uses `AuthorizedKeys`.
 
-This workflow accepts a JSON payload (matching the format from [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go#pattern-4-json-formatted-report)), verifies it, then processes the trusted body.
+It accepts JSON with hex `report`, `context`, and `signatures` from the submit guide’s [complete working example](/cre/guides/workflow/using-http-client/submitting-reports-http-go#complete-working-example) or [Pattern 4 for offchain verification (hex)](/cre/guides/workflow/using-http-client/submitting-reports-http-go#pattern-4-for-offchain-verification-hex), not base64 [Pattern 4](/cre/guides/workflow/using-http-client/submitting-reports-http-go#pattern-4-json-formatted-report) unless you change decoding.
 
 ```go
+//go:build wasip1
+
 package main
 
 import (
@@ -15980,6 +16053,7 @@ import (
 
 	"github.com/smartcontractkit/cre-sdk-go/capabilities/networking/http"
 	"github.com/smartcontractkit/cre-sdk-go/cre"
+	"github.com/smartcontractkit/cre-sdk-go/cre/wasm"
 )
 
 type Config struct {
@@ -15987,6 +16061,7 @@ type Config struct {
 }
 
 func InitWorkflow(cfg *Config, _ *slog.Logger, _ cre.SecretsProvider) (cre.Workflow[*Config], error) {
+	// For local simulation, use http.Trigger(&http.Config{}) — see Testing locally with simulation below.
 	return cre.Workflow[*Config]{
 		cre.Handler(http.Trigger(&http.Config{AuthorizedKeys: []*http.AuthorizedKey{{PublicKey: cfg.AuthorizedKey}}}), run),
 	}, nil
@@ -16052,6 +16127,10 @@ func run(_ *Config, runtime cre.Runtime, payload *http.Payload) (bool, error) {
 
 	return true, nil
 }
+
+func main() {
+	wasm.NewRunner(cre.ParseJSON[Config]).Run(InitWorkflow)
+}
 ```
 
 **What's happening:**
@@ -16062,18 +16141,135 @@ func run(_ *Config, runtime cre.Runtime, payload *http.Payload) (bool, error) {
 
 
 <Aside type="caution" title="Hex encoding">
-  The example expects **hex strings without a `0x` prefix** in JSON. Adjust decoding if your API sends `0x`-prefixed values or base64 instead.
+  The example expects **hex strings without a `0x` prefix** in JSON. Adjust decoding if your API sends `0x`-prefixed values or base64 instead. Pattern 4 in the [submit guide](/cre/guides/workflow/using-http-client/submitting-reports-http-go#pattern-4-json-formatted-report) uses base64 by default; use [Pattern 4 for offchain verification (hex)](/cre/guides/workflow/using-http-client/submitting-reports-http-go#pattern-4-for-offchain-verification-hex) when testing this receiver.
 </Aside>
 
+## Testing locally with simulation
+
+After you run the [submit guide complete example](/cre/guides/workflow/using-http-client/submitting-reports-http-go#complete-working-example) and copy JSON from webhook.site, use this section to exercise a receiver workflow in simulation.
+
+1. Save the webhook JSON as `test-report-payload.json` in your receiver workflow folder.
+2. Register `http.Trigger(&http.Config{})` (empty config) for simulation.
+3. From the **CRE project root**, run `cre workflow simulate` with `--http-payload verify-report-receiver/test-report-payload.json` (path relative to where you invoke `cre`).
+
+### Minimal receiver for simulation
+
+Use an empty HTTP trigger for sim. Set `SkipSignatureVerification: true` in staging config (or pass it to `ParseReportWithConfig`). The CLI delivers `--http-payload` file contents as `payload.Input` bytes.
+
+`config.staging.json`:
+
+```json
+{
+  "skipSignatureVerification": true
+}
+```
+
+```go
+//go:build wasip1
+
+package main
+
+import (
+	"encoding/hex"
+	"encoding/json"
+	"log/slog"
+
+	"github.com/smartcontractkit/cre-sdk-go/capabilities/networking/http"
+	"github.com/smartcontractkit/cre-sdk-go/cre"
+	"github.com/smartcontractkit/cre-sdk-go/cre/wasm"
+)
+
+type Config struct {
+	SkipSignatureVerification bool `json:"skipSignatureVerification"`
+}
+
+type parsedPayload struct {
+	Report     string   `json:"report"`
+	Context    string   `json:"context"`
+	Signatures []string `json:"signatures"`
+}
+
+func InitWorkflow(_ *Config, _ *slog.Logger, _ cre.SecretsProvider) (cre.Workflow[*Config], error) {
+	return cre.Workflow[*Config]{
+		cre.Handler(http.Trigger(&http.Config{}), run),
+	}, nil
+}
+
+func run(cfg *Config, runtime cre.Runtime, payload *http.Payload) (bool, error) {
+	var parsed parsedPayload
+	if err := json.Unmarshal(payload.Input, &parsed); err != nil {
+		return false, err
+	}
+
+	rawReport, err := hex.DecodeString(parsed.Report)
+	if err != nil {
+		return false, err
+	}
+	reportContext, err := hex.DecodeString(parsed.Context)
+	if err != nil {
+		return false, err
+	}
+	sigs := make([][]byte, len(parsed.Signatures))
+	for i, sigHex := range parsed.Signatures {
+		sigs[i], err = hex.DecodeString(sigHex)
+		if err != nil {
+			return false, err
+		}
+	}
+
+	report, err := cre.ParseReportWithConfig(runtime, rawReport, sigs, reportContext, cre.ReportParseConfig{
+		SkipSignatureVerification: cfg.SkipSignatureVerification,
+	})
+	if err != nil {
+		return false, err
+	}
+
+	runtime.Logger().Info("Verified report",
+		"workflowId", report.WorkflowID(),
+		"executionId", report.ExecutionID(),
+		"donId", report.DONID(),
+	)
+
+	_ = report.Body()
+	return true, nil
+}
+
+func main() {
+	wasm.NewRunner(cre.ParseJSON[Config]).Run(InitWorkflow)
+}
+```
+
+### Sim wiring vs full verify
+
+| Mode                   | Config                                                       | What it validates                                                                             |
+| ---------------------- | ------------------------------------------------------------ | --------------------------------------------------------------------------------------------- |
+| **Wiring / decode**    | `SkipSignatureVerification: true` in `ParseReportWithConfig` | JSON + hex decode, metadata accessors, `Body()`                                               |
+| **Full crypto verify** | Default `cre.ParseReport()` (production registry)            | Reports from a **deployed/production DON**. Sim-signed reports **fail** default verification. |
+
+```bash
+cre workflow simulate verify-report-receiver \
+  --target staging-settings \
+  --non-interactive \
+  --trigger-index 0 \
+  --http-payload verify-report-receiver/test-report-payload.json
+```
+
+**Pass criteria**
+
+- **Sim wiring:** `SkipSignatureVerification: true` in `ParseReportWithConfig`: logs show metadata and a successful handler return.
+- **Full crypto verify:** default `ParseReport` with a **production-signed** report (not typical for sender-sim → receiver-sim alone).
+
+`project.yaml` needs **`ethereum-mainnet` RPC** for default verify (registry reads).
+
 ## Report payload format
 
-Receivers need three fields (plus optional metadata your API may add):
+Receivers need three JSON fields. The JSON key is `context` even though the SDK field is `ReportContext`:
 
-| Field        | Description                                                        |
-| ------------ | ------------------------------------------------------------------ |
-| `report`     | Hex-encoded `rawReport` bytes (metadata header + workflow payload) |
-| `context`    | Hex-encoded `reportContext` (config digest + sequence number)      |
-| `signatures` | Array of hex-encoded 65-byte ECDSA signatures from DON nodes       |
+| JSON field   | SDK field       | Description                                                     |
+| ------------ | --------------- | --------------------------------------------------------------- |
+| `report`     | `RawReport`     | Hex-encoded bytes (metadata header + workflow payload), no `0x` |
+| `context`    | `ReportContext` | Hex-encoded config digest + sequence number                     |
+| `signatures` | `Sigs`          | Array of hex-encoded 65-byte ECDSA signatures, no `0x`          |
 
 The `reportContext` layout used by the SDK:
 
@@ -16155,18 +16351,31 @@ if err := report.VerifySignatures(runtime); err != nil {
 
 ## Troubleshooting
 
-**`ErrUnknownSigner`**
+**`ErrUnknownSigner` / `invalid signature` in sim with fresh webhook JSON**
+
+- **Expected** when using default `ParseReport` on a **sim-signed** report: simulator DON keys do not match mainnet registry signers.
+- For local wiring tests, use `SkipSignatureVerification: true`. For real crypto verify, use a **deployed sender** or production-signed reports.
+
+**`ErrUnknownSigner` (deployed)**
 
 - Signatures may be from a different DON or stale registry config.
 - Confirm the sender workflow used production CRE and the report was not tampered with.
 
+**Wrong `--http-payload` path**
+
+- Invoke `cre` from the **project root**. Use `verify-report-receiver/test-report-payload.json`, not a bare filename unless your cwd matches.
+
+**Receiver JSON / hex decode error**
+
+- You copied a **binary** webhook body instead of Pattern 4 JSON with hex fields.
+
 **`ErrWrongSignatureCount`**
 
 - At least **f+1** valid signatures are required.
 
 **`could not read from chain ...`**
 
-- Registry read failed (RPC/network). Retry or check simulation vs production EVM access.
+- Registry read failed (RPC/network). Configure **`ethereum-mainnet` RPC** in `project.yaml` (required for default verify, including sim).
 
 **`ErrRawReportTooShort`**
 
@@ -16174,7 +16383,6 @@ if err := report.VerifySignatures(runtime); err != nil {
 
 ## Learn more
 
-- **[API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http):** sender → receiver overview
 - **[Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go):** sender workflow; create and POST the report
 - **[SDK Reference: Core: Report verification](/cre/reference/sdk/core-go#report-verification):** `ParseReport`, `Report`, and `ReportParseConfig`
 - **[HTTP Trigger Overview](/cre/guides/workflow/using-triggers/http-trigger/overview-go):** trigger deployed receiver workflows
diff --git a/src/content/cre/llms-full-ts.txt b/src/content/cre/llms-full-ts.txt
index ad43a88111f..917eed28e5e 100644
--- a/src/content/cre/llms-full-ts.txt
+++ b/src/content/cre/llms-full-ts.txt
@@ -4041,35 +4041,26 @@ The CRE SDK provides an HTTP client that allows your workflows to interact with
 
 
 <Aside type="caution" title="Parse responses before aggregation">
-  When using a numeric aggregation method (such as `median`), always parse the HTTP response **inside** your node function and return a numeric value — never pass the raw response body to the aggregation step. If your endpoint returns an error string and your node function passes that string to a median aggregation, consensus will fail with `unsupported type for median aggregation`. See the [best practices section](/cre/guides/workflow/using-http-client/get-request#best-practices) of the GET request guide for correct and incorrect patterns.
+  When using a numeric aggregation method (such as `median`), always parse the HTTP response **inside** your node function and return a numeric value: never pass the raw response body to the aggregation step. If your endpoint returns an error string and your node function passes that string to a median aggregation, consensus will fail with `unsupported type for median aggregation`. See the [best practices section](/cre/guides/workflow/using-http-client/get-request#best-practices) of the GET request guide for correct and incorrect patterns.
 </Aside>
 
-These guides will walk you through the common use cases for the HTTP client.
+## Guides
+
+- **[Making GET Requests](/cre/guides/workflow/using-http-client/get-request)**: Learn how to fetch data from a public API using a `GET` request.
+- **[Making POST Requests](/cre/guides/workflow/using-http-client/post-request)**: Learn how to send data to an external endpoint using a `POST` request.
+- **[Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http)**: Learn how to submit cryptographically signed reports to an external HTTP endpoint.
+- **[Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain)**: Verify report signatures and read workflow metadata when receiving reports over HTTP or other offchain channels.
 
 ## CRE reports over HTTP
 
 A **CRE report** is a DON-signed package your workflow creates with `runtime.report()` (TypeScript) or `runtime.GenerateReport()` (Go). It contains your encoded payload, workflow metadata, and cryptographic signatures.
 
-Most secure HTTP integrations involve two parties:
+A typical secure integration uses two parties:
 
-**Sender workflow (CRE):** runs on a schedule or trigger, does your logic, then creates and ships the report:
+1. **Sender:** a CRE workflow that runs your logic, signs a report, and POSTs it to a URL. See [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http).
+2. **Receiver:** your API or another CRE workflow that verifies the report before using the data. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain).
 
-1. Run business logic and encode your payload.
-2. Call `runtime.report()` / `GenerateReport()` so the DON signs the report.
-3. Call `sendReport()` to POST the report to your URL.
-
-**Receiver:** a separate system that gets that HTTP POST (your API, or another CRE workflow with an HTTP trigger):
-
-4. Verify signatures with `Report.parse()` / `ParseReport()`, then use the payload. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain).
-
-The sender **creates** the report in step 2; you do not fetch it from somewhere else first. The receiver **must** verify before trusting the data: the sender does not do that for you.
-
-## Guides
-
-- **[Making GET Requests](/cre/guides/workflow/using-http-client/get-request)**: Learn how to fetch data from a public API using a `GET` request.
-- **[Making POST Requests](/cre/guides/workflow/using-http-client/post-request)**: Learn how to send data to an external endpoint using a `POST` request.
-- **[Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http)**: Learn how to submit cryptographically signed reports to an external HTTP endpoint.
-- **[Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain)**: Verify report signatures and read workflow metadata when receiving reports over HTTP or other offchain channels.
+The sender creates the report inside the workflow; the receiver must verify signatures before trusting the payload.
 
 ---
 
@@ -15038,24 +15029,42 @@ This guide is for the **sender** side: a CRE workflow that **creates** a signed
 3. `runtime.report()`: DON produces a signed `ReportResponse`.
 4. `sendReport()`: format and POST to your URL.
 
-For a conceptual overview, see [API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
-
 ## Prerequisites
 
 - Familiarity with [making POST requests](/cre/guides/workflow/using-http-client/post-request)
 - Familiarity with `runtime.report()` (covered [below](#generating-reports-for-http-submission))
+- **`viem`** as a direct dependency in the workflow `package.json` (for ABI encoding in examples)
+- Protobuf HTTP/report types from **`@chainlink/cre-sdk/pb`** (`SDK_PB.ReportResponse`, `HTTP_CLIENT_PB.RequestJson`), not the main `@chainlink/cre-sdk` entry
 
 
 <Aside type="caution" title="Redirects are not supported">
   HTTP requests to URLs that return redirects (3xx status codes) will fail. Ensure the URL you provide is the final destination and does not redirect to another URL.
 </Aside>
 
-## Quick start: Minimal example
+## Payload contract (if you verify offchain)
+
+If a receiver uses [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts), your HTTP body must expose three fields. The verify guide expects **hex without `0x` in JSON** (field name `context`, not `reportContext`):
+
+| Your JSON field | SDK field on `ReportResponse` |
+| --------------- | ----------------------------- |
+| `report`        | `rawReport`                   |
+| `context`       | `reportContext`               |
+| `signatures`    | `sigs[].signature`            |
+
+Use [Pattern 4 for offchain verification (hex)](#pattern-4-for-offchain-verification-hex) or the [complete working example](#complete-working-example). Other patterns are for APIs with different formats, not the default verify examples.
+
+## Quick start: Minimal example (binary only)
 
-Here's the simplest possible workflow that generates and submits a report via HTTP:
+This example POSTs **raw report bytes** (`application/octet-stream`). It is **not** compatible with the verify guide’s JSON receiver without changes. For sender → verify local testing, skip to the [complete working example](#complete-working-example).
+
+Here's the simplest workflow that generates and submits a report via HTTP:
 
 ```typescript
-import { ok, type ReportResponse, type RequestJson, type HTTPSendRequester } from "@chainlink/cre-sdk"
+import { ok, type HTTPSendRequester, type Report } from "@chainlink/cre-sdk"
+import type { SDK_PB, HTTP_CLIENT_PB } from "@chainlink/cre-sdk/pb"
+
+type ReportResponse = SDK_PB.ReportResponse
+type RequestJson = HTTP_CLIENT_PB.RequestJson
 
 const formatReportSimple = (r: ReportResponse): RequestJson => {
   return {
@@ -15066,8 +15075,8 @@ const formatReportSimple = (r: ReportResponse): RequestJson => {
       "Content-Type": "application/octet-stream",
     },
     cacheSettings: {
-      readFromCache: true,
-      maxAgeMs: 60000, // Accept cached responses up to 60 seconds old
+      store: true,
+      maxAge: "60s",
     },
   }
 }
@@ -15141,6 +15150,15 @@ The transformation function gives you complete control over the format.
 
 Here are common patterns for formatting reports. Choose the one that matches your API's requirements.
 
+All patterns below use protobuf types and caching settings:
+
+```typescript
+import type { SDK_PB, HTTP_CLIENT_PB } from "@chainlink/cre-sdk/pb"
+
+type ReportResponse = SDK_PB.ReportResponse
+type RequestJson = HTTP_CLIENT_PB.RequestJson
+```
+
 ### Choosing the right pattern
 
 | Pattern                                                                                                 | When to use                                               |
@@ -15155,8 +15173,6 @@ Here are common patterns for formatting reports. Choose the one that matches you
 Use this when your API accepts raw binary data:
 
 ```typescript
-import type { ReportResponse, RequestJson } from "@chainlink/cre-sdk"
-
 const formatReportSimple = (r: ReportResponse): RequestJson => {
   return {
     url: "https://api.example.com/reports",
@@ -15166,8 +15182,8 @@ const formatReportSimple = (r: ReportResponse): RequestJson => {
       "Content-Type": "application/octet-stream",
     },
     cacheSettings: {
-      readFromCache: true, // Enable caching
-      maxAgeMs: 60000, // Accept cached responses up to 60 seconds old
+      store: true,
+      maxAge: "60s",
     },
   }
 }
@@ -15213,8 +15229,8 @@ const formatReportWithSignatures = (r: ReportResponse): RequestJson => {
       "Content-Type": "application/octet-stream",
     },
     cacheSettings: {
-      readFromCache: true,
-      maxAgeMs: 60000,
+      store: true,
+      maxAge: "60s",
     },
   }
 }
@@ -15245,8 +15261,8 @@ const formatReportWithHeaderSigs = (r: ReportResponse): RequestJson => {
     body: Buffer.from(r.rawReport).toString("base64"),
     headers,
     cacheSettings: {
-      readFromCache: true,
-      maxAgeMs: 60000,
+      store: true,
+      maxAge: "60s",
     },
   }
 }
@@ -15288,13 +15304,53 @@ const formatReportAsJSON = (r: ReportResponse): RequestJson => {
       "Content-Type": "application/json",
     },
     cacheSettings: {
-      readFromCache: true,
-      maxAgeMs: 60000,
+      store: true,
+      maxAge: "60s",
     },
   }
 }
 ```
 
+### Pattern 4 for offchain verification (hex)
+
+Use this variant when testing the [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts) receiver in simulation. The verify examples decode **hex without a `0x` prefix**; the receiver adds `0x` when calling `hexToBytes`.
+
+Pattern 4 in the block above uses **base64** fields. Base64 sender output does **not** match the verify guide’s hex decoder without changes.
+
+```typescript
+import type { SDK_PB, HTTP_CLIENT_PB } from "@chainlink/cre-sdk/pb"
+import { bytesToHex } from "viem"
+
+type ReportResponse = SDK_PB.ReportResponse
+type RequestJson = HTTP_CLIENT_PB.RequestJson
+
+const formatReportAsJSONHex =
+  (config: { apiUrl: string }) =>
+  (r: ReportResponse): RequestJson => {
+    const payload = {
+      report: bytesToHex(r.rawReport).slice(2),
+      context: bytesToHex(r.reportContext).slice(2),
+      signatures: r.sigs.map((sig) => bytesToHex(sig.signature).slice(2)),
+    }
+    const bodyBytes = new TextEncoder().encode(JSON.stringify(payload))
+
+    return {
+      url: config.apiUrl,
+      method: "POST",
+      body: Buffer.from(bodyBytes).toString("base64"),
+      headers: {
+        "Content-Type": "application/json",
+      },
+      cacheSettings: {
+        store: true,
+        maxAge: "60s",
+      },
+    }
+  }
+```
+
+The `body` field is the UTF-8 JSON string, base64-encoded for the protobuf `bytes` field (same pattern as other JSON POST bodies in TypeScript workflows).
+
 ### Understanding `cacheSettings` for reports
 
 You'll notice that all the patterns above include `cacheSettings`. This is critical for report submissions, just like it is for [POST requests](/cre/guides/workflow/using-http-client/post-request).
@@ -15371,7 +15427,11 @@ interface SubmitResponse {
   success: boolean
 }
 
-const submitReportViaHTTP = (sendRequester: HTTPSendRequester, report: Report): SubmitResponse => {
+const submitReportViaHTTP = (
+  runtime: Runtime<Config>,
+  sendRequester: HTTPSendRequester,
+  report: Report
+): SubmitResponse => {
   const response = sendRequester.sendReport(report, formatReportSimple).result()
 
   if (!ok(response)) {
@@ -15392,7 +15452,7 @@ const onCronTrigger = (runtime: Runtime<Config>): MyResult => {
   const result = httpClient
     .sendRequest(
       runtime,
-      (sendRequester: HTTPSendRequester) => submitReportViaHTTP(sendRequester, report),
+      (sendRequester: HTTPSendRequester) => submitReportViaHTTP(runtime, sendRequester, report),
       consensusIdenticalAggregation<SubmitResponse>()
     )()
     .result()
@@ -15406,25 +15466,30 @@ const onCronTrigger = (runtime: Runtime<Config>): MyResult => {
 This example shows a workflow that:
 
 1. Generates a report from a single value
-2. Submits it to an HTTP API
-3. Uses the simple "report in body" format
+2. Submits it to an HTTP API as **Pattern 4 JSON with hex fields** (compatible with the verify guide’s receiver sim loop)
+3. Uses `config.apiUrl` from your target config file
+
+Add **`viem`** to `package.json`. Register handlers with `handler()` from `@chainlink/cre-sdk` (not `cron.handler()`).
 
 ```typescript
 import {
   CronCapability,
   HTTPClient,
   Runner,
+  handler,
   consensusIdenticalAggregation,
   hexToBase64,
   ok,
   type Runtime,
-  type Report,
   type CronPayload,
   type HTTPSendRequester,
-  type ReportResponse,
-  type RequestJson,
+  type Report,
 } from "@chainlink/cre-sdk"
-import { encodeAbiParameters, parseAbiParameters } from "viem"
+import type { SDK_PB, HTTP_CLIENT_PB } from "@chainlink/cre-sdk/pb"
+import { encodeAbiParameters, parseAbiParameters, bytesToHex } from "viem"
+
+type ReportResponse = SDK_PB.ReportResponse
+type RequestJson = HTTP_CLIENT_PB.RequestJson
 
 interface Config {
   apiUrl: string
@@ -15439,32 +15504,43 @@ type MyResult = Record<string, never>
 
 const initWorkflow = (config: Config) => {
   const cron = new CronCapability()
-
-  return [cron.handler(cron.trigger({ schedule: config.schedule }), onCronTrigger)]
+  return [handler(cron.trigger({ schedule: config.schedule }), onCronTrigger)]
 }
 
-// Transformation function: defines how the API expects the report
-const formatReportForMyAPI = (r: ReportResponse): RequestJson => {
-  return {
-    url: "https://webhook.site/your-unique-id", // Replace with your API
-    method: "POST",
-    body: Buffer.from(r.rawReport).toString("base64"),
-    headers: {
-      "Content-Type": "application/octet-stream",
-      "X-Report-SeqNr": r.seqNr.toString(),
-    },
-    cacheSettings: {
-      readFromCache: true, // Prevent duplicate submissions
-      maxAgeMs: 60000, // Accept cached responses up to 60 seconds old
-    },
+const formatReportForMyAPI =
+  (config: Config) =>
+  (r: ReportResponse): RequestJson => {
+    const payload = {
+      report: bytesToHex(r.rawReport).slice(2),
+      context: bytesToHex(r.reportContext).slice(2),
+      signatures: r.sigs.map((sig) => bytesToHex(sig.signature).slice(2)),
+    }
+    const bodyBytes = new TextEncoder().encode(JSON.stringify(payload))
+
+    return {
+      url: config.apiUrl,
+      method: "POST",
+      body: Buffer.from(bodyBytes).toString("base64"),
+      headers: {
+        "Content-Type": "application/json",
+        "X-Report-SeqNr": r.seqNr.toString(), // optional metadata for your API
+      },
+      cacheSettings: {
+        store: true,
+        maxAge: "60s",
+      },
+    }
   }
-}
 
-// Function that submits the report via HTTP
-const submitReportViaHTTP = (sendRequester: HTTPSendRequester, report: Report): SubmitResponse => {
-  runtime.log("Submitting report to API")
+const submitReportViaHTTP = (
+  runtime: Runtime<Config>,
+  sendRequester: HTTPSendRequester,
+  report: Report,
+  config: Config
+): SubmitResponse => {
+  runtime.log(`Submitting report to API: ${config.apiUrl}`)
 
-  const response = sendRequester.sendReport(report, formatReportForMyAPI).result()
+  const response = sendRequester.sendReport(report, formatReportForMyAPI(config)).result()
 
   runtime.log(`Report submitted - status: ${response.statusCode}, bodyLength: ${response.body.length}`)
 
@@ -15476,16 +15552,13 @@ const submitReportViaHTTP = (sendRequester: HTTPSendRequester, report: Report):
   return { success: true }
 }
 
-const onCronTrigger = (runtime: Runtime<Config>, payload: CronPayload): MyResult => {
-  // Step 1: Generate a report (example: a single uint256 value)
+const onCronTrigger = (runtime: Runtime<Config>, _payload: CronPayload): MyResult => {
   const myValue = 123456789n
   runtime.log(`Generating report with value: ${myValue}`)
 
-  // Encode the value using Viem
   const encodedValue = encodeAbiParameters(parseAbiParameters("uint256 value"), [myValue])
 
-  // Generate the report
-  const reportResponse = runtime
+  const report = runtime
     .report({
       encodedPayload: hexToBase64(encodedValue),
       encoderName: "evm",
@@ -15496,13 +15569,12 @@ const onCronTrigger = (runtime: Runtime<Config>, payload: CronPayload): MyResult
 
   runtime.log("Report generated successfully")
 
-  // Step 2: Submit the report via HTTP
   const httpClient = new HTTPClient()
 
   const submitResult = httpClient
     .sendRequest(
       runtime,
-      (sendRequester: HTTPSendRequester) => submitReportViaHTTP(sendRequester, reportResponse),
+      (sendRequester: HTTPSendRequester) => submitReportViaHTTP(runtime, sendRequester, report, runtime.config),
       consensusIdenticalAggregation<SubmitResponse>()
     )()
     .result()
@@ -15529,12 +15601,21 @@ export async function main() {
 ### Testing with webhook.site
 
 1. Go to [webhook.site](https://webhook.site/) and get a unique URL
-2. Update `config.json` with your webhook URL
-3. Run the simulation:
+2. Update `config.json` (or `config.staging.json`) with your webhook URL in `apiUrl`
+3. From the **CRE project root**, run the simulation:
    ```bash
    cre workflow simulate my-workflow --target staging-settings
    ```
-4. Check webhook.site to see the report data received
+4. On webhook.site, open the request **Content** tab. You should see JSON with `report`, `context`, and `signatures` (hex strings). Use that JSON to test a receiver workflow in [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts#testing-locally-with-simulation).
+
+
+<Aside type="note" title="Binary vs JSON for verify testing">
+  If you post **raw binary** (`application/octet-stream`) instead of Pattern 4 JSON, webhook.site shows unreadable bytes and you cannot paste the body into the verify receiver without reformatting. Use [Pattern 4 for offchain verification (hex)](#pattern-4-for-offchain-verification-hex) for the sender → copy payload → receiver sim checklist.
+</Aside>
+
+## Next step: verify on the receiver
+
+The sender does not validate the report for the receiver. After submission, the ingesting side must verify signatures before trusting the payload. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts).
 
 ## Advanced: Low-level pattern
 
@@ -15597,10 +15678,16 @@ const onCronTrigger = (runtime: Runtime<Config>): MyResult => {
 - Your report format likely doesn't match what your API expects
 - Check if your API expects base64 encoding, JSON wrapping, or specific headers
 
+**TypeScript compile errors on the complete example**
+
+- Use `handler(cron.trigger(...), fn)` from `@chainlink/cre-sdk`, not `cron.handler()`
+- Import `ReportResponse` / `RequestJson` from `@chainlink/cre-sdk/pb`
+- Pass `runtime` from the trigger callback into helper functions (no global `runtime`)
+- Add `viem` as a direct workflow dependency
+
 ## Learn more
 
-- **[API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http):** sender → receiver overview
-- **[Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts):** receiver workflow; verify before trusting payload
+- **[Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts):** verify signatures on the receiver before trusting payload data
 - **[HTTP Client SDK Reference](/cre/reference/sdk/http-client-ts):** complete API reference including `sendReport()` and `ReportResponse`
 - **[POST Requests](/cre/guides/workflow/using-http-client/post-request):** HTTP request patterns and caching
 - **[Writing Data Onchain](/cre/guides/workflow/using-evm-client/onchain-write/writing-data-onchain):** encoding single values, structs, and complex types using Viem
@@ -15644,7 +15731,7 @@ The CRE SDK provides `Report.parse()` to do this inside a workflow. Verification
 3. `Report.parse()`: verify signatures and read metadata.
 4. Use trusted `body()` in your logic.
 
-For the full sender → receiver overview, see [API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
+Pair this guide with [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts) on the sender side. For local simulation, start with [Testing locally with simulation](#testing-locally-with-simulation) before the [deploy example](#complete-example-http-receiver-workflow) below.
 
 ## What you'll learn
 
@@ -15684,9 +15771,11 @@ Default (`productionEnvironment()`):
 
 If verification fails, `Report.parse()` throws (for example, unknown signer, insufficient signatures, or registry read failure).
 
-## Complete example: HTTP receiver workflow
+## Complete example: HTTP receiver workflow (deploy)
+
+This workflow is for **deployed** receivers with `authorizedKeys`. For **local simulation**, use [Testing locally with simulation](#testing-locally-with-simulation) instead.
 
-This workflow accepts a JSON payload (matching the format from [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#pattern-4-json-formatted-report)), verifies it, then processes the trusted body.
+It accepts JSON with hex `report`, `context`, and `signatures` (from the submit guide’s [complete working example](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#complete-working-example) or [Pattern 4 for offchain verification (hex)](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#pattern-4-for-offchain-verification-hex)), not base64 [Pattern 4](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#pattern-4-json-formatted-report) unless you change decoding.
 
 ```typescript
 import {
@@ -15735,6 +15824,7 @@ export async function run(runtime: Runtime<Config>, payload: HTTPPayload): Promi
 
 export const initWorkflow = (config: Config, _secretsProvider: SecretsProvider) => {
   const http = new HTTPCapability()
+  // For local simulation, use handler(http.trigger({}), run) — see Testing locally with simulation above.
   return [
     handler(http.trigger({ authorizedKeys: [{ type: "KEY_TYPE_ECDSA_EVM", publicKey: config.authorizedKey }] }), run),
   ]
@@ -15749,18 +15839,133 @@ export const initWorkflow = (config: Config, _secretsProvider: SecretsProvider)
 
 
 <Aside type="caution" title="Hex encoding">
-  The example expects **hex strings without a `0x` prefix** in JSON. Adjust decoding if your API sends `0x`-prefixed values or base64 instead.
+  The example expects **hex strings without a `0x` prefix** in JSON. Adjust decoding if your API sends `0x`-prefixed values or base64 instead. Pattern 4 in the [submit guide](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#pattern-4-json-formatted-report) uses base64 by default; use [Pattern 4 for offchain verification (hex)](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#pattern-4-for-offchain-verification-hex) when testing this receiver.
 </Aside>
 
+## Testing locally with simulation
+
+After you run the [submit guide complete example](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#complete-working-example) and copy JSON from webhook.site, use this section to exercise a receiver workflow in simulation.
+
+1. Save the webhook JSON as `test-report-payload.json` in your receiver workflow folder.
+2. Use the minimal receiver below with an **empty HTTP trigger config** (no `authorizedKeys` until deploy).
+3. From the **CRE project root**, run `cre workflow simulate` with `--http-payload verify-report-receiver/test-report-payload.json` (path relative to where you invoke `cre`).
+
+### Sim wiring vs full verify
+
+| Mode                   | Config                                              | What it validates                                                                                                                                                                      |
+| ---------------------- | --------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **Wiring / decode**    | `skipSignatureVerification: true` in staging config | JSON + hex decode, `workflowId()`, `executionId()`, `donId()`, `body()`                                                                                                                |
+| **Full crypto verify** | Default `Report.parse()` (production registry)      | Reports from a **deployed/production DON**. Sim-signed reports **fail** default verification: simulation uses local DON keys; `Report.parse()` checks the mainnet Capability Registry. |
+
+### Minimal receiver for simulation
+
+Use an **empty HTTP trigger config** for sim (add `authorizedKeys` before deploy). Call `Report.parse()` from your handler with the `runtime` parameter. The CLI delivers `--http-payload` file contents as `payload.input` bytes.
+
+`config.staging.json`:
+
+```json
+{
+  "skipSignatureVerification": true
+}
+```
+
+```typescript
+import {
+  decodeJson,
+  handler,
+  hexToBytes,
+  HTTPCapability,
+  Report,
+  Runner,
+  type HTTPPayload,
+  type Runtime,
+} from "@chainlink/cre-sdk"
+
+interface Config {
+  skipSignatureVerification?: boolean
+}
+
+type ParsedPayload = {
+  report: string
+  context: string
+  signatures: string[]
+}
+
+/** Hex without 0x prefix in JSON → bytes (add 0x before decode). */
+const fromHexNoPrefix = (hex: string): Uint8Array => hexToBytes(`0x${hex}`)
+
+/** AggregateError from Report.parse often has an empty .message in sim output. */
+const formatError = (err: unknown): string => {
+  if (err instanceof AggregateError) {
+    const parts = err.errors.map((e) => (e instanceof Error ? e.message : String(e)))
+    return parts.join("; ") || "report verification failed"
+  }
+  if (err instanceof Error) return err.message
+  return String(err)
+}
+
+export async function run(runtime: Runtime<Config>, payload: HTTPPayload): Promise<{ verified: boolean }> {
+  try {
+    const parsed = decodeJson(payload.input) as ParsedPayload
+
+    const rawReport = fromHexNoPrefix(parsed.report)
+    const reportContext = fromHexNoPrefix(parsed.context)
+    const sigs = parsed.signatures.map((s) => fromHexNoPrefix(s))
+
+    runtime.log(`Parsing report (${rawReport.length} bytes, ${sigs.length} signatures)`)
+
+    const report = await Report.parse(runtime, rawReport, sigs, reportContext, {
+      skipSignatureVerification: runtime.config.skipSignatureVerification ?? false,
+    })
+
+    runtime.log(
+      `Verified report workflowId=${report.workflowId()} executionId=${report.executionId()} donId=${report.donId()}`
+    )
+    report.body()
+    return { verified: true }
+  } catch (err) {
+    const msg = formatError(err)
+    runtime.log(`Report verification failed: ${msg}`)
+    throw new Error(msg)
+  }
+}
+
+export const initWorkflow = () => {
+  const http = new HTTPCapability()
+  // Simulation: http.trigger({}). Deploy: add authorizedKeys — see complete example below.
+  return [handler(http.trigger({}), run)]
+}
+
+export async function main() {
+  const runner = await Runner.newRunner<Config>()
+  await runner.run(initWorkflow)
+}
+```
+
+Save webhook JSON as `verify-report-receiver/test-report-payload.json`. From the **CRE project root**:
+
+```bash
+cre workflow simulate verify-report-receiver \
+  --target staging-settings \
+  --non-interactive \
+  --trigger-index 0 \
+  --http-payload verify-report-receiver/test-report-payload.json
+```
+
+**Pass criteria**
+
+- **Sim wiring:** `skipSignatureVerification: true`: logs show metadata and `{ verified: true }`.
+- **Full crypto verify:** default config with a **production-signed** report (not typical for sender-sim → receiver-sim alone).
+
 ## Report payload format
 
-Receivers need three fields (plus optional metadata your API may add):
+Receivers need three JSON fields (plus optional metadata your API may add). The JSON key is `context` even though the SDK field is `reportContext`:
 
-| Field        | Description                                                        |
-| ------------ | ------------------------------------------------------------------ |
-| `report`     | Hex-encoded `rawReport` bytes (metadata header + workflow payload) |
-| `context`    | Hex-encoded `reportContext` (config digest + sequence number)      |
-| `signatures` | Array of hex-encoded 65-byte ECDSA signatures from DON nodes       |
+| JSON field   | SDK field       | Description                                                     |
+| ------------ | --------------- | --------------------------------------------------------------- |
+| `report`     | `rawReport`     | Hex-encoded bytes (metadata header + workflow payload), no `0x` |
+| `context`    | `reportContext` | Hex-encoded config digest + sequence number                     |
+| `signatures` | `sigs`          | Array of hex-encoded 65-byte ECDSA signatures, no `0x`          |
 
 The `reportContext` layout used by the SDK:
 
@@ -15830,18 +16035,36 @@ Most workflows should use the default config (production environment only).
 
 ## Troubleshooting
 
-**`invalid signature` / `unknown signer`**
+**Empty error after verify sim**
+
+- `Report.parse()` may throw an **`AggregateError`** of multiple `invalid signature` errors. **`AggregateError.message` is often empty**, so the CLI prints `Execution resulted in an error being returned:` with nothing after the colon.
+- Format errors in your handler before rethrowing (see the simulation example above).
+
+**`invalid signature` / `unknown signer` in sim with fresh webhook JSON**
+
+- **Expected** when using default `Report.parse()` on a **sim-signed** report: simulator DON keys do not match mainnet registry signers.
+- For local wiring tests, set `skipSignatureVerification: true`. For real crypto verify, use a **deployed sender** or production-signed reports.
+
+**`invalid signature` / `unknown signer` (deployed)**
 
 - Signatures may be from a different DON or stale registry config.
 - Confirm the sender workflow used production CRE and the report was not tampered with.
 
+**`unexpected token: 'test'` on simulate**
+
+- Wrong `--http-payload` path. Invoke `cre` from the **project root** and use a path such as `verify-report-receiver/test-report-payload.json`.
+
+**Receiver JSON parse error**
+
+- You copied a **binary/octet-stream** webhook body instead of Pattern 4 JSON. Use [Pattern 4 for offchain verification (hex)](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#pattern-4-for-offchain-verification-hex).
+
 **`wrong number of signatures`**
 
 - At least **f+1** valid signatures are required. Extra invalid signatures are skipped; too few valid ones fails verification.
 
 **`could not read from chain ...`**
 
-- Registry read failed (RPC/network). Retry or check simulation vs production EVM access.
+- Registry read failed (RPC/network). Configure **`ethereum-mainnet` RPC** in `project.yaml` (required for default verify, including sim). Sepolia-only RPC is not sufficient for default `Report.parse()`.
 
 **`raw report too short`**
 
@@ -15849,7 +16072,6 @@ Most workflows should use the default config (production environment only).
 
 ## Learn more
 
-- **[API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http):** sender → receiver overview
 - **[Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts):** sender workflow; create and POST the report
 - **[SDK Reference: Core: Report verification](/cre/reference/sdk/core-ts#report-verification):** `Report.parse`, accessors, and `ReportParseConfig`
 - **[HTTP Trigger Overview](/cre/guides/workflow/using-triggers/http-trigger/overview-ts):** trigger deployed receiver workflows

From eb66a6890e259b26345c2d244ec001ad22455818 Mon Sep 17 00:00:00 2001
From: devin distefano <devin.distefano@smartcontract.com>
Date: Wed, 20 May 2026 22:19:22 -0500
Subject: [PATCH 4/9] review pass

---
 .../submitting-reports-http-go.mdx            |   1 +
 .../submitting-reports-http-ts.mdx            |   6 +-
 .../verifying-reports-offchain-go.mdx         | 223 ++++++++---------
 .../verifying-reports-offchain-ts.mdx         | 144 ++++++-----
 src/content/cre/llms-full-go.txt              | 224 +++++++++---------
 src/content/cre/llms-full-ts.txt              | 150 ++++++------
 6 files changed, 374 insertions(+), 374 deletions(-)

diff --git a/src/content/cre/guides/workflow/using-http-client/submitting-reports-http-go.mdx b/src/content/cre/guides/workflow/using-http-client/submitting-reports-http-go.mdx
index 728ce6242ae..40e6cdd62f1 100644
--- a/src/content/cre/guides/workflow/using-http-client/submitting-reports-http-go.mdx
+++ b/src/content/cre/guides/workflow/using-http-client/submitting-reports-http-go.mdx
@@ -437,6 +437,7 @@ import (
 	"fmt"
 	"log/slog"
 	"math/big"
+	"time"
 
 	"github.com/ethereum/go-ethereum/accounts/abi"
 	"github.com/smartcontractkit/chainlink-protos/cre/go/sdk"
diff --git a/src/content/cre/guides/workflow/using-http-client/submitting-reports-http-ts.mdx b/src/content/cre/guides/workflow/using-http-client/submitting-reports-http-ts.mdx
index 13dda9c9fc9..f40f727eef5 100644
--- a/src/content/cre/guides/workflow/using-http-client/submitting-reports-http-ts.mdx
+++ b/src/content/cre/guides/workflow/using-http-client/submitting-reports-http-ts.mdx
@@ -65,11 +65,11 @@ If a receiver uses [Verifying CRE Reports Offchain](/cre/guides/workflow/using-h
 
 Use [Pattern 4 for offchain verification (hex)](#pattern-4-for-offchain-verification-hex) or the [complete working example](#complete-working-example). Other patterns are for APIs with different formats, not the default verify examples.
 
-## Quick start: Minimal example (binary only)
+## Minimal example (binary)
 
-This example POSTs **raw report bytes** (`application/octet-stream`). It is **not** compatible with the verify guide’s JSON receiver without changes. For sender → verify local testing, skip to the [complete working example](#complete-working-example).
+This example POSTs **raw report bytes** (`application/octet-stream`). Use this if your API accepts raw binary. It is **not** compatible with the verify guide’s JSON receiver — for the sender → verify flow, use the [complete working example](#complete-working-example) instead.
 
-Here's the simplest workflow that generates and submits a report via HTTP:
+Here’s the simplest workflow that generates and submits a report via HTTP:
 
 ```typescript
 import { ok, type HTTPSendRequester, type Report } from "@chainlink/cre-sdk"
diff --git a/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-go.mdx b/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-go.mdx
index bb019bb7c83..6f2b0d3512b 100644
--- a/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-go.mdx
+++ b/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-go.mdx
@@ -44,7 +44,7 @@ The CRE SDK provides `cre.ParseReport()` to do this inside a workflow. Verificat
 3. `cre.ParseReport()`: verify signatures and read metadata.
 4. Use trusted `Body()` in your logic.
 
-Pair this guide with [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go) on the sender side. For local simulation, start with [Testing locally with simulation](#testing-locally-with-simulation) before the [deploy example](#complete-example-http-receiver-workflow) below.
+Pair this guide with [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go) on the sender side. This guide covers local simulation first, then the deploy example with `AuthorizedKeys`.
 
 ## What you'll learn
 
@@ -84,115 +84,6 @@ Default (`cre.ProductionEnvironment()`):
 
 If verification fails, `cre.ParseReport()` returns an error (for example, `ErrUnknownSigner`, `ErrWrongSignatureCount`, or registry read failure).
 
-## Complete example: HTTP receiver workflow (deploy)
-
-For **local simulation**, use [Testing locally with simulation](#testing-locally-with-simulation) first. This deploy example uses `AuthorizedKeys`.
-
-It accepts JSON with hex `report`, `context`, and `signatures` from the submit guide’s [complete working example](/cre/guides/workflow/using-http-client/submitting-reports-http-go#complete-working-example) or [Pattern 4 for offchain verification (hex)](/cre/guides/workflow/using-http-client/submitting-reports-http-go#pattern-4-for-offchain-verification-hex), not base64 [Pattern 4](/cre/guides/workflow/using-http-client/submitting-reports-http-go#pattern-4-json-formatted-report) unless you change decoding.
-
-```go
-//go:build wasip1
-
-package main
-
-import (
-	"encoding/hex"
-	"encoding/json"
-	"log/slog"
-
-	"github.com/smartcontractkit/cre-sdk-go/capabilities/networking/http"
-	"github.com/smartcontractkit/cre-sdk-go/cre"
-	"github.com/smartcontractkit/cre-sdk-go/cre/wasm"
-)
-
-type Config struct {
-	AuthorizedKey string `json:"authorized_key"`
-}
-
-func InitWorkflow(cfg *Config, _ *slog.Logger, _ cre.SecretsProvider) (cre.Workflow[*Config], error) {
-	// For local simulation, use http.Trigger(&http.Config{}) — see Testing locally with simulation below.
-	return cre.Workflow[*Config]{
-		cre.Handler(http.Trigger(&http.Config{AuthorizedKeys: []*http.AuthorizedKey{{PublicKey: cfg.AuthorizedKey}}}), run),
-	}, nil
-}
-
-type ParsedPayload struct {
-	Report  string   `json:"report"`
-	Context string   `json:"context"`
-	Sigs    []string `json:"signatures"`
-}
-
-func (p *ParsedPayload) Decode() (*DecodedReport, error) {
-	report := &DecodedReport{}
-	var err error
-
-	if report.Report, err = hex.DecodeString(p.Report); err != nil {
-		return nil, err
-	}
-	if report.Context, err = hex.DecodeString(p.Context); err != nil {
-		return nil, err
-	}
-
-	report.Sigs = make([][]byte, len(p.Sigs))
-	for i, sigHex := range p.Sigs {
-		report.Sigs[i], err = hex.DecodeString(sigHex)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	return report, nil
-}
-
-type DecodedReport struct {
-	Report  []byte
-	Context []byte
-	Sigs    [][]byte
-}
-
-func run(_ *Config, runtime cre.Runtime, payload *http.Payload) (bool, error) {
-	parsed := &ParsedPayload{}
-	if err := json.Unmarshal(payload.Input, parsed); err != nil {
-		return false, err
-	}
-
-	decoded, err := parsed.Decode()
-	if err != nil {
-		return false, err
-	}
-
-	report, err := cre.ParseReport(runtime, decoded.Report, decoded.Sigs, decoded.Context)
-	if err != nil {
-		return false, err
-	}
-
-	runtime.Logger().Info("Verified report",
-		"workflowId", report.WorkflowID(),
-		"executionId", report.ExecutionID(),
-	)
-
-	// Use report.Body() for your application logic (ABI-encoded payload from the sender workflow)
-	_ = report.Body()
-
-	return true, nil
-}
-
-func main() {
-	wasm.NewRunner(cre.ParseJSON[Config]).Run(InitWorkflow)
-}
-```
-
-**What's happening:**
-
-1. An external system POSTs hex-encoded `report`, `context`, and `signatures` to your HTTP trigger.
-2. `cre.ParseReport()` verifies signatures against the production CRE registry.
-3. On success, you read metadata and `Body()` safely.
-
-{/* prettier-ignore */}
-<Aside type="caution" title="Hex encoding">
-  The example expects **hex strings without a `0x` prefix** in JSON. Adjust decoding if your API sends `0x`-prefixed values or base64 instead. Pattern 4 in the [submit guide](/cre/guides/workflow/using-http-client/submitting-reports-http-go#pattern-4-json-formatted-report) uses base64 by default; use [Pattern 4 for offchain verification (hex)](/cre/guides/workflow/using-http-client/submitting-reports-http-go#pattern-4-for-offchain-verification-hex) when testing this receiver.
-</Aside>
-
 ## Testing locally with simulation
 
 After you run the [submit guide complete example](/cre/guides/workflow/using-http-client/submitting-reports-http-go#complete-working-example) and copy JSON from webhook.site, use this section to exercise a receiver workflow in simulation.
@@ -310,6 +201,114 @@ cre workflow simulate verify-report-receiver \
 
 `project.yaml` needs **`ethereum-mainnet` RPC** for default verify (registry reads).
 
+## Complete example: HTTP receiver workflow (deploy)
+
+Once simulation is working, update the trigger config for deployment with `AuthorizedKeys`.
+
+It accepts JSON with hex `report`, `context`, and `signatures` from the submit guide’s [complete working example](/cre/guides/workflow/using-http-client/submitting-reports-http-go#complete-working-example) or [Pattern 4 for offchain verification (hex)](/cre/guides/workflow/using-http-client/submitting-reports-http-go#pattern-4-for-offchain-verification-hex), not base64 [Pattern 4](/cre/guides/workflow/using-http-client/submitting-reports-http-go#pattern-4-json-formatted-report) unless you change decoding.
+
+```go
+//go:build wasip1
+
+package main
+
+import (
+	"encoding/hex"
+	"encoding/json"
+	"log/slog"
+
+	"github.com/smartcontractkit/cre-sdk-go/capabilities/networking/http"
+	"github.com/smartcontractkit/cre-sdk-go/cre"
+	"github.com/smartcontractkit/cre-sdk-go/cre/wasm"
+)
+
+type Config struct {
+	AuthorizedKey string `json:"authorized_key"`
+}
+
+func InitWorkflow(cfg *Config, _ *slog.Logger, _ cre.SecretsProvider) (cre.Workflow[*Config], error) {
+	return cre.Workflow[*Config]{
+		cre.Handler(http.Trigger(&http.Config{AuthorizedKeys: []*http.AuthorizedKey{{PublicKey: cfg.AuthorizedKey}}}), run),
+	}, nil
+}
+
+type ParsedPayload struct {
+	Report  string   `json:"report"`
+	Context string   `json:"context"`
+	Sigs    []string `json:"signatures"`
+}
+
+func (p *ParsedPayload) Decode() (*DecodedReport, error) {
+	report := &DecodedReport{}
+	var err error
+
+	if report.Report, err = hex.DecodeString(p.Report); err != nil {
+		return nil, err
+	}
+	if report.Context, err = hex.DecodeString(p.Context); err != nil {
+		return nil, err
+	}
+
+	report.Sigs = make([][]byte, len(p.Sigs))
+	for i, sigHex := range p.Sigs {
+		report.Sigs[i], err = hex.DecodeString(sigHex)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return report, nil
+}
+
+type DecodedReport struct {
+	Report  []byte
+	Context []byte
+	Sigs    [][]byte
+}
+
+func run(_ *Config, runtime cre.Runtime, payload *http.Payload) (bool, error) {
+	parsed := &ParsedPayload{}
+	if err := json.Unmarshal(payload.Input, parsed); err != nil {
+		return false, err
+	}
+
+	decoded, err := parsed.Decode()
+	if err != nil {
+		return false, err
+	}
+
+	report, err := cre.ParseReport(runtime, decoded.Report, decoded.Sigs, decoded.Context)
+	if err != nil {
+		return false, err
+	}
+
+	runtime.Logger().Info("Verified report",
+		"workflowId", report.WorkflowID(),
+		"executionId", report.ExecutionID(),
+	)
+
+	// Use report.Body() for your application logic (ABI-encoded payload from the sender workflow)
+	_ = report.Body()
+
+	return true, nil
+}
+
+func main() {
+	wasm.NewRunner(cre.ParseJSON[Config]).Run(InitWorkflow)
+}
+```
+
+**What's happening:**
+
+1. An external system POSTs hex-encoded `report`, `context`, and `signatures` to your HTTP trigger.
+2. `cre.ParseReport()` verifies signatures against the production CRE registry.
+3. On success, you read metadata and `Body()` safely.
+
+{/* prettier-ignore */}
+<Aside type="caution" title="Hex encoding">
+  The example expects **hex strings without a `0x` prefix** in JSON. Adjust decoding if your API sends `0x`-prefixed values or base64 instead. Pattern 4 in the [submit guide](/cre/guides/workflow/using-http-client/submitting-reports-http-go#pattern-4-json-formatted-report) uses base64 by default; use [Pattern 4 for offchain verification (hex)](/cre/guides/workflow/using-http-client/submitting-reports-http-go#pattern-4-for-offchain-verification-hex) when testing this receiver.
+</Aside>
+
 ## Report payload format
 
 Receivers need three JSON fields. The JSON key is `context` even though the SDK field is `ReportContext`:
@@ -374,7 +373,9 @@ report, err := cre.ParseReportWithConfig(runtime, rawReport, sigs, reportContext
 
 ### Deferred verification
 
-If you set `SkipSignatureVerification: true` in `ParseReportWithConfig`, parse the header first (for filtering), then verify:
+This is a **different pattern** from the simulation testing use of `SkipSignatureVerification`. In testing, you skip verification permanently. Here, you parse the header first to inspect metadata (such as `WorkflowID()` or `DONID()` for filtering), then call `VerifySignatures` in a separate step — useful when you want to gate registry reads on workflow identity checks.
+
+If you set `SkipSignatureVerification: true` in `ParseReportWithConfig`, parse the header first, then verify:
 
 ```go
 report, err := cre.ParseReportWithConfig(runtime, rawReport, sigs, reportContext, cre.ReportParseConfig{
diff --git a/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts.mdx b/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts.mdx
index 37576a76951..a2534ecbaaa 100644
--- a/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts.mdx
+++ b/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts.mdx
@@ -44,7 +44,7 @@ The CRE SDK provides `Report.parse()` to do this inside a workflow. Verification
 3. `Report.parse()`: verify signatures and read metadata.
 4. Use trusted `body()` in your logic.
 
-Pair this guide with [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts) on the sender side. For local simulation, start with [Testing locally with simulation](#testing-locally-with-simulation) before the [deploy example](#complete-example-http-receiver-workflow) below.
+Pair this guide with [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts) on the sender side. This guide covers local simulation first, then the deploy example with `authorizedKeys`.
 
 ## What you'll learn
 
@@ -84,77 +84,6 @@ Default (`productionEnvironment()`):
 
 If verification fails, `Report.parse()` throws (for example, unknown signer, insufficient signatures, or registry read failure).
 
-## Complete example: HTTP receiver workflow (deploy)
-
-This workflow is for **deployed** receivers with `authorizedKeys`. For **local simulation**, use [Testing locally with simulation](#testing-locally-with-simulation) instead.
-
-It accepts JSON with hex `report`, `context`, and `signatures` (from the submit guide’s [complete working example](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#complete-working-example) or [Pattern 4 for offchain verification (hex)](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#pattern-4-for-offchain-verification-hex)), not base64 [Pattern 4](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#pattern-4-json-formatted-report) unless you change decoding.
-
-```typescript
-import {
-  HTTPCapability,
-  handler,
-  Report,
-  type HTTPPayload,
-  type Runtime,
-  type SecretsProvider,
-} from "@chainlink/cre-sdk"
-import { hexToBytes } from "viem"
-import { z } from "zod"
-
-export const configSchema = z
-  .object({
-    authorized_key: z.string(),
-  })
-  .transform((data) => ({
-    authorizedKey: data.authorized_key,
-  }))
-
-export type Config = z.infer<typeof configSchema>
-
-type ParsedPayload = {
-  report: string
-  context: string
-  signatures: string[]
-}
-
-export async function run(runtime: Runtime<Config>, payload: HTTPPayload): Promise<boolean> {
-  const parsed: ParsedPayload = JSON.parse(new TextDecoder().decode(payload.input))
-
-  const rawReport = hexToBytes(`0x${parsed.report}`)
-  const reportContext = hexToBytes(`0x${parsed.context}`)
-  const sigs = parsed.signatures.map((s) => hexToBytes(`0x${s}`))
-
-  const report = await Report.parse(runtime, rawReport, sigs, reportContext)
-
-  runtime.log(`Verified report from workflow ${report.workflowId()}, execution ${report.executionId()}`)
-
-  // Use report.body() for your application logic (ABI-encoded payload from the sender workflow)
-  void report.body()
-
-  return true
-}
-
-export const initWorkflow = (config: Config, _secretsProvider: SecretsProvider) => {
-  const http = new HTTPCapability()
-  // For local simulation, use handler(http.trigger({}), run) — see Testing locally with simulation above.
-  return [
-    handler(http.trigger({ authorizedKeys: [{ type: "KEY_TYPE_ECDSA_EVM", publicKey: config.authorizedKey }] }), run),
-  ]
-}
-```
-
-**What's happening:**
-
-1. An external system POSTs hex-encoded `report`, `context`, and `signatures` to your HTTP trigger.
-2. `Report.parse()` verifies signatures against the production CRE registry.
-3. On success, you read metadata and `body()` safely.
-
-{/* prettier-ignore */}
-<Aside type="caution" title="Hex encoding">
-  The example expects **hex strings without a `0x` prefix** in JSON. Adjust decoding if your API sends `0x`-prefixed values or base64 instead. Pattern 4 in the [submit guide](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#pattern-4-json-formatted-report) uses base64 by default; use [Pattern 4 for offchain verification (hex)](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#pattern-4-for-offchain-verification-hex) when testing this receiver.
-</Aside>
-
 ## Testing locally with simulation
 
 After you run the [submit guide complete example](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#complete-working-example) and copy JSON from webhook.site, use this section to exercise a receiver workflow in simulation.
@@ -245,7 +174,6 @@ export async function run(runtime: Runtime<Config>, payload: HTTPPayload): Promi
 
 export const initWorkflow = () => {
   const http = new HTTPCapability()
-  // Simulation: http.trigger({}). Deploy: add authorizedKeys — see complete example below.
   return [handler(http.trigger({}), run)]
 }
 
@@ -270,6 +198,76 @@ cre workflow simulate verify-report-receiver \
 - **Sim wiring:** `skipSignatureVerification: true`: logs show metadata and `{ verified: true }`.
 - **Full crypto verify:** default config with a **production-signed** report (not typical for sender-sim → receiver-sim alone).
 
+## Complete example: HTTP receiver workflow (deploy)
+
+Once simulation is working, update the trigger config for deployment with `authorizedKeys`.
+
+It accepts JSON with hex `report`, `context`, and `signatures` (from the submit guide’s [complete working example](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#complete-working-example) or [Pattern 4 for offchain verification (hex)](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#pattern-4-for-offchain-verification-hex)), not base64 [Pattern 4](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#pattern-4-json-formatted-report) unless you change decoding.
+
+```typescript
+import {
+  HTTPCapability,
+  handler,
+  Report,
+  type HTTPPayload,
+  type Runtime,
+  type SecretsProvider,
+} from "@chainlink/cre-sdk"
+import { hexToBytes } from "viem"
+import { z } from "zod"
+
+export const configSchema = z
+  .object({
+    authorized_key: z.string(),
+  })
+  .transform((data) => ({
+    authorizedKey: data.authorized_key,
+  }))
+
+export type Config = z.infer<typeof configSchema>
+
+type ParsedPayload = {
+  report: string
+  context: string
+  signatures: string[]
+}
+
+export async function run(runtime: Runtime<Config>, payload: HTTPPayload): Promise<boolean> {
+  const parsed: ParsedPayload = JSON.parse(new TextDecoder().decode(payload.input))
+
+  const rawReport = hexToBytes(`0x${parsed.report}`)
+  const reportContext = hexToBytes(`0x${parsed.context}`)
+  const sigs = parsed.signatures.map((s) => hexToBytes(`0x${s}`))
+
+  const report = await Report.parse(runtime, rawReport, sigs, reportContext)
+
+  runtime.log(`Verified report from workflow ${report.workflowId()}, execution ${report.executionId()}`)
+
+  // Use report.body() for your application logic (ABI-encoded payload from the sender workflow)
+  report.body()
+
+  return true
+}
+
+export const initWorkflow = (config: Config, _secretsProvider: SecretsProvider) => {
+  const http = new HTTPCapability()
+  return [
+    handler(http.trigger({ authorizedKeys: [{ type: "KEY_TYPE_ECDSA_EVM", publicKey: config.authorizedKey }] }), run),
+  ]
+}
+```
+
+**What's happening:**
+
+1. An external system POSTs hex-encoded `report`, `context`, and `signatures` to your HTTP trigger.
+2. `Report.parse()` verifies signatures against the production CRE registry.
+3. On success, you read metadata and `body()` safely.
+
+{/* prettier-ignore */}
+<Aside type="caution" title="Hex encoding">
+  The example expects **hex strings without a `0x` prefix** in JSON. Adjust decoding if your API sends `0x`-prefixed values or base64 instead. Pattern 4 in the [submit guide](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#pattern-4-json-formatted-report) uses base64 by default; use [Pattern 4 for offchain verification (hex)](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#pattern-4-for-offchain-verification-hex) when testing this receiver.
+</Aside>
+
 ## Report payload format
 
 Receivers need three JSON fields (plus optional metadata your API may add). The JSON key is `context` even though the SDK field is `reportContext`:
diff --git a/src/content/cre/llms-full-go.txt b/src/content/cre/llms-full-go.txt
index bdfdd806116..9b1a9d26cb4 100644
--- a/src/content/cre/llms-full-go.txt
+++ b/src/content/cre/llms-full-go.txt
@@ -15720,6 +15720,7 @@ import (
 	"fmt"
 	"log/slog"
 	"math/big"
+	"time"
 
 	"github.com/ethereum/go-ethereum/accounts/abi"
 	"github.com/smartcontractkit/chainlink-protos/cre/go/sdk"
@@ -15995,7 +15996,7 @@ The CRE SDK provides `cre.ParseReport()` to do this inside a workflow. Verificat
 3. `cre.ParseReport()`: verify signatures and read metadata.
 4. Use trusted `Body()` in your logic.
 
-Pair this guide with [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go) on the sender side. For local simulation, start with [Testing locally with simulation](#testing-locally-with-simulation) before the [deploy example](#complete-example-http-receiver-workflow) below.
+Pair this guide with [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go) on the sender side. This guide covers local simulation first, then the deploy example with `AuthorizedKeys`.
 
 ## What you'll learn
 
@@ -16035,115 +16036,6 @@ Default (`cre.ProductionEnvironment()`):
 
 If verification fails, `cre.ParseReport()` returns an error (for example, `ErrUnknownSigner`, `ErrWrongSignatureCount`, or registry read failure).
 
-## Complete example: HTTP receiver workflow (deploy)
-
-For **local simulation**, use [Testing locally with simulation](#testing-locally-with-simulation) first. This deploy example uses `AuthorizedKeys`.
-
-It accepts JSON with hex `report`, `context`, and `signatures` from the submit guide’s [complete working example](/cre/guides/workflow/using-http-client/submitting-reports-http-go#complete-working-example) or [Pattern 4 for offchain verification (hex)](/cre/guides/workflow/using-http-client/submitting-reports-http-go#pattern-4-for-offchain-verification-hex), not base64 [Pattern 4](/cre/guides/workflow/using-http-client/submitting-reports-http-go#pattern-4-json-formatted-report) unless you change decoding.
-
-```go
-//go:build wasip1
-
-package main
-
-import (
-	"encoding/hex"
-	"encoding/json"
-	"log/slog"
-
-	"github.com/smartcontractkit/cre-sdk-go/capabilities/networking/http"
-	"github.com/smartcontractkit/cre-sdk-go/cre"
-	"github.com/smartcontractkit/cre-sdk-go/cre/wasm"
-)
-
-type Config struct {
-	AuthorizedKey string `json:"authorized_key"`
-}
-
-func InitWorkflow(cfg *Config, _ *slog.Logger, _ cre.SecretsProvider) (cre.Workflow[*Config], error) {
-	// For local simulation, use http.Trigger(&http.Config{}) — see Testing locally with simulation below.
-	return cre.Workflow[*Config]{
-		cre.Handler(http.Trigger(&http.Config{AuthorizedKeys: []*http.AuthorizedKey{{PublicKey: cfg.AuthorizedKey}}}), run),
-	}, nil
-}
-
-type ParsedPayload struct {
-	Report  string   `json:"report"`
-	Context string   `json:"context"`
-	Sigs    []string `json:"signatures"`
-}
-
-func (p *ParsedPayload) Decode() (*DecodedReport, error) {
-	report := &DecodedReport{}
-	var err error
-
-	if report.Report, err = hex.DecodeString(p.Report); err != nil {
-		return nil, err
-	}
-	if report.Context, err = hex.DecodeString(p.Context); err != nil {
-		return nil, err
-	}
-
-	report.Sigs = make([][]byte, len(p.Sigs))
-	for i, sigHex := range p.Sigs {
-		report.Sigs[i], err = hex.DecodeString(sigHex)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	return report, nil
-}
-
-type DecodedReport struct {
-	Report  []byte
-	Context []byte
-	Sigs    [][]byte
-}
-
-func run(_ *Config, runtime cre.Runtime, payload *http.Payload) (bool, error) {
-	parsed := &ParsedPayload{}
-	if err := json.Unmarshal(payload.Input, parsed); err != nil {
-		return false, err
-	}
-
-	decoded, err := parsed.Decode()
-	if err != nil {
-		return false, err
-	}
-
-	report, err := cre.ParseReport(runtime, decoded.Report, decoded.Sigs, decoded.Context)
-	if err != nil {
-		return false, err
-	}
-
-	runtime.Logger().Info("Verified report",
-		"workflowId", report.WorkflowID(),
-		"executionId", report.ExecutionID(),
-	)
-
-	// Use report.Body() for your application logic (ABI-encoded payload from the sender workflow)
-	_ = report.Body()
-
-	return true, nil
-}
-
-func main() {
-	wasm.NewRunner(cre.ParseJSON[Config]).Run(InitWorkflow)
-}
-```
-
-**What's happening:**
-
-1. An external system POSTs hex-encoded `report`, `context`, and `signatures` to your HTTP trigger.
-2. `cre.ParseReport()` verifies signatures against the production CRE registry.
-3. On success, you read metadata and `Body()` safely.
-
-
-<Aside type="caution" title="Hex encoding">
-  The example expects **hex strings without a `0x` prefix** in JSON. Adjust decoding if your API sends `0x`-prefixed values or base64 instead. Pattern 4 in the [submit guide](/cre/guides/workflow/using-http-client/submitting-reports-http-go#pattern-4-json-formatted-report) uses base64 by default; use [Pattern 4 for offchain verification (hex)](/cre/guides/workflow/using-http-client/submitting-reports-http-go#pattern-4-for-offchain-verification-hex) when testing this receiver.
-</Aside>
-
 ## Testing locally with simulation
 
 After you run the [submit guide complete example](/cre/guides/workflow/using-http-client/submitting-reports-http-go#complete-working-example) and copy JSON from webhook.site, use this section to exercise a receiver workflow in simulation.
@@ -16261,6 +16153,114 @@ cre workflow simulate verify-report-receiver \
 
 `project.yaml` needs **`ethereum-mainnet` RPC** for default verify (registry reads).
 
+## Complete example: HTTP receiver workflow (deploy)
+
+Once simulation is working, update the trigger config for deployment with `AuthorizedKeys`.
+
+It accepts JSON with hex `report`, `context`, and `signatures` from the submit guide’s [complete working example](/cre/guides/workflow/using-http-client/submitting-reports-http-go#complete-working-example) or [Pattern 4 for offchain verification (hex)](/cre/guides/workflow/using-http-client/submitting-reports-http-go#pattern-4-for-offchain-verification-hex), not base64 [Pattern 4](/cre/guides/workflow/using-http-client/submitting-reports-http-go#pattern-4-json-formatted-report) unless you change decoding.
+
+```go
+//go:build wasip1
+
+package main
+
+import (
+	"encoding/hex"
+	"encoding/json"
+	"log/slog"
+
+	"github.com/smartcontractkit/cre-sdk-go/capabilities/networking/http"
+	"github.com/smartcontractkit/cre-sdk-go/cre"
+	"github.com/smartcontractkit/cre-sdk-go/cre/wasm"
+)
+
+type Config struct {
+	AuthorizedKey string `json:"authorized_key"`
+}
+
+func InitWorkflow(cfg *Config, _ *slog.Logger, _ cre.SecretsProvider) (cre.Workflow[*Config], error) {
+	return cre.Workflow[*Config]{
+		cre.Handler(http.Trigger(&http.Config{AuthorizedKeys: []*http.AuthorizedKey{{PublicKey: cfg.AuthorizedKey}}}), run),
+	}, nil
+}
+
+type ParsedPayload struct {
+	Report  string   `json:"report"`
+	Context string   `json:"context"`
+	Sigs    []string `json:"signatures"`
+}
+
+func (p *ParsedPayload) Decode() (*DecodedReport, error) {
+	report := &DecodedReport{}
+	var err error
+
+	if report.Report, err = hex.DecodeString(p.Report); err != nil {
+		return nil, err
+	}
+	if report.Context, err = hex.DecodeString(p.Context); err != nil {
+		return nil, err
+	}
+
+	report.Sigs = make([][]byte, len(p.Sigs))
+	for i, sigHex := range p.Sigs {
+		report.Sigs[i], err = hex.DecodeString(sigHex)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return report, nil
+}
+
+type DecodedReport struct {
+	Report  []byte
+	Context []byte
+	Sigs    [][]byte
+}
+
+func run(_ *Config, runtime cre.Runtime, payload *http.Payload) (bool, error) {
+	parsed := &ParsedPayload{}
+	if err := json.Unmarshal(payload.Input, parsed); err != nil {
+		return false, err
+	}
+
+	decoded, err := parsed.Decode()
+	if err != nil {
+		return false, err
+	}
+
+	report, err := cre.ParseReport(runtime, decoded.Report, decoded.Sigs, decoded.Context)
+	if err != nil {
+		return false, err
+	}
+
+	runtime.Logger().Info("Verified report",
+		"workflowId", report.WorkflowID(),
+		"executionId", report.ExecutionID(),
+	)
+
+	// Use report.Body() for your application logic (ABI-encoded payload from the sender workflow)
+	_ = report.Body()
+
+	return true, nil
+}
+
+func main() {
+	wasm.NewRunner(cre.ParseJSON[Config]).Run(InitWorkflow)
+}
+```
+
+**What's happening:**
+
+1. An external system POSTs hex-encoded `report`, `context`, and `signatures` to your HTTP trigger.
+2. `cre.ParseReport()` verifies signatures against the production CRE registry.
+3. On success, you read metadata and `Body()` safely.
+
+
+<Aside type="caution" title="Hex encoding">
+  The example expects **hex strings without a `0x` prefix** in JSON. Adjust decoding if your API sends `0x`-prefixed values or base64 instead. Pattern 4 in the [submit guide](/cre/guides/workflow/using-http-client/submitting-reports-http-go#pattern-4-json-formatted-report) uses base64 by default; use [Pattern 4 for offchain verification (hex)](/cre/guides/workflow/using-http-client/submitting-reports-http-go#pattern-4-for-offchain-verification-hex) when testing this receiver.
+</Aside>
+
 ## Report payload format
 
 Receivers need three JSON fields. The JSON key is `context` even though the SDK field is `ReportContext`:
@@ -16325,7 +16325,9 @@ report, err := cre.ParseReportWithConfig(runtime, rawReport, sigs, reportContext
 
 ### Deferred verification
 
-If you set `SkipSignatureVerification: true` in `ParseReportWithConfig`, parse the header first (for filtering), then verify:
+This is a **different pattern** from the simulation testing use of `SkipSignatureVerification`. In testing, you skip verification permanently. Here, you parse the header first to inspect metadata (such as `WorkflowID()` or `DONID()` for filtering), then call `VerifySignatures` in a separate step — useful when you want to gate registry reads on workflow identity checks.
+
+If you set `SkipSignatureVerification: true` in `ParseReportWithConfig`, parse the header first, then verify:
 
 ```go
 report, err := cre.ParseReportWithConfig(runtime, rawReport, sigs, reportContext, cre.ReportParseConfig{
diff --git a/src/content/cre/llms-full-ts.txt b/src/content/cre/llms-full-ts.txt
index 917eed28e5e..1a1308cb0b6 100644
--- a/src/content/cre/llms-full-ts.txt
+++ b/src/content/cre/llms-full-ts.txt
@@ -15053,11 +15053,11 @@ If a receiver uses [Verifying CRE Reports Offchain](/cre/guides/workflow/using-h
 
 Use [Pattern 4 for offchain verification (hex)](#pattern-4-for-offchain-verification-hex) or the [complete working example](#complete-working-example). Other patterns are for APIs with different formats, not the default verify examples.
 
-## Quick start: Minimal example (binary only)
+## Minimal example (binary)
 
-This example POSTs **raw report bytes** (`application/octet-stream`). It is **not** compatible with the verify guide’s JSON receiver without changes. For sender → verify local testing, skip to the [complete working example](#complete-working-example).
+This example POSTs **raw report bytes** (`application/octet-stream`). Use this if your API accepts raw binary. It is **not** compatible with the verify guide’s JSON receiver — for the sender → verify flow, use the [complete working example](#complete-working-example) instead.
 
-Here's the simplest workflow that generates and submits a report via HTTP:
+Here’s the simplest workflow that generates and submits a report via HTTP:
 
 ```typescript
 import { ok, type HTTPSendRequester, type Report } from "@chainlink/cre-sdk"
@@ -15731,7 +15731,7 @@ The CRE SDK provides `Report.parse()` to do this inside a workflow. Verification
 3. `Report.parse()`: verify signatures and read metadata.
 4. Use trusted `body()` in your logic.
 
-Pair this guide with [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts) on the sender side. For local simulation, start with [Testing locally with simulation](#testing-locally-with-simulation) before the [deploy example](#complete-example-http-receiver-workflow) below.
+Pair this guide with [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts) on the sender side. This guide covers local simulation first, then the deploy example with `authorizedKeys`.
 
 ## What you'll learn
 
@@ -15771,77 +15771,6 @@ Default (`productionEnvironment()`):
 
 If verification fails, `Report.parse()` throws (for example, unknown signer, insufficient signatures, or registry read failure).
 
-## Complete example: HTTP receiver workflow (deploy)
-
-This workflow is for **deployed** receivers with `authorizedKeys`. For **local simulation**, use [Testing locally with simulation](#testing-locally-with-simulation) instead.
-
-It accepts JSON with hex `report`, `context`, and `signatures` (from the submit guide’s [complete working example](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#complete-working-example) or [Pattern 4 for offchain verification (hex)](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#pattern-4-for-offchain-verification-hex)), not base64 [Pattern 4](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#pattern-4-json-formatted-report) unless you change decoding.
-
-```typescript
-import {
-  HTTPCapability,
-  handler,
-  Report,
-  type HTTPPayload,
-  type Runtime,
-  type SecretsProvider,
-} from "@chainlink/cre-sdk"
-import { hexToBytes } from "viem"
-import { z } from "zod"
-
-export const configSchema = z
-  .object({
-    authorized_key: z.string(),
-  })
-  .transform((data) => ({
-    authorizedKey: data.authorized_key,
-  }))
-
-export type Config = z.infer<typeof configSchema>
-
-type ParsedPayload = {
-  report: string
-  context: string
-  signatures: string[]
-}
-
-export async function run(runtime: Runtime<Config>, payload: HTTPPayload): Promise<boolean> {
-  const parsed: ParsedPayload = JSON.parse(new TextDecoder().decode(payload.input))
-
-  const rawReport = hexToBytes(`0x${parsed.report}`)
-  const reportContext = hexToBytes(`0x${parsed.context}`)
-  const sigs = parsed.signatures.map((s) => hexToBytes(`0x${s}`))
-
-  const report = await Report.parse(runtime, rawReport, sigs, reportContext)
-
-  runtime.log(`Verified report from workflow ${report.workflowId()}, execution ${report.executionId()}`)
-
-  // Use report.body() for your application logic (ABI-encoded payload from the sender workflow)
-  void report.body()
-
-  return true
-}
-
-export const initWorkflow = (config: Config, _secretsProvider: SecretsProvider) => {
-  const http = new HTTPCapability()
-  // For local simulation, use handler(http.trigger({}), run) — see Testing locally with simulation above.
-  return [
-    handler(http.trigger({ authorizedKeys: [{ type: "KEY_TYPE_ECDSA_EVM", publicKey: config.authorizedKey }] }), run),
-  ]
-}
-```
-
-**What's happening:**
-
-1. An external system POSTs hex-encoded `report`, `context`, and `signatures` to your HTTP trigger.
-2. `Report.parse()` verifies signatures against the production CRE registry.
-3. On success, you read metadata and `body()` safely.
-
-
-<Aside type="caution" title="Hex encoding">
-  The example expects **hex strings without a `0x` prefix** in JSON. Adjust decoding if your API sends `0x`-prefixed values or base64 instead. Pattern 4 in the [submit guide](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#pattern-4-json-formatted-report) uses base64 by default; use [Pattern 4 for offchain verification (hex)](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#pattern-4-for-offchain-verification-hex) when testing this receiver.
-</Aside>
-
 ## Testing locally with simulation
 
 After you run the [submit guide complete example](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#complete-working-example) and copy JSON from webhook.site, use this section to exercise a receiver workflow in simulation.
@@ -15932,7 +15861,6 @@ export async function run(runtime: Runtime<Config>, payload: HTTPPayload): Promi
 
 export const initWorkflow = () => {
   const http = new HTTPCapability()
-  // Simulation: http.trigger({}). Deploy: add authorizedKeys — see complete example below.
   return [handler(http.trigger({}), run)]
 }
 
@@ -15957,6 +15885,76 @@ cre workflow simulate verify-report-receiver \
 - **Sim wiring:** `skipSignatureVerification: true`: logs show metadata and `{ verified: true }`.
 - **Full crypto verify:** default config with a **production-signed** report (not typical for sender-sim → receiver-sim alone).
 
+## Complete example: HTTP receiver workflow (deploy)
+
+Once simulation is working, update the trigger config for deployment with `authorizedKeys`.
+
+It accepts JSON with hex `report`, `context`, and `signatures` (from the submit guide’s [complete working example](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#complete-working-example) or [Pattern 4 for offchain verification (hex)](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#pattern-4-for-offchain-verification-hex)), not base64 [Pattern 4](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#pattern-4-json-formatted-report) unless you change decoding.
+
+```typescript
+import {
+  HTTPCapability,
+  handler,
+  Report,
+  type HTTPPayload,
+  type Runtime,
+  type SecretsProvider,
+} from "@chainlink/cre-sdk"
+import { hexToBytes } from "viem"
+import { z } from "zod"
+
+export const configSchema = z
+  .object({
+    authorized_key: z.string(),
+  })
+  .transform((data) => ({
+    authorizedKey: data.authorized_key,
+  }))
+
+export type Config = z.infer<typeof configSchema>
+
+type ParsedPayload = {
+  report: string
+  context: string
+  signatures: string[]
+}
+
+export async function run(runtime: Runtime<Config>, payload: HTTPPayload): Promise<boolean> {
+  const parsed: ParsedPayload = JSON.parse(new TextDecoder().decode(payload.input))
+
+  const rawReport = hexToBytes(`0x${parsed.report}`)
+  const reportContext = hexToBytes(`0x${parsed.context}`)
+  const sigs = parsed.signatures.map((s) => hexToBytes(`0x${s}`))
+
+  const report = await Report.parse(runtime, rawReport, sigs, reportContext)
+
+  runtime.log(`Verified report from workflow ${report.workflowId()}, execution ${report.executionId()}`)
+
+  // Use report.body() for your application logic (ABI-encoded payload from the sender workflow)
+  report.body()
+
+  return true
+}
+
+export const initWorkflow = (config: Config, _secretsProvider: SecretsProvider) => {
+  const http = new HTTPCapability()
+  return [
+    handler(http.trigger({ authorizedKeys: [{ type: "KEY_TYPE_ECDSA_EVM", publicKey: config.authorizedKey }] }), run),
+  ]
+}
+```
+
+**What's happening:**
+
+1. An external system POSTs hex-encoded `report`, `context`, and `signatures` to your HTTP trigger.
+2. `Report.parse()` verifies signatures against the production CRE registry.
+3. On success, you read metadata and `body()` safely.
+
+
+<Aside type="caution" title="Hex encoding">
+  The example expects **hex strings without a `0x` prefix** in JSON. Adjust decoding if your API sends `0x`-prefixed values or base64 instead. Pattern 4 in the [submit guide](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#pattern-4-json-formatted-report) uses base64 by default; use [Pattern 4 for offchain verification (hex)](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#pattern-4-for-offchain-verification-hex) when testing this receiver.
+</Aside>
+
 ## Report payload format
 
 Receivers need three JSON fields (plus optional metadata your API may add). The JSON key is `context` even though the SDK field is `reportContext`:

From 7ed611f07d1286ba378937991e578df8e0727691 Mon Sep 17 00:00:00 2001
From: devin distefano <devin.distefano@smartcontract.com>
Date: Wed, 20 May 2026 22:25:36 -0500
Subject: [PATCH 5/9] nit

---
 .../using-http-client/verifying-reports-offchain-go.mdx         | 2 ++
 .../using-http-client/verifying-reports-offchain-ts.mdx         | 2 ++
 src/content/cre/llms-full-go.txt                                | 2 ++
 src/content/cre/llms-full-ts.txt                                | 2 ++
 4 files changed, 8 insertions(+)

diff --git a/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-go.mdx b/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-go.mdx
index 6f2b0d3512b..486161a556e 100644
--- a/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-go.mdx
+++ b/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-go.mdx
@@ -104,6 +104,8 @@ Use an empty HTTP trigger for sim. Set `SkipSignatureVerification: true` in stag
 }
 ```
 
+`main.go`:
+
 ```go
 //go:build wasip1
 
diff --git a/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts.mdx b/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts.mdx
index a2534ecbaaa..a42faaa3f30 100644
--- a/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts.mdx
+++ b/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts.mdx
@@ -111,6 +111,8 @@ Use an **empty HTTP trigger config** for sim (add `authorizedKeys` before deploy
 }
 ```
 
+`main.ts`:
+
 ```typescript
 import {
   decodeJson,
diff --git a/src/content/cre/llms-full-go.txt b/src/content/cre/llms-full-go.txt
index 9b1a9d26cb4..175df69db76 100644
--- a/src/content/cre/llms-full-go.txt
+++ b/src/content/cre/llms-full-go.txt
@@ -16056,6 +16056,8 @@ Use an empty HTTP trigger for sim. Set `SkipSignatureVerification: true` in stag
 }
 ```
 
+`main.go`:
+
 ```go
 //go:build wasip1
 
diff --git a/src/content/cre/llms-full-ts.txt b/src/content/cre/llms-full-ts.txt
index 1a1308cb0b6..ee27231a3a5 100644
--- a/src/content/cre/llms-full-ts.txt
+++ b/src/content/cre/llms-full-ts.txt
@@ -15798,6 +15798,8 @@ Use an **empty HTTP trigger config** for sim (add `authorizedKeys` before deploy
 }
 ```
 
+`main.ts`:
+
 ```typescript
 import {
   decodeJson,

From 9ab40d5719db17c584ca61c4d7778fb334e7d92b Mon Sep 17 00:00:00 2001
From: devin distefano <devin.distefano@smartcontract.com>
Date: Thu, 21 May 2026 14:42:30 -0500
Subject: [PATCH 6/9] more cleanup

---
 .../generating-reports-single-values.mdx      |  14 +-
 .../generating-reports-structs.mdx            |   2 +-
 .../workflow/using-http-client/index.mdx      |   2 +-
 .../submitting-reports-http-go.mdx            |  36 +++--
 .../submitting-reports-http-ts.mdx            |  40 +++--
 .../verifying-reports-offchain-go.mdx         |  66 ++++----
 .../verifying-reports-offchain-ts.mdx         |  70 ++++----
 src/content/cre/index.mdx                     |  23 +--
 src/content/cre/key-terms.mdx                 |   8 +-
 src/content/cre/llms-full-go.txt              | 151 ++++++++++--------
 src/content/cre/llms-full-ts.txt              | 143 ++++++++++-------
 11 files changed, 312 insertions(+), 243 deletions(-)

diff --git a/src/content/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values.mdx b/src/content/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values.mdx
index ac36c54224b..364730964e5 100644
--- a/src/content/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values.mdx
+++ b/src/content/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values.mdx
@@ -11,9 +11,9 @@ metadata:
 
 import { Aside } from "@components"
 
-This guide shows how to manually generate a **CRE report** containing a single value (like `uint256`, `address`, or `bool`). A CRE report is a DON-signed package from `runtime.GenerateReport()` / `runtime.report()`: your encoded data plus workflow metadata and signatures.
+This guide shows how to manually generate a **[CRE report](/cre/key-terms#report-cre-report)** containing a single value (like `uint256`, `address`, or `bool`). See [Key Terms: Report](/cre/key-terms#report-cre-report) for the full definition; in short, it is a DON-signed package from [`runtime.GenerateReport()`](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values) / [`runtime.report()`](/cre/reference/sdk/core-ts#runtime-and-noderuntime) with your encoded data, workflow metadata, and signatures.
 
-This guide covers **creating** the signed report (`GenerateReport()` / `runtime.report()`). **Delivering** it is a separate step: see the table below.
+This guide covers **creating** the signed report ([`runtime.GenerateReport()`](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values) / [`runtime.report()`](/cre/reference/sdk/core-ts#runtime-and-noderuntime)). **Delivering** it is a separate step: see the table below.
 
 **Use this approach when:**
 
@@ -31,12 +31,12 @@ This guide covers **creating** the signed report (`GenerateReport()` / `runtime.
 Manually generating a report for a single value involves two main steps:
 
 1. **ABI-encode the value** into bytes using the `go-ethereum/accounts/abi` package
-1. **Generate a cryptographically signed report** using `runtime.GenerateReport()`
+1. **Generate a cryptographically signed report** using [`runtime.GenerateReport()`](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values)
 
-| After `GenerateReport()` / `report()`        | Guide                                                                                                        | Who verifies?                                                                                                             |
-| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------- |
-| `evm.Client.WriteReport()` / `writeReport()` | [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain) | `KeystoneForwarder` onchain                                                                                               |
-| `http.Client` `SendReport()`                 | [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http)                | Receiver: [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain) or your API |
+| After [`GenerateReport()`](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values) / [`report()`](/cre/reference/sdk/core-ts#runtime-and-noderuntime) | Guide                                                                                                        | Who verifies?                                                                                                             |
+| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------- |
+| [`WriteReport()`](/cre/reference/sdk/evm-client-go#writereport) / [`writeReport()`](/cre/reference/sdk/evm-client-ts#writereport)                                                   | [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain) | `KeystoneForwarder` onchain                                                                                               |
+| [`SendReport()`](/cre/reference/sdk/http-client-go#sendrequestersendreport) / [`sendReport()`](/cre/reference/sdk/http-client-ts#using-sendreport)                                  | [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http)                | Receiver: [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain) or your API |
 
 See [API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http) for the sender → receiver mental model.
 
diff --git a/src/content/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-structs.mdx b/src/content/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-structs.mdx
index 68dce8ba63f..51dcf3ee5a3 100644
--- a/src/content/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-structs.mdx
+++ b/src/content/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-structs.mdx
@@ -11,7 +11,7 @@ metadata:
 
 import { Aside } from "@components"
 
-This guide shows how to generate a **CRE report** containing a struct with multiple fields. A CRE report is a DON-signed package from `runtime.GenerateReport()`. After generation, deliver it [onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain) or via [HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http); HTTP receivers should [verify offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain). See [API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
+This guide shows how to generate a **[CRE report](/cre/key-terms#report-cre-report)** containing a struct with multiple fields. See [Key Terms: Report](/cre/key-terms#report-cre-report) for the full definition. After generation, deliver it [onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain) or via [HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http); HTTP receivers should [verify offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain). See [API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
 
 There are two encoding approaches depending on whether you have generated bindings for your contract.
 
diff --git a/src/content/cre/guides/workflow/using-http-client/index.mdx b/src/content/cre/guides/workflow/using-http-client/index.mdx
index e49ebb2c766..577c06c7416 100644
--- a/src/content/cre/guides/workflow/using-http-client/index.mdx
+++ b/src/content/cre/guides/workflow/using-http-client/index.mdx
@@ -32,7 +32,7 @@ The CRE SDK provides an HTTP client that allows your workflows to interact with
 
 ## CRE reports over HTTP
 
-A **CRE report** is a DON-signed package your workflow creates with `runtime.report()` (TypeScript) or `runtime.GenerateReport()` (Go). It contains your encoded payload, workflow metadata, and cryptographic signatures.
+A **[CRE report](/cre/key-terms#report-cre-report)** is a DON-signed package your workflow creates with [`runtime.report()`](/cre/reference/sdk/core-ts#runtime-and-noderuntime) (TypeScript) or [`runtime.GenerateReport()`](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values) (Go). It bundles your encoded payload, workflow metadata, report context, and cryptographic signatures from the DON. See [Key Terms: Report](/cre/key-terms#report-cre-report) for the full definition, including how onchain delivery differs from HTTP.
 
 A typical secure integration uses two parties:
 
diff --git a/src/content/cre/guides/workflow/using-http-client/submitting-reports-http-go.mdx b/src/content/cre/guides/workflow/using-http-client/submitting-reports-http-go.mdx
index 40e6cdd62f1..ef19f933188 100644
--- a/src/content/cre/guides/workflow/using-http-client/submitting-reports-http-go.mdx
+++ b/src/content/cre/guides/workflow/using-http-client/submitting-reports-http-go.mdx
@@ -16,7 +16,7 @@ This guide is for the **sender** side: a CRE workflow that **creates** a signed
 
 **What you'll learn:**
 
-- How to use `SendReport` to submit reports via HTTP
+- How to use [`SendReport()`](/cre/reference/sdk/http-client-go#sendrequestersendreport) to submit reports via HTTP
 - How to write transformation functions for different API formats
 - Best practices for report submission and deduplication
 
@@ -25,27 +25,33 @@ This guide is for the **sender** side: a CRE workflow that **creates** a signed
   This guide covers HTTP submission. For submitting reports to smart contracts, see [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain).
 </Aside>
 
+## What is a CRE report?
+
+A **[CRE report](/cre/key-terms#report-cre-report)** is the signed output your workflow DON produces when you call [`runtime.GenerateReport()`](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values). It packages your encoded data (the payload you computed in the callback), fixed workflow metadata, a report context (config digest and sequence number), and ECDSA signatures from DON nodes.
+
+This guide covers the **sender** path: create the report in your workflow, then POST it to an HTTP endpoint. The receiver must verify those signatures before trusting the data. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go) on the receiver side.
+
 ## Where this guide fits
 
-| Question                    | Answer                                                                                                                                                                      |
-| --------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| What is the report?         | Output of `runtime.GenerateReport()` after your workflow DON reaches consensus: encoded payload + metadata + signatures.                                                    |
-| Where does it come from?    | **Inside this workflow:** after your logic runs (fetch data, compute, encode). There is no separate "get report" step.                                                      |
-| What does this guide cover? | Steps 3–4 below: `GenerateReport()`, then `SendReport()` to your API. Steps 1–2 (trigger and your callback logic) are prerequisites, not the focus here.                    |
-| Who verifies it?            | The **receiver:** your HTTP service or a separate CRE workflow. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go). |
+| Question                    | Answer                                                                                                                                                                                                                                                                                                                |
+| --------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| What is the report?         | A [CRE report](/cre/key-terms#report-cre-report): output of [`runtime.GenerateReport()`](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values) after DON consensus (encoded payload + metadata + signatures).                                                                         |
+| Where does it come from?    | **Inside this workflow:** after your logic runs (fetch data, compute, encode). There is no separate "get report" step.                                                                                                                                                                                                |
+| What does this guide cover? | Steps 3–4 below: [`runtime.GenerateReport()`](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values), then [`SendReport()`](/cre/reference/sdk/http-client-go#sendrequestersendreport) to your API. Steps 1–2 (trigger and your callback logic) are prerequisites, not the focus here. |
+| Who verifies it?            | The **receiver:** your HTTP service or a separate CRE workflow. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go).                                                                                                                                           |
 
 **Sender flow in one workflow execution:**
 
 1. Trigger fires (cron, HTTP, …).
 2. Your callback runs (API calls, encoding, etc.).
-3. `runtime.GenerateReport()`: DON produces a signed `sdk.ReportResponse`.
-4. `SendReport()`: format and POST to your URL.
+3. [`runtime.GenerateReport()`](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values): DON produces a signed `sdk.ReportResponse`.
+4. [`SendReport()`](/cre/reference/sdk/http-client-go#sendrequestersendreport): format and POST to your URL.
 
 ## Prerequisites
 
 - Familiarity with [making POST requests](/cre/guides/workflow/using-http-client/post-request)
 - Understanding of [generating reports](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values)
-- A generated report from `runtime.GenerateReport()`
+- A generated report from [`runtime.GenerateReport()`](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values)
 
 {/* prettier-ignore */}
 <Aside type="caution" title="Redirects are not supported">
@@ -97,7 +103,7 @@ func submitReport(config *Config, logger *slog.Logger, sendRequester *http.SendR
 **What's happening here:**
 
 1. `formatReportSimple` transforms the report into an HTTP request that your API understands
-1. `sendRequester.SendReport()` calls your transformation function and sends the request
+1. [`sendRequester.SendReport()`](/cre/reference/sdk/http-client-go#sendrequestersendreport) calls your transformation function and sends the request
 1. The SDK handles consensus and returns the result
 
 The rest of this guide explains how this works and shows different formatting patterns for various API requirements.
@@ -106,7 +112,7 @@ The rest of this guide explains how this works and shows different formatting pa
 
 ### The report structure
 
-When you call `runtime.GenerateReport()`, the SDK creates a `sdk.ReportResponse` containing:
+After [consensus](/cre/key-terms#consensus), [`runtime.GenerateReport()`](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values) returns a `sdk.ReportResponse`: the wire-format view of a [CRE report](/cre/key-terms#report-cre-report). It contains:
 
 ```go
 type sdk.ReportResponse struct {
@@ -135,7 +141,7 @@ func(reportResponse *sdk.ReportResponse) (*http.Request, error)
 
 **The SDK calls this function internally:**
 
-1. You pass your transformation function to `SendReport`
+1. You pass your transformation function to [`SendReport()`](/cre/reference/sdk/http-client-go#sendrequestersendreport)
 1. The SDK calls it with the generated `sdk.ReportResponse`
 1. Your function returns an `http.Request` formatted for your API
 1. The SDK sends the request and handles consensus
@@ -380,7 +386,7 @@ This approach is reliable because the `RawReport` is identical across all nodes
 
 ## Using `SendReport` (recommended approach)
 
-Use the high-level `http.SendRequest` pattern with `sendRequester.SendReport()`:
+Use the high-level `http.SendRequest` pattern with [`sendRequester.SendReport()`](/cre/reference/sdk/http-client-go#sendrequestersendreport):
 
 ```go
 func submitReportViaHTTP(config *Config, logger *slog.Logger, sendRequester *http.SendRequester) (*SubmitResponse, error) {
@@ -650,7 +656,7 @@ func onCronTrigger(config *Config, runtime cre.Runtime, trigger *cron.Payload) (
 
 {/* prettier-ignore */}
 <Aside type="caution" title="Signature verification is your responsibility">
-  Unlike onchain submissions (where the `KeystoneForwarder` contract verifies signatures), **HTTP submissions require you to verify signatures** before trusting the report data. Use `cre.ParseReport()` in a receiver workflow or implement equivalent checks in your API. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go).
+  Unlike onchain submissions (where the `KeystoneForwarder` contract verifies signatures), **HTTP submissions require you to verify signatures** before trusting the report data. Use [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) in a receiver workflow or implement equivalent checks in your API. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go).
 </Aside>
 
 ## Troubleshooting
diff --git a/src/content/cre/guides/workflow/using-http-client/submitting-reports-http-ts.mdx b/src/content/cre/guides/workflow/using-http-client/submitting-reports-http-ts.mdx
index f40f727eef5..896af607edc 100644
--- a/src/content/cre/guides/workflow/using-http-client/submitting-reports-http-ts.mdx
+++ b/src/content/cre/guides/workflow/using-http-client/submitting-reports-http-ts.mdx
@@ -16,7 +16,7 @@ This guide is for the **sender** side: a CRE workflow that **creates** a signed
 
 **What you'll learn:**
 
-- How to use `sendReport()` to submit reports via HTTP
+- How to use [`sendReport()`](/cre/reference/sdk/http-client-ts#using-sendreport) to submit reports via HTTP
 - How to write transformation functions for different API formats
 - Best practices for report submission and deduplication
 
@@ -25,26 +25,32 @@ This guide is for the **sender** side: a CRE workflow that **creates** a signed
   This guide covers HTTP submission. For submitting reports to smart contracts, see [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/overview-ts).
 </Aside>
 
+## What is a CRE report?
+
+A **[CRE report](/cre/key-terms#report-cre-report)** is the signed output your workflow DON produces when you call [`runtime.report()`](/cre/reference/sdk/core-ts#runtime-and-noderuntime). It packages your encoded data (the payload you computed in the callback), fixed workflow metadata, a report context (config digest and sequence number), and ECDSA signatures from DON nodes.
+
+This guide covers the **sender** path: create the report in your workflow, then POST it to an HTTP endpoint. The receiver must verify those signatures before trusting the data. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts) on the receiver side.
+
 ## Where this guide fits
 
-| Question                    | Answer                                                                                                                                                                      |
-| --------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| What is the report?         | Output of `runtime.report()` after your workflow DON reaches consensus: encoded payload + metadata + signatures.                                                            |
-| Where does it come from?    | **Inside this workflow:** after your logic runs (fetch data, compute, encode). There is no separate "get report" step.                                                      |
-| What does this guide cover? | Steps 3–4 below: `runtime.report()`, then `sendReport()` to your API. Steps 1–2 (trigger and your callback logic) are prerequisites, not the focus here.                    |
-| Who verifies it?            | The **receiver:** your HTTP service or a separate CRE workflow. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts). |
+| Question                    | Answer                                                                                                                                                                                                                                                               |
+| --------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| What is the report?         | A [CRE report](/cre/key-terms#report-cre-report): output of [`runtime.report()`](/cre/reference/sdk/core-ts#runtime-and-noderuntime) after DON consensus (encoded payload + metadata + signatures).                                                                  |
+| Where does it come from?    | **Inside this workflow:** after your logic runs (fetch data, compute, encode). There is no separate "get report" step.                                                                                                                                               |
+| What does this guide cover? | Steps 3–4 below: [`runtime.report()`](/cre/reference/sdk/core-ts#runtime-and-noderuntime), then [`sendReport()`](/cre/reference/sdk/http-client-ts#using-sendreport) to your API. Steps 1–2 (trigger and your callback logic) are prerequisites, not the focus here. |
+| Who verifies it?            | The **receiver:** your HTTP service or a separate CRE workflow. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts).                                                                                          |
 
 **Sender flow in one workflow execution:**
 
 1. Trigger fires (cron, HTTP, …).
 2. Your callback runs (API calls, encoding, etc.).
-3. `runtime.report()`: DON produces a signed `ReportResponse`.
-4. `sendReport()`: format and POST to your URL.
+3. [`runtime.report()`](/cre/reference/sdk/core-ts#runtime-and-noderuntime): DON produces a signed `ReportResponse`.
+4. [`sendReport()`](/cre/reference/sdk/http-client-ts#using-sendreport): format and POST to your URL.
 
 ## Prerequisites
 
 - Familiarity with [making POST requests](/cre/guides/workflow/using-http-client/post-request)
-- Familiarity with `runtime.report()` (covered [below](#generating-reports-for-http-submission))
+- Familiarity with [`runtime.report()`](/cre/reference/sdk/core-ts#runtime-and-noderuntime) (covered [below](#generating-reports-for-http-submission))
 - **`viem`** as a direct dependency in the workflow `package.json` (for ABI encoding in examples)
 - Protobuf HTTP/report types from **`@chainlink/cre-sdk/pb`** (`SDK_PB.ReportResponse`, `HTTP_CLIENT_PB.RequestJson`), not the main `@chainlink/cre-sdk` entry
 
@@ -107,7 +113,7 @@ const submitReport = (sendRequester: HTTPSendRequester, report: Report): { succe
 **What's happening here:**
 
 1. `formatReportSimple` transforms the report into an HTTP request that your API understands
-1. `sendRequester.sendReport()` calls your transformation function and sends the request
+1. [`sendRequester.sendReport()`](/cre/reference/sdk/http-client-ts#using-sendreport) calls your transformation function and sends the request
 1. The SDK handles consensus and returns the result
 
 The rest of this guide explains how this works and shows different formatting patterns for various API requirements.
@@ -116,7 +122,7 @@ The rest of this guide explains how this works and shows different formatting pa
 
 ### The report structure
 
-When you call `runtime.report()`, the SDK creates a `ReportResponse` containing:
+After [consensus](/cre/key-terms#consensus), [`runtime.report()`](/cre/reference/sdk/core-ts#runtime-and-noderuntime) returns a `ReportResponse`: the wire-format view of a [CRE report](/cre/key-terms#report-cre-report). It contains:
 
 ```typescript
 interface ReportResponse {
@@ -145,7 +151,7 @@ Your transformation function tells the SDK how to format the report for your API
 
 **The SDK calls this function internally:**
 
-1. You pass your transformation function to `sendReport()`
+1. You pass your transformation function to [`sendReport()`](/cre/reference/sdk/http-client-ts#using-sendreport)
 1. The SDK calls it with the generated `ReportResponse`
 1. Your function returns a `RequestJson` formatted for your API
 1. The SDK sends the request and handles consensus
@@ -395,7 +401,7 @@ This approach is reliable because the `rawReport` is identical across all nodes
 
 ## Generating reports for HTTP submission
 
-Before you can submit a report via HTTP, you need to generate it using `runtime.report()`. This creates a cryptographically signed report from your encoded data.
+Before you can submit a report via HTTP, you need to generate it using [`runtime.report()`](/cre/reference/sdk/core-ts#runtime-and-noderuntime). This creates a cryptographically signed report from your encoded data.
 
 **Basic pattern:**
 
@@ -419,11 +425,11 @@ const report = runtime
 // Step 3: Submit via HTTP (covered in next section)
 ```
 
-The `runtime.report()` method works the same way whether you're encoding a single value or a struct—just use Viem's `encodeAbiParameters()` with the appropriate ABI types. For detailed examples on encoding single values, structs, and complex types, see the [Writing Data Onchain](/cre/guides/workflow/using-evm-client/onchain-write/writing-data-onchain) guide.
+The [`runtime.report()`](/cre/reference/sdk/core-ts#runtime-and-noderuntime) method works the same way whether you're encoding a single value or a struct—just use Viem's `encodeAbiParameters()` with the appropriate ABI types. For detailed examples on encoding single values, structs, and complex types, see the [Writing Data Onchain](/cre/guides/workflow/using-evm-client/onchain-write/writing-data-onchain) guide.
 
 ## Using `sendReport()` (recommended approach)
 
-Use the high-level `httpClient.sendRequest()` pattern with `sendRequester.sendReport()`:
+Use the high-level `httpClient.sendRequest()` pattern with [`sendRequester.sendReport()`](/cre/reference/sdk/http-client-ts#using-sendreport):
 
 ```typescript
 import {
@@ -674,7 +680,7 @@ const onCronTrigger = (runtime: Runtime<Config>): MyResult => {
 
 {/* prettier-ignore */}
 <Aside type="caution" title="Signature verification is your responsibility">
-  Unlike onchain submissions (where the `KeystoneForwarder` contract verifies signatures), **HTTP submissions require you to verify signatures** before trusting the report data. Use `Report.parse()` in a receiver workflow or implement equivalent checks in your API. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts).
+  Unlike onchain submissions (where the `KeystoneForwarder` contract verifies signatures), **HTTP submissions require you to verify signatures** before trusting the report data. Use [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) in a receiver workflow or implement equivalent checks in your API. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts).
 </Aside>
 
 ## Troubleshooting
diff --git a/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-go.mdx b/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-go.mdx
index 486161a556e..d87b1fffa39 100644
--- a/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-go.mdx
+++ b/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-go.mdx
@@ -16,11 +16,11 @@ This guide is for the **receiver** side: you already received a CRE report packa
 
 When a workflow delivers results via HTTP (or another offchain channel), nothing onchain automatically validates the report. **You must verify signatures before trusting the data.**
 
-The CRE SDK provides `cre.ParseReport()` to do this inside a workflow. Verification runs offchain in your callback: signatures are checked with local cryptography, while authorized signer addresses are loaded via **read-only calls to the onchain Capability Registry** (default: Ethereum Mainnet). Results are cached per DON.
+The CRE SDK provides [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) to do this inside a workflow. Verification runs offchain in your callback: signatures are checked with local cryptography, while authorized signer addresses are loaded via **read-only calls to the onchain Capability Registry** (default: Ethereum Mainnet). Results are cached per DON.
 
 {/* prettier-ignore */}
 <Aside type="note" title="Not your workflow deployment registry">
-  This guide uses the **Capability Registry** (DON signers), not the **workflow registry** where you deploy (`private` or `onchain:ethereum-mainnet`). If you deployed with the [private registry](/cre/guides/operations/deploying-to-private-registry-go), `ParseReport` still works the same way. For an HTTP-triggered receiver, use the [enterprise gateway URL](/cre/guides/operations/deploying-to-private-registry-go#http-triggers-with-the-private-registry) when triggering deployed workflows. Local simulation may still need an `ethereum-mainnet` RPC in `project.yaml` for those registry reads, even though private deploy does not.
+  This guide uses the **Capability Registry** (DON signers), not the **workflow registry** where you deploy (`private` or `onchain:ethereum-mainnet`). If you deployed with the [private registry](/cre/guides/operations/deploying-to-private-registry-go), [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) still works the same way. For an HTTP-triggered receiver, use the [enterprise gateway URL](/cre/guides/operations/deploying-to-private-registry-go#http-triggers-with-the-private-registry) when triggering deployed workflows. Local simulation may still need an `ethereum-mainnet` RPC in `project.yaml` for those registry reads, even though private deploy does not.
 </Aside>
 
 {/* prettier-ignore */}
@@ -28,20 +28,26 @@ The CRE SDK provides `cre.ParseReport()` to do this inside a workflow. Verificat
   When you submit reports onchain through the `KeystoneForwarder`, the forwarder contract verifies signatures before calling your consumer's `onReport`. This guide covers **offchain** verification for HTTP and custom ingest paths. See [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain).
 </Aside>
 
+## What is a CRE report?
+
+A **[CRE report](/cre/key-terms#report-cre-report)** is a DON-signed package another workflow (or system) created with [`runtime.GenerateReport()`](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values). You receive its bytes over HTTP (or another channel) as `rawReport`, `reportContext`, and `signatures`. Before you use the encoded payload, you must confirm the signatures match authorized DON signers on the Capability Registry.
+
+This guide is the **receiver** path: decode the POST body, call [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport), then read trusted metadata and `Body()`. See [Key Terms: Report](/cre/key-terms#report-cre-report) for how reports are created and delivered.
+
 ## Where this guide fits
 
-| Question                     | Answer                                                                                                                                                                                              |
-| ---------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| What is the report?          | Same CRE report the **sender** created with `runtime.GenerateReport()`. See [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go#where-this-guide-fits). |
-| Where does it come from?     | Another workflow (or system) already ran sender steps: logic → `GenerateReport()` → HTTP POST. You receive `rawReport`, `context`, and `signatures` in the request body.                            |
-| What does this guide cover?  | Step 3 below: `cre.ParseReport()` before you use `Body()` or take side effects.                                                                                                                     |
-| Same workflow as the sender? | Often **no:** common pattern is Workflow A (publish) and Workflow B (ingest with HTTP trigger).                                                                                                     |
+| Question                     | Answer                                                                                                                                                                                                                                                                                                                         |
+| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| What is the report?          | Same [CRE report](/cre/key-terms#report-cre-report) the **sender** created with [`runtime.GenerateReport()`](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values). See [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go#what-is-a-cre-report). |
+| Where does it come from?     | Another workflow (or system) already ran sender steps: logic → [`runtime.GenerateReport()`](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values) → HTTP POST. You receive `rawReport`, `context`, and `signatures` in the request body.                                                       |
+| What does this guide cover?  | Step 3 below: [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) before you use `Body()` or take side effects.                                                                                                                                                                                                   |
+| Same workflow as the sender? | Often **no:** common pattern is Workflow A (publish) and Workflow B (ingest with HTTP trigger).                                                                                                                                                                                                                                |
 
 **Receiver flow:**
 
 1. HTTP trigger (or your API) receives the POST payload.
 2. Decode hex fields into bytes.
-3. `cre.ParseReport()`: verify signatures and read metadata.
+3. [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport): verify signatures and read metadata.
 4. Use trusted `Body()` in your logic.
 
 Pair this guide with [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go) on the sender side. This guide covers local simulation first, then the deploy example with `AuthorizedKeys`.
@@ -49,7 +55,7 @@ Pair this guide with [Submitting Reports via HTTP](/cre/guides/workflow/using-ht
 ## What you'll learn
 
 - When to verify reports offchain vs relying on onchain forwarders
-- How `cre.ParseReport()` validates signatures and reads metadata
+- How [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) validates signatures and reads metadata
 - How to build a receiver workflow that accepts reports over HTTP
 - How to restrict verification to specific CRE environments or zones
 
@@ -61,12 +67,12 @@ Pair this guide with [Submitting Reports via HTTP](/cre/guides/workflow/using-ht
 
 ## Onchain vs offchain verification
 
-| Aspect               | Offchain (`cre.ParseReport`)                                 | Onchain (`KeystoneForwarder`)     |
-| -------------------- | ------------------------------------------------------------ | --------------------------------- |
-| **Where it runs**    | Inside your CRE workflow callback                            | In a smart contract transaction   |
-| **Signature check**  | Local `ecrecover` on report hash                             | Contract logic onchain            |
-| **Signer allowlist** | Read from Capability Registry (`getDON`, `getNodesByP2PIds`) | Forwarder + registry              |
-| **Typical use**      | HTTP APIs, webhooks, ingest workflows                        | Consumer contracts via `onReport` |
+| Aspect               | Offchain ([`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport)) | Onchain (`KeystoneForwarder`)     |
+| -------------------- | --------------------------------------------------------------------------- | --------------------------------- |
+| **Where it runs**    | Inside your CRE workflow callback                                           | In a smart contract transaction   |
+| **Signature check**  | Local `ecrecover` on report hash                                            | Contract logic onchain            |
+| **Signer allowlist** | Read from Capability Registry (`getDON`, `getNodesByP2PIds`)                | Forwarder + registry              |
+| **Typical use**      | HTTP APIs, webhooks, ingest workflows                                       | Consumer contracts via `onReport` |
 
 Offchain verification still uses **onchain data as a trust anchor**: the first time a DON is seen, the SDK reads the production Capability Registry on Ethereum Mainnet to learn `f` and authorized signer addresses.
 
@@ -82,7 +88,7 @@ Default (`cre.ProductionEnvironment()`):
 3. **Verify signatures**: compute `keccak256(keccak256(rawReport) || reportContext)`, recover signers, require **f+1** valid signatures from authorized nodes.
 4. **Return a `*cre.Report`** with accessors for workflow ID, owner, execution ID, body, and more.
 
-If verification fails, `cre.ParseReport()` returns an error (for example, `ErrUnknownSigner`, `ErrWrongSignatureCount`, or registry read failure).
+If verification fails, [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) returns an error (for example, `ErrUnknownSigner`, `ErrWrongSignatureCount`, or registry read failure).
 
 ## Testing locally with simulation
 
@@ -94,7 +100,7 @@ After you run the [submit guide complete example](/cre/guides/workflow/using-htt
 
 ### Minimal receiver for simulation
 
-Use an empty HTTP trigger for sim. Set `SkipSignatureVerification: true` in staging config (or pass it to `ParseReportWithConfig`). The CLI delivers `--http-payload` file contents as `payload.Input` bytes.
+Use an empty HTTP trigger for sim. Set `SkipSignatureVerification: true` in staging config (or pass it to [`ParseReportWithConfig`](/cre/reference/sdk/core-go#creparsereportwithconfig)). The CLI delivers `--http-payload` file contents as `payload.Input` bytes.
 
 `config.staging.json`:
 
@@ -183,10 +189,10 @@ func main() {
 
 ### Sim wiring vs full verify
 
-| Mode                   | Config                                                       | What it validates                                                                             |
-| ---------------------- | ------------------------------------------------------------ | --------------------------------------------------------------------------------------------- |
-| **Wiring / decode**    | `SkipSignatureVerification: true` in `ParseReportWithConfig` | JSON + hex decode, metadata accessors, `Body()`                                               |
-| **Full crypto verify** | Default `cre.ParseReport()` (production registry)            | Reports from a **deployed/production DON**. Sim-signed reports **fail** default verification. |
+| Mode                   | Config                                                                                                              | What it validates                                                                             |
+| ---------------------- | ------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------- |
+| **Wiring / decode**    | `SkipSignatureVerification: true` in [`ParseReportWithConfig`](/cre/reference/sdk/core-go#creparsereportwithconfig) | JSON + hex decode, metadata accessors, `Body()`                                               |
+| **Full crypto verify** | Default [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) (production registry)                      | Reports from a **deployed/production DON**. Sim-signed reports **fail** default verification. |
 
 ```bash
 cre workflow simulate verify-report-receiver \
@@ -198,8 +204,8 @@ cre workflow simulate verify-report-receiver \
 
 **Pass criteria**
 
-- **Sim wiring:** `SkipSignatureVerification: true` in `ParseReportWithConfig`: logs show metadata and a successful handler return.
-- **Full crypto verify:** default `ParseReport` with a **production-signed** report (not typical for sender-sim → receiver-sim alone).
+- **Sim wiring:** `SkipSignatureVerification: true` in [`ParseReportWithConfig`](/cre/reference/sdk/core-go#creparsereportwithconfig): logs show metadata and a successful handler return.
+- **Full crypto verify:** default [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) with a **production-signed** report (not typical for sender-sim → receiver-sim alone).
 
 `project.yaml` needs **`ethereum-mainnet` RPC** for default verify (registry reads).
 
@@ -303,7 +309,7 @@ func main() {
 **What's happening:**
 
 1. An external system POSTs hex-encoded `report`, `context`, and `signatures` to your HTTP trigger.
-2. `cre.ParseReport()` verifies signatures against the production CRE registry.
+2. [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) verifies signatures against the production CRE registry.
 3. On success, you read metadata and `Body()` safely.
 
 {/* prettier-ignore */}
@@ -313,7 +319,7 @@ func main() {
 
 ## Report payload format
 
-Receivers need three JSON fields. The JSON key is `context` even though the SDK field is `ReportContext`:
+When a sender POSTs a [CRE report](/cre/key-terms#report-cre-report) as JSON for offchain verification, receivers need three fields. The JSON key is `context` even though the SDK field is `ReportContext`:
 
 | JSON field   | SDK field       | Description                                                     |
 | ------------ | --------------- | --------------------------------------------------------------- |
@@ -336,7 +342,7 @@ See [SDK Reference: Core: Report verification](/cre/reference/sdk/core-go#report
 func ParseReport(runtime Runtime, rawReport []byte, signatures [][]byte, reportContext []byte) (*Report, error)
 ```
 
-Parses and verifies a report against the production CRE environment. Use `ParseReportWithConfig` for custom environments or zones.
+Parses and verifies a report against the production CRE environment. Use [`ParseReportWithConfig`](/cre/reference/sdk/core-go#creparsereportwithconfig) for custom environments or zones.
 
 ### `*cre.Report` accessors
 
@@ -377,7 +383,7 @@ report, err := cre.ParseReportWithConfig(runtime, rawReport, sigs, reportContext
 
 This is a **different pattern** from the simulation testing use of `SkipSignatureVerification`. In testing, you skip verification permanently. Here, you parse the header first to inspect metadata (such as `WorkflowID()` or `DONID()` for filtering), then call `VerifySignatures` in a separate step — useful when you want to gate registry reads on workflow identity checks.
 
-If you set `SkipSignatureVerification: true` in `ParseReportWithConfig`, parse the header first, then verify:
+If you set `SkipSignatureVerification: true` in [`ParseReportWithConfig`](/cre/reference/sdk/core-go#creparsereportwithconfig), parse the header first, then verify:
 
 ```go
 report, err := cre.ParseReportWithConfig(runtime, rawReport, sigs, reportContext, cre.ReportParseConfig{
@@ -396,7 +402,7 @@ if err := report.VerifySignatures(runtime); err != nil {
 
 ## Best practices
 
-1. **Verify before side effects**: Call `cre.ParseReport()` before writing to databases, chains, or external systems.
+1. **Verify before side effects**: Call [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) before writing to databases, chains, or external systems.
 2. **Permission on metadata**: After verification, check `WorkflowID()`, `WorkflowOwner()`, or `DONID()` match your expectations.
 3. **Deduplicate by execution ID**: Use `ExecutionID()` or `keccak256(rawReport)` to reject replays (see [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go#understanding-cachesettings-for-reports)).
 4. **Do not skip signature verification in production** unless you have another trust path.
@@ -405,7 +411,7 @@ if err := report.VerifySignatures(runtime); err != nil {
 
 **`ErrUnknownSigner` / `invalid signature` in sim with fresh webhook JSON**
 
-- **Expected** when using default `ParseReport` on a **sim-signed** report: simulator DON keys do not match mainnet registry signers.
+- **Expected** when using default [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) on a **sim-signed** report: simulator DON keys do not match mainnet registry signers.
 - For local wiring tests, use `SkipSignatureVerification: true`. For real crypto verify, use a **deployed sender** or production-signed reports.
 
 **`ErrUnknownSigner` (deployed)**
diff --git a/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts.mdx b/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts.mdx
index a42faaa3f30..ed6a799d911 100644
--- a/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts.mdx
+++ b/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts.mdx
@@ -16,11 +16,11 @@ This guide is for the **receiver** side: you already received a CRE report packa
 
 When a workflow delivers results via HTTP (or another offchain channel), nothing onchain automatically validates the report. **You must verify signatures before trusting the data.**
 
-The CRE SDK provides `Report.parse()` to do this inside a workflow. Verification runs **offchain** in your callback: signatures are checked with local cryptography, while authorized signer addresses are loaded via **read-only calls to the onchain Capability Registry** (default: Ethereum Mainnet). Results are cached per DON.
+The CRE SDK provides [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) to do this inside a workflow. Verification runs **offchain** in your callback: signatures are checked with local cryptography, while authorized signer addresses are loaded via **read-only calls to the onchain Capability Registry** (default: Ethereum Mainnet). Results are cached per DON.
 
 {/* prettier-ignore */}
 <Aside type="note" title="Not your workflow deployment registry">
-  This guide uses the **Capability Registry** (DON signers), not the **workflow registry** where you deploy (`private` or `onchain:ethereum-mainnet`). If you deployed with the [private registry](/cre/guides/operations/deploying-to-private-registry-ts), `Report.parse` still works the same way. For an HTTP-triggered receiver, use the [enterprise gateway URL](/cre/guides/operations/deploying-to-private-registry-ts#http-triggers-with-the-private-registry) when triggering deployed workflows. Local simulation may still need an `ethereum-mainnet` RPC in `project.yaml` for those registry reads, even though private deploy does not.
+  This guide uses the **Capability Registry** (DON signers), not the **workflow registry** where you deploy (`private` or `onchain:ethereum-mainnet`). If you deployed with the [private registry](/cre/guides/operations/deploying-to-private-registry-ts), [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) still works the same way. For an HTTP-triggered receiver, use the [enterprise gateway URL](/cre/guides/operations/deploying-to-private-registry-ts#http-triggers-with-the-private-registry) when triggering deployed workflows. Local simulation may still need an `ethereum-mainnet` RPC in `project.yaml` for those registry reads, even though private deploy does not.
 </Aside>
 
 {/* prettier-ignore */}
@@ -28,20 +28,26 @@ The CRE SDK provides `Report.parse()` to do this inside a workflow. Verification
   When you submit reports onchain through the `KeystoneForwarder`, the forwarder contract verifies signatures before calling your consumer's `onReport`. This guide covers **offchain** verification for HTTP and custom ingest paths. See [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain).
 </Aside>
 
+## What is a CRE report?
+
+A **[CRE report](/cre/key-terms#report-cre-report)** is a DON-signed package another workflow (or system) created with [`runtime.report()`](/cre/reference/sdk/core-ts#runtime-and-noderuntime). You receive its bytes over HTTP (or another channel) as `rawReport`, `reportContext`, and `signatures`. Before you use the encoded payload, you must confirm the signatures match authorized DON signers on the Capability Registry.
+
+This guide is the **receiver** path: decode the POST body, call [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification), then read trusted metadata and `body()`. See [Key Terms: Report](/cre/key-terms#report-cre-report) for how reports are created and delivered.
+
 ## Where this guide fits
 
-| Question                     | Answer                                                                                                                                                                                      |
-| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| What is the report?          | Same CRE report the **sender** created with `runtime.report()`. See [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#where-this-guide-fits). |
-| Where does it come from?     | Another workflow (or system) already ran sender steps: logic → `runtime.report()` → HTTP POST. You receive `rawReport`, `context`, and `signatures` in the request body.                    |
-| What does this guide cover?  | Step 3 below: `Report.parse()` before you use `body()` or take side effects.                                                                                                                |
-| Same workflow as the sender? | Often **no:** common pattern is Workflow A (publish) and Workflow B (ingest with HTTP trigger).                                                                                             |
+| Question                     | Answer                                                                                                                                                                                                                                                                               |
+| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| What is the report?          | Same [CRE report](/cre/key-terms#report-cre-report) the **sender** created with [`runtime.report()`](/cre/reference/sdk/core-ts#runtime-and-noderuntime). See [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#what-is-a-cre-report). |
+| Where does it come from?     | Another workflow (or system) already ran sender steps: logic → [`runtime.report()`](/cre/reference/sdk/core-ts#runtime-and-noderuntime) → HTTP POST. You receive `rawReport`, `context`, and `signatures` in the request body.                                                       |
+| What does this guide cover?  | Step 3 below: [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) before you use `body()` or take side effects.                                                                                                                                                       |
+| Same workflow as the sender? | Often **no:** common pattern is Workflow A (publish) and Workflow B (ingest with HTTP trigger).                                                                                                                                                                                      |
 
 **Receiver flow:**
 
 1. HTTP trigger (or your API) receives the POST payload.
 2. Decode hex fields into bytes.
-3. `Report.parse()`: verify signatures and read metadata.
+3. [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification): verify signatures and read metadata.
 4. Use trusted `body()` in your logic.
 
 Pair this guide with [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts) on the sender side. This guide covers local simulation first, then the deploy example with `authorizedKeys`.
@@ -49,7 +55,7 @@ Pair this guide with [Submitting Reports via HTTP](/cre/guides/workflow/using-ht
 ## What you'll learn
 
 - When to verify reports offchain vs relying on onchain forwarders
-- How `Report.parse()` validates signatures and reads metadata
+- How [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) validates signatures and reads metadata
 - How to build a receiver workflow that accepts reports over HTTP
 - How to restrict verification to specific CRE environments or zones
 
@@ -61,12 +67,12 @@ Pair this guide with [Submitting Reports via HTTP](/cre/guides/workflow/using-ht
 
 ## Onchain vs offchain verification
 
-| Aspect               | Offchain (`Report.parse`)                                    | Onchain (`KeystoneForwarder`)     |
-| -------------------- | ------------------------------------------------------------ | --------------------------------- |
-| **Where it runs**    | Inside your CRE workflow callback                            | In a smart contract transaction   |
-| **Signature check**  | Local `ecrecover` on report hash                             | Contract logic onchain            |
-| **Signer allowlist** | Read from Capability Registry (`getDON`, `getNodesByP2PIds`) | Forwarder + registry              |
-| **Typical use**      | HTTP APIs, webhooks, ingest workflows                        | Consumer contracts via `onReport` |
+| Aspect               | Offchain ([`Report.parse()`](/cre/reference/sdk/core-ts#report-verification)) | Onchain (`KeystoneForwarder`)     |
+| -------------------- | ----------------------------------------------------------------------------- | --------------------------------- |
+| **Where it runs**    | Inside your CRE workflow callback                                             | In a smart contract transaction   |
+| **Signature check**  | Local `ecrecover` on report hash                                              | Contract logic onchain            |
+| **Signer allowlist** | Read from Capability Registry (`getDON`, `getNodesByP2PIds`)                  | Forwarder + registry              |
+| **Typical use**      | HTTP APIs, webhooks, ingest workflows                                         | Consumer contracts via `onReport` |
 
 Offchain verification still uses **onchain data as a trust anchor**: the first time a DON is seen, the SDK reads the production Capability Registry on Ethereum Mainnet to learn `f` and authorized signer addresses.
 
@@ -82,7 +88,7 @@ Default (`productionEnvironment()`):
 3. **Verify signatures**: compute `keccak256(keccak256(rawReport) || reportContext)`, recover signers, require **f+1** valid signatures from authorized nodes.
 4. **Return a `Report` object** with accessors for workflow ID, owner, execution ID, body, and more.
 
-If verification fails, `Report.parse()` throws (for example, unknown signer, insufficient signatures, or registry read failure).
+If verification fails, [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) throws (for example, unknown signer, insufficient signatures, or registry read failure).
 
 ## Testing locally with simulation
 
@@ -94,14 +100,14 @@ After you run the [submit guide complete example](/cre/guides/workflow/using-htt
 
 ### Sim wiring vs full verify
 
-| Mode                   | Config                                              | What it validates                                                                                                                                                                      |
-| ---------------------- | --------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| **Wiring / decode**    | `skipSignatureVerification: true` in staging config | JSON + hex decode, `workflowId()`, `executionId()`, `donId()`, `body()`                                                                                                                |
-| **Full crypto verify** | Default `Report.parse()` (production registry)      | Reports from a **deployed/production DON**. Sim-signed reports **fail** default verification: simulation uses local DON keys; `Report.parse()` checks the mainnet Capability Registry. |
+| Mode                   | Config                                                                                           | What it validates                                                                                                                                                                                                                        |
+| ---------------------- | ------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **Wiring / decode**    | `skipSignatureVerification: true` in staging config                                              | JSON + hex decode, `workflowId()`, `executionId()`, `donId()`, `body()`                                                                                                                                                                  |
+| **Full crypto verify** | Default [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) (production registry) | Reports from a **deployed/production DON**. Sim-signed reports **fail** default verification: simulation uses local DON keys; [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) checks the mainnet Capability Registry. |
 
 ### Minimal receiver for simulation
 
-Use an **empty HTTP trigger config** for sim (add `authorizedKeys` before deploy). Call `Report.parse()` from your handler with the `runtime` parameter. The CLI delivers `--http-payload` file contents as `payload.input` bytes.
+Use an **empty HTTP trigger config** for sim (add `authorizedKeys` before deploy). Call [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) from your handler with the `runtime` parameter. The CLI delivers `--http-payload` file contents as `payload.input` bytes.
 
 `config.staging.json`:
 
@@ -262,7 +268,7 @@ export const initWorkflow = (config: Config, _secretsProvider: SecretsProvider)
 **What's happening:**
 
 1. An external system POSTs hex-encoded `report`, `context`, and `signatures` to your HTTP trigger.
-2. `Report.parse()` verifies signatures against the production CRE registry.
+2. [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) verifies signatures against the production CRE registry.
 3. On success, you read metadata and `body()` safely.
 
 {/* prettier-ignore */}
@@ -272,7 +278,7 @@ export const initWorkflow = (config: Config, _secretsProvider: SecretsProvider)
 
 ## Report payload format
 
-Receivers need three JSON fields (plus optional metadata your API may add). The JSON key is `context` even though the SDK field is `reportContext`:
+When a sender POSTs a [CRE report](/cre/key-terms#report-cre-report) as JSON for offchain verification, receivers need three fields (plus optional metadata your API may add). The JSON key is `context` even though the SDK field is `reportContext`:
 
 | JSON field   | SDK field       | Description                                                     |
 | ------------ | --------------- | --------------------------------------------------------------- |
@@ -331,17 +337,17 @@ const config: ReportParseConfig = {
 }
 ```
 
-| Option                      | Description                                                                                                                                                                                                                                                                |
-| --------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `acceptedEnvironments`      | Registry environments to check (defaults to production)                                                                                                                                                                                                                    |
-| `acceptedZones`             | Restrict to specific DON IDs within an environment                                                                                                                                                                                                                         |
-| `skipSignatureVerification` | Parse metadata only, without registry reads or signature checks. Use only for testing or when another layer verifies signatures. There is no separate `verifySignatures()` on `Report` in TypeScript; call `Report.parse()` without this flag for production verification. |
+| Option                      | Description                                                                                                                                                                                                                                                                                                                  |
+| --------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `acceptedEnvironments`      | Registry environments to check (defaults to production)                                                                                                                                                                                                                                                                      |
+| `acceptedZones`             | Restrict to specific DON IDs within an environment                                                                                                                                                                                                                                                                           |
+| `skipSignatureVerification` | Parse metadata only, without registry reads or signature checks. Use only for testing or when another layer verifies signatures. There is no separate `verifySignatures()` on `Report` in TypeScript; call [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) without this flag for production verification. |
 
 Most workflows should use the default config (production environment only).
 
 ## Best practices
 
-1. **Verify before side effects**: Call `Report.parse()` before writing to databases, chains, or external systems.
+1. **Verify before side effects**: Call [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) before writing to databases, chains, or external systems.
 2. **Permission on metadata**: After verification, check `workflowId()`, `workflowOwner()`, or `donId()` match your expectations.
 3. **Deduplicate by execution ID**: Use `executionId()` or `keccak256(rawReport)` to reject replays (see [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#understanding-cachesettings-for-reports)).
 4. **Do not skip signature verification in production** unless you have another trust path.
@@ -350,12 +356,12 @@ Most workflows should use the default config (production environment only).
 
 **Empty error after verify sim**
 
-- `Report.parse()` may throw an **`AggregateError`** of multiple `invalid signature` errors. **`AggregateError.message` is often empty**, so the CLI prints `Execution resulted in an error being returned:` with nothing after the colon.
+- [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) may throw an **`AggregateError`** of multiple `invalid signature` errors. **`AggregateError.message` is often empty**, so the CLI prints `Execution resulted in an error being returned:` with nothing after the colon.
 - Format errors in your handler before rethrowing (see the simulation example above).
 
 **`invalid signature` / `unknown signer` in sim with fresh webhook JSON**
 
-- **Expected** when using default `Report.parse()` on a **sim-signed** report: simulator DON keys do not match mainnet registry signers.
+- **Expected** when using default [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) on a **sim-signed** report: simulator DON keys do not match mainnet registry signers.
 - For local wiring tests, set `skipSignatureVerification: true`. For real crypto verify, use a **deployed sender** or production-signed reports.
 
 **`invalid signature` / `unknown signer` (deployed)**
diff --git a/src/content/cre/index.mdx b/src/content/cre/index.mdx
index e0d87181230..7f7432d5c44 100644
--- a/src/content/cre/index.mdx
+++ b/src/content/cre/index.mdx
@@ -110,17 +110,18 @@ Learn more about [Consensus Computing in CRE](/cre/concepts/consensus-computing)
 
 ## Glossary: Building blocks
 
-| Concept            | One-liner                                                         |
-| ------------------ | ----------------------------------------------------------------- |
-| **Workflow**       | Compiled WebAssembly (WASM) binary.                               |
-| **Handler**        | `handler(trigger, callback)` pair; the atom of execution.         |
-| **Trigger**        | Event that starts an execution (cron, HTTP, EVM log, …).          |
-| **Callback**       | Function that runs when its trigger fires; contains your logic.   |
-| **Runtime**        | Object passed to a callback; used to invoke capabilities.         |
-| **Capability**     | Decentralized microservice (chain read/write, HTTP Fetch, ...).   |
-| **Workflow DON**   | Watches triggers and coordinates the workflow.                    |
-| **Capability DON** | Executes a specific capability.                                   |
-| **Consensus**      | BFT protocol that merges node results into one verifiable report. |
+| Concept            | One-liner                                                        |
+| ------------------ | ---------------------------------------------------------------- |
+| **Workflow**       | Compiled WebAssembly (WASM) binary.                              |
+| **Handler**        | `handler(trigger, callback)` pair; the atom of execution.        |
+| **Trigger**        | Event that starts an execution (cron, HTTP, EVM log, …).         |
+| **Callback**       | Function that runs when its trigger fires; contains your logic.  |
+| **Runtime**        | Object passed to a callback; used to invoke capabilities.        |
+| **Capability**     | Decentralized microservice (chain read/write, HTTP Fetch, ...).  |
+| **Workflow DON**   | Watches triggers and coordinates the workflow.                   |
+| **Capability DON** | Executes a specific capability.                                  |
+| **Consensus**      | BFT protocol that merges node results into one trusted outcome.  |
+| **Report**         | DON-signed package from `runtime.report()` / `GenerateReport()`. |
 
 Full definitions live on **[Key Terms and Concepts](/cre/key-terms)**.
 
diff --git a/src/content/cre/key-terms.mdx b/src/content/cre/key-terms.mdx
index 722c51ddc98..98a95fb4b12 100644
--- a/src/content/cre/key-terms.mdx
+++ b/src/content/cre/key-terms.mdx
@@ -5,7 +5,7 @@ date: Last Modified
 metadata:
   description: "Learn essential CRE concepts: workflows, handlers, triggers, callbacks, Runtime, capabilities, DONs, and consensus."
   datePublished: "2025-11-04"
-  lastModified: "2025-11-04"
+  lastModified: "2026-05-20"
 ---
 
 import { Aside } from "@components"
@@ -75,6 +75,12 @@ Short-lived objects passed to your callback function during a specific execution
 
 Learn more about [Consensus and Aggregation](/cre/reference/sdk/consensus).
 
+### Report (CRE report)
+
+A cryptographically signed package your workflow [DON](/cre/key-terms#decentralized-oracle-network-don) produces after your callback encodes its result: payload bytes, report context, and DON signatures. Create it with [`runtime.report()`](/cre/reference/sdk/core-ts#runtime-and-noderuntime) (TypeScript) or [`runtime.GenerateReport()`](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values) (Go).
+
+Deliver onchain with [`writeReport()`](/cre/reference/sdk/evm-client-ts#writereport) / [`WriteReport()`](/cre/reference/sdk/evm-client-go#writereport), or offchain with [`sendReport()`](/cre/reference/sdk/http-client-ts#using-sendreport) / [`SendReport()`](/cre/reference/sdk/http-client-go#sendrequestersendreport). Receivers verify with [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) or [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport). See [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http) and [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain).
+
 ### SDK Clients: `EVMClient` & `HTTPClient`
 
 The primary SDK clients you use inside a callback to interact with capabilities. For example, you use an EVM client to read from a smart contract and an HTTP client to make offchain API requests.
diff --git a/src/content/cre/llms-full-go.txt b/src/content/cre/llms-full-go.txt
index 175df69db76..fde695841ea 100644
--- a/src/content/cre/llms-full-go.txt
+++ b/src/content/cre/llms-full-go.txt
@@ -99,17 +99,18 @@ Learn more about [Consensus Computing in CRE](/cre/concepts/consensus-computing)
 
 ## Glossary: Building blocks
 
-| Concept            | One-liner                                                         |
-| ------------------ | ----------------------------------------------------------------- |
-| **Workflow**       | Compiled WebAssembly (WASM) binary.                               |
-| **Handler**        | `handler(trigger, callback)` pair; the atom of execution.         |
-| **Trigger**        | Event that starts an execution (cron, HTTP, EVM log, …).          |
-| **Callback**       | Function that runs when its trigger fires; contains your logic.   |
-| **Runtime**        | Object passed to a callback; used to invoke capabilities.         |
-| **Capability**     | Decentralized microservice (chain read/write, HTTP Fetch, ...).   |
-| **Workflow DON**   | Watches triggers and coordinates the workflow.                    |
-| **Capability DON** | Executes a specific capability.                                   |
-| **Consensus**      | BFT protocol that merges node results into one verifiable report. |
+| Concept            | One-liner                                                        |
+| ------------------ | ---------------------------------------------------------------- |
+| **Workflow**       | Compiled WebAssembly (WASM) binary.                              |
+| **Handler**        | `handler(trigger, callback)` pair; the atom of execution.        |
+| **Trigger**        | Event that starts an execution (cron, HTTP, EVM log, …).         |
+| **Callback**       | Function that runs when its trigger fires; contains your logic.  |
+| **Runtime**        | Object passed to a callback; used to invoke capabilities.        |
+| **Capability**     | Decentralized microservice (chain read/write, HTTP Fetch, ...).  |
+| **Workflow DON**   | Watches triggers and coordinates the workflow.                   |
+| **Capability DON** | Executes a specific capability.                                  |
+| **Consensus**      | BFT protocol that merges node results into one trusted outcome.  |
+| **Report**         | DON-signed package from `runtime.report()` / `GenerateReport()`. |
 
 Full definitions live on **[Key Terms and Concepts](/cre/key-terms)**.
 
@@ -149,7 +150,7 @@ Jump to what you need:
 
 # Key Terms and Concepts
 Source: https://docs.chain.link/cre/key-terms
-Last Updated: 2025-11-04
+Last Updated: 2026-05-20
 
 This page defines the fundamental terms and concepts for the Chainlink Runtime Environment (CRE).
 
@@ -216,6 +217,12 @@ Short-lived objects passed to your callback function during a specific execution
 
 Learn more about [Consensus and Aggregation](/cre/reference/sdk/consensus).
 
+### Report (CRE report)
+
+A cryptographically signed package your workflow [DON](/cre/key-terms#decentralized-oracle-network-don) produces after your callback encodes its result: payload bytes, report context, and DON signatures. Create it with [`runtime.report()`](/cre/reference/sdk/core-ts#runtime-and-noderuntime) (TypeScript) or [`runtime.GenerateReport()`](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values) (Go).
+
+Deliver onchain with [`writeReport()`](/cre/reference/sdk/evm-client-ts#writereport) / [`WriteReport()`](/cre/reference/sdk/evm-client-go#writereport), or offchain with [`sendReport()`](/cre/reference/sdk/http-client-ts#using-sendreport) / [`SendReport()`](/cre/reference/sdk/http-client-go#sendrequestersendreport). Receivers verify with [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) or [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport). See [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http) and [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain).
+
 ### SDK Clients: `EVMClient` & `HTTPClient`
 
 The primary SDK clients you use inside a callback to interact with capabilities. For example, you use an EVM client to read from a smart contract and an HTTP client to make offchain API requests.
@@ -3770,9 +3777,9 @@ writePromise := reserveManager.WriteReportFromUpdateReserves(runtime, updateData
 Source: https://docs.chain.link/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values
 Last Updated: 2025-11-04
 
-This guide shows how to manually generate a **CRE report** containing a single value (like `uint256`, `address`, or `bool`). A CRE report is a DON-signed package from `runtime.GenerateReport()` / `runtime.report()`: your encoded data plus workflow metadata and signatures.
+This guide shows how to manually generate a **[CRE report](/cre/key-terms#report-cre-report)** containing a single value (like `uint256`, `address`, or `bool`). See [Key Terms: Report](/cre/key-terms#report-cre-report) for the full definition; in short, it is a DON-signed package from [`runtime.GenerateReport()`](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values) / [`runtime.report()`](/cre/reference/sdk/core-ts#runtime-and-noderuntime) with your encoded data, workflow metadata, and signatures.
 
-This guide covers **creating** the signed report (`GenerateReport()` / `runtime.report()`). **Delivering** it is a separate step: see the table below.
+This guide covers **creating** the signed report ([`runtime.GenerateReport()`](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values) / [`runtime.report()`](/cre/reference/sdk/core-ts#runtime-and-noderuntime)). **Delivering** it is a separate step: see the table below.
 
 **Use this approach when:**
 
@@ -3790,12 +3797,12 @@ This guide covers **creating** the signed report (`GenerateReport()` / `runtime.
 Manually generating a report for a single value involves two main steps:
 
 1. **ABI-encode the value** into bytes using the `go-ethereum/accounts/abi` package
-2. **Generate a cryptographically signed report** using `runtime.GenerateReport()`
+2. **Generate a cryptographically signed report** using [`runtime.GenerateReport()`](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values)
 
-| After `GenerateReport()` / `report()`        | Guide                                                                                                        | Who verifies?                                                                                                             |
-| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------- |
-| `evm.Client.WriteReport()` / `writeReport()` | [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain) | `KeystoneForwarder` onchain                                                                                               |
-| `http.Client` `SendReport()`                 | [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http)                | Receiver: [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain) or your API |
+| After [`GenerateReport()`](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values) / [`report()`](/cre/reference/sdk/core-ts#runtime-and-noderuntime) | Guide                                                                                                        | Who verifies?                                                                                                             |
+| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------- |
+| [`WriteReport()`](/cre/reference/sdk/evm-client-go#writereport) / [`writeReport()`](/cre/reference/sdk/evm-client-ts#writereport)                                                   | [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain) | `KeystoneForwarder` onchain                                                                                               |
+| [`SendReport()`](/cre/reference/sdk/http-client-go#sendrequestersendreport) / [`sendReport()`](/cre/reference/sdk/http-client-ts#using-sendreport)                                  | [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http)                | Receiver: [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain) or your API |
 
 See [API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http) for the sender → receiver mental model.
 
@@ -4036,7 +4043,7 @@ func main() {
 Source: https://docs.chain.link/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-structs
 Last Updated: 2025-11-04
 
-This guide shows how to generate a **CRE report** containing a struct with multiple fields. A CRE report is a DON-signed package from `runtime.GenerateReport()`. After generation, deliver it [onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain) or via [HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http); HTTP receivers should [verify offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain). See [API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
+This guide shows how to generate a **[CRE report](/cre/key-terms#report-cre-report)** containing a struct with multiple fields. See [Key Terms: Report](/cre/key-terms#report-cre-report) for the full definition. After generation, deliver it [onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain) or via [HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http); HTTP receivers should [verify offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain). See [API Interactions: CRE reports over HTTP](/cre/guides/workflow/using-http-client#cre-reports-over-http).
 
 There are two encoding approaches depending on whether you have generated bindings for your contract.
 
@@ -4744,7 +4751,7 @@ The CRE SDK provides an HTTP client that allows your workflows to interact with
 
 ## CRE reports over HTTP
 
-A **CRE report** is a DON-signed package your workflow creates with `runtime.report()` (TypeScript) or `runtime.GenerateReport()` (Go). It contains your encoded payload, workflow metadata, and cryptographic signatures.
+A **[CRE report](/cre/key-terms#report-cre-report)** is a DON-signed package your workflow creates with [`runtime.report()`](/cre/reference/sdk/core-ts#runtime-and-noderuntime) (TypeScript) or [`runtime.GenerateReport()`](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values) (Go). It bundles your encoded payload, workflow metadata, report context, and cryptographic signatures from the DON. See [Key Terms: Report](/cre/key-terms#report-cre-report) for the full definition, including how onchain delivery differs from HTTP.
 
 A typical secure integration uses two parties:
 
@@ -15299,7 +15306,7 @@ This guide is for the **sender** side: a CRE workflow that **creates** a signed
 
 **What you'll learn:**
 
-- How to use `SendReport` to submit reports via HTTP
+- How to use [`SendReport()`](/cre/reference/sdk/http-client-go#sendrequestersendreport) to submit reports via HTTP
 - How to write transformation functions for different API formats
 - Best practices for report submission and deduplication
 
@@ -15308,27 +15315,33 @@ This guide is for the **sender** side: a CRE workflow that **creates** a signed
   This guide covers HTTP submission. For submitting reports to smart contracts, see [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain).
 </Aside>
 
+## What is a CRE report?
+
+A **[CRE report](/cre/key-terms#report-cre-report)** is the signed output your workflow DON produces when you call [`runtime.GenerateReport()`](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values). It packages your encoded data (the payload you computed in the callback), fixed workflow metadata, a report context (config digest and sequence number), and ECDSA signatures from DON nodes.
+
+This guide covers the **sender** path: create the report in your workflow, then POST it to an HTTP endpoint. The receiver must verify those signatures before trusting the data. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go) on the receiver side.
+
 ## Where this guide fits
 
-| Question                    | Answer                                                                                                                                                                      |
-| --------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| What is the report?         | Output of `runtime.GenerateReport()` after your workflow DON reaches consensus: encoded payload + metadata + signatures.                                                    |
-| Where does it come from?    | **Inside this workflow:** after your logic runs (fetch data, compute, encode). There is no separate "get report" step.                                                      |
-| What does this guide cover? | Steps 3–4 below: `GenerateReport()`, then `SendReport()` to your API. Steps 1–2 (trigger and your callback logic) are prerequisites, not the focus here.                    |
-| Who verifies it?            | The **receiver:** your HTTP service or a separate CRE workflow. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go). |
+| Question                    | Answer                                                                                                                                                                                                                                                                                                                |
+| --------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| What is the report?         | A [CRE report](/cre/key-terms#report-cre-report): output of [`runtime.GenerateReport()`](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values) after DON consensus (encoded payload + metadata + signatures).                                                                         |
+| Where does it come from?    | **Inside this workflow:** after your logic runs (fetch data, compute, encode). There is no separate "get report" step.                                                                                                                                                                                                |
+| What does this guide cover? | Steps 3–4 below: [`runtime.GenerateReport()`](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values), then [`SendReport()`](/cre/reference/sdk/http-client-go#sendrequestersendreport) to your API. Steps 1–2 (trigger and your callback logic) are prerequisites, not the focus here. |
+| Who verifies it?            | The **receiver:** your HTTP service or a separate CRE workflow. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go).                                                                                                                                           |
 
 **Sender flow in one workflow execution:**
 
 1. Trigger fires (cron, HTTP, …).
 2. Your callback runs (API calls, encoding, etc.).
-3. `runtime.GenerateReport()`: DON produces a signed `sdk.ReportResponse`.
-4. `SendReport()`: format and POST to your URL.
+3. [`runtime.GenerateReport()`](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values): DON produces a signed `sdk.ReportResponse`.
+4. [`SendReport()`](/cre/reference/sdk/http-client-go#sendrequestersendreport): format and POST to your URL.
 
 ## Prerequisites
 
 - Familiarity with [making POST requests](/cre/guides/workflow/using-http-client/post-request)
 - Understanding of [generating reports](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values)
-- A generated report from `runtime.GenerateReport()`
+- A generated report from [`runtime.GenerateReport()`](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values)
 
 
 <Aside type="caution" title="Redirects are not supported">
@@ -15380,7 +15393,7 @@ func submitReport(config *Config, logger *slog.Logger, sendRequester *http.SendR
 **What's happening here:**
 
 1. `formatReportSimple` transforms the report into an HTTP request that your API understands
-2. `sendRequester.SendReport()` calls your transformation function and sends the request
+2. [`sendRequester.SendReport()`](/cre/reference/sdk/http-client-go#sendrequestersendreport) calls your transformation function and sends the request
 3. The SDK handles consensus and returns the result
 
 The rest of this guide explains how this works and shows different formatting patterns for various API requirements.
@@ -15389,7 +15402,7 @@ The rest of this guide explains how this works and shows different formatting pa
 
 ### The report structure
 
-When you call `runtime.GenerateReport()`, the SDK creates a `sdk.ReportResponse` containing:
+After [consensus](/cre/key-terms#consensus), [`runtime.GenerateReport()`](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values) returns a `sdk.ReportResponse`: the wire-format view of a [CRE report](/cre/key-terms#report-cre-report). It contains:
 
 ```go
 type sdk.ReportResponse struct {
@@ -15418,7 +15431,7 @@ func(reportResponse *sdk.ReportResponse) (*http.Request, error)
 
 **The SDK calls this function internally:**
 
-1. You pass your transformation function to `SendReport`
+1. You pass your transformation function to [`SendReport()`](/cre/reference/sdk/http-client-go#sendrequestersendreport)
 2. The SDK calls it with the generated `sdk.ReportResponse`
 3. Your function returns an `http.Request` formatted for your API
 4. The SDK sends the request and handles consensus
@@ -15663,7 +15676,7 @@ This approach is reliable because the `RawReport` is identical across all nodes
 
 ## Using `SendReport` (recommended approach)
 
-Use the high-level `http.SendRequest` pattern with `sendRequester.SendReport()`:
+Use the high-level `http.SendRequest` pattern with [`sendRequester.SendReport()`](/cre/reference/sdk/http-client-go#sendrequestersendreport):
 
 ```go
 func submitReportViaHTTP(config *Config, logger *slog.Logger, sendRequester *http.SendRequester) (*SubmitResponse, error) {
@@ -15933,7 +15946,7 @@ func onCronTrigger(config *Config, runtime cre.Runtime, trigger *cron.Payload) (
 
 
 <Aside type="caution" title="Signature verification is your responsibility">
-  Unlike onchain submissions (where the `KeystoneForwarder` contract verifies signatures), **HTTP submissions require you to verify signatures** before trusting the report data. Use `cre.ParseReport()` in a receiver workflow or implement equivalent checks in your API. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go).
+  Unlike onchain submissions (where the `KeystoneForwarder` contract verifies signatures), **HTTP submissions require you to verify signatures** before trusting the report data. Use [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) in a receiver workflow or implement equivalent checks in your API. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-go).
 </Aside>
 
 ## Troubleshooting
@@ -15968,11 +15981,11 @@ This guide is for the **receiver** side: you already received a CRE report packa
 
 When a workflow delivers results via HTTP (or another offchain channel), nothing onchain automatically validates the report. **You must verify signatures before trusting the data.**
 
-The CRE SDK provides `cre.ParseReport()` to do this inside a workflow. Verification runs offchain in your callback: signatures are checked with local cryptography, while authorized signer addresses are loaded via **read-only calls to the onchain Capability Registry** (default: Ethereum Mainnet). Results are cached per DON.
+The CRE SDK provides [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) to do this inside a workflow. Verification runs offchain in your callback: signatures are checked with local cryptography, while authorized signer addresses are loaded via **read-only calls to the onchain Capability Registry** (default: Ethereum Mainnet). Results are cached per DON.
 
 
 <Aside type="note" title="Not your workflow deployment registry">
-  This guide uses the **Capability Registry** (DON signers), not the **workflow registry** where you deploy (`private` or `onchain:ethereum-mainnet`). If you deployed with the [private registry](/cre/guides/operations/deploying-to-private-registry-go), `ParseReport` still works the same way. For an HTTP-triggered receiver, use the [enterprise gateway URL](/cre/guides/operations/deploying-to-private-registry-go#http-triggers-with-the-private-registry) when triggering deployed workflows. Local simulation may still need an `ethereum-mainnet` RPC in `project.yaml` for those registry reads, even though private deploy does not.
+  This guide uses the **Capability Registry** (DON signers), not the **workflow registry** where you deploy (`private` or `onchain:ethereum-mainnet`). If you deployed with the [private registry](/cre/guides/operations/deploying-to-private-registry-go), [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) still works the same way. For an HTTP-triggered receiver, use the [enterprise gateway URL](/cre/guides/operations/deploying-to-private-registry-go#http-triggers-with-the-private-registry) when triggering deployed workflows. Local simulation may still need an `ethereum-mainnet` RPC in `project.yaml` for those registry reads, even though private deploy does not.
 </Aside>
 
 
@@ -15980,20 +15993,26 @@ The CRE SDK provides `cre.ParseReport()` to do this inside a workflow. Verificat
   When you submit reports onchain through the `KeystoneForwarder`, the forwarder contract verifies signatures before calling your consumer's `onReport`. This guide covers **offchain** verification for HTTP and custom ingest paths. See [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain).
 </Aside>
 
+## What is a CRE report?
+
+A **[CRE report](/cre/key-terms#report-cre-report)** is a DON-signed package another workflow (or system) created with [`runtime.GenerateReport()`](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values). You receive its bytes over HTTP (or another channel) as `rawReport`, `reportContext`, and `signatures`. Before you use the encoded payload, you must confirm the signatures match authorized DON signers on the Capability Registry.
+
+This guide is the **receiver** path: decode the POST body, call [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport), then read trusted metadata and `Body()`. See [Key Terms: Report](/cre/key-terms#report-cre-report) for how reports are created and delivered.
+
 ## Where this guide fits
 
-| Question                     | Answer                                                                                                                                                                                              |
-| ---------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| What is the report?          | Same CRE report the **sender** created with `runtime.GenerateReport()`. See [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go#where-this-guide-fits). |
-| Where does it come from?     | Another workflow (or system) already ran sender steps: logic → `GenerateReport()` → HTTP POST. You receive `rawReport`, `context`, and `signatures` in the request body.                            |
-| What does this guide cover?  | Step 3 below: `cre.ParseReport()` before you use `Body()` or take side effects.                                                                                                                     |
-| Same workflow as the sender? | Often **no:** common pattern is Workflow A (publish) and Workflow B (ingest with HTTP trigger).                                                                                                     |
+| Question                     | Answer                                                                                                                                                                                                                                                                                                                         |
+| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| What is the report?          | Same [CRE report](/cre/key-terms#report-cre-report) the **sender** created with [`runtime.GenerateReport()`](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values). See [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go#what-is-a-cre-report). |
+| Where does it come from?     | Another workflow (or system) already ran sender steps: logic → [`runtime.GenerateReport()`](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values) → HTTP POST. You receive `rawReport`, `context`, and `signatures` in the request body.                                                       |
+| What does this guide cover?  | Step 3 below: [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) before you use `Body()` or take side effects.                                                                                                                                                                                                   |
+| Same workflow as the sender? | Often **no:** common pattern is Workflow A (publish) and Workflow B (ingest with HTTP trigger).                                                                                                                                                                                                                                |
 
 **Receiver flow:**
 
 1. HTTP trigger (or your API) receives the POST payload.
 2. Decode hex fields into bytes.
-3. `cre.ParseReport()`: verify signatures and read metadata.
+3. [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport): verify signatures and read metadata.
 4. Use trusted `Body()` in your logic.
 
 Pair this guide with [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go) on the sender side. This guide covers local simulation first, then the deploy example with `AuthorizedKeys`.
@@ -16001,7 +16020,7 @@ Pair this guide with [Submitting Reports via HTTP](/cre/guides/workflow/using-ht
 ## What you'll learn
 
 - When to verify reports offchain vs relying on onchain forwarders
-- How `cre.ParseReport()` validates signatures and reads metadata
+- How [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) validates signatures and reads metadata
 - How to build a receiver workflow that accepts reports over HTTP
 - How to restrict verification to specific CRE environments or zones
 
@@ -16013,12 +16032,12 @@ Pair this guide with [Submitting Reports via HTTP](/cre/guides/workflow/using-ht
 
 ## Onchain vs offchain verification
 
-| Aspect               | Offchain (`cre.ParseReport`)                                 | Onchain (`KeystoneForwarder`)     |
-| -------------------- | ------------------------------------------------------------ | --------------------------------- |
-| **Where it runs**    | Inside your CRE workflow callback                            | In a smart contract transaction   |
-| **Signature check**  | Local `ecrecover` on report hash                             | Contract logic onchain            |
-| **Signer allowlist** | Read from Capability Registry (`getDON`, `getNodesByP2PIds`) | Forwarder + registry              |
-| **Typical use**      | HTTP APIs, webhooks, ingest workflows                        | Consumer contracts via `onReport` |
+| Aspect               | Offchain ([`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport)) | Onchain (`KeystoneForwarder`)     |
+| -------------------- | --------------------------------------------------------------------------- | --------------------------------- |
+| **Where it runs**    | Inside your CRE workflow callback                                           | In a smart contract transaction   |
+| **Signature check**  | Local `ecrecover` on report hash                                            | Contract logic onchain            |
+| **Signer allowlist** | Read from Capability Registry (`getDON`, `getNodesByP2PIds`)                | Forwarder + registry              |
+| **Typical use**      | HTTP APIs, webhooks, ingest workflows                                       | Consumer contracts via `onReport` |
 
 Offchain verification still uses **onchain data as a trust anchor**: the first time a DON is seen, the SDK reads the production Capability Registry on Ethereum Mainnet to learn `f` and authorized signer addresses.
 
@@ -16034,7 +16053,7 @@ Default (`cre.ProductionEnvironment()`):
 3. **Verify signatures**: compute `keccak256(keccak256(rawReport) || reportContext)`, recover signers, require **f+1** valid signatures from authorized nodes.
 4. **Return a `*cre.Report`** with accessors for workflow ID, owner, execution ID, body, and more.
 
-If verification fails, `cre.ParseReport()` returns an error (for example, `ErrUnknownSigner`, `ErrWrongSignatureCount`, or registry read failure).
+If verification fails, [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) returns an error (for example, `ErrUnknownSigner`, `ErrWrongSignatureCount`, or registry read failure).
 
 ## Testing locally with simulation
 
@@ -16046,7 +16065,7 @@ After you run the [submit guide complete example](/cre/guides/workflow/using-htt
 
 ### Minimal receiver for simulation
 
-Use an empty HTTP trigger for sim. Set `SkipSignatureVerification: true` in staging config (or pass it to `ParseReportWithConfig`). The CLI delivers `--http-payload` file contents as `payload.Input` bytes.
+Use an empty HTTP trigger for sim. Set `SkipSignatureVerification: true` in staging config (or pass it to [`ParseReportWithConfig`](/cre/reference/sdk/core-go#creparsereportwithconfig)). The CLI delivers `--http-payload` file contents as `payload.Input` bytes.
 
 `config.staging.json`:
 
@@ -16135,10 +16154,10 @@ func main() {
 
 ### Sim wiring vs full verify
 
-| Mode                   | Config                                                       | What it validates                                                                             |
-| ---------------------- | ------------------------------------------------------------ | --------------------------------------------------------------------------------------------- |
-| **Wiring / decode**    | `SkipSignatureVerification: true` in `ParseReportWithConfig` | JSON + hex decode, metadata accessors, `Body()`                                               |
-| **Full crypto verify** | Default `cre.ParseReport()` (production registry)            | Reports from a **deployed/production DON**. Sim-signed reports **fail** default verification. |
+| Mode                   | Config                                                                                                              | What it validates                                                                             |
+| ---------------------- | ------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------- |
+| **Wiring / decode**    | `SkipSignatureVerification: true` in [`ParseReportWithConfig`](/cre/reference/sdk/core-go#creparsereportwithconfig) | JSON + hex decode, metadata accessors, `Body()`                                               |
+| **Full crypto verify** | Default [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) (production registry)                      | Reports from a **deployed/production DON**. Sim-signed reports **fail** default verification. |
 
 ```bash
 cre workflow simulate verify-report-receiver \
@@ -16150,8 +16169,8 @@ cre workflow simulate verify-report-receiver \
 
 **Pass criteria**
 
-- **Sim wiring:** `SkipSignatureVerification: true` in `ParseReportWithConfig`: logs show metadata and a successful handler return.
-- **Full crypto verify:** default `ParseReport` with a **production-signed** report (not typical for sender-sim → receiver-sim alone).
+- **Sim wiring:** `SkipSignatureVerification: true` in [`ParseReportWithConfig`](/cre/reference/sdk/core-go#creparsereportwithconfig): logs show metadata and a successful handler return.
+- **Full crypto verify:** default [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) with a **production-signed** report (not typical for sender-sim → receiver-sim alone).
 
 `project.yaml` needs **`ethereum-mainnet` RPC** for default verify (registry reads).
 
@@ -16255,7 +16274,7 @@ func main() {
 **What's happening:**
 
 1. An external system POSTs hex-encoded `report`, `context`, and `signatures` to your HTTP trigger.
-2. `cre.ParseReport()` verifies signatures against the production CRE registry.
+2. [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) verifies signatures against the production CRE registry.
 3. On success, you read metadata and `Body()` safely.
 
 
@@ -16265,7 +16284,7 @@ func main() {
 
 ## Report payload format
 
-Receivers need three JSON fields. The JSON key is `context` even though the SDK field is `ReportContext`:
+When a sender POSTs a [CRE report](/cre/key-terms#report-cre-report) as JSON for offchain verification, receivers need three fields. The JSON key is `context` even though the SDK field is `ReportContext`:
 
 | JSON field   | SDK field       | Description                                                     |
 | ------------ | --------------- | --------------------------------------------------------------- |
@@ -16288,7 +16307,7 @@ See [SDK Reference: Core: Report verification](/cre/reference/sdk/core-go#report
 func ParseReport(runtime Runtime, rawReport []byte, signatures [][]byte, reportContext []byte) (*Report, error)
 ```
 
-Parses and verifies a report against the production CRE environment. Use `ParseReportWithConfig` for custom environments or zones.
+Parses and verifies a report against the production CRE environment. Use [`ParseReportWithConfig`](/cre/reference/sdk/core-go#creparsereportwithconfig) for custom environments or zones.
 
 ### `*cre.Report` accessors
 
@@ -16329,7 +16348,7 @@ report, err := cre.ParseReportWithConfig(runtime, rawReport, sigs, reportContext
 
 This is a **different pattern** from the simulation testing use of `SkipSignatureVerification`. In testing, you skip verification permanently. Here, you parse the header first to inspect metadata (such as `WorkflowID()` or `DONID()` for filtering), then call `VerifySignatures` in a separate step — useful when you want to gate registry reads on workflow identity checks.
 
-If you set `SkipSignatureVerification: true` in `ParseReportWithConfig`, parse the header first, then verify:
+If you set `SkipSignatureVerification: true` in [`ParseReportWithConfig`](/cre/reference/sdk/core-go#creparsereportwithconfig), parse the header first, then verify:
 
 ```go
 report, err := cre.ParseReportWithConfig(runtime, rawReport, sigs, reportContext, cre.ReportParseConfig{
@@ -16348,7 +16367,7 @@ if err := report.VerifySignatures(runtime); err != nil {
 
 ## Best practices
 
-1. **Verify before side effects**: Call `cre.ParseReport()` before writing to databases, chains, or external systems.
+1. **Verify before side effects**: Call [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) before writing to databases, chains, or external systems.
 2. **Permission on metadata**: After verification, check `WorkflowID()`, `WorkflowOwner()`, or `DONID()` match your expectations.
 3. **Deduplicate by execution ID**: Use `ExecutionID()` or `keccak256(rawReport)` to reject replays (see [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go#understanding-cachesettings-for-reports)).
 4. **Do not skip signature verification in production** unless you have another trust path.
@@ -16357,7 +16376,7 @@ if err := report.VerifySignatures(runtime); err != nil {
 
 **`ErrUnknownSigner` / `invalid signature` in sim with fresh webhook JSON**
 
-- **Expected** when using default `ParseReport` on a **sim-signed** report: simulator DON keys do not match mainnet registry signers.
+- **Expected** when using default [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) on a **sim-signed** report: simulator DON keys do not match mainnet registry signers.
 - For local wiring tests, use `SkipSignatureVerification: true`. For real crypto verify, use a **deployed sender** or production-signed reports.
 
 **`ErrUnknownSigner` (deployed)**
diff --git a/src/content/cre/llms-full-ts.txt b/src/content/cre/llms-full-ts.txt
index ee27231a3a5..3e58f8ca273 100644
--- a/src/content/cre/llms-full-ts.txt
+++ b/src/content/cre/llms-full-ts.txt
@@ -99,17 +99,18 @@ Learn more about [Consensus Computing in CRE](/cre/concepts/consensus-computing)
 
 ## Glossary: Building blocks
 
-| Concept            | One-liner                                                         |
-| ------------------ | ----------------------------------------------------------------- |
-| **Workflow**       | Compiled WebAssembly (WASM) binary.                               |
-| **Handler**        | `handler(trigger, callback)` pair; the atom of execution.         |
-| **Trigger**        | Event that starts an execution (cron, HTTP, EVM log, …).          |
-| **Callback**       | Function that runs when its trigger fires; contains your logic.   |
-| **Runtime**        | Object passed to a callback; used to invoke capabilities.         |
-| **Capability**     | Decentralized microservice (chain read/write, HTTP Fetch, ...).   |
-| **Workflow DON**   | Watches triggers and coordinates the workflow.                    |
-| **Capability DON** | Executes a specific capability.                                   |
-| **Consensus**      | BFT protocol that merges node results into one verifiable report. |
+| Concept            | One-liner                                                        |
+| ------------------ | ---------------------------------------------------------------- |
+| **Workflow**       | Compiled WebAssembly (WASM) binary.                              |
+| **Handler**        | `handler(trigger, callback)` pair; the atom of execution.        |
+| **Trigger**        | Event that starts an execution (cron, HTTP, EVM log, …).         |
+| **Callback**       | Function that runs when its trigger fires; contains your logic.  |
+| **Runtime**        | Object passed to a callback; used to invoke capabilities.        |
+| **Capability**     | Decentralized microservice (chain read/write, HTTP Fetch, ...).  |
+| **Workflow DON**   | Watches triggers and coordinates the workflow.                   |
+| **Capability DON** | Executes a specific capability.                                  |
+| **Consensus**      | BFT protocol that merges node results into one trusted outcome.  |
+| **Report**         | DON-signed package from `runtime.report()` / `GenerateReport()`. |
 
 Full definitions live on **[Key Terms and Concepts](/cre/key-terms)**.
 
@@ -149,7 +150,7 @@ Jump to what you need:
 
 # Key Terms and Concepts
 Source: https://docs.chain.link/cre/key-terms
-Last Updated: 2025-11-04
+Last Updated: 2026-05-20
 
 This page defines the fundamental terms and concepts for the Chainlink Runtime Environment (CRE).
 
@@ -216,6 +217,12 @@ Short-lived objects passed to your callback function during a specific execution
 
 Learn more about [Consensus and Aggregation](/cre/reference/sdk/consensus).
 
+### Report (CRE report)
+
+A cryptographically signed package your workflow [DON](/cre/key-terms#decentralized-oracle-network-don) produces after your callback encodes its result: payload bytes, report context, and DON signatures. Create it with [`runtime.report()`](/cre/reference/sdk/core-ts#runtime-and-noderuntime) (TypeScript) or [`runtime.GenerateReport()`](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values) (Go).
+
+Deliver onchain with [`writeReport()`](/cre/reference/sdk/evm-client-ts#writereport) / [`WriteReport()`](/cre/reference/sdk/evm-client-go#writereport), or offchain with [`sendReport()`](/cre/reference/sdk/http-client-ts#using-sendreport) / [`SendReport()`](/cre/reference/sdk/http-client-go#sendrequestersendreport). Receivers verify with [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) or [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport). See [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http) and [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain).
+
 ### SDK Clients: `EVMClient` & `HTTPClient`
 
 The primary SDK clients you use inside a callback to interact with capabilities. For example, you use an EVM client to read from a smart contract and an HTTP client to make offchain API requests.
@@ -4053,7 +4060,7 @@ The CRE SDK provides an HTTP client that allows your workflows to interact with
 
 ## CRE reports over HTTP
 
-A **CRE report** is a DON-signed package your workflow creates with `runtime.report()` (TypeScript) or `runtime.GenerateReport()` (Go). It contains your encoded payload, workflow metadata, and cryptographic signatures.
+A **[CRE report](/cre/key-terms#report-cre-report)** is a DON-signed package your workflow creates with [`runtime.report()`](/cre/reference/sdk/core-ts#runtime-and-noderuntime) (TypeScript) or [`runtime.GenerateReport()`](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values) (Go). It bundles your encoded payload, workflow metadata, report context, and cryptographic signatures from the DON. See [Key Terms: Report](/cre/key-terms#report-cre-report) for the full definition, including how onchain delivery differs from HTTP.
 
 A typical secure integration uses two parties:
 
@@ -15004,7 +15011,7 @@ This guide is for the **sender** side: a CRE workflow that **creates** a signed
 
 **What you'll learn:**
 
-- How to use `sendReport()` to submit reports via HTTP
+- How to use [`sendReport()`](/cre/reference/sdk/http-client-ts#using-sendreport) to submit reports via HTTP
 - How to write transformation functions for different API formats
 - Best practices for report submission and deduplication
 
@@ -15013,26 +15020,32 @@ This guide is for the **sender** side: a CRE workflow that **creates** a signed
   This guide covers HTTP submission. For submitting reports to smart contracts, see [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/overview-ts).
 </Aside>
 
+## What is a CRE report?
+
+A **[CRE report](/cre/key-terms#report-cre-report)** is the signed output your workflow DON produces when you call [`runtime.report()`](/cre/reference/sdk/core-ts#runtime-and-noderuntime). It packages your encoded data (the payload you computed in the callback), fixed workflow metadata, a report context (config digest and sequence number), and ECDSA signatures from DON nodes.
+
+This guide covers the **sender** path: create the report in your workflow, then POST it to an HTTP endpoint. The receiver must verify those signatures before trusting the data. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts) on the receiver side.
+
 ## Where this guide fits
 
-| Question                    | Answer                                                                                                                                                                      |
-| --------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| What is the report?         | Output of `runtime.report()` after your workflow DON reaches consensus: encoded payload + metadata + signatures.                                                            |
-| Where does it come from?    | **Inside this workflow:** after your logic runs (fetch data, compute, encode). There is no separate "get report" step.                                                      |
-| What does this guide cover? | Steps 3–4 below: `runtime.report()`, then `sendReport()` to your API. Steps 1–2 (trigger and your callback logic) are prerequisites, not the focus here.                    |
-| Who verifies it?            | The **receiver:** your HTTP service or a separate CRE workflow. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts). |
+| Question                    | Answer                                                                                                                                                                                                                                                               |
+| --------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| What is the report?         | A [CRE report](/cre/key-terms#report-cre-report): output of [`runtime.report()`](/cre/reference/sdk/core-ts#runtime-and-noderuntime) after DON consensus (encoded payload + metadata + signatures).                                                                  |
+| Where does it come from?    | **Inside this workflow:** after your logic runs (fetch data, compute, encode). There is no separate "get report" step.                                                                                                                                               |
+| What does this guide cover? | Steps 3–4 below: [`runtime.report()`](/cre/reference/sdk/core-ts#runtime-and-noderuntime), then [`sendReport()`](/cre/reference/sdk/http-client-ts#using-sendreport) to your API. Steps 1–2 (trigger and your callback logic) are prerequisites, not the focus here. |
+| Who verifies it?            | The **receiver:** your HTTP service or a separate CRE workflow. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts).                                                                                          |
 
 **Sender flow in one workflow execution:**
 
 1. Trigger fires (cron, HTTP, …).
 2. Your callback runs (API calls, encoding, etc.).
-3. `runtime.report()`: DON produces a signed `ReportResponse`.
-4. `sendReport()`: format and POST to your URL.
+3. [`runtime.report()`](/cre/reference/sdk/core-ts#runtime-and-noderuntime): DON produces a signed `ReportResponse`.
+4. [`sendReport()`](/cre/reference/sdk/http-client-ts#using-sendreport): format and POST to your URL.
 
 ## Prerequisites
 
 - Familiarity with [making POST requests](/cre/guides/workflow/using-http-client/post-request)
-- Familiarity with `runtime.report()` (covered [below](#generating-reports-for-http-submission))
+- Familiarity with [`runtime.report()`](/cre/reference/sdk/core-ts#runtime-and-noderuntime) (covered [below](#generating-reports-for-http-submission))
 - **`viem`** as a direct dependency in the workflow `package.json` (for ABI encoding in examples)
 - Protobuf HTTP/report types from **`@chainlink/cre-sdk/pb`** (`SDK_PB.ReportResponse`, `HTTP_CLIENT_PB.RequestJson`), not the main `@chainlink/cre-sdk` entry
 
@@ -15095,7 +15108,7 @@ const submitReport = (sendRequester: HTTPSendRequester, report: Report): { succe
 **What's happening here:**
 
 1. `formatReportSimple` transforms the report into an HTTP request that your API understands
-2. `sendRequester.sendReport()` calls your transformation function and sends the request
+2. [`sendRequester.sendReport()`](/cre/reference/sdk/http-client-ts#using-sendreport) calls your transformation function and sends the request
 3. The SDK handles consensus and returns the result
 
 The rest of this guide explains how this works and shows different formatting patterns for various API requirements.
@@ -15104,7 +15117,7 @@ The rest of this guide explains how this works and shows different formatting pa
 
 ### The report structure
 
-When you call `runtime.report()`, the SDK creates a `ReportResponse` containing:
+After [consensus](/cre/key-terms#consensus), [`runtime.report()`](/cre/reference/sdk/core-ts#runtime-and-noderuntime) returns a `ReportResponse`: the wire-format view of a [CRE report](/cre/key-terms#report-cre-report). It contains:
 
 ```typescript
 interface ReportResponse {
@@ -15133,7 +15146,7 @@ Your transformation function tells the SDK how to format the report for your API
 
 **The SDK calls this function internally:**
 
-1. You pass your transformation function to `sendReport()`
+1. You pass your transformation function to [`sendReport()`](/cre/reference/sdk/http-client-ts#using-sendreport)
 2. The SDK calls it with the generated `ReportResponse`
 3. Your function returns a `RequestJson` formatted for your API
 4. The SDK sends the request and handles consensus
@@ -15383,7 +15396,7 @@ This approach is reliable because the `rawReport` is identical across all nodes
 
 ## Generating reports for HTTP submission
 
-Before you can submit a report via HTTP, you need to generate it using `runtime.report()`. This creates a cryptographically signed report from your encoded data.
+Before you can submit a report via HTTP, you need to generate it using [`runtime.report()`](/cre/reference/sdk/core-ts#runtime-and-noderuntime). This creates a cryptographically signed report from your encoded data.
 
 **Basic pattern:**
 
@@ -15407,11 +15420,11 @@ const report = runtime
 // Step 3: Submit via HTTP (covered in next section)
 ```
 
-The `runtime.report()` method works the same way whether you're encoding a single value or a struct—just use Viem's `encodeAbiParameters()` with the appropriate ABI types. For detailed examples on encoding single values, structs, and complex types, see the [Writing Data Onchain](/cre/guides/workflow/using-evm-client/onchain-write/writing-data-onchain) guide.
+The [`runtime.report()`](/cre/reference/sdk/core-ts#runtime-and-noderuntime) method works the same way whether you're encoding a single value or a struct—just use Viem's `encodeAbiParameters()` with the appropriate ABI types. For detailed examples on encoding single values, structs, and complex types, see the [Writing Data Onchain](/cre/guides/workflow/using-evm-client/onchain-write/writing-data-onchain) guide.
 
 ## Using `sendReport()` (recommended approach)
 
-Use the high-level `httpClient.sendRequest()` pattern with `sendRequester.sendReport()`:
+Use the high-level `httpClient.sendRequest()` pattern with [`sendRequester.sendReport()`](/cre/reference/sdk/http-client-ts#using-sendreport):
 
 ```typescript
 import {
@@ -15662,7 +15675,7 @@ const onCronTrigger = (runtime: Runtime<Config>): MyResult => {
 
 
 <Aside type="caution" title="Signature verification is your responsibility">
-  Unlike onchain submissions (where the `KeystoneForwarder` contract verifies signatures), **HTTP submissions require you to verify signatures** before trusting the report data. Use `Report.parse()` in a receiver workflow or implement equivalent checks in your API. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts).
+  Unlike onchain submissions (where the `KeystoneForwarder` contract verifies signatures), **HTTP submissions require you to verify signatures** before trusting the report data. Use [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) in a receiver workflow or implement equivalent checks in your API. See [Verifying CRE Reports Offchain](/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts).
 </Aside>
 
 ## Troubleshooting
@@ -15703,11 +15716,11 @@ This guide is for the **receiver** side: you already received a CRE report packa
 
 When a workflow delivers results via HTTP (or another offchain channel), nothing onchain automatically validates the report. **You must verify signatures before trusting the data.**
 
-The CRE SDK provides `Report.parse()` to do this inside a workflow. Verification runs **offchain** in your callback: signatures are checked with local cryptography, while authorized signer addresses are loaded via **read-only calls to the onchain Capability Registry** (default: Ethereum Mainnet). Results are cached per DON.
+The CRE SDK provides [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) to do this inside a workflow. Verification runs **offchain** in your callback: signatures are checked with local cryptography, while authorized signer addresses are loaded via **read-only calls to the onchain Capability Registry** (default: Ethereum Mainnet). Results are cached per DON.
 
 
 <Aside type="note" title="Not your workflow deployment registry">
-  This guide uses the **Capability Registry** (DON signers), not the **workflow registry** where you deploy (`private` or `onchain:ethereum-mainnet`). If you deployed with the [private registry](/cre/guides/operations/deploying-to-private-registry-ts), `Report.parse` still works the same way. For an HTTP-triggered receiver, use the [enterprise gateway URL](/cre/guides/operations/deploying-to-private-registry-ts#http-triggers-with-the-private-registry) when triggering deployed workflows. Local simulation may still need an `ethereum-mainnet` RPC in `project.yaml` for those registry reads, even though private deploy does not.
+  This guide uses the **Capability Registry** (DON signers), not the **workflow registry** where you deploy (`private` or `onchain:ethereum-mainnet`). If you deployed with the [private registry](/cre/guides/operations/deploying-to-private-registry-ts), [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) still works the same way. For an HTTP-triggered receiver, use the [enterprise gateway URL](/cre/guides/operations/deploying-to-private-registry-ts#http-triggers-with-the-private-registry) when triggering deployed workflows. Local simulation may still need an `ethereum-mainnet` RPC in `project.yaml` for those registry reads, even though private deploy does not.
 </Aside>
 
 
@@ -15715,20 +15728,26 @@ The CRE SDK provides `Report.parse()` to do this inside a workflow. Verification
   When you submit reports onchain through the `KeystoneForwarder`, the forwarder contract verifies signatures before calling your consumer's `onReport`. This guide covers **offchain** verification for HTTP and custom ingest paths. See [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain).
 </Aside>
 
+## What is a CRE report?
+
+A **[CRE report](/cre/key-terms#report-cre-report)** is a DON-signed package another workflow (or system) created with [`runtime.report()`](/cre/reference/sdk/core-ts#runtime-and-noderuntime). You receive its bytes over HTTP (or another channel) as `rawReport`, `reportContext`, and `signatures`. Before you use the encoded payload, you must confirm the signatures match authorized DON signers on the Capability Registry.
+
+This guide is the **receiver** path: decode the POST body, call [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification), then read trusted metadata and `body()`. See [Key Terms: Report](/cre/key-terms#report-cre-report) for how reports are created and delivered.
+
 ## Where this guide fits
 
-| Question                     | Answer                                                                                                                                                                                      |
-| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| What is the report?          | Same CRE report the **sender** created with `runtime.report()`. See [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#where-this-guide-fits). |
-| Where does it come from?     | Another workflow (or system) already ran sender steps: logic → `runtime.report()` → HTTP POST. You receive `rawReport`, `context`, and `signatures` in the request body.                    |
-| What does this guide cover?  | Step 3 below: `Report.parse()` before you use `body()` or take side effects.                                                                                                                |
-| Same workflow as the sender? | Often **no:** common pattern is Workflow A (publish) and Workflow B (ingest with HTTP trigger).                                                                                             |
+| Question                     | Answer                                                                                                                                                                                                                                                                               |
+| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| What is the report?          | Same [CRE report](/cre/key-terms#report-cre-report) the **sender** created with [`runtime.report()`](/cre/reference/sdk/core-ts#runtime-and-noderuntime). See [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#what-is-a-cre-report). |
+| Where does it come from?     | Another workflow (or system) already ran sender steps: logic → [`runtime.report()`](/cre/reference/sdk/core-ts#runtime-and-noderuntime) → HTTP POST. You receive `rawReport`, `context`, and `signatures` in the request body.                                                       |
+| What does this guide cover?  | Step 3 below: [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) before you use `body()` or take side effects.                                                                                                                                                       |
+| Same workflow as the sender? | Often **no:** common pattern is Workflow A (publish) and Workflow B (ingest with HTTP trigger).                                                                                                                                                                                      |
 
 **Receiver flow:**
 
 1. HTTP trigger (or your API) receives the POST payload.
 2. Decode hex fields into bytes.
-3. `Report.parse()`: verify signatures and read metadata.
+3. [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification): verify signatures and read metadata.
 4. Use trusted `body()` in your logic.
 
 Pair this guide with [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts) on the sender side. This guide covers local simulation first, then the deploy example with `authorizedKeys`.
@@ -15736,7 +15755,7 @@ Pair this guide with [Submitting Reports via HTTP](/cre/guides/workflow/using-ht
 ## What you'll learn
 
 - When to verify reports offchain vs relying on onchain forwarders
-- How `Report.parse()` validates signatures and reads metadata
+- How [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) validates signatures and reads metadata
 - How to build a receiver workflow that accepts reports over HTTP
 - How to restrict verification to specific CRE environments or zones
 
@@ -15748,12 +15767,12 @@ Pair this guide with [Submitting Reports via HTTP](/cre/guides/workflow/using-ht
 
 ## Onchain vs offchain verification
 
-| Aspect               | Offchain (`Report.parse`)                                    | Onchain (`KeystoneForwarder`)     |
-| -------------------- | ------------------------------------------------------------ | --------------------------------- |
-| **Where it runs**    | Inside your CRE workflow callback                            | In a smart contract transaction   |
-| **Signature check**  | Local `ecrecover` on report hash                             | Contract logic onchain            |
-| **Signer allowlist** | Read from Capability Registry (`getDON`, `getNodesByP2PIds`) | Forwarder + registry              |
-| **Typical use**      | HTTP APIs, webhooks, ingest workflows                        | Consumer contracts via `onReport` |
+| Aspect               | Offchain ([`Report.parse()`](/cre/reference/sdk/core-ts#report-verification)) | Onchain (`KeystoneForwarder`)     |
+| -------------------- | ----------------------------------------------------------------------------- | --------------------------------- |
+| **Where it runs**    | Inside your CRE workflow callback                                             | In a smart contract transaction   |
+| **Signature check**  | Local `ecrecover` on report hash                                              | Contract logic onchain            |
+| **Signer allowlist** | Read from Capability Registry (`getDON`, `getNodesByP2PIds`)                  | Forwarder + registry              |
+| **Typical use**      | HTTP APIs, webhooks, ingest workflows                                         | Consumer contracts via `onReport` |
 
 Offchain verification still uses **onchain data as a trust anchor**: the first time a DON is seen, the SDK reads the production Capability Registry on Ethereum Mainnet to learn `f` and authorized signer addresses.
 
@@ -15769,7 +15788,7 @@ Default (`productionEnvironment()`):
 3. **Verify signatures**: compute `keccak256(keccak256(rawReport) || reportContext)`, recover signers, require **f+1** valid signatures from authorized nodes.
 4. **Return a `Report` object** with accessors for workflow ID, owner, execution ID, body, and more.
 
-If verification fails, `Report.parse()` throws (for example, unknown signer, insufficient signatures, or registry read failure).
+If verification fails, [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) throws (for example, unknown signer, insufficient signatures, or registry read failure).
 
 ## Testing locally with simulation
 
@@ -15781,14 +15800,14 @@ After you run the [submit guide complete example](/cre/guides/workflow/using-htt
 
 ### Sim wiring vs full verify
 
-| Mode                   | Config                                              | What it validates                                                                                                                                                                      |
-| ---------------------- | --------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| **Wiring / decode**    | `skipSignatureVerification: true` in staging config | JSON + hex decode, `workflowId()`, `executionId()`, `donId()`, `body()`                                                                                                                |
-| **Full crypto verify** | Default `Report.parse()` (production registry)      | Reports from a **deployed/production DON**. Sim-signed reports **fail** default verification: simulation uses local DON keys; `Report.parse()` checks the mainnet Capability Registry. |
+| Mode                   | Config                                                                                           | What it validates                                                                                                                                                                                                                        |
+| ---------------------- | ------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **Wiring / decode**    | `skipSignatureVerification: true` in staging config                                              | JSON + hex decode, `workflowId()`, `executionId()`, `donId()`, `body()`                                                                                                                                                                  |
+| **Full crypto verify** | Default [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) (production registry) | Reports from a **deployed/production DON**. Sim-signed reports **fail** default verification: simulation uses local DON keys; [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) checks the mainnet Capability Registry. |
 
 ### Minimal receiver for simulation
 
-Use an **empty HTTP trigger config** for sim (add `authorizedKeys` before deploy). Call `Report.parse()` from your handler with the `runtime` parameter. The CLI delivers `--http-payload` file contents as `payload.input` bytes.
+Use an **empty HTTP trigger config** for sim (add `authorizedKeys` before deploy). Call [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) from your handler with the `runtime` parameter. The CLI delivers `--http-payload` file contents as `payload.input` bytes.
 
 `config.staging.json`:
 
@@ -15949,7 +15968,7 @@ export const initWorkflow = (config: Config, _secretsProvider: SecretsProvider)
 **What's happening:**
 
 1. An external system POSTs hex-encoded `report`, `context`, and `signatures` to your HTTP trigger.
-2. `Report.parse()` verifies signatures against the production CRE registry.
+2. [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) verifies signatures against the production CRE registry.
 3. On success, you read metadata and `body()` safely.
 
 
@@ -15959,7 +15978,7 @@ export const initWorkflow = (config: Config, _secretsProvider: SecretsProvider)
 
 ## Report payload format
 
-Receivers need three JSON fields (plus optional metadata your API may add). The JSON key is `context` even though the SDK field is `reportContext`:
+When a sender POSTs a [CRE report](/cre/key-terms#report-cre-report) as JSON for offchain verification, receivers need three fields (plus optional metadata your API may add). The JSON key is `context` even though the SDK field is `reportContext`:
 
 | JSON field   | SDK field       | Description                                                     |
 | ------------ | --------------- | --------------------------------------------------------------- |
@@ -16018,17 +16037,17 @@ const config: ReportParseConfig = {
 }
 ```
 
-| Option                      | Description                                                                                                                                                                                                                                                                |
-| --------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `acceptedEnvironments`      | Registry environments to check (defaults to production)                                                                                                                                                                                                                    |
-| `acceptedZones`             | Restrict to specific DON IDs within an environment                                                                                                                                                                                                                         |
-| `skipSignatureVerification` | Parse metadata only, without registry reads or signature checks. Use only for testing or when another layer verifies signatures. There is no separate `verifySignatures()` on `Report` in TypeScript; call `Report.parse()` without this flag for production verification. |
+| Option                      | Description                                                                                                                                                                                                                                                                                                                  |
+| --------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `acceptedEnvironments`      | Registry environments to check (defaults to production)                                                                                                                                                                                                                                                                      |
+| `acceptedZones`             | Restrict to specific DON IDs within an environment                                                                                                                                                                                                                                                                           |
+| `skipSignatureVerification` | Parse metadata only, without registry reads or signature checks. Use only for testing or when another layer verifies signatures. There is no separate `verifySignatures()` on `Report` in TypeScript; call [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) without this flag for production verification. |
 
 Most workflows should use the default config (production environment only).
 
 ## Best practices
 
-1. **Verify before side effects**: Call `Report.parse()` before writing to databases, chains, or external systems.
+1. **Verify before side effects**: Call [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) before writing to databases, chains, or external systems.
 2. **Permission on metadata**: After verification, check `workflowId()`, `workflowOwner()`, or `donId()` match your expectations.
 3. **Deduplicate by execution ID**: Use `executionId()` or `keccak256(rawReport)` to reject replays (see [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#understanding-cachesettings-for-reports)).
 4. **Do not skip signature verification in production** unless you have another trust path.
@@ -16037,12 +16056,12 @@ Most workflows should use the default config (production environment only).
 
 **Empty error after verify sim**
 
-- `Report.parse()` may throw an **`AggregateError`** of multiple `invalid signature` errors. **`AggregateError.message` is often empty**, so the CLI prints `Execution resulted in an error being returned:` with nothing after the colon.
+- [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) may throw an **`AggregateError`** of multiple `invalid signature` errors. **`AggregateError.message` is often empty**, so the CLI prints `Execution resulted in an error being returned:` with nothing after the colon.
 - Format errors in your handler before rethrowing (see the simulation example above).
 
 **`invalid signature` / `unknown signer` in sim with fresh webhook JSON**
 
-- **Expected** when using default `Report.parse()` on a **sim-signed** report: simulator DON keys do not match mainnet registry signers.
+- **Expected** when using default [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) on a **sim-signed** report: simulator DON keys do not match mainnet registry signers.
 - For local wiring tests, set `skipSignatureVerification: true`. For real crypto verify, use a **deployed sender** or production-signed reports.
 
 **`invalid signature` / `unknown signer` (deployed)**

From 86cec49023729507d6a30db7a09b2b293c752bf5 Mon Sep 17 00:00:00 2001
From: devin distefano <devin.distefano@smartcontract.com>
Date: Tue, 9 Jun 2026 11:28:59 -0500
Subject: [PATCH 7/9] restructure (untested)

---
 .../verifying-reports-offchain-go.mdx         | 168 +++++++++++++++---
 .../verifying-reports-offchain-ts.mdx         | 152 +++++++++++++---
 src/content/cre/llms-full-go.txt              | 168 +++++++++++++++---
 src/content/cre/llms-full-ts.txt              | 152 +++++++++++++---
 4 files changed, 524 insertions(+), 116 deletions(-)

diff --git a/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-go.mdx b/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-go.mdx
index d87b1fffa39..2710d920dc5 100644
--- a/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-go.mdx
+++ b/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-go.mdx
@@ -16,47 +16,34 @@ This guide is for the **receiver** side: you already received a CRE report packa
 
 When a workflow delivers results via HTTP (or another offchain channel), nothing onchain automatically validates the report. **You must verify signatures before trusting the data.**
 
-The CRE SDK provides [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) to do this inside a workflow. Verification runs offchain in your callback: signatures are checked with local cryptography, while authorized signer addresses are loaded via **read-only calls to the onchain Capability Registry** (default: Ethereum Mainnet). Results are cached per DON.
+There are two ways to verify, depending on who receives the POST:
 
-{/* prettier-ignore */}
-<Aside type="note" title="Not your workflow deployment registry">
-  This guide uses the **Capability Registry** (DON signers), not the **workflow registry** where you deploy (`private` or `onchain:ethereum-mainnet`). If you deployed with the [private registry](/cre/guides/operations/deploying-to-private-registry-go), [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) still works the same way. For an HTTP-triggered receiver, use the [enterprise gateway URL](/cre/guides/operations/deploying-to-private-registry-go#http-triggers-with-the-private-registry) when triggering deployed workflows. Local simulation may still need an `ethereum-mainnet` RPC in `project.yaml` for those registry reads, even though private deploy does not.
-</Aside>
+| My receiver is...                               | Use                                                                                                                                                                                                                  |
+| ----------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **My own API or server** (Go HTTP server, etc.) | [Verifying outside CRE](#verifying-outside-cre) — standard crypto libraries, no CRE SDK needed                                                                                                                       |
+| **A CRE workflow** with an HTTP trigger         | [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) — see [Testing locally with simulation](#testing-locally-with-simulation) and the [deploy example](#complete-example-http-receiver-workflow-deploy) |
 
-{/* prettier-ignore */}
-<Aside type="note" title="Onchain verification is different">
-  When you submit reports onchain through the `KeystoneForwarder`, the forwarder contract verifies signatures before calling your consumer's `onReport`. This guide covers **offchain** verification for HTTP and custom ingest paths. See [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain).
-</Aside>
+Both paths run the same cryptographic checks against the same onchain Capability Registry. The difference is whether you use the CRE SDK's helper (which requires `runtime`) or implement it yourself with standard libraries.
 
 ## What is a CRE report?
 
 A **[CRE report](/cre/key-terms#report-cre-report)** is a DON-signed package another workflow (or system) created with [`runtime.GenerateReport()`](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values). You receive its bytes over HTTP (or another channel) as `rawReport`, `reportContext`, and `signatures`. Before you use the encoded payload, you must confirm the signatures match authorized DON signers on the Capability Registry.
 
-This guide is the **receiver** path: decode the POST body, call [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport), then read trusted metadata and `Body()`. See [Key Terms: Report](/cre/key-terms#report-cre-report) for how reports are created and delivered.
-
-## Where this guide fits
+See [Key Terms: Report](/cre/key-terms#report-cre-report) for how reports are created and delivered. Pair this guide with [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go) on the sender side.
 
-| Question                     | Answer                                                                                                                                                                                                                                                                                                                         |
-| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| What is the report?          | Same [CRE report](/cre/key-terms#report-cre-report) the **sender** created with [`runtime.GenerateReport()`](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values). See [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go#what-is-a-cre-report). |
-| Where does it come from?     | Another workflow (or system) already ran sender steps: logic → [`runtime.GenerateReport()`](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values) → HTTP POST. You receive `rawReport`, `context`, and `signatures` in the request body.                                                       |
-| What does this guide cover?  | Step 3 below: [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) before you use `Body()` or take side effects.                                                                                                                                                                                                   |
-| Same workflow as the sender? | Often **no:** common pattern is Workflow A (publish) and Workflow B (ingest with HTTP trigger).                                                                                                                                                                                                                                |
+**Receiver flow (both paths):**
 
-**Receiver flow:**
-
-1. HTTP trigger (or your API) receives the POST payload.
+1. Your endpoint (API or CRE HTTP trigger) receives the POST payload.
 2. Decode hex fields into bytes.
-3. [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport): verify signatures and read metadata.
-4. Use trusted `Body()` in your logic.
-
-Pair this guide with [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go) on the sender side. This guide covers local simulation first, then the deploy example with `AuthorizedKeys`.
+3. Verify signatures against the Capability Registry.
+4. Use the trusted payload body in your logic.
 
 ## What you'll learn
 
 - When to verify reports offchain vs relying on onchain forwarders
-- How [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) validates signatures and reads metadata
-- How to build a receiver workflow that accepts reports over HTTP
+- How [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) validates signatures and reads metadata (inside a CRE workflow)
+- How to build a CRE receiver workflow that accepts reports over HTTP
+- How to verify reports in your own API server without a CRE receiver workflow
 - How to restrict verification to specific CRE environments or zones
 
 ## Prerequisites
@@ -72,7 +59,7 @@ Pair this guide with [Submitting Reports via HTTP](/cre/guides/workflow/using-ht
 | **Where it runs**    | Inside your CRE workflow callback                                           | In a smart contract transaction   |
 | **Signature check**  | Local `ecrecover` on report hash                                            | Contract logic onchain            |
 | **Signer allowlist** | Read from Capability Registry (`getDON`, `getNodesByP2PIds`)                | Forwarder + registry              |
-| **Typical use**      | HTTP APIs, webhooks, ingest workflows                                       | Consumer contracts via `onReport` |
+| **Typical use**      | CRE receiver workflows with an HTTP trigger                                 | Consumer contracts via `onReport` |
 
 Offchain verification still uses **onchain data as a trust anchor**: the first time a DON is seen, the SDK reads the production Capability Registry on Ethereum Mainnet to learn `f` and authorized signer addresses.
 
@@ -90,7 +77,130 @@ Default (`cre.ProductionEnvironment()`):
 
 If verification fails, [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) returns an error (for example, `ErrUnknownSigner`, `ErrWrongSignatureCount`, or registry read failure).
 
-## Testing locally with simulation
+## Verifying outside CRE
+
+[`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) requires the CRE `runtime` object, so it can only run inside a CRE workflow callback. If your API server receives reports directly, you can implement the same verification steps with standard libraries — no CRE SDK required.
+
+**What you need:**
+
+- An Ethereum Mainnet RPC endpoint (for Capability Registry reads)
+- `github.com/ethereum/go-ethereum/crypto` for `Keccak256` and signature recovery
+
+**Verification steps:**
+
+1. Decode the hex JSON fields into bytes.
+2. Parse the **109-byte metadata header** from `rawReport` to extract `donId`, `workflowId`, `workflowOwner`, and `body`.
+3. Compute the message hash: `keccak256(keccak256(rawReport) || reportContext)`.
+4. Fetch the DON's fault tolerance `f` and authorized signer addresses from the **Capability Registry** on Ethereum Mainnet (`0x76c9cf548b4179F8901cda1f8623568b58215E62`): call `getDON(donId)` then `getNodesByP2PIds(p2pIds)`.
+5. For each signature (65 bytes), recover the signing address. Require at least **f+1** addresses from the authorized signer set.
+
+The following sketch shows the crypto steps. The Capability Registry call (step 4) follows the same `getDON` → `getNodesByP2PIds` ABI logic used in the CRE SDK; see [`report_verification.go` in cre-sdk-go](https://github.com/smartcontractkit/cre-sdk-go) for the exact call and decoding logic.
+
+```go
+package main
+
+import (
+	"encoding/binary"
+	"encoding/hex"
+	"fmt"
+
+	"github.com/ethereum/go-ethereum/common"
+	"github.com/ethereum/go-ethereum/crypto"
+	"github.com/ethereum/go-ethereum/ethclient"
+)
+
+const (
+	reportHeaderLength = 109
+	capabilityRegistry = "0x76c9cf548b4179F8901cda1f8623568b58215E62"
+)
+
+// parseHeader extracts key fields from the 109-byte rawReport metadata header.
+func parseHeader(rawReport []byte) (donId uint32, workflowId string, body []byte, err error) {
+	if len(rawReport) < reportHeaderLength {
+		return 0, "", nil, fmt.Errorf("rawReport too short: need %d bytes, got %d", reportHeaderLength, len(rawReport))
+	}
+	donId = binary.BigEndian.Uint32(rawReport[37:41])
+	workflowId = hex.EncodeToString(rawReport[45:77])
+	body = rawReport[reportHeaderLength:]
+	return
+}
+
+// reportHash computes keccak256(keccak256(rawReport) || reportContext).
+func reportHash(rawReport, reportContext []byte) []byte {
+	inner := crypto.Keccak256(rawReport)
+	return crypto.Keccak256(append(inner, reportContext...))
+}
+
+// fetchSigners calls the Capability Registry on Ethereum Mainnet to get
+// the fault tolerance f and authorized signer addresses for the given DON.
+// Use go-ethereum's ethclient and ABI encoding.
+// See report_verification.go in cre-sdk-go for the exact call and decoding logic.
+func fetchSigners(client *ethclient.Client, donId uint32) (f int, signers map[common.Address]bool, err error) {
+	// TODO: implement using your Ethereum Mainnet RPC
+	// 1. ABI-encode getDON(donId), call capabilityRegistry, decode f and nodeP2PIds
+	// 2. ABI-encode getNodesByP2PIds(nodeP2PIds), call capabilityRegistry, decode signer addresses
+	return 0, nil, fmt.Errorf("implement: call getDON then getNodesByP2PIds on the Capability Registry")
+}
+
+// verifyReport checks that ≥ f+1 signatures are from authorized DON signers.
+func verifyReport(rawReport []byte, signatures [][]byte, reportContext []byte, client *ethclient.Client) error {
+	donId, _, _, err := parseHeader(rawReport)
+	if err != nil {
+		return err
+	}
+	f, signers, err := fetchSigners(client, donId)
+	if err != nil {
+		return err
+	}
+	hash := reportHash(rawReport, reportContext)
+	required := f + 1
+	valid := 0
+
+	for _, sig := range signatures {
+		if len(sig) != 65 {
+			continue
+		}
+		norm := make([]byte, 65)
+		copy(norm, sig)
+		if norm[64] >= 27 {
+			norm[64] -= 27 // normalize recovery byte
+		}
+		pubKey, err := crypto.SigToPub(hash, norm)
+		if err != nil {
+			continue
+		}
+		addr := crypto.PubkeyToAddress(*pubKey)
+		if signers[addr] {
+			valid++
+		}
+		if valid >= required {
+			return nil
+		}
+	}
+	return fmt.Errorf("insufficient valid signatures: %d/%d", valid, required)
+}
+```
+
+{/* prettier-ignore */}
+<Aside type="caution" title="Cache registry results">
+  The Capability Registry read for a DON ID is expensive (two onchain calls). Cache the result by DON ID in your server — it changes only when DON configuration changes. The CRE SDK does this automatically; in your own code you are responsible for invalidating the cache if you observe unexpected signer changes.
+</Aside>
+
+## CRE receiver workflow
+
+Use this path if you want the receiver itself to be a CRE workflow (with an HTTP trigger). The CRE SDK's [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) handles registry reads and caching automatically.
+
+{/* prettier-ignore */}
+<Aside type="note" title="Using the private registry?">
+  This guide uses the **Capability Registry** (DON signers), not the **workflow registry** where you deploy. [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) works the same way regardless of which registry you deployed with. For HTTP-triggered receivers, use the [enterprise gateway URL](/cre/guides/operations/deploying-to-private-registry-go#http-triggers-with-the-private-registry). Local simulation may need an `ethereum-mainnet` RPC in `project.yaml` for registry reads.
+</Aside>
+
+{/* prettier-ignore */}
+<Aside type="note" title="Onchain verification is different">
+  When you submit reports onchain through the `KeystoneForwarder`, the forwarder contract verifies signatures before calling `onReport`. See [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain).
+</Aside>
+
+### Testing locally with simulation
 
 After you run the [submit guide complete example](/cre/guides/workflow/using-http-client/submitting-reports-http-go#complete-working-example) and copy JSON from webhook.site, use this section to exercise a receiver workflow in simulation.
 
diff --git a/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts.mdx b/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts.mdx
index ed6a799d911..68bf1ce1f33 100644
--- a/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts.mdx
+++ b/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts.mdx
@@ -16,47 +16,34 @@ This guide is for the **receiver** side: you already received a CRE report packa
 
 When a workflow delivers results via HTTP (or another offchain channel), nothing onchain automatically validates the report. **You must verify signatures before trusting the data.**
 
-The CRE SDK provides [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) to do this inside a workflow. Verification runs **offchain** in your callback: signatures are checked with local cryptography, while authorized signer addresses are loaded via **read-only calls to the onchain Capability Registry** (default: Ethereum Mainnet). Results are cached per DON.
+There are two ways to verify, depending on who receives the POST:
 
-{/* prettier-ignore */}
-<Aside type="note" title="Not your workflow deployment registry">
-  This guide uses the **Capability Registry** (DON signers), not the **workflow registry** where you deploy (`private` or `onchain:ethereum-mainnet`). If you deployed with the [private registry](/cre/guides/operations/deploying-to-private-registry-ts), [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) still works the same way. For an HTTP-triggered receiver, use the [enterprise gateway URL](/cre/guides/operations/deploying-to-private-registry-ts#http-triggers-with-the-private-registry) when triggering deployed workflows. Local simulation may still need an `ethereum-mainnet` RPC in `project.yaml` for those registry reads, even though private deploy does not.
-</Aside>
+| My receiver is...                                            | Use                                                                                                                                                                                                                    |
+| ------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **My own API or server** (Express, FastAPI, Go server, etc.) | [Verifying outside CRE](#verifying-outside-cre) — standard crypto libraries, no CRE SDK needed                                                                                                                         |
+| **A CRE workflow** with an HTTP trigger                      | [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) — see [Testing locally with simulation](#testing-locally-with-simulation) and the [deploy example](#complete-example-http-receiver-workflow-deploy) |
 
-{/* prettier-ignore */}
-<Aside type="note" title="Onchain verification is different">
-  When you submit reports onchain through the `KeystoneForwarder`, the forwarder contract verifies signatures before calling your consumer's `onReport`. This guide covers **offchain** verification for HTTP and custom ingest paths. See [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain).
-</Aside>
+Both paths run the same cryptographic checks against the same onchain Capability Registry. The difference is whether you use the CRE SDK's helper (which requires `runtime`) or implement it yourself with standard libraries.
 
 ## What is a CRE report?
 
 A **[CRE report](/cre/key-terms#report-cre-report)** is a DON-signed package another workflow (or system) created with [`runtime.report()`](/cre/reference/sdk/core-ts#runtime-and-noderuntime). You receive its bytes over HTTP (or another channel) as `rawReport`, `reportContext`, and `signatures`. Before you use the encoded payload, you must confirm the signatures match authorized DON signers on the Capability Registry.
 
-This guide is the **receiver** path: decode the POST body, call [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification), then read trusted metadata and `body()`. See [Key Terms: Report](/cre/key-terms#report-cre-report) for how reports are created and delivered.
-
-## Where this guide fits
+See [Key Terms: Report](/cre/key-terms#report-cre-report) for how reports are created and delivered. Pair this guide with [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts) on the sender side.
 
-| Question                     | Answer                                                                                                                                                                                                                                                                               |
-| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| What is the report?          | Same [CRE report](/cre/key-terms#report-cre-report) the **sender** created with [`runtime.report()`](/cre/reference/sdk/core-ts#runtime-and-noderuntime). See [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#what-is-a-cre-report). |
-| Where does it come from?     | Another workflow (or system) already ran sender steps: logic → [`runtime.report()`](/cre/reference/sdk/core-ts#runtime-and-noderuntime) → HTTP POST. You receive `rawReport`, `context`, and `signatures` in the request body.                                                       |
-| What does this guide cover?  | Step 3 below: [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) before you use `body()` or take side effects.                                                                                                                                                       |
-| Same workflow as the sender? | Often **no:** common pattern is Workflow A (publish) and Workflow B (ingest with HTTP trigger).                                                                                                                                                                                      |
+**Receiver flow (both paths):**
 
-**Receiver flow:**
-
-1. HTTP trigger (or your API) receives the POST payload.
+1. Your endpoint (API or CRE HTTP trigger) receives the POST payload.
 2. Decode hex fields into bytes.
-3. [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification): verify signatures and read metadata.
-4. Use trusted `body()` in your logic.
-
-Pair this guide with [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts) on the sender side. This guide covers local simulation first, then the deploy example with `authorizedKeys`.
+3. Verify signatures against the Capability Registry.
+4. Use the trusted payload body in your logic.
 
 ## What you'll learn
 
 - When to verify reports offchain vs relying on onchain forwarders
-- How [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) validates signatures and reads metadata
-- How to build a receiver workflow that accepts reports over HTTP
+- How [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) validates signatures and reads metadata (inside a CRE workflow)
+- How to build a CRE receiver workflow that accepts reports over HTTP
+- How to verify reports in your own API server without a CRE receiver workflow
 - How to restrict verification to specific CRE environments or zones
 
 ## Prerequisites
@@ -72,7 +59,7 @@ Pair this guide with [Submitting Reports via HTTP](/cre/guides/workflow/using-ht
 | **Where it runs**    | Inside your CRE workflow callback                                             | In a smart contract transaction   |
 | **Signature check**  | Local `ecrecover` on report hash                                              | Contract logic onchain            |
 | **Signer allowlist** | Read from Capability Registry (`getDON`, `getNodesByP2PIds`)                  | Forwarder + registry              |
-| **Typical use**      | HTTP APIs, webhooks, ingest workflows                                         | Consumer contracts via `onReport` |
+| **Typical use**      | CRE receiver workflows with an HTTP trigger                                   | Consumer contracts via `onReport` |
 
 Offchain verification still uses **onchain data as a trust anchor**: the first time a DON is seen, the SDK reads the production Capability Registry on Ethereum Mainnet to learn `f` and authorized signer addresses.
 
@@ -90,7 +77,114 @@ Default (`productionEnvironment()`):
 
 If verification fails, [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) throws (for example, unknown signer, insufficient signatures, or registry read failure).
 
-## Testing locally with simulation
+## Verifying outside CRE
+
+[`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) requires the CRE `runtime` object, so it can only run inside a CRE workflow callback. If your API server receives reports directly, you can implement the same verification steps with standard libraries — no CRE SDK required.
+
+**What you need:**
+
+- An Ethereum Mainnet RPC endpoint (for Capability Registry reads)
+- `viem` for the cryptographic primitives (`keccak256`, `recoverAddress`)
+
+**Verification steps:**
+
+1. Decode the hex JSON fields into bytes.
+2. Parse the **109-byte metadata header** from `rawReport` to extract `donId`, `workflowId`, `workflowOwner`, and `body`.
+3. Compute the message hash: `keccak256(keccak256(rawReport) || reportContext)`.
+4. Fetch the DON's fault tolerance `f` and authorized signer addresses from the **Capability Registry** on Ethereum Mainnet (`0x76c9cf548b4179F8901cda1f8623568b58215E62`): call `getDON(donId)` then `getNodesByP2PIds(p2pIds)`.
+5. For each signature (65 bytes), `ecrecover` the signing address. Require at least **f+1** addresses from the authorized signer set.
+
+The following sketch shows the crypto steps. The Capability Registry call (step 4) follows the same `getDON` → `getNodesByP2PIds` ABI logic used in the CRE SDK; see [`report.ts` in cre-sdk-typescript](https://github.com/smartcontractkit/cre-sdk-typescript) for the exact ABI encoding and decoding.
+
+```typescript
+import { keccak256, concatHex, toHex, recoverAddress } from "viem"
+
+const REPORT_HEADER_LENGTH = 109
+
+/** Parse key fields from the 109-byte rawReport metadata header. */
+function parseHeader(rawReport: Uint8Array) {
+  if (rawReport.length < REPORT_HEADER_LENGTH) {
+    throw new Error(`rawReport too short: need ${REPORT_HEADER_LENGTH} bytes, got ${rawReport.length}`)
+  }
+  const view = new DataView(rawReport.buffer, rawReport.byteOffset)
+  return {
+    donId: view.getUint32(37, false), // bytes 37–40
+    workflowId: toHex(rawReport.slice(45, 77)), // bytes 45–76
+    workflowOwner: toHex(rawReport.slice(87, 107)), // bytes 87–106
+    body: rawReport.slice(REPORT_HEADER_LENGTH), // bytes 109+
+  }
+}
+
+/** keccak256(keccak256(rawReport) || reportContext) */
+function reportHash(rawReport: Uint8Array, reportContext: Uint8Array): `0x${string}` {
+  return keccak256(concatHex([keccak256(toHex(rawReport)), toHex(reportContext)]))
+}
+
+/**
+ * Fetch fault tolerance f and authorized signer addresses from the Capability Registry.
+ * Calls getDON(donId) → getNodesByP2PIds(p2pIds) on Ethereum Mainnet.
+ * Use viem's createPublicClient + readContract, or any Ethereum JSON-RPC client.
+ * See report.ts in cre-sdk-typescript for the exact ABI encoding/decoding.
+ */
+async function fetchSigners(donId: number): Promise<{ f: number; signers: Set<string> }> {
+  // TODO: implement using your Ethereum Mainnet RPC
+  // Registry: 0x76c9cf548b4179F8901cda1f8623568b58215E62
+  throw new Error("implement: call getDON(donId) then getNodesByP2PIds(p2pIds)")
+}
+
+/** Verify that ≥ f+1 signatures are from authorized DON signers. */
+async function verifyReport(rawReport: Uint8Array, signatures: Uint8Array[], reportContext: Uint8Array): Promise<void> {
+  const { donId } = parseHeader(rawReport)
+  const { f, signers } = await fetchSigners(donId)
+  const hash = reportHash(rawReport, reportContext)
+  const required = f + 1
+  let valid = 0
+
+  for (const sig of signatures) {
+    if (sig.length !== 65) continue
+    const normalized = new Uint8Array(sig)
+    if (normalized[64] >= 27) normalized[64] -= 27 // normalize recovery byte
+    try {
+      const recovered = await recoverAddress({ hash, signature: toHex(normalized) })
+      if (signers.has(recovered.toLowerCase().slice(2))) valid++
+    } catch {
+      /* malformed signature — skip */
+    }
+    if (valid >= required) return
+  }
+  throw new Error(`insufficient valid signatures: ${valid}/${required}`)
+}
+
+// Usage — given hex fields from your API POST body:
+const rawReport = hexToBytes(`0x${payload.report}`)
+const reportContext = hexToBytes(`0x${payload.context}`)
+const signatures = payload.signatures.map((s: string) => hexToBytes(`0x${s}`))
+
+await verifyReport(rawReport, signatures, reportContext)
+// If it doesn't throw, the report is authentic.
+// Read the payload: parseHeader(rawReport).body
+```
+
+{/* prettier-ignore */}
+<Aside type="caution" title="Cache registry results">
+  The Capability Registry read for a DON ID is expensive (two onchain calls). Cache the result by DON ID in your server — it changes only when DON configuration changes. The CRE SDK does this automatically; in your own code you are responsible for invalidating the cache if you observe unexpected signer changes.
+</Aside>
+
+## CRE receiver workflow
+
+Use this path if you want the receiver itself to be a CRE workflow (with an HTTP trigger). The CRE SDK's [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) handles registry reads and caching automatically.
+
+{/* prettier-ignore */}
+<Aside type="note" title="Using the private registry?">
+  This guide uses the **Capability Registry** (DON signers), not the **workflow registry** where you deploy. [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) works the same way regardless of which registry you deployed with. For HTTP-triggered receivers, use the [enterprise gateway URL](/cre/guides/operations/deploying-to-private-registry-ts#http-triggers-with-the-private-registry). Local simulation may need an `ethereum-mainnet` RPC in `project.yaml` for registry reads.
+</Aside>
+
+{/* prettier-ignore */}
+<Aside type="note" title="Onchain verification is different">
+  When you submit reports onchain through the `KeystoneForwarder`, the forwarder contract verifies signatures before calling `onReport`. See [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain).
+</Aside>
+
+### Testing locally with simulation
 
 After you run the [submit guide complete example](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#complete-working-example) and copy JSON from webhook.site, use this section to exercise a receiver workflow in simulation.
 
diff --git a/src/content/cre/llms-full-go.txt b/src/content/cre/llms-full-go.txt
index fde695841ea..32c599e5c53 100644
--- a/src/content/cre/llms-full-go.txt
+++ b/src/content/cre/llms-full-go.txt
@@ -15981,47 +15981,34 @@ This guide is for the **receiver** side: you already received a CRE report packa
 
 When a workflow delivers results via HTTP (or another offchain channel), nothing onchain automatically validates the report. **You must verify signatures before trusting the data.**
 
-The CRE SDK provides [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) to do this inside a workflow. Verification runs offchain in your callback: signatures are checked with local cryptography, while authorized signer addresses are loaded via **read-only calls to the onchain Capability Registry** (default: Ethereum Mainnet). Results are cached per DON.
+There are two ways to verify, depending on who receives the POST:
 
+| My receiver is...                               | Use                                                                                                                                                                                                                  |
+| ----------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **My own API or server** (Go HTTP server, etc.) | [Verifying outside CRE](#verifying-outside-cre) — standard crypto libraries, no CRE SDK needed                                                                                                                       |
+| **A CRE workflow** with an HTTP trigger         | [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) — see [Testing locally with simulation](#testing-locally-with-simulation) and the [deploy example](#complete-example-http-receiver-workflow-deploy) |
 
-<Aside type="note" title="Not your workflow deployment registry">
-  This guide uses the **Capability Registry** (DON signers), not the **workflow registry** where you deploy (`private` or `onchain:ethereum-mainnet`). If you deployed with the [private registry](/cre/guides/operations/deploying-to-private-registry-go), [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) still works the same way. For an HTTP-triggered receiver, use the [enterprise gateway URL](/cre/guides/operations/deploying-to-private-registry-go#http-triggers-with-the-private-registry) when triggering deployed workflows. Local simulation may still need an `ethereum-mainnet` RPC in `project.yaml` for those registry reads, even though private deploy does not.
-</Aside>
-
-
-<Aside type="note" title="Onchain verification is different">
-  When you submit reports onchain through the `KeystoneForwarder`, the forwarder contract verifies signatures before calling your consumer's `onReport`. This guide covers **offchain** verification for HTTP and custom ingest paths. See [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain).
-</Aside>
+Both paths run the same cryptographic checks against the same onchain Capability Registry. The difference is whether you use the CRE SDK's helper (which requires `runtime`) or implement it yourself with standard libraries.
 
 ## What is a CRE report?
 
 A **[CRE report](/cre/key-terms#report-cre-report)** is a DON-signed package another workflow (or system) created with [`runtime.GenerateReport()`](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values). You receive its bytes over HTTP (or another channel) as `rawReport`, `reportContext`, and `signatures`. Before you use the encoded payload, you must confirm the signatures match authorized DON signers on the Capability Registry.
 
-This guide is the **receiver** path: decode the POST body, call [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport), then read trusted metadata and `Body()`. See [Key Terms: Report](/cre/key-terms#report-cre-report) for how reports are created and delivered.
-
-## Where this guide fits
-
-| Question                     | Answer                                                                                                                                                                                                                                                                                                                         |
-| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| What is the report?          | Same [CRE report](/cre/key-terms#report-cre-report) the **sender** created with [`runtime.GenerateReport()`](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values). See [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go#what-is-a-cre-report). |
-| Where does it come from?     | Another workflow (or system) already ran sender steps: logic → [`runtime.GenerateReport()`](/cre/guides/workflow/using-evm-client/onchain-write/generating-reports-single-values) → HTTP POST. You receive `rawReport`, `context`, and `signatures` in the request body.                                                       |
-| What does this guide cover?  | Step 3 below: [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) before you use `Body()` or take side effects.                                                                                                                                                                                                   |
-| Same workflow as the sender? | Often **no:** common pattern is Workflow A (publish) and Workflow B (ingest with HTTP trigger).                                                                                                                                                                                                                                |
+See [Key Terms: Report](/cre/key-terms#report-cre-report) for how reports are created and delivered. Pair this guide with [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go) on the sender side.
 
-**Receiver flow:**
+**Receiver flow (both paths):**
 
-1. HTTP trigger (or your API) receives the POST payload.
+1. Your endpoint (API or CRE HTTP trigger) receives the POST payload.
 2. Decode hex fields into bytes.
-3. [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport): verify signatures and read metadata.
-4. Use trusted `Body()` in your logic.
-
-Pair this guide with [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go) on the sender side. This guide covers local simulation first, then the deploy example with `AuthorizedKeys`.
+3. Verify signatures against the Capability Registry.
+4. Use the trusted payload body in your logic.
 
 ## What you'll learn
 
 - When to verify reports offchain vs relying on onchain forwarders
-- How [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) validates signatures and reads metadata
-- How to build a receiver workflow that accepts reports over HTTP
+- How [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) validates signatures and reads metadata (inside a CRE workflow)
+- How to build a CRE receiver workflow that accepts reports over HTTP
+- How to verify reports in your own API server without a CRE receiver workflow
 - How to restrict verification to specific CRE environments or zones
 
 ## Prerequisites
@@ -16037,7 +16024,7 @@ Pair this guide with [Submitting Reports via HTTP](/cre/guides/workflow/using-ht
 | **Where it runs**    | Inside your CRE workflow callback                                           | In a smart contract transaction   |
 | **Signature check**  | Local `ecrecover` on report hash                                            | Contract logic onchain            |
 | **Signer allowlist** | Read from Capability Registry (`getDON`, `getNodesByP2PIds`)                | Forwarder + registry              |
-| **Typical use**      | HTTP APIs, webhooks, ingest workflows                                       | Consumer contracts via `onReport` |
+| **Typical use**      | CRE receiver workflows with an HTTP trigger                                 | Consumer contracts via `onReport` |
 
 Offchain verification still uses **onchain data as a trust anchor**: the first time a DON is seen, the SDK reads the production Capability Registry on Ethereum Mainnet to learn `f` and authorized signer addresses.
 
@@ -16055,7 +16042,130 @@ Default (`cre.ProductionEnvironment()`):
 
 If verification fails, [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) returns an error (for example, `ErrUnknownSigner`, `ErrWrongSignatureCount`, or registry read failure).
 
-## Testing locally with simulation
+## Verifying outside CRE
+
+[`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) requires the CRE `runtime` object, so it can only run inside a CRE workflow callback. If your API server receives reports directly, you can implement the same verification steps with standard libraries — no CRE SDK required.
+
+**What you need:**
+
+- An Ethereum Mainnet RPC endpoint (for Capability Registry reads)
+- `github.com/ethereum/go-ethereum/crypto` for `Keccak256` and signature recovery
+
+**Verification steps:**
+
+1. Decode the hex JSON fields into bytes.
+2. Parse the **109-byte metadata header** from `rawReport` to extract `donId`, `workflowId`, `workflowOwner`, and `body`.
+3. Compute the message hash: `keccak256(keccak256(rawReport) || reportContext)`.
+4. Fetch the DON's fault tolerance `f` and authorized signer addresses from the **Capability Registry** on Ethereum Mainnet (`0x76c9cf548b4179F8901cda1f8623568b58215E62`): call `getDON(donId)` then `getNodesByP2PIds(p2pIds)`.
+5. For each signature (65 bytes), recover the signing address. Require at least **f+1** addresses from the authorized signer set.
+
+The following sketch shows the crypto steps. The Capability Registry call (step 4) follows the same `getDON` → `getNodesByP2PIds` ABI logic used in the CRE SDK; see [`report_verification.go` in cre-sdk-go](https://github.com/smartcontractkit/cre-sdk-go) for the exact call and decoding logic.
+
+```go
+package main
+
+import (
+	"encoding/binary"
+	"encoding/hex"
+	"fmt"
+
+	"github.com/ethereum/go-ethereum/common"
+	"github.com/ethereum/go-ethereum/crypto"
+	"github.com/ethereum/go-ethereum/ethclient"
+)
+
+const (
+	reportHeaderLength = 109
+	capabilityRegistry = "0x76c9cf548b4179F8901cda1f8623568b58215E62"
+)
+
+// parseHeader extracts key fields from the 109-byte rawReport metadata header.
+func parseHeader(rawReport []byte) (donId uint32, workflowId string, body []byte, err error) {
+	if len(rawReport) < reportHeaderLength {
+		return 0, "", nil, fmt.Errorf("rawReport too short: need %d bytes, got %d", reportHeaderLength, len(rawReport))
+	}
+	donId = binary.BigEndian.Uint32(rawReport[37:41])
+	workflowId = hex.EncodeToString(rawReport[45:77])
+	body = rawReport[reportHeaderLength:]
+	return
+}
+
+// reportHash computes keccak256(keccak256(rawReport) || reportContext).
+func reportHash(rawReport, reportContext []byte) []byte {
+	inner := crypto.Keccak256(rawReport)
+	return crypto.Keccak256(append(inner, reportContext...))
+}
+
+// fetchSigners calls the Capability Registry on Ethereum Mainnet to get
+// the fault tolerance f and authorized signer addresses for the given DON.
+// Use go-ethereum's ethclient and ABI encoding.
+// See report_verification.go in cre-sdk-go for the exact call and decoding logic.
+func fetchSigners(client *ethclient.Client, donId uint32) (f int, signers map[common.Address]bool, err error) {
+	// TODO: implement using your Ethereum Mainnet RPC
+	// 1. ABI-encode getDON(donId), call capabilityRegistry, decode f and nodeP2PIds
+	// 2. ABI-encode getNodesByP2PIds(nodeP2PIds), call capabilityRegistry, decode signer addresses
+	return 0, nil, fmt.Errorf("implement: call getDON then getNodesByP2PIds on the Capability Registry")
+}
+
+// verifyReport checks that ≥ f+1 signatures are from authorized DON signers.
+func verifyReport(rawReport []byte, signatures [][]byte, reportContext []byte, client *ethclient.Client) error {
+	donId, _, _, err := parseHeader(rawReport)
+	if err != nil {
+		return err
+	}
+	f, signers, err := fetchSigners(client, donId)
+	if err != nil {
+		return err
+	}
+	hash := reportHash(rawReport, reportContext)
+	required := f + 1
+	valid := 0
+
+	for _, sig := range signatures {
+		if len(sig) != 65 {
+			continue
+		}
+		norm := make([]byte, 65)
+		copy(norm, sig)
+		if norm[64] >= 27 {
+			norm[64] -= 27 // normalize recovery byte
+		}
+		pubKey, err := crypto.SigToPub(hash, norm)
+		if err != nil {
+			continue
+		}
+		addr := crypto.PubkeyToAddress(*pubKey)
+		if signers[addr] {
+			valid++
+		}
+		if valid >= required {
+			return nil
+		}
+	}
+	return fmt.Errorf("insufficient valid signatures: %d/%d", valid, required)
+}
+```
+
+
+<Aside type="caution" title="Cache registry results">
+  The Capability Registry read for a DON ID is expensive (two onchain calls). Cache the result by DON ID in your server — it changes only when DON configuration changes. The CRE SDK does this automatically; in your own code you are responsible for invalidating the cache if you observe unexpected signer changes.
+</Aside>
+
+## CRE receiver workflow
+
+Use this path if you want the receiver itself to be a CRE workflow (with an HTTP trigger). The CRE SDK's [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) handles registry reads and caching automatically.
+
+
+<Aside type="note" title="Using the private registry?">
+  This guide uses the **Capability Registry** (DON signers), not the **workflow registry** where you deploy. [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) works the same way regardless of which registry you deployed with. For HTTP-triggered receivers, use the [enterprise gateway URL](/cre/guides/operations/deploying-to-private-registry-go#http-triggers-with-the-private-registry). Local simulation may need an `ethereum-mainnet` RPC in `project.yaml` for registry reads.
+</Aside>
+
+
+<Aside type="note" title="Onchain verification is different">
+  When you submit reports onchain through the `KeystoneForwarder`, the forwarder contract verifies signatures before calling `onReport`. See [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain).
+</Aside>
+
+### Testing locally with simulation
 
 After you run the [submit guide complete example](/cre/guides/workflow/using-http-client/submitting-reports-http-go#complete-working-example) and copy JSON from webhook.site, use this section to exercise a receiver workflow in simulation.
 
diff --git a/src/content/cre/llms-full-ts.txt b/src/content/cre/llms-full-ts.txt
index 3e58f8ca273..faa30f6ad84 100644
--- a/src/content/cre/llms-full-ts.txt
+++ b/src/content/cre/llms-full-ts.txt
@@ -15716,47 +15716,34 @@ This guide is for the **receiver** side: you already received a CRE report packa
 
 When a workflow delivers results via HTTP (or another offchain channel), nothing onchain automatically validates the report. **You must verify signatures before trusting the data.**
 
-The CRE SDK provides [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) to do this inside a workflow. Verification runs **offchain** in your callback: signatures are checked with local cryptography, while authorized signer addresses are loaded via **read-only calls to the onchain Capability Registry** (default: Ethereum Mainnet). Results are cached per DON.
+There are two ways to verify, depending on who receives the POST:
 
+| My receiver is...                                            | Use                                                                                                                                                                                                                    |
+| ------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **My own API or server** (Express, FastAPI, Go server, etc.) | [Verifying outside CRE](#verifying-outside-cre) — standard crypto libraries, no CRE SDK needed                                                                                                                         |
+| **A CRE workflow** with an HTTP trigger                      | [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) — see [Testing locally with simulation](#testing-locally-with-simulation) and the [deploy example](#complete-example-http-receiver-workflow-deploy) |
 
-<Aside type="note" title="Not your workflow deployment registry">
-  This guide uses the **Capability Registry** (DON signers), not the **workflow registry** where you deploy (`private` or `onchain:ethereum-mainnet`). If you deployed with the [private registry](/cre/guides/operations/deploying-to-private-registry-ts), [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) still works the same way. For an HTTP-triggered receiver, use the [enterprise gateway URL](/cre/guides/operations/deploying-to-private-registry-ts#http-triggers-with-the-private-registry) when triggering deployed workflows. Local simulation may still need an `ethereum-mainnet` RPC in `project.yaml` for those registry reads, even though private deploy does not.
-</Aside>
-
-
-<Aside type="note" title="Onchain verification is different">
-  When you submit reports onchain through the `KeystoneForwarder`, the forwarder contract verifies signatures before calling your consumer's `onReport`. This guide covers **offchain** verification for HTTP and custom ingest paths. See [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain).
-</Aside>
+Both paths run the same cryptographic checks against the same onchain Capability Registry. The difference is whether you use the CRE SDK's helper (which requires `runtime`) or implement it yourself with standard libraries.
 
 ## What is a CRE report?
 
 A **[CRE report](/cre/key-terms#report-cre-report)** is a DON-signed package another workflow (or system) created with [`runtime.report()`](/cre/reference/sdk/core-ts#runtime-and-noderuntime). You receive its bytes over HTTP (or another channel) as `rawReport`, `reportContext`, and `signatures`. Before you use the encoded payload, you must confirm the signatures match authorized DON signers on the Capability Registry.
 
-This guide is the **receiver** path: decode the POST body, call [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification), then read trusted metadata and `body()`. See [Key Terms: Report](/cre/key-terms#report-cre-report) for how reports are created and delivered.
-
-## Where this guide fits
-
-| Question                     | Answer                                                                                                                                                                                                                                                                               |
-| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| What is the report?          | Same [CRE report](/cre/key-terms#report-cre-report) the **sender** created with [`runtime.report()`](/cre/reference/sdk/core-ts#runtime-and-noderuntime). See [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#what-is-a-cre-report). |
-| Where does it come from?     | Another workflow (or system) already ran sender steps: logic → [`runtime.report()`](/cre/reference/sdk/core-ts#runtime-and-noderuntime) → HTTP POST. You receive `rawReport`, `context`, and `signatures` in the request body.                                                       |
-| What does this guide cover?  | Step 3 below: [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) before you use `body()` or take side effects.                                                                                                                                                       |
-| Same workflow as the sender? | Often **no:** common pattern is Workflow A (publish) and Workflow B (ingest with HTTP trigger).                                                                                                                                                                                      |
+See [Key Terms: Report](/cre/key-terms#report-cre-report) for how reports are created and delivered. Pair this guide with [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts) on the sender side.
 
-**Receiver flow:**
+**Receiver flow (both paths):**
 
-1. HTTP trigger (or your API) receives the POST payload.
+1. Your endpoint (API or CRE HTTP trigger) receives the POST payload.
 2. Decode hex fields into bytes.
-3. [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification): verify signatures and read metadata.
-4. Use trusted `body()` in your logic.
-
-Pair this guide with [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts) on the sender side. This guide covers local simulation first, then the deploy example with `authorizedKeys`.
+3. Verify signatures against the Capability Registry.
+4. Use the trusted payload body in your logic.
 
 ## What you'll learn
 
 - When to verify reports offchain vs relying on onchain forwarders
-- How [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) validates signatures and reads metadata
-- How to build a receiver workflow that accepts reports over HTTP
+- How [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) validates signatures and reads metadata (inside a CRE workflow)
+- How to build a CRE receiver workflow that accepts reports over HTTP
+- How to verify reports in your own API server without a CRE receiver workflow
 - How to restrict verification to specific CRE environments or zones
 
 ## Prerequisites
@@ -15772,7 +15759,7 @@ Pair this guide with [Submitting Reports via HTTP](/cre/guides/workflow/using-ht
 | **Where it runs**    | Inside your CRE workflow callback                                             | In a smart contract transaction   |
 | **Signature check**  | Local `ecrecover` on report hash                                              | Contract logic onchain            |
 | **Signer allowlist** | Read from Capability Registry (`getDON`, `getNodesByP2PIds`)                  | Forwarder + registry              |
-| **Typical use**      | HTTP APIs, webhooks, ingest workflows                                         | Consumer contracts via `onReport` |
+| **Typical use**      | CRE receiver workflows with an HTTP trigger                                   | Consumer contracts via `onReport` |
 
 Offchain verification still uses **onchain data as a trust anchor**: the first time a DON is seen, the SDK reads the production Capability Registry on Ethereum Mainnet to learn `f` and authorized signer addresses.
 
@@ -15790,7 +15777,114 @@ Default (`productionEnvironment()`):
 
 If verification fails, [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) throws (for example, unknown signer, insufficient signatures, or registry read failure).
 
-## Testing locally with simulation
+## Verifying outside CRE
+
+[`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) requires the CRE `runtime` object, so it can only run inside a CRE workflow callback. If your API server receives reports directly, you can implement the same verification steps with standard libraries — no CRE SDK required.
+
+**What you need:**
+
+- An Ethereum Mainnet RPC endpoint (for Capability Registry reads)
+- `viem` for the cryptographic primitives (`keccak256`, `recoverAddress`)
+
+**Verification steps:**
+
+1. Decode the hex JSON fields into bytes.
+2. Parse the **109-byte metadata header** from `rawReport` to extract `donId`, `workflowId`, `workflowOwner`, and `body`.
+3. Compute the message hash: `keccak256(keccak256(rawReport) || reportContext)`.
+4. Fetch the DON's fault tolerance `f` and authorized signer addresses from the **Capability Registry** on Ethereum Mainnet (`0x76c9cf548b4179F8901cda1f8623568b58215E62`): call `getDON(donId)` then `getNodesByP2PIds(p2pIds)`.
+5. For each signature (65 bytes), `ecrecover` the signing address. Require at least **f+1** addresses from the authorized signer set.
+
+The following sketch shows the crypto steps. The Capability Registry call (step 4) follows the same `getDON` → `getNodesByP2PIds` ABI logic used in the CRE SDK; see [`report.ts` in cre-sdk-typescript](https://github.com/smartcontractkit/cre-sdk-typescript) for the exact ABI encoding and decoding.
+
+```typescript
+import { keccak256, concatHex, toHex, recoverAddress } from "viem"
+
+const REPORT_HEADER_LENGTH = 109
+
+/** Parse key fields from the 109-byte rawReport metadata header. */
+function parseHeader(rawReport: Uint8Array) {
+  if (rawReport.length < REPORT_HEADER_LENGTH) {
+    throw new Error(`rawReport too short: need ${REPORT_HEADER_LENGTH} bytes, got ${rawReport.length}`)
+  }
+  const view = new DataView(rawReport.buffer, rawReport.byteOffset)
+  return {
+    donId: view.getUint32(37, false), // bytes 37–40
+    workflowId: toHex(rawReport.slice(45, 77)), // bytes 45–76
+    workflowOwner: toHex(rawReport.slice(87, 107)), // bytes 87–106
+    body: rawReport.slice(REPORT_HEADER_LENGTH), // bytes 109+
+  }
+}
+
+/** keccak256(keccak256(rawReport) || reportContext) */
+function reportHash(rawReport: Uint8Array, reportContext: Uint8Array): `0x${string}` {
+  return keccak256(concatHex([keccak256(toHex(rawReport)), toHex(reportContext)]))
+}
+
+/**
+ * Fetch fault tolerance f and authorized signer addresses from the Capability Registry.
+ * Calls getDON(donId) → getNodesByP2PIds(p2pIds) on Ethereum Mainnet.
+ * Use viem's createPublicClient + readContract, or any Ethereum JSON-RPC client.
+ * See report.ts in cre-sdk-typescript for the exact ABI encoding/decoding.
+ */
+async function fetchSigners(donId: number): Promise<{ f: number; signers: Set<string> }> {
+  // TODO: implement using your Ethereum Mainnet RPC
+  // Registry: 0x76c9cf548b4179F8901cda1f8623568b58215E62
+  throw new Error("implement: call getDON(donId) then getNodesByP2PIds(p2pIds)")
+}
+
+/** Verify that ≥ f+1 signatures are from authorized DON signers. */
+async function verifyReport(rawReport: Uint8Array, signatures: Uint8Array[], reportContext: Uint8Array): Promise<void> {
+  const { donId } = parseHeader(rawReport)
+  const { f, signers } = await fetchSigners(donId)
+  const hash = reportHash(rawReport, reportContext)
+  const required = f + 1
+  let valid = 0
+
+  for (const sig of signatures) {
+    if (sig.length !== 65) continue
+    const normalized = new Uint8Array(sig)
+    if (normalized[64] >= 27) normalized[64] -= 27 // normalize recovery byte
+    try {
+      const recovered = await recoverAddress({ hash, signature: toHex(normalized) })
+      if (signers.has(recovered.toLowerCase().slice(2))) valid++
+    } catch {
+      /* malformed signature — skip */
+    }
+    if (valid >= required) return
+  }
+  throw new Error(`insufficient valid signatures: ${valid}/${required}`)
+}
+
+// Usage — given hex fields from your API POST body:
+const rawReport = hexToBytes(`0x${payload.report}`)
+const reportContext = hexToBytes(`0x${payload.context}`)
+const signatures = payload.signatures.map((s: string) => hexToBytes(`0x${s}`))
+
+await verifyReport(rawReport, signatures, reportContext)
+// If it doesn't throw, the report is authentic.
+// Read the payload: parseHeader(rawReport).body
+```
+
+
+<Aside type="caution" title="Cache registry results">
+  The Capability Registry read for a DON ID is expensive (two onchain calls). Cache the result by DON ID in your server — it changes only when DON configuration changes. The CRE SDK does this automatically; in your own code you are responsible for invalidating the cache if you observe unexpected signer changes.
+</Aside>
+
+## CRE receiver workflow
+
+Use this path if you want the receiver itself to be a CRE workflow (with an HTTP trigger). The CRE SDK's [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) handles registry reads and caching automatically.
+
+
+<Aside type="note" title="Using the private registry?">
+  This guide uses the **Capability Registry** (DON signers), not the **workflow registry** where you deploy. [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) works the same way regardless of which registry you deployed with. For HTTP-triggered receivers, use the [enterprise gateway URL](/cre/guides/operations/deploying-to-private-registry-ts#http-triggers-with-the-private-registry). Local simulation may need an `ethereum-mainnet` RPC in `project.yaml` for registry reads.
+</Aside>
+
+
+<Aside type="note" title="Onchain verification is different">
+  When you submit reports onchain through the `KeystoneForwarder`, the forwarder contract verifies signatures before calling `onReport`. See [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain).
+</Aside>
+
+### Testing locally with simulation
 
 After you run the [submit guide complete example](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#complete-working-example) and copy JSON from webhook.site, use this section to exercise a receiver workflow in simulation.
 

From 0e5ef8292246d770c2a6017da10a4d6785054a16 Mon Sep 17 00:00:00 2001
From: devin distefano <devin.distefano@smartcontract.com>
Date: Wed, 10 Jun 2026 22:43:27 -0500
Subject: [PATCH 8/9] major update

---
 .../verifying-reports-offchain-go.mdx         | 774 +++++++++---------
 .../verifying-reports-offchain-ts.mdx         | 665 +++++++--------
 src/content/cre/llms-full-go.txt              | 664 ++++++++-------
 src/content/cre/llms-full-ts.txt              | 577 ++++++-------
 4 files changed, 1359 insertions(+), 1321 deletions(-)

diff --git a/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-go.mdx b/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-go.mdx
index 2710d920dc5..faba443197e 100644
--- a/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-go.mdx
+++ b/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-go.mdx
@@ -12,16 +12,16 @@ metadata:
 
 import { Aside } from "@components"
 
-This guide is for the **receiver** side: you already received a CRE report package (usually via HTTP) and need to **prove it is authentic** before using the payload.
+This guide is for the **receiver** side: you already received a CRE report package — typically via HTTP from a [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go) sender workflow — and need to **prove it is authentic** before using the payload.
 
 When a workflow delivers results via HTTP (or another offchain channel), nothing onchain automatically validates the report. **You must verify signatures before trusting the data.**
 
 There are two ways to verify, depending on who receives the POST:
 
-| My receiver is...                               | Use                                                                                                                                                                                                                  |
-| ----------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| **My own API or server** (Go HTTP server, etc.) | [Verifying outside CRE](#verifying-outside-cre) — standard crypto libraries, no CRE SDK needed                                                                                                                       |
-| **A CRE workflow** with an HTTP trigger         | [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) — see [Testing locally with simulation](#testing-locally-with-simulation) and the [deploy example](#complete-example-http-receiver-workflow-deploy) |
+| My receiver is...                               | Use                                                                                                                    |
+| ----------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- |
+| **My own API or server** (Go HTTP server, etc.) | [Verifying outside CRE](#verifying-outside-cre) — standard crypto libraries, no CRE SDK needed                         |
+| **A CRE workflow** with an HTTP trigger         | [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) — see [CRE receiver workflow](#cre-receiver-workflow) |
 
 Both paths run the same cryptographic checks against the same onchain Capability Registry. The difference is whether you use the CRE SDK's helper (which requires `runtime`) or implement it yourself with standard libraries.
 
@@ -48,8 +48,8 @@ See [Key Terms: Report](/cre/key-terms#report-cre-report) for how reports are cr
 
 ## Prerequisites
 
-- **SDK**: `cre-sdk-go` v1.8.0 or later (report verification support)
-- Familiarity with [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go) (report structure and JSON payload patterns)
+- **A report payload to verify** — three hex fields: `report`, `context`, `signatures`. If you don't have one yet, follow [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go) to create a sender workflow and capture its output first.
+- **SDK**: `cre-sdk-go` v1.8.0 or later (for the CRE receiver workflow path)
 - For HTTP-triggered receivers: [HTTP Trigger configuration](/cre/guides/workflow/using-triggers/http-trigger/configuration-go)
 
 ## Onchain vs offchain verification
@@ -70,6 +70,8 @@ Default (`cre.ProductionEnvironment()`):
 
 ## How verification works
 
+At its core, verification answers one question: did enough authorized nodes from the right DON sign this exact report? To answer it, the receiver decodes the report's metadata header to find which DON produced it, asks the onchain Capability Registry for that DON's authorized signers and quorum threshold (`f`), then checks that at least `f+1` of the provided signatures come from those addresses. Both paths in this guide — the outside-CRE program and the CRE receiver workflow — run this same sequence:
+
 1. **Parse the report header** from `rawReport` (109-byte metadata + body).
 2. **Fetch DON info** from the registry (if not cached): fault tolerance `f` and signer addresses.
 3. **Verify signatures**: compute `keccak256(keccak256(rawReport) || reportContext)`, recover signers, require **f+1** valid signatures from authorized nodes.
@@ -79,348 +81,393 @@ If verification fails, [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparse
 
 ## Verifying outside CRE
 
-[`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) requires the CRE `runtime` object, so it can only run inside a CRE workflow callback. If your API server receives reports directly, you can implement the same verification steps with standard libraries — no CRE SDK required.
-
-**What you need:**
-
-- An Ethereum Mainnet RPC endpoint (for Capability Registry reads)
-- `github.com/ethereum/go-ethereum/crypto` for `Keccak256` and signature recovery
-
-**Verification steps:**
-
-1. Decode the hex JSON fields into bytes.
-2. Parse the **109-byte metadata header** from `rawReport` to extract `donId`, `workflowId`, `workflowOwner`, and `body`.
-3. Compute the message hash: `keccak256(keccak256(rawReport) || reportContext)`.
-4. Fetch the DON's fault tolerance `f` and authorized signer addresses from the **Capability Registry** on Ethereum Mainnet (`0x76c9cf548b4179F8901cda1f8623568b58215E62`): call `getDON(donId)` then `getNodesByP2PIds(p2pIds)`.
-5. For each signature (65 bytes), recover the signing address. Require at least **f+1** addresses from the authorized signer set.
-
-The following sketch shows the crypto steps. The Capability Registry call (step 4) follows the same `getDON` → `getNodesByP2PIds` ABI logic used in the CRE SDK; see [`report_verification.go` in cre-sdk-go](https://github.com/smartcontractkit/cre-sdk-go) for the exact call and decoding logic.
-
-```go
-package main
-
-import (
-	"encoding/binary"
-	"encoding/hex"
-	"fmt"
-
-	"github.com/ethereum/go-ethereum/common"
-	"github.com/ethereum/go-ethereum/crypto"
-	"github.com/ethereum/go-ethereum/ethclient"
-)
-
-const (
-	reportHeaderLength = 109
-	capabilityRegistry = "0x76c9cf548b4179F8901cda1f8623568b58215E62"
-)
-
-// parseHeader extracts key fields from the 109-byte rawReport metadata header.
-func parseHeader(rawReport []byte) (donId uint32, workflowId string, body []byte, err error) {
-	if len(rawReport) < reportHeaderLength {
-		return 0, "", nil, fmt.Errorf("rawReport too short: need %d bytes, got %d", reportHeaderLength, len(rawReport))
-	}
-	donId = binary.BigEndian.Uint32(rawReport[37:41])
-	workflowId = hex.EncodeToString(rawReport[45:77])
-	body = rawReport[reportHeaderLength:]
-	return
-}
-
-// reportHash computes keccak256(keccak256(rawReport) || reportContext).
-func reportHash(rawReport, reportContext []byte) []byte {
-	inner := crypto.Keccak256(rawReport)
-	return crypto.Keccak256(append(inner, reportContext...))
-}
-
-// fetchSigners calls the Capability Registry on Ethereum Mainnet to get
-// the fault tolerance f and authorized signer addresses for the given DON.
-// Use go-ethereum's ethclient and ABI encoding.
-// See report_verification.go in cre-sdk-go for the exact call and decoding logic.
-func fetchSigners(client *ethclient.Client, donId uint32) (f int, signers map[common.Address]bool, err error) {
-	// TODO: implement using your Ethereum Mainnet RPC
-	// 1. ABI-encode getDON(donId), call capabilityRegistry, decode f and nodeP2PIds
-	// 2. ABI-encode getNodesByP2PIds(nodeP2PIds), call capabilityRegistry, decode signer addresses
-	return 0, nil, fmt.Errorf("implement: call getDON then getNodesByP2PIds on the Capability Registry")
-}
-
-// verifyReport checks that ≥ f+1 signatures are from authorized DON signers.
-func verifyReport(rawReport []byte, signatures [][]byte, reportContext []byte, client *ethclient.Client) error {
-	donId, _, _, err := parseHeader(rawReport)
-	if err != nil {
-		return err
-	}
-	f, signers, err := fetchSigners(client, donId)
-	if err != nil {
-		return err
-	}
-	hash := reportHash(rawReport, reportContext)
-	required := f + 1
-	valid := 0
-
-	for _, sig := range signatures {
-		if len(sig) != 65 {
-			continue
-		}
-		norm := make([]byte, 65)
-		copy(norm, sig)
-		if norm[64] >= 27 {
-			norm[64] -= 27 // normalize recovery byte
-		}
-		pubKey, err := crypto.SigToPub(hash, norm)
-		if err != nil {
-			continue
-		}
-		addr := crypto.PubkeyToAddress(*pubKey)
-		if signers[addr] {
-			valid++
-		}
-		if valid >= required {
-			return nil
-		}
-	}
-	return fmt.Errorf("insufficient valid signatures: %d/%d", valid, required)
-}
-```
+[`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) requires the CRE `runtime` object and can only run inside a CRE workflow callback. If your API server receives reports directly, you can verify without the CRE SDK using standard libraries.
+
+If you followed the [submit guide](/cre/guides/workflow/using-http-client/submitting-reports-http-go), you already have a JSON payload with `report`, `context`, and `signatures` as hex strings — this section shows how to verify it.
+
+1. Create a new folder for your verification program and initialize a module:
+
+   ```bash
+   mkdir verify-report && cd verify-report
+   go mod init verify-report
+   go get github.com/ethereum/go-ethereum
+   ```
+
+1. Save the following as `main.go`.
+
+   Parses the 109-byte report header to identify the DON, reads the authorized signer list and fault tolerance `f` from the Capability Registry on Ethereum Mainnet, then recovers each signature and requires at least `f+1` to match. The ABI layout mirrors [`report_verification.go` in cre-sdk-go](https://github.com/smartcontractkit/cre-sdk-go).
+
+   ```go
+   // verify-report/main.go
+   package main
+
+   import (
+   	"context"
+   	"encoding/binary"
+   	"encoding/hex"
+   	"fmt"
+   	"math/big"
+   	"sync"
+
+   	"github.com/ethereum/go-ethereum"
+   	"github.com/ethereum/go-ethereum/common"
+   	"github.com/ethereum/go-ethereum/crypto"
+   	"github.com/ethereum/go-ethereum/ethclient"
+   )
+
+   const (
+   	reportHeaderLength = 109
+   	capabilityRegistry = "0x76c9cf548b4179F8901cda1f8623568b58215E62"
+   )
+
+   // parseHeader extracts key fields from the 109-byte rawReport metadata header.
+   func parseHeader(rawReport []byte) (donId uint32, workflowId string, body []byte, err error) {
+   	if len(rawReport) < reportHeaderLength {
+   		return 0, "", nil, fmt.Errorf("rawReport too short: need %d bytes, got %d", reportHeaderLength, len(rawReport))
+   	}
+   	donId = binary.BigEndian.Uint32(rawReport[37:41])
+   	workflowId = hex.EncodeToString(rawReport[45:77])
+   	body = rawReport[reportHeaderLength:]
+   	return
+   }
+
+   // reportHash computes keccak256(keccak256(rawReport) || reportContext).
+   func reportHash(rawReport, reportContext []byte) []byte {
+   	inner := crypto.Keccak256(rawReport)
+   	return crypto.Keccak256(append(inner, reportContext...))
+   }
+
+   // padUint256 encodes a uint64 as a big-endian 32-byte ABI word.
+   func padUint256(v uint64) []byte {
+   	b := make([]byte, 32)
+   	binary.BigEndian.PutUint64(b[24:], v)
+   	return b
+   }
+
+   type donInfo struct {
+   	f       int
+   	signers map[common.Address]bool
+   }
+
+   // signerCache caches registry lookups by DON ID. Registry data only changes
+   // during DON reconfiguration; clear and retry if you see unexpected signer errors after a DON upgrade.
+   var signerCache sync.Map
+
+   // fetchSigners calls the Capability Registry on Ethereum Mainnet to get
+   // the fault tolerance f and authorized signer addresses for the given DON.
+   // Makes two eth_call reads: getDON(donId) then getNodesByP2PIds(nodeP2PIds).
+   // Result is cached by DON ID.
+   func fetchSigners(client *ethclient.Client, donId uint32) (f int, signers map[common.Address]bool, err error) {
+   	if cached, ok := signerCache.Load(donId); ok {
+   		info := cached.(donInfo)
+   		return info.f, info.signers, nil
+   	}
+
+   	registry := common.HexToAddress(capabilityRegistry)
+   	ctx := context.Background()
+
+   	// Step 1: getDON(uint32 donId) — selector keccak256("getDON(uint32)")[0:4] = 0x23537405
+   	var donIdPadded [32]byte
+   	binary.BigEndian.PutUint32(donIdPadded[28:], donId)
+   	getDONCalldata := append([]byte{0x23, 0x53, 0x74, 0x05}, donIdPadded[:]...)
+
+   	getDONBytes, err := client.CallContract(ctx, ethereum.CallMsg{To: &registry, Data: getDONCalldata}, nil)
+   	if err != nil {
+   		return 0, nil, fmt.Errorf("getDON call failed: %w", err)
+   	}
+   	if len(getDONBytes) < 224 {
+   		return 0, nil, fmt.Errorf("getDON response too short: %d bytes", len(getDONBytes))
+   	}
+
+   	// Response layout (see report_verification.go in cre-sdk-go for full ABI documentation):
+   	//   slot 3 (bytes  96-127): f               (uint8, zero-padded to 32)
+   	//   slot 6 (bytes 192-223): ptr[nodeP2PIds] relative to tupleStart = 32
+   	f = int(new(big.Int).SetBytes(getDONBytes[96:128]).Int64())
+   	nodeP2PIdsPtr := int(new(big.Int).SetBytes(getDONBytes[192:224]).Int64())
+   	nodeCountOff := 32 + nodeP2PIdsPtr
+   	nodeCount := int(new(big.Int).SetBytes(getDONBytes[nodeCountOff : nodeCountOff+32]).Int64())
+
+   	nodeP2PIds := make([][]byte, nodeCount)
+   	for i := 0; i < nodeCount; i++ {
+   		start := nodeCountOff + 32 + i*32
+   		id := make([]byte, 32)
+   		copy(id, getDONBytes[start:start+32])
+   		nodeP2PIds[i] = id
+   	}
+
+   	if nodeCount == 0 {
+   		info := donInfo{f: f, signers: nil}
+   		signerCache.Store(donId, info)
+   		return f, nil, nil
+   	}
+
+   	// Step 2: getNodesByP2PIds(bytes32[]) — selector 0x05a51966
+   	// ABI-encode bytes32[]: [ptr=32][count][id0]...[idN]
+   	getNodesCalldata := append([]byte{0x05, 0xa5, 0x19, 0x66}, padUint256(32)...)
+   	getNodesCalldata = append(getNodesCalldata, padUint256(uint64(nodeCount))...)
+   	for _, id := range nodeP2PIds {
+   		getNodesCalldata = append(getNodesCalldata, id...)
+   	}
+
+   	getNodesBytes, err := client.CallContract(ctx, ethereum.CallMsg{To: &registry, Data: getNodesCalldata}, nil)
+   	if err != nil {
+   		return 0, nil, fmt.Errorf("getNodesByP2PIds call failed: %w", err)
+   	}
+   	if len(getNodesBytes) < 64 {
+   		return 0, nil, fmt.Errorf("getNodesByP2PIds response too short: %d bytes", len(getNodesBytes))
+   	}
+
+   	// Response layout: [outerPtr][count][elem0-ptr][elem1-ptr]...[tuple0][tuple1]...
+   	// Each NodeInfo tuple (9 slots × 32 bytes): slot 3 = signer bytes32, first 20 bytes = address
+   	outerPtr := int(new(big.Int).SetBytes(getNodesBytes[0:32]).Int64())
+   	returnedCount := int(new(big.Int).SetBytes(getNodesBytes[outerPtr : outerPtr+32]).Int64())
+   	const nodeTupleHead = 288 // 9 slots × 32 bytes
+
+   	signers = make(map[common.Address]bool, returnedCount)
+   	for i := 0; i < returnedCount; i++ {
+   		elemPtrOff := outerPtr + 32 + i*32
+   		elemPtr := int(new(big.Int).SetBytes(getNodesBytes[elemPtrOff : elemPtrOff+32]).Int64())
+   		tupleBase := outerPtr + 32 + elemPtr
+   		if tupleBase+nodeTupleHead > len(getNodesBytes) {
+   			break
+   		}
+   		signerSlot := tupleBase + 3*32
+   		addr := common.BytesToAddress(getNodesBytes[signerSlot : signerSlot+20])
+   		signers[addr] = true
+   	}
+
+   	signerCache.Store(donId, donInfo{f: f, signers: signers})
+   	return f, signers, nil
+   }
+
+   // verifyReport checks that ≥ f+1 signatures are from authorized DON signers.
+   func verifyReport(rawReport []byte, signatures [][]byte, reportContext []byte, client *ethclient.Client) error {
+   	donId, _, _, err := parseHeader(rawReport)
+   	if err != nil {
+   		return err
+   	}
+   	f, signers, err := fetchSigners(client, donId)
+   	if err != nil {
+   		return err
+   	}
+   	hash := reportHash(rawReport, reportContext)
+   	required := f + 1
+   	valid := 0
+
+   	for _, sig := range signatures {
+   		if len(sig) != 65 {
+   			continue
+   		}
+   		norm := make([]byte, 65)
+   		copy(norm, sig)
+   		if norm[64] >= 27 {
+   			norm[64] -= 27 // normalize recovery byte
+   		}
+   		pubKey, err := crypto.SigToPub(hash, norm)
+   		if err != nil {
+   			continue
+   		}
+   		addr := crypto.PubkeyToAddress(*pubKey)
+   		if signers[addr] {
+   			valid++
+   		}
+   		if valid >= required {
+   			return nil
+   		}
+   	}
+   	return fmt.Errorf("insufficient valid signatures: %d/%d", valid, required)
+   }
+
+   // Usage — create the client once for your server, reuse it across requests:
+   //
+   //   client, err := ethclient.Dial(os.Getenv("ETH_MAINNET_RPC_URL"))
+   //
+   // For each incoming report POST:
+   //   if err := verifyReport(rawReport, signatures, reportContext, client); err != nil {
+   //       // reject the request
+   //   }
+   //   // verified: use parseHeader(rawReport) to read the payload body
+   ```
+
+1. Set your RPC URL and run:
+
+   ```bash
+   export ETH_MAINNET_RPC_URL=https://your-mainnet-rpc-endpoint
+   go run main.go
+   ```
+
+1. Check the output.
+
+   With a **sim-signed report** (from the submit guide sender simulation):
+
+   ```
+   insufficient valid signatures: 0/4
+   ```
+
+   This is correct. Simulation uses local test keys that are not registered in the mainnet Capability Registry. The registry call succeeded and returned the real signer list; none of the sim signatures matched it. The verification logic is working as intended.
+
+   With a **production-signed report** from a deployed sender, `verifyReport` returns `nil`. Read the payload:
+
+   ```go
+   donId, workflowId, body, err := parseHeader(rawReport)
+   // body is the ABI-encoded payload the sender embedded
+   ```
 
 {/* prettier-ignore */}
 <Aside type="caution" title="Cache registry results">
-  The Capability Registry read for a DON ID is expensive (two onchain calls). Cache the result by DON ID in your server — it changes only when DON configuration changes. The CRE SDK does this automatically; in your own code you are responsible for invalidating the cache if you observe unexpected signer changes.
+  `fetchSigners` caches by DON ID using a `sync.Map` for the lifetime of the process. Registry data only changes during DON reconfiguration. If you see unexpected `ErrUnknownSigner` errors after a DON upgrade, clear the cache (for example, by restarting the process) and retry.
 </Aside>
 
 ## CRE receiver workflow
 
-Use this path if you want the receiver itself to be a CRE workflow (with an HTTP trigger). The CRE SDK's [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) handles registry reads and caching automatically.
+Use this path if you want the receiver itself to be a CRE workflow with an HTTP trigger. [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) handles Capability Registry reads and caching automatically.
 
 {/* prettier-ignore */}
-<Aside type="note" title="Using the private registry?">
-  This guide uses the **Capability Registry** (DON signers), not the **workflow registry** where you deploy. [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) works the same way regardless of which registry you deployed with. For HTTP-triggered receivers, use the [enterprise gateway URL](/cre/guides/operations/deploying-to-private-registry-go#http-triggers-with-the-private-registry). Local simulation may need an `ethereum-mainnet` RPC in `project.yaml` for registry reads.
+<Aside type="caution" title="Educational Example Disclaimer">
+  This page includes an educational example to use a Chainlink system, product, or service and is provided to
+  demonstrate how to interact with Chainlink's systems, products, and services to integrate them into your own. This
+  template is provided "AS IS" and "AS AVAILABLE" without warranties of any kind, it has not been audited, and it may be
+  missing key checks or error handling to make the usage of the system, product or service more clear. Do not use the
+  code in this example in a production environment without completing your own audits and application of best practices.
+  Neither Chainlink Labs, the Chainlink Foundation, nor Chainlink node operators are responsible for unintended outputs
+  that are generated due to errors in code.
 </Aside>
 
 {/* prettier-ignore */}
-<Aside type="note" title="Onchain verification is different">
-  When you submit reports onchain through the `KeystoneForwarder`, the forwarder contract verifies signatures before calling `onReport`. See [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain).
+<Aside type="note" title="Using the private registry?">
+  This guide uses the **Capability Registry** (DON signers), not the **workflow registry** where you deploy. [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) works the same way regardless of which registry you deployed with. For HTTP-triggered receivers, use the [enterprise gateway URL](/cre/guides/operations/deploying-to-private-registry-go#http-triggers-with-the-private-registry). Local simulation may need an `ethereum-mainnet` RPC in `project.yaml` for registry reads.
 </Aside>
 
-### Testing locally with simulation
-
-After you run the [submit guide complete example](/cre/guides/workflow/using-http-client/submitting-reports-http-go#complete-working-example) and copy JSON from webhook.site, use this section to exercise a receiver workflow in simulation.
-
-1. Save the webhook JSON as `test-report-payload.json` in your receiver workflow folder.
-2. Register `http.Trigger(&http.Config{})` (empty config) for simulation.
-3. From the **CRE project root**, run `cre workflow simulate` with `--http-payload verify-report-receiver/test-report-payload.json` (path relative to where you invoke `cre`).
-
-### Minimal receiver for simulation
-
-Use an empty HTTP trigger for sim. Set `SkipSignatureVerification: true` in staging config (or pass it to [`ParseReportWithConfig`](/cre/reference/sdk/core-go#creparsereportwithconfig)). The CLI delivers `--http-payload` file contents as `payload.Input` bytes.
-
-`config.staging.json`:
-
-```json
-{
-  "skipSignatureVerification": true
-}
-```
-
-`main.go`:
-
-```go
-//go:build wasip1
-
-package main
-
-import (
-	"encoding/hex"
-	"encoding/json"
-	"log/slog"
-
-	"github.com/smartcontractkit/cre-sdk-go/capabilities/networking/http"
-	"github.com/smartcontractkit/cre-sdk-go/cre"
-	"github.com/smartcontractkit/cre-sdk-go/cre/wasm"
-)
+### Testing with simulation
 
-type Config struct {
-	SkipSignatureVerification bool `json:"skipSignatureVerification"`
-}
+If you ran the [submit guide complete example](/cre/guides/workflow/using-http-client/submitting-reports-http-go#complete-working-example), you already copied JSON from webhook.site. Use that payload here.
 
-type parsedPayload struct {
-	Report     string   `json:"report"`
-	Context    string   `json:"context"`
-	Signatures []string `json:"signatures"`
-}
-
-func InitWorkflow(_ *Config, _ *slog.Logger, _ cre.SecretsProvider) (cre.Workflow[*Config], error) {
-	return cre.Workflow[*Config]{
-		cre.Handler(http.Trigger(&http.Config{}), run),
-	}, nil
-}
-
-func run(cfg *Config, runtime cre.Runtime, payload *http.Payload) (bool, error) {
-	var parsed parsedPayload
-	if err := json.Unmarshal(payload.Input, &parsed); err != nil {
-		return false, err
-	}
-
-	rawReport, err := hex.DecodeString(parsed.Report)
-	if err != nil {
-		return false, err
-	}
-	reportContext, err := hex.DecodeString(parsed.Context)
-	if err != nil {
-		return false, err
-	}
-	sigs := make([][]byte, len(parsed.Signatures))
-	for i, sigHex := range parsed.Signatures {
-		sigs[i], err = hex.DecodeString(sigHex)
-		if err != nil {
-			return false, err
-		}
-	}
-
-	report, err := cre.ParseReportWithConfig(runtime, rawReport, sigs, reportContext, cre.ReportParseConfig{
-		SkipSignatureVerification: cfg.SkipSignatureVerification,
-	})
-	if err != nil {
-		return false, err
-	}
-
-	runtime.Logger().Info("Verified report",
-		"workflowId", report.WorkflowID(),
-		"executionId", report.ExecutionID(),
-		"donId", report.DONID(),
-	)
-
-	_ = report.Body()
-	return true, nil
-}
-
-func main() {
-	wasm.NewRunner(cre.ParseJSON[Config]).Run(InitWorkflow)
-}
-```
-
-### Sim wiring vs full verify
-
-| Mode                   | Config                                                                                                              | What it validates                                                                             |
-| ---------------------- | ------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------- |
-| **Wiring / decode**    | `SkipSignatureVerification: true` in [`ParseReportWithConfig`](/cre/reference/sdk/core-go#creparsereportwithconfig) | JSON + hex decode, metadata accessors, `Body()`                                               |
-| **Full crypto verify** | Default [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) (production registry)                      | Reports from a **deployed/production DON**. Sim-signed reports **fail** default verification. |
-
-```bash
-cre workflow simulate verify-report-receiver \
-  --target staging-settings \
-  --non-interactive \
-  --trigger-index 0 \
-  --http-payload verify-report-receiver/test-report-payload.json
-```
-
-**Pass criteria**
-
-- **Sim wiring:** `SkipSignatureVerification: true` in [`ParseReportWithConfig`](/cre/reference/sdk/core-go#creparsereportwithconfig): logs show metadata and a successful handler return.
-- **Full crypto verify:** default [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) with a **production-signed** report (not typical for sender-sim → receiver-sim alone).
-
-`project.yaml` needs **`ethereum-mainnet` RPC** for default verify (registry reads).
-
-## Complete example: HTTP receiver workflow (deploy)
-
-Once simulation is working, update the trigger config for deployment with `AuthorizedKeys`.
-
-It accepts JSON with hex `report`, `context`, and `signatures` from the submit guide’s [complete working example](/cre/guides/workflow/using-http-client/submitting-reports-http-go#complete-working-example) or [Pattern 4 for offchain verification (hex)](/cre/guides/workflow/using-http-client/submitting-reports-http-go#pattern-4-for-offchain-verification-hex), not base64 [Pattern 4](/cre/guides/workflow/using-http-client/submitting-reports-http-go#pattern-4-json-formatted-report) unless you change decoding.
-
-```go
-//go:build wasip1
-
-package main
-
-import (
-	"encoding/hex"
-	"encoding/json"
-	"log/slog"
-
-	"github.com/smartcontractkit/cre-sdk-go/capabilities/networking/http"
-	"github.com/smartcontractkit/cre-sdk-go/cre"
-	"github.com/smartcontractkit/cre-sdk-go/cre/wasm"
-)
-
-type Config struct {
-	AuthorizedKey string `json:"authorized_key"`
-}
-
-func InitWorkflow(cfg *Config, _ *slog.Logger, _ cre.SecretsProvider) (cre.Workflow[*Config], error) {
-	return cre.Workflow[*Config]{
-		cre.Handler(http.Trigger(&http.Config{AuthorizedKeys: []*http.AuthorizedKey{{PublicKey: cfg.AuthorizedKey}}}), run),
-	}, nil
-}
-
-type ParsedPayload struct {
-	Report  string   `json:"report"`
-	Context string   `json:"context"`
-	Sigs    []string `json:"signatures"`
-}
-
-func (p *ParsedPayload) Decode() (*DecodedReport, error) {
-	report := &DecodedReport{}
-	var err error
-
-	if report.Report, err = hex.DecodeString(p.Report); err != nil {
-		return nil, err
-	}
-	if report.Context, err = hex.DecodeString(p.Context); err != nil {
-		return nil, err
-	}
-
-	report.Sigs = make([][]byte, len(p.Sigs))
-	for i, sigHex := range p.Sigs {
-		report.Sigs[i], err = hex.DecodeString(sigHex)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	return report, nil
-}
-
-type DecodedReport struct {
-	Report  []byte
-	Context []byte
-	Sigs    [][]byte
-}
-
-func run(_ *Config, runtime cre.Runtime, payload *http.Payload) (bool, error) {
-	parsed := &ParsedPayload{}
-	if err := json.Unmarshal(payload.Input, parsed); err != nil {
-		return false, err
-	}
-
-	decoded, err := parsed.Decode()
-	if err != nil {
-		return false, err
-	}
-
-	report, err := cre.ParseReport(runtime, decoded.Report, decoded.Sigs, decoded.Context)
-	if err != nil {
-		return false, err
-	}
-
-	runtime.Logger().Info("Verified report",
-		"workflowId", report.WorkflowID(),
-		"executionId", report.ExecutionID(),
-	)
-
-	// Use report.Body() for your application logic (ABI-encoded payload from the sender workflow)
-	_ = report.Body()
-
-	return true, nil
-}
-
-func main() {
-	wasm.NewRunner(cre.ParseJSON[Config]).Run(InitWorkflow)
-}
-```
+{/* prettier-ignore */}
+<Aside type="note" title="CRE project required">
+  The directory you run `cre` from must contain a `project.yaml`. If you do not have one, run `cre init` from your project folder or follow the [Getting Started guide](/cre/getting-started/overview).
+</Aside>
 
-**What's happening:**
-
-1. An external system POSTs hex-encoded `report`, `context`, and `signatures` to your HTTP trigger.
-2. [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) verifies signatures against the production CRE registry.
-3. On success, you read metadata and `Body()` safely.
+1. Save the webhook JSON as `test-report-payload.json` inside your receiver workflow folder:
+
+   ```
+   verify-report-receiver/test-report-payload.json
+   ```
+
+1. Create a `verify-report-receiver/` folder in your CRE project with the following files.
+
+   `config.staging.json` — enables wiring tests without mainnet signer validation:
+
+   ```json
+   {
+     "skipSignatureVerification": true
+   }
+   ```
+
+   `main.go` — uses an empty HTTP trigger (add `AuthorizedKeys` before deploying):
+
+   ```go
+   // verify-report-receiver/main.go
+   //go:build wasip1
+
+   package main
+
+   import (
+   	"encoding/hex"
+   	"encoding/json"
+   	"log/slog"
+
+   	"github.com/smartcontractkit/cre-sdk-go/capabilities/networking/http"
+   	"github.com/smartcontractkit/cre-sdk-go/cre"
+   	"github.com/smartcontractkit/cre-sdk-go/cre/wasm"
+   )
+
+   type Config struct {
+   	SkipSignatureVerification bool `json:"skipSignatureVerification"`
+   }
+
+   type parsedPayload struct {
+   	Report     string   `json:"report"`
+   	Context    string   `json:"context"`
+   	Signatures []string `json:"signatures"`
+   }
+
+   func InitWorkflow(_ *Config, _ *slog.Logger, _ cre.SecretsProvider) (cre.Workflow[*Config], error) {
+   	return cre.Workflow[*Config]{
+   		cre.Handler(http.Trigger(&http.Config{}), run),
+   	}, nil
+   }
+
+   func run(cfg *Config, runtime cre.Runtime, payload *http.Payload) (bool, error) {
+   	var parsed parsedPayload
+   	if err := json.Unmarshal(payload.Input, &parsed); err != nil {
+   		return false, err
+   	}
+
+   	rawReport, err := hex.DecodeString(parsed.Report)
+   	if err != nil {
+   		return false, err
+   	}
+   	reportContext, err := hex.DecodeString(parsed.Context)
+   	if err != nil {
+   		return false, err
+   	}
+   	sigs := make([][]byte, len(parsed.Signatures))
+   	for i, sigHex := range parsed.Signatures {
+   		sigs[i], err = hex.DecodeString(sigHex)
+   		if err != nil {
+   			return false, err
+   		}
+   	}
+
+   	report, err := cre.ParseReportWithConfig(runtime, rawReport, sigs, reportContext, cre.ReportParseConfig{
+   		SkipSignatureVerification: cfg.SkipSignatureVerification,
+   	})
+   	if err != nil {
+   		return false, err
+   	}
+
+   	runtime.Logger().Info("Verified report",
+   		"workflowId", report.WorkflowID(),
+   		"executionId", report.ExecutionID(),
+   		"donId", report.DONID(),
+   	)
+
+   	_ = report.Body()
+   	return true, nil
+   }
+
+   func main() {
+   	wasm.NewRunner(cre.ParseJSON[Config]).Run(InitWorkflow)
+   }
+   ```
+
+1. From the CRE project root, run the simulation:
+
+   ```bash
+   cre workflow simulate verify-report-receiver \
+     --target staging-settings \
+     --non-interactive \
+     --trigger-index 0 \
+     --http-payload verify-report-receiver/test-report-payload.json
+   ```
+
+1. Check the output.
+
+   A successful wiring run logs the decoded report metadata and returns successfully:
+
+   ```
+   [USER LOG] msg="Verified report" workflowId=... executionId=... donId=1
+   ✓ Workflow Simulation Result: true
+   ```
+
+   This confirms JSON decoding, hex parsing, and [`cre.ParseReportWithConfig`](/cre/reference/sdk/core-go#creparsereportwithconfig) are wired correctly. Signatures are not verified against the mainnet registry in this mode — that requires a production-signed report from a deployed sender.
+
+### Deploying to production
+
+The `run` handler you simulated is the same code you deploy. For production, make two configuration changes:
+
+1. **Remove `skipSignatureVerification`** from your target config (or omit it; the default is `false`). Reports from a deployed sender must pass real signature verification.
+2. **Add `AuthorizedKeys`** to your HTTP trigger — required for deployed workflows, not just simulation. See [HTTP Trigger configuration](/cre/guides/workflow/using-triggers/http-trigger/configuration-go).
 
 {/* prettier-ignore */}
 <Aside type="caution" title="Hex encoding">
@@ -429,7 +476,7 @@ func main() {
 
 ## Report payload format
 
-When a sender POSTs a [CRE report](/cre/key-terms#report-cre-report) as JSON for offchain verification, receivers need three fields. The JSON key is `context` even though the SDK field is `ReportContext`:
+When a sender POSTs a [CRE report](/cre/key-terms#report-cre-report) as JSON for offchain verification, receivers need three fields. The JSON key is `context` even though the SDK field is `ReportContext`. See [Payload contract](/cre/guides/workflow/using-http-client/submitting-reports-http-go#payload-contract-if-you-verify-offchain) in the submit guide for how the sender produces these fields.
 
 | JSON field   | SDK field       | Description                                                     |
 | ------------ | --------------- | --------------------------------------------------------------- |
@@ -437,26 +484,13 @@ When a sender POSTs a [CRE report](/cre/key-terms#report-cre-report) as JSON for
 | `context`    | `ReportContext` | Hex-encoded config digest + sequence number                     |
 | `signatures` | `Sigs`          | Array of hex-encoded 65-byte ECDSA signatures, no `0x`          |
 
-The `reportContext` layout used by the SDK:
-
-- Bytes 0–31: config digest
-- Bytes 32–39: sequence number (big-endian `uint64`)
-
 ## API reference
 
-See [SDK Reference: Core: Report verification](/cre/reference/sdk/core-go#report-verification) for full signatures, types, and errors.
-
-### `cre.ParseReport()`
-
-```go
-func ParseReport(runtime Runtime, rawReport []byte, signatures [][]byte, reportContext []byte) (*Report, error)
-```
-
-Parses and verifies a report against the production CRE environment. Use [`ParseReportWithConfig`](/cre/reference/sdk/core-go#creparsereportwithconfig) for custom environments or zones.
+For full signatures, types, and `ReportParseConfig` options (including deferred verification), see [SDK Reference: Core: Report verification](/cre/reference/sdk/core-go#report-verification).
 
 ### `*cre.Report` accessors
 
-After a successful parse:
+After a successful [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport):
 
 | Method            | Description                               |
 | ----------------- | ----------------------------------------- |
@@ -470,46 +504,6 @@ After a successful parse:
 | `SeqNr()`         | Sequence number from report context       |
 | `ConfigDigest()`  | Config digest from report context         |
 
-### `cre.ReportParseConfig`
-
-```go
-config := cre.ReportParseConfig{
-    AcceptedZones: []cre.Zone{
-        cre.ZoneFromEnvironment(cre.ProductionEnvironment(), 1),
-    },
-    AcceptedEnvironments: []cre.Environment{cre.ProductionEnvironment()},
-    SkipSignatureVerification: false,
-}
-report, err := cre.ParseReportWithConfig(runtime, rawReport, sigs, reportContext, config)
-```
-
-| Field                       | Description                                                                                                |
-| --------------------------- | ---------------------------------------------------------------------------------------------------------- |
-| `AcceptedEnvironments`      | Registry environments to check (defaults to production)                                                    |
-| `AcceptedZones`             | Restrict to specific DON IDs within an environment                                                         |
-| `SkipSignatureVerification` | Parse header only; call `report.VerifySignatures()` or `VerifySignaturesWithConfig()` afterward when ready |
-
-### Deferred verification
-
-This is a **different pattern** from the simulation testing use of `SkipSignatureVerification`. In testing, you skip verification permanently. Here, you parse the header first to inspect metadata (such as `WorkflowID()` or `DONID()` for filtering), then call `VerifySignatures` in a separate step — useful when you want to gate registry reads on workflow identity checks.
-
-If you set `SkipSignatureVerification: true` in [`ParseReportWithConfig`](/cre/reference/sdk/core-go#creparsereportwithconfig), parse the header first, then verify:
-
-```go
-report, err := cre.ParseReportWithConfig(runtime, rawReport, sigs, reportContext, cre.ReportParseConfig{
-    SkipSignatureVerification: true,
-})
-if err != nil {
-    return false, err
-}
-
-// Optional: inspect report.WorkflowID(), report.DONID(), etc. before registry reads
-
-if err := report.VerifySignatures(runtime); err != nil {
-    return false, err
-}
-```
-
 ## Best practices
 
 1. **Verify before side effects**: Call [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) before writing to databases, chains, or external systems.
@@ -541,9 +535,9 @@ if err := report.VerifySignatures(runtime); err != nil {
 
 - At least **f+1** valid signatures are required.
 
-**`could not read from chain ...`**
+**`could not read from chain ...`** _(CRE receiver workflow only)_
 
-- Registry read failed (RPC/network). Configure **`ethereum-mainnet` RPC** in `project.yaml` (required for default verify, including sim).
+- Registry read failed (RPC/network). Configure an **`ethereum-mainnet` RPC** in `project.yaml` — required for default [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport), including during sim.
 
 **`ErrRawReportTooShort`**
 
diff --git a/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts.mdx b/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts.mdx
index 68bf1ce1f33..a024f5cc3d8 100644
--- a/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts.mdx
+++ b/src/content/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts.mdx
@@ -12,16 +12,16 @@ metadata:
 
 import { Aside } from "@components"
 
-This guide is for the **receiver** side: you already received a CRE report package (usually via HTTP) and need to **prove it is authentic** before using the payload.
+This guide is for the **receiver** side: you already received a CRE report package — typically via HTTP from a [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts) sender workflow — and need to **prove it is authentic** before using the payload.
 
 When a workflow delivers results via HTTP (or another offchain channel), nothing onchain automatically validates the report. **You must verify signatures before trusting the data.**
 
 There are two ways to verify, depending on who receives the POST:
 
-| My receiver is...                                            | Use                                                                                                                                                                                                                    |
-| ------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| **My own API or server** (Express, FastAPI, Go server, etc.) | [Verifying outside CRE](#verifying-outside-cre) — standard crypto libraries, no CRE SDK needed                                                                                                                         |
-| **A CRE workflow** with an HTTP trigger                      | [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) — see [Testing locally with simulation](#testing-locally-with-simulation) and the [deploy example](#complete-example-http-receiver-workflow-deploy) |
+| My receiver is...                                            | Use                                                                                                                      |
+| ------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------ |
+| **My own API or server** (Express, FastAPI, Go server, etc.) | [Verifying outside CRE](#verifying-outside-cre) — standard crypto libraries, no CRE SDK needed                           |
+| **A CRE workflow** with an HTTP trigger                      | [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) — see [CRE receiver workflow](#cre-receiver-workflow) |
 
 Both paths run the same cryptographic checks against the same onchain Capability Registry. The difference is whether you use the CRE SDK's helper (which requires `runtime`) or implement it yourself with standard libraries.
 
@@ -48,8 +48,8 @@ See [Key Terms: Report](/cre/key-terms#report-cre-report) for how reports are cr
 
 ## Prerequisites
 
-- **SDK**: `@chainlink/cre-sdk` v1.8.0 or later (report verification support)
-- Familiarity with [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts) (report structure and JSON payload patterns)
+- **A report payload to verify** — three hex fields: `report`, `context`, `signatures`. If you don't have one yet, follow [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts) to create a sender workflow and capture its output first.
+- **SDK**: `@chainlink/cre-sdk` v1.8.0 or later (for the CRE receiver workflow path)
 - For HTTP-triggered receivers: [HTTP Trigger configuration](/cre/guides/workflow/using-triggers/http-trigger/configuration-ts)
 
 ## Onchain vs offchain verification
@@ -70,6 +70,8 @@ Default (`productionEnvironment()`):
 
 ## How verification works
 
+At its core, verification answers one question: did enough authorized nodes from the right DON sign this exact report? To answer it, the receiver decodes the report's metadata header to find which DON produced it, asks the onchain Capability Registry for that DON's authorized signers and quorum threshold (`f`), then checks that at least `f+1` of the provided signatures come from those addresses. Both paths in this guide — the outside-CRE script and the CRE receiver workflow — run this same sequence:
+
 1. **Parse the report header** from `rawReport` (109-byte metadata + body).
 2. **Fetch DON info** from the registry (if not cached): fault tolerance `f` and signer addresses.
 3. **Verify signatures**: compute `keccak256(keccak256(rawReport) || reportContext)`, recover signers, require **f+1** valid signatures from authorized nodes.
@@ -79,291 +81,353 @@ If verification fails, [`Report.parse()`](/cre/reference/sdk/core-ts#report-veri
 
 ## Verifying outside CRE
 
-[`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) requires the CRE `runtime` object, so it can only run inside a CRE workflow callback. If your API server receives reports directly, you can implement the same verification steps with standard libraries — no CRE SDK required.
-
-**What you need:**
-
-- An Ethereum Mainnet RPC endpoint (for Capability Registry reads)
-- `viem` for the cryptographic primitives (`keccak256`, `recoverAddress`)
-
-**Verification steps:**
-
-1. Decode the hex JSON fields into bytes.
-2. Parse the **109-byte metadata header** from `rawReport` to extract `donId`, `workflowId`, `workflowOwner`, and `body`.
-3. Compute the message hash: `keccak256(keccak256(rawReport) || reportContext)`.
-4. Fetch the DON's fault tolerance `f` and authorized signer addresses from the **Capability Registry** on Ethereum Mainnet (`0x76c9cf548b4179F8901cda1f8623568b58215E62`): call `getDON(donId)` then `getNodesByP2PIds(p2pIds)`.
-5. For each signature (65 bytes), `ecrecover` the signing address. Require at least **f+1** addresses from the authorized signer set.
-
-The following sketch shows the crypto steps. The Capability Registry call (step 4) follows the same `getDON` → `getNodesByP2PIds` ABI logic used in the CRE SDK; see [`report.ts` in cre-sdk-typescript](https://github.com/smartcontractkit/cre-sdk-typescript) for the exact ABI encoding and decoding.
-
-```typescript
-import { keccak256, concatHex, toHex, recoverAddress } from "viem"
-
-const REPORT_HEADER_LENGTH = 109
-
-/** Parse key fields from the 109-byte rawReport metadata header. */
-function parseHeader(rawReport: Uint8Array) {
-  if (rawReport.length < REPORT_HEADER_LENGTH) {
-    throw new Error(`rawReport too short: need ${REPORT_HEADER_LENGTH} bytes, got ${rawReport.length}`)
-  }
-  const view = new DataView(rawReport.buffer, rawReport.byteOffset)
-  return {
-    donId: view.getUint32(37, false), // bytes 37–40
-    workflowId: toHex(rawReport.slice(45, 77)), // bytes 45–76
-    workflowOwner: toHex(rawReport.slice(87, 107)), // bytes 87–106
-    body: rawReport.slice(REPORT_HEADER_LENGTH), // bytes 109+
-  }
-}
-
-/** keccak256(keccak256(rawReport) || reportContext) */
-function reportHash(rawReport: Uint8Array, reportContext: Uint8Array): `0x${string}` {
-  return keccak256(concatHex([keccak256(toHex(rawReport)), toHex(reportContext)]))
-}
-
-/**
- * Fetch fault tolerance f and authorized signer addresses from the Capability Registry.
- * Calls getDON(donId) → getNodesByP2PIds(p2pIds) on Ethereum Mainnet.
- * Use viem's createPublicClient + readContract, or any Ethereum JSON-RPC client.
- * See report.ts in cre-sdk-typescript for the exact ABI encoding/decoding.
- */
-async function fetchSigners(donId: number): Promise<{ f: number; signers: Set<string> }> {
-  // TODO: implement using your Ethereum Mainnet RPC
-  // Registry: 0x76c9cf548b4179F8901cda1f8623568b58215E62
-  throw new Error("implement: call getDON(donId) then getNodesByP2PIds(p2pIds)")
-}
-
-/** Verify that ≥ f+1 signatures are from authorized DON signers. */
-async function verifyReport(rawReport: Uint8Array, signatures: Uint8Array[], reportContext: Uint8Array): Promise<void> {
-  const { donId } = parseHeader(rawReport)
-  const { f, signers } = await fetchSigners(donId)
-  const hash = reportHash(rawReport, reportContext)
-  const required = f + 1
-  let valid = 0
-
-  for (const sig of signatures) {
-    if (sig.length !== 65) continue
-    const normalized = new Uint8Array(sig)
-    if (normalized[64] >= 27) normalized[64] -= 27 // normalize recovery byte
-    try {
-      const recovered = await recoverAddress({ hash, signature: toHex(normalized) })
-      if (signers.has(recovered.toLowerCase().slice(2))) valid++
-    } catch {
-      /* malformed signature — skip */
-    }
-    if (valid >= required) return
-  }
-  throw new Error(`insufficient valid signatures: ${valid}/${required}`)
-}
-
-// Usage — given hex fields from your API POST body:
-const rawReport = hexToBytes(`0x${payload.report}`)
-const reportContext = hexToBytes(`0x${payload.context}`)
-const signatures = payload.signatures.map((s: string) => hexToBytes(`0x${s}`))
-
-await verifyReport(rawReport, signatures, reportContext)
-// If it doesn't throw, the report is authentic.
-// Read the payload: parseHeader(rawReport).body
-```
+[`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) requires the CRE `runtime` object and can only run inside a CRE workflow callback. If your API server receives reports directly, you can verify without the CRE SDK using standard libraries.
+
+If you followed the [submit guide](/cre/guides/workflow/using-http-client/submitting-reports-http-ts), you already have a JSON payload with `report`, `context`, and `signatures` as hex strings — this section shows how to verify it.
+
+1. Create a new folder for your verification script and install `viem`:
+
+   ```bash
+   mkdir verify-report && cd verify-report
+   npm init -y
+   npm install viem
+   ```
+
+1. Save the following as `verify.ts`.
+
+   Parses the 109-byte report header to identify the DON, reads the authorized signer list and fault tolerance `f` from the Capability Registry on Ethereum Mainnet, then ecrecovers each signature and requires at least `f+1` to match. The ABI layout mirrors [`report.ts` in cre-sdk-typescript](https://github.com/smartcontractkit/cre-sdk-typescript).
+
+   ```typescript
+   // verify-report/verify.ts
+   import { keccak256, concatHex, toHex, recoverAddress, hexToBytes, createPublicClient, http } from "viem"
+   import { mainnet } from "viem/chains"
+
+   const REPORT_HEADER_LENGTH = 109
+   const CAPABILITY_REGISTRY = "0x76c9cf548b4179F8901cda1f8623568b58215E62" as const
+
+   /** Parse key fields from the 109-byte rawReport metadata header. */
+   function parseHeader(rawReport: Uint8Array) {
+     if (rawReport.length < REPORT_HEADER_LENGTH) {
+       throw new Error(`rawReport too short: need ${REPORT_HEADER_LENGTH} bytes, got ${rawReport.length}`)
+     }
+     const view = new DataView(rawReport.buffer, rawReport.byteOffset)
+     return {
+       donId: view.getUint32(37, false), // bytes 37–40
+       workflowId: toHex(rawReport.slice(45, 77)), // bytes 45–76
+       workflowOwner: toHex(rawReport.slice(87, 107)), // bytes 87–106
+       body: rawReport.slice(REPORT_HEADER_LENGTH), // bytes 109+
+     }
+   }
+
+   /** keccak256(keccak256(rawReport) || reportContext) */
+   function reportHash(rawReport: Uint8Array, reportContext: Uint8Array): `0x${string}` {
+     return keccak256(concatHex([keccak256(toHex(rawReport)), toHex(reportContext)]))
+   }
+
+   /** Read the last 4 bytes of a 32-byte uint256 ABI slot as a JS number. */
+   function readSlot(bytes: Uint8Array, offset: number): number {
+     return new DataView(bytes.buffer, bytes.byteOffset + offset + 28, 4).getUint32(0, false)
+   }
+
+   // In-process cache: registry data only changes during DON reconfiguration.
+   const signerCache = new Map<number, { f: number; signers: Set<string> }>()
+
+   type PublicClient = ReturnType<typeof createPublicClient>
+
+   /**
+    * Fetch fault tolerance f and authorized signer addresses from the Capability Registry.
+    * Makes two eth_call reads: getDON(donId) then getNodesByP2PIds(nodeP2PIds).
+    * Result is cached by DON ID.
+    */
+   async function fetchSigners(client: PublicClient, donId: number): Promise<{ f: number; signers: Set<string> }> {
+     const cached = signerCache.get(donId)
+     if (cached) return cached
+
+     // Step 1: getDON(uint32 donId) — selector keccak256("getDON(uint32)")[0:4] = 0x23537405
+     const donIdPadded = new Uint8Array(32)
+     new DataView(donIdPadded.buffer).setUint32(28, donId, false)
+     const getDONCalldata = concatHex(["0x23537405", toHex(donIdPadded)])
+
+     const getDONResult = await client.call({ to: CAPABILITY_REGISTRY, data: getDONCalldata })
+     if (!getDONResult.data) throw new Error("getDON returned empty response")
+     const getDONBytes = hexToBytes(getDONResult.data)
+     if (getDONBytes.length < 224) throw new Error(`getDON response too short: ${getDONBytes.length} bytes`)
+
+     // Response layout (see report.ts in cre-sdk-typescript for full ABI documentation):
+     //   slot 3 (bytes  96-127): f               (uint8, zero-padded to 32)
+     //   slot 6 (bytes 192-223): ptr[nodeP2PIds] relative to tupleStart = 32
+     const f = readSlot(getDONBytes, 96)
+     const nodeP2PIdsPtr = readSlot(getDONBytes, 192)
+     const nodeCountOff = 32 + nodeP2PIdsPtr
+     const nodeCount = readSlot(getDONBytes, nodeCountOff)
+
+     const nodeP2PIds: `0x${string}`[] = []
+     for (let i = 0; i < nodeCount; i++) {
+       const start = nodeCountOff + 32 + i * 32
+       nodeP2PIds.push(toHex(getDONBytes.slice(start, start + 32)))
+     }
+
+     if (nodeCount === 0) {
+       const result = { f, signers: new Set<string>() }
+       signerCache.set(donId, result)
+       return result
+     }
+
+     // Step 2: getNodesByP2PIds(bytes32[]) — selector 0x05a51966
+     // ABI-encode bytes32[]: [ptr=32][count][id0]...[idN]
+     const ptrBytes = new Uint8Array(32)
+     new DataView(ptrBytes.buffer).setUint32(28, 32, false)
+     const countBytes = new Uint8Array(32)
+     new DataView(countBytes.buffer).setUint32(28, nodeCount, false)
+     const getNodesCalldata = concatHex(["0x05a51966", toHex(ptrBytes), toHex(countBytes), ...nodeP2PIds])
+
+     const getNodesResult = await client.call({ to: CAPABILITY_REGISTRY, data: getNodesCalldata })
+     if (!getNodesResult.data) throw new Error("getNodesByP2PIds returned empty response")
+     const getNodesBytes = hexToBytes(getNodesResult.data)
+     if (getNodesBytes.length < 64)
+       throw new Error(`getNodesByP2PIds response too short: ${getNodesBytes.length} bytes`)
+
+     // Response layout: [outerPtr][count][elem0-ptr][elem1-ptr]...[tuple0][tuple1]...
+     // Each NodeInfo tuple (9 slots × 32 bytes): slot 3 = signer bytes32, first 20 bytes = address
+     const outerPtr = readSlot(getNodesBytes, 0)
+     const returnedCount = readSlot(getNodesBytes, outerPtr)
+     const NODE_TUPLE_HEAD = 288 // 9 slots × 32 bytes
+
+     const signers = new Set<string>()
+     for (let i = 0; i < returnedCount; i++) {
+       const elemPtr = readSlot(getNodesBytes, outerPtr + 32 + i * 32)
+       const tupleBase = outerPtr + 32 + elemPtr
+       if (tupleBase + NODE_TUPLE_HEAD > getNodesBytes.length) break
+       const addrBytes = getNodesBytes.slice(tupleBase + 3 * 32, tupleBase + 3 * 32 + 20)
+       signers.add(toHex(addrBytes).slice(2).toLowerCase()) // 40-char hex, no 0x prefix
+     }
+
+     const result = { f, signers }
+     signerCache.set(donId, result)
+     return result
+   }
+
+   /** Verify that ≥ f+1 signatures are from authorized DON signers. */
+   async function verifyReport(
+     rawReport: Uint8Array,
+     signatures: Uint8Array[],
+     reportContext: Uint8Array,
+     client: PublicClient
+   ): Promise<void> {
+     const { donId } = parseHeader(rawReport)
+     const { f, signers } = await fetchSigners(client, donId)
+     const hash = reportHash(rawReport, reportContext)
+     const required = f + 1
+     let valid = 0
+
+     for (const sig of signatures) {
+       if (sig.length !== 65) continue
+       const normalized = new Uint8Array(sig)
+       if (normalized[64] >= 27) normalized[64] -= 27 // normalize recovery byte
+       try {
+         const recovered = await recoverAddress({ hash, signature: toHex(normalized) })
+         if (signers.has(recovered.toLowerCase().slice(2))) valid++
+       } catch {
+         /* malformed signature — skip */
+       }
+       if (valid >= required) return
+     }
+     throw new Error(`insufficient valid signatures: ${valid}/${required}`)
+   }
+
+   // Usage — create the client once for your server, reuse it across requests:
+   const client = createPublicClient({
+     chain: mainnet,
+     transport: http(process.env.ETH_MAINNET_RPC_URL!),
+   })
+
+   // For each incoming report POST:
+   const rawReport = hexToBytes(`0x${payload.report}`)
+   const reportContext = hexToBytes(`0x${payload.context}`)
+   const signatures = payload.signatures.map((s: string) => hexToBytes(`0x${s}`))
+
+   await verifyReport(rawReport, signatures, reportContext, client)
+   // If it doesn't throw, the report is authentic.
+   // Read the payload: parseHeader(rawReport).body
+   ```
+
+1. Set your RPC URL and run the script:
+
+   ```bash
+   export ETH_MAINNET_RPC_URL=https://your-mainnet-rpc-endpoint
+   npx tsx verify.ts
+   ```
+
+1. Check the output.
+
+   With a **sim-signed report** (from the submit guide sender simulation):
+
+   ```
+   Error: insufficient valid signatures: 0/4
+   ```
+
+   This error is the expected output for this example. The registry call succeeded and returned the real mainnet signer list (`f=3, signers=10` for this DON), but the simulation generated its signatures with local test keys that don't appear on that list. The verification logic ran correctly and rejected the unrecognized signatures. When you switch to a production-signed report from a deployed sender, `verifyReport` will return without throwing.
+
+   With a **production-signed report** from a deployed sender, `verifyReport` returns without throwing. Read the payload:
+
+   ```typescript
+   const { body, workflowId, workflowOwner } = parseHeader(rawReport)
+   // body is the ABI-encoded payload the sender embedded
+   ```
 
 {/* prettier-ignore */}
 <Aside type="caution" title="Cache registry results">
-  The Capability Registry read for a DON ID is expensive (two onchain calls). Cache the result by DON ID in your server — it changes only when DON configuration changes. The CRE SDK does this automatically; in your own code you are responsible for invalidating the cache if you observe unexpected signer changes.
+  `fetchSigners` caches by DON ID in memory for the lifetime of the process. Registry data only changes during DON reconfiguration. If you see unexpected `invalid signature` errors after a DON upgrade, clear the cache and retry.
 </Aside>
 
 ## CRE receiver workflow
 
-Use this path if you want the receiver itself to be a CRE workflow (with an HTTP trigger). The CRE SDK's [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) handles registry reads and caching automatically.
+Use this path if you want the receiver itself to be a CRE workflow with an HTTP trigger. [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) handles Capability Registry reads and caching automatically.
+
+{/* prettier-ignore */}
+<Aside type="caution" title="Educational Example Disclaimer">
+  This page includes an educational example to use a Chainlink system, product, or service and is provided to
+  demonstrate how to interact with Chainlink's systems, products, and services to integrate them into your own. This
+  template is provided "AS IS" and "AS AVAILABLE" without warranties of any kind, it has not been audited, and it may be
+  missing key checks or error handling to make the usage of the system, product or service more clear. Do not use the
+  code in this example in a production environment without completing your own audits and application of best practices.
+  Neither Chainlink Labs, the Chainlink Foundation, nor Chainlink node operators are responsible for unintended outputs
+  that are generated due to errors in code.
+</Aside>
 
 {/* prettier-ignore */}
 <Aside type="note" title="Using the private registry?">
   This guide uses the **Capability Registry** (DON signers), not the **workflow registry** where you deploy. [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) works the same way regardless of which registry you deployed with. For HTTP-triggered receivers, use the [enterprise gateway URL](/cre/guides/operations/deploying-to-private-registry-ts#http-triggers-with-the-private-registry). Local simulation may need an `ethereum-mainnet` RPC in `project.yaml` for registry reads.
 </Aside>
 
+### Testing with simulation
+
+If you ran the [submit guide complete example](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#complete-working-example), you already copied JSON from webhook.site. Use that payload here.
+
 {/* prettier-ignore */}
-<Aside type="note" title="Onchain verification is different">
-  When you submit reports onchain through the `KeystoneForwarder`, the forwarder contract verifies signatures before calling `onReport`. See [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain).
+<Aside type="note" title="CRE project required">
+  The directory you run `cre` from must contain a `project.yaml`. If you do not have one, run `cre init` from your project folder or follow the [Getting Started guide](/cre/getting-started/overview).
 </Aside>
 
-### Testing locally with simulation
-
-After you run the [submit guide complete example](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#complete-working-example) and copy JSON from webhook.site, use this section to exercise a receiver workflow in simulation.
-
-1. Save the webhook JSON as `test-report-payload.json` in your receiver workflow folder.
-2. Use the minimal receiver below with an **empty HTTP trigger config** (no `authorizedKeys` until deploy).
-3. From the **CRE project root**, run `cre workflow simulate` with `--http-payload verify-report-receiver/test-report-payload.json` (path relative to where you invoke `cre`).
-
-### Sim wiring vs full verify
-
-| Mode                   | Config                                                                                           | What it validates                                                                                                                                                                                                                        |
-| ---------------------- | ------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| **Wiring / decode**    | `skipSignatureVerification: true` in staging config                                              | JSON + hex decode, `workflowId()`, `executionId()`, `donId()`, `body()`                                                                                                                                                                  |
-| **Full crypto verify** | Default [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) (production registry) | Reports from a **deployed/production DON**. Sim-signed reports **fail** default verification: simulation uses local DON keys; [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) checks the mainnet Capability Registry. |
-
-### Minimal receiver for simulation
-
-Use an **empty HTTP trigger config** for sim (add `authorizedKeys` before deploy). Call [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) from your handler with the `runtime` parameter. The CLI delivers `--http-payload` file contents as `payload.input` bytes.
-
-`config.staging.json`:
-
-```json
-{
-  "skipSignatureVerification": true
-}
-```
-
-`main.ts`:
-
-```typescript
-import {
-  decodeJson,
-  handler,
-  hexToBytes,
-  HTTPCapability,
-  Report,
-  Runner,
-  type HTTPPayload,
-  type Runtime,
-} from "@chainlink/cre-sdk"
-
-interface Config {
-  skipSignatureVerification?: boolean
-}
-
-type ParsedPayload = {
-  report: string
-  context: string
-  signatures: string[]
-}
-
-/** Hex without 0x prefix in JSON → bytes (add 0x before decode). */
-const fromHexNoPrefix = (hex: string): Uint8Array => hexToBytes(`0x${hex}`)
-
-/** AggregateError from Report.parse often has an empty .message in sim output. */
-const formatError = (err: unknown): string => {
-  if (err instanceof AggregateError) {
-    const parts = err.errors.map((e) => (e instanceof Error ? e.message : String(e)))
-    return parts.join("; ") || "report verification failed"
-  }
-  if (err instanceof Error) return err.message
-  return String(err)
-}
-
-export async function run(runtime: Runtime<Config>, payload: HTTPPayload): Promise<{ verified: boolean }> {
-  try {
-    const parsed = decodeJson(payload.input) as ParsedPayload
-
-    const rawReport = fromHexNoPrefix(parsed.report)
-    const reportContext = fromHexNoPrefix(parsed.context)
-    const sigs = parsed.signatures.map((s) => fromHexNoPrefix(s))
-
-    runtime.log(`Parsing report (${rawReport.length} bytes, ${sigs.length} signatures)`)
-
-    const report = await Report.parse(runtime, rawReport, sigs, reportContext, {
-      skipSignatureVerification: runtime.config.skipSignatureVerification ?? false,
-    })
-
-    runtime.log(
-      `Verified report workflowId=${report.workflowId()} executionId=${report.executionId()} donId=${report.donId()}`
-    )
-    report.body()
-    return { verified: true }
-  } catch (err) {
-    const msg = formatError(err)
-    runtime.log(`Report verification failed: ${msg}`)
-    throw new Error(msg)
-  }
-}
-
-export const initWorkflow = () => {
-  const http = new HTTPCapability()
-  return [handler(http.trigger({}), run)]
-}
-
-export async function main() {
-  const runner = await Runner.newRunner<Config>()
-  await runner.run(initWorkflow)
-}
-```
-
-Save webhook JSON as `verify-report-receiver/test-report-payload.json`. From the **CRE project root**:
-
-```bash
-cre workflow simulate verify-report-receiver \
-  --target staging-settings \
-  --non-interactive \
-  --trigger-index 0 \
-  --http-payload verify-report-receiver/test-report-payload.json
-```
-
-**Pass criteria**
-
-- **Sim wiring:** `skipSignatureVerification: true`: logs show metadata and `{ verified: true }`.
-- **Full crypto verify:** default config with a **production-signed** report (not typical for sender-sim → receiver-sim alone).
-
-## Complete example: HTTP receiver workflow (deploy)
-
-Once simulation is working, update the trigger config for deployment with `authorizedKeys`.
-
-It accepts JSON with hex `report`, `context`, and `signatures` (from the submit guide’s [complete working example](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#complete-working-example) or [Pattern 4 for offchain verification (hex)](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#pattern-4-for-offchain-verification-hex)), not base64 [Pattern 4](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#pattern-4-json-formatted-report) unless you change decoding.
-
-```typescript
-import {
-  HTTPCapability,
-  handler,
-  Report,
-  type HTTPPayload,
-  type Runtime,
-  type SecretsProvider,
-} from "@chainlink/cre-sdk"
-import { hexToBytes } from "viem"
-import { z } from "zod"
-
-export const configSchema = z
-  .object({
-    authorized_key: z.string(),
-  })
-  .transform((data) => ({
-    authorizedKey: data.authorized_key,
-  }))
-
-export type Config = z.infer<typeof configSchema>
-
-type ParsedPayload = {
-  report: string
-  context: string
-  signatures: string[]
-}
-
-export async function run(runtime: Runtime<Config>, payload: HTTPPayload): Promise<boolean> {
-  const parsed: ParsedPayload = JSON.parse(new TextDecoder().decode(payload.input))
-
-  const rawReport = hexToBytes(`0x${parsed.report}`)
-  const reportContext = hexToBytes(`0x${parsed.context}`)
-  const sigs = parsed.signatures.map((s) => hexToBytes(`0x${s}`))
-
-  const report = await Report.parse(runtime, rawReport, sigs, reportContext)
-
-  runtime.log(`Verified report from workflow ${report.workflowId()}, execution ${report.executionId()}`)
-
-  // Use report.body() for your application logic (ABI-encoded payload from the sender workflow)
-  report.body()
-
-  return true
-}
-
-export const initWorkflow = (config: Config, _secretsProvider: SecretsProvider) => {
-  const http = new HTTPCapability()
-  return [
-    handler(http.trigger({ authorizedKeys: [{ type: "KEY_TYPE_ECDSA_EVM", publicKey: config.authorizedKey }] }), run),
-  ]
-}
-```
-
-**What's happening:**
-
-1. An external system POSTs hex-encoded `report`, `context`, and `signatures` to your HTTP trigger.
-2. [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) verifies signatures against the production CRE registry.
-3. On success, you read metadata and `body()` safely.
+1. Save the webhook JSON as `test-report-payload.json` inside your receiver workflow folder:
+
+   ```
+   verify-report-receiver/test-report-payload.json
+   ```
+
+1. Create a `verify-report-receiver/` folder in your CRE project with the following files.
+
+   `config.staging.json` — enables wiring tests without mainnet signer validation:
+
+   ```json
+   {
+     "skipSignatureVerification": true
+   }
+   ```
+
+   `main.ts` — uses an empty HTTP trigger (add `authorizedKeys` before deploying):
+
+   ```typescript
+   // verify-report-receiver/main.ts
+   import {
+     decodeJson,
+     handler,
+     hexToBytes,
+     HTTPCapability,
+     Report,
+     Runner,
+     type HTTPPayload,
+     type Runtime,
+   } from "@chainlink/cre-sdk"
+
+   interface Config {
+     skipSignatureVerification?: boolean
+   }
+
+   type ParsedPayload = {
+     report: string
+     context: string
+     signatures: string[]
+   }
+
+   /** Hex without 0x prefix in JSON → bytes (add 0x before decode). */
+   const fromHexNoPrefix = (hex: string): Uint8Array => hexToBytes(`0x${hex}`)
+
+   /** AggregateError from Report.parse often has an empty .message in sim output. */
+   const formatError = (err: unknown): string => {
+     if (err instanceof AggregateError) {
+       const parts = err.errors.map((e) => (e instanceof Error ? e.message : String(e)))
+       return parts.join("; ") || "report verification failed"
+     }
+     if (err instanceof Error) return err.message
+     return String(err)
+   }
+
+   const run = async (runtime: Runtime<Config>, payload: HTTPPayload): Promise<{ verified: boolean }> => {
+     try {
+       const parsed = decodeJson(payload.input) as ParsedPayload
+
+       const rawReport = fromHexNoPrefix(parsed.report)
+       const reportContext = fromHexNoPrefix(parsed.context)
+       const sigs = parsed.signatures.map((s) => fromHexNoPrefix(s))
+
+       runtime.log(`Parsing report (${rawReport.length} bytes, ${sigs.length} signatures)`)
+
+       const report = await Report.parse(runtime, rawReport, sigs, reportContext, {
+         skipSignatureVerification: runtime.config.skipSignatureVerification ?? false,
+       })
+
+       runtime.log(
+         `Verified report workflowId=${report.workflowId()} executionId=${report.executionId()} donId=${report.donId()}`
+       )
+       report.body()
+       return { verified: true }
+     } catch (err) {
+       const msg = formatError(err)
+       runtime.log(`Report verification failed: ${msg}`)
+       throw new Error(msg)
+     }
+   }
+
+   const initWorkflow = () => {
+     const http = new HTTPCapability()
+     return [handler(http.trigger({}), run)]
+   }
+
+   export async function main() {
+     const runner = await Runner.newRunner<Config>()
+     await runner.run(initWorkflow)
+   }
+   ```
+
+1. From the CRE project root, run the simulation:
+
+   ```bash
+   cre workflow simulate verify-report-receiver \
+     --target staging-settings \
+     --non-interactive \
+     --trigger-index 0 \
+     --http-payload verify-report-receiver/test-report-payload.json
+   ```
+
+1. Check the output.
+
+   A successful wiring run logs the decoded report metadata and returns `{ verified: true }`:
+
+   ```
+   [USER LOG] Parsing report (141 bytes, 4 signatures)
+   [USER LOG] Verified report workflowId=... executionId=... donId=1
+   ✓ Workflow Simulation Result: { "verified": true }
+   ```
+
+   This confirms JSON decoding, hex parsing, and [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) are wired correctly. Signatures are not verified against the mainnet registry in this mode — that requires a production-signed report from a deployed sender.
+
+### Deploying to production
+
+The `run` handler you simulated is the same code you deploy. For production, make two configuration changes:
+
+1. **Remove `skipSignatureVerification`** from your target config (or omit it; the default is `false`). Reports from a deployed sender must pass real signature verification.
+2. **Add `authorizedKeys`** to your HTTP trigger — required for deployed workflows, not just simulation. See [HTTP Trigger configuration](/cre/guides/workflow/using-triggers/http-trigger/configuration-ts).
 
 {/* prettier-ignore */}
 <Aside type="caution" title="Hex encoding">
@@ -372,7 +436,7 @@ export const initWorkflow = (config: Config, _secretsProvider: SecretsProvider)
 
 ## Report payload format
 
-When a sender POSTs a [CRE report](/cre/key-terms#report-cre-report) as JSON for offchain verification, receivers need three fields (plus optional metadata your API may add). The JSON key is `context` even though the SDK field is `reportContext`:
+When a sender POSTs a [CRE report](/cre/key-terms#report-cre-report) as JSON for offchain verification, receivers need three fields. The JSON key is `context` even though the SDK field is `reportContext`. See [Payload contract](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#payload-contract-if-you-verify-offchain) in the submit guide for how the sender produces these fields.
 
 | JSON field   | SDK field       | Description                                                     |
 | ------------ | --------------- | --------------------------------------------------------------- |
@@ -380,32 +444,13 @@ When a sender POSTs a [CRE report](/cre/key-terms#report-cre-report) as JSON for
 | `context`    | `reportContext` | Hex-encoded config digest + sequence number                     |
 | `signatures` | `sigs`          | Array of hex-encoded 65-byte ECDSA signatures, no `0x`          |
 
-The `reportContext` layout used by the SDK:
-
-- Bytes 0–31: config digest
-- Bytes 32–39: sequence number (big-endian `uint64`)
-
 ## API reference
 
-See [SDK Reference: Core: Report verification](/cre/reference/sdk/core-ts#report-verification) for full signatures, types, and configuration.
-
-### `Report.parse()`
-
-```typescript
-Report.parse(
-  runtime: Runtime,
-  rawReport: Uint8Array,
-  signatures: Uint8Array[],
-  reportContext: Uint8Array,
-  config?: ReportParseConfig,
-): Promise<Report>
-```
-
-Parses and verifies a report. Throws if verification fails.
+For full signatures, types, and `ReportParseConfig` options, see [SDK Reference: Core: Report verification](/cre/reference/sdk/core-ts#report-verification).
 
 ### `Report` accessors
 
-After a successful parse:
+After a successful [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification):
 
 | Method            | Description                               |
 | ----------------- | ----------------------------------------- |
@@ -419,26 +464,6 @@ After a successful parse:
 | `seqNr()`         | Sequence number from report context       |
 | `configDigest()`  | Config digest from report context         |
 
-### `ReportParseConfig`
-
-```typescript
-import { productionEnvironment, zoneFromEnvironment, type ReportParseConfig } from "@chainlink/cre-sdk"
-
-const config: ReportParseConfig = {
-  acceptedZones: [zoneFromEnvironment(productionEnvironment(), 1)],
-  acceptedEnvironments: [productionEnvironment()],
-  skipSignatureVerification: false,
-}
-```
-
-| Option                      | Description                                                                                                                                                                                                                                                                                                                  |
-| --------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `acceptedEnvironments`      | Registry environments to check (defaults to production)                                                                                                                                                                                                                                                                      |
-| `acceptedZones`             | Restrict to specific DON IDs within an environment                                                                                                                                                                                                                                                                           |
-| `skipSignatureVerification` | Parse metadata only, without registry reads or signature checks. Use only for testing or when another layer verifies signatures. There is no separate `verifySignatures()` on `Report` in TypeScript; call [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) without this flag for production verification. |
-
-Most workflows should use the default config (production environment only).
-
 ## Best practices
 
 1. **Verify before side effects**: Call [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) before writing to databases, chains, or external systems.
@@ -475,9 +500,9 @@ Most workflows should use the default config (production environment only).
 
 - At least **f+1** valid signatures are required. Extra invalid signatures are skipped; too few valid ones fails verification.
 
-**`could not read from chain ...`**
+**`could not read from chain ...`** _(CRE receiver workflow only)_
 
-- Registry read failed (RPC/network). Configure **`ethereum-mainnet` RPC** in `project.yaml` (required for default verify, including sim). Sepolia-only RPC is not sufficient for default `Report.parse()`.
+- Registry read failed (RPC/network). Configure an **`ethereum-mainnet` RPC** in `project.yaml` — required for default [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification), including during sim. Sepolia-only RPC is not sufficient.
 
 **`raw report too short`**
 
diff --git a/src/content/cre/llms-full-go.txt b/src/content/cre/llms-full-go.txt
index 32c599e5c53..3f3390f2dbe 100644
--- a/src/content/cre/llms-full-go.txt
+++ b/src/content/cre/llms-full-go.txt
@@ -15977,16 +15977,16 @@ func onCronTrigger(config *Config, runtime cre.Runtime, trigger *cron.Payload) (
 Source: https://docs.chain.link/cre/guides/workflow/using-http-client/verifying-reports-offchain-go
 Last Updated: 2026-05-20
 
-This guide is for the **receiver** side: you already received a CRE report package (usually via HTTP) and need to **prove it is authentic** before using the payload.
+This guide is for the **receiver** side: you already received a CRE report package — typically via HTTP from a [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go) sender workflow — and need to **prove it is authentic** before using the payload.
 
 When a workflow delivers results via HTTP (or another offchain channel), nothing onchain automatically validates the report. **You must verify signatures before trusting the data.**
 
 There are two ways to verify, depending on who receives the POST:
 
-| My receiver is...                               | Use                                                                                                                                                                                                                  |
-| ----------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| **My own API or server** (Go HTTP server, etc.) | [Verifying outside CRE](#verifying-outside-cre) — standard crypto libraries, no CRE SDK needed                                                                                                                       |
-| **A CRE workflow** with an HTTP trigger         | [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) — see [Testing locally with simulation](#testing-locally-with-simulation) and the [deploy example](#complete-example-http-receiver-workflow-deploy) |
+| My receiver is...                               | Use                                                                                                                    |
+| ----------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- |
+| **My own API or server** (Go HTTP server, etc.) | [Verifying outside CRE](#verifying-outside-cre) — standard crypto libraries, no CRE SDK needed                         |
+| **A CRE workflow** with an HTTP trigger         | [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) — see [CRE receiver workflow](#cre-receiver-workflow) |
 
 Both paths run the same cryptographic checks against the same onchain Capability Registry. The difference is whether you use the CRE SDK's helper (which requires `runtime`) or implement it yourself with standard libraries.
 
@@ -16013,8 +16013,8 @@ See [Key Terms: Report](/cre/key-terms#report-cre-report) for how reports are cr
 
 ## Prerequisites
 
-- **SDK**: `cre-sdk-go` v1.8.0 or later (report verification support)
-- Familiarity with [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go) (report structure and JSON payload patterns)
+- **A report payload to verify** — three hex fields: `report`, `context`, `signatures`. If you don't have one yet, follow [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-go) to create a sender workflow and capture its output first.
+- **SDK**: `cre-sdk-go` v1.8.0 or later (for the CRE receiver workflow path)
 - For HTTP-triggered receivers: [HTTP Trigger configuration](/cre/guides/workflow/using-triggers/http-trigger/configuration-go)
 
 ## Onchain vs offchain verification
@@ -16035,6 +16035,8 @@ Default (`cre.ProductionEnvironment()`):
 
 ## How verification works
 
+At its core, verification answers one question: did enough authorized nodes from the right DON sign this exact report? To answer it, the receiver decodes the report's metadata header to find which DON produced it, asks the onchain Capability Registry for that DON's authorized signers and quorum threshold (`f`), then checks that at least `f+1` of the provided signatures come from those addresses. Both paths in this guide — the outside-CRE program and the CRE receiver workflow — run this same sequence:
+
 1. **Parse the report header** from `rawReport` (109-byte metadata + body).
 2. **Fetch DON info** from the registry (if not cached): fault tolerance `f` and signer addresses.
 3. **Verify signatures**: compute `keccak256(keccak256(rawReport) || reportContext)`, recover signers, require **f+1** valid signatures from authorized nodes.
@@ -16044,348 +16046,393 @@ If verification fails, [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparse
 
 ## Verifying outside CRE
 
-[`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) requires the CRE `runtime` object, so it can only run inside a CRE workflow callback. If your API server receives reports directly, you can implement the same verification steps with standard libraries — no CRE SDK required.
-
-**What you need:**
+[`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) requires the CRE `runtime` object and can only run inside a CRE workflow callback. If your API server receives reports directly, you can verify without the CRE SDK using standard libraries.
 
-- An Ethereum Mainnet RPC endpoint (for Capability Registry reads)
-- `github.com/ethereum/go-ethereum/crypto` for `Keccak256` and signature recovery
+If you followed the [submit guide](/cre/guides/workflow/using-http-client/submitting-reports-http-go), you already have a JSON payload with `report`, `context`, and `signatures` as hex strings — this section shows how to verify it.
 
-**Verification steps:**
+1. Create a new folder for your verification program and initialize a module:
 
-1. Decode the hex JSON fields into bytes.
-2. Parse the **109-byte metadata header** from `rawReport` to extract `donId`, `workflowId`, `workflowOwner`, and `body`.
-3. Compute the message hash: `keccak256(keccak256(rawReport) || reportContext)`.
-4. Fetch the DON's fault tolerance `f` and authorized signer addresses from the **Capability Registry** on Ethereum Mainnet (`0x76c9cf548b4179F8901cda1f8623568b58215E62`): call `getDON(donId)` then `getNodesByP2PIds(p2pIds)`.
-5. For each signature (65 bytes), recover the signing address. Require at least **f+1** addresses from the authorized signer set.
+   ```bash
+   mkdir verify-report && cd verify-report
+   go mod init verify-report
+   go get github.com/ethereum/go-ethereum
+   ```
 
-The following sketch shows the crypto steps. The Capability Registry call (step 4) follows the same `getDON` → `getNodesByP2PIds` ABI logic used in the CRE SDK; see [`report_verification.go` in cre-sdk-go](https://github.com/smartcontractkit/cre-sdk-go) for the exact call and decoding logic.
+2. Save the following as `main.go`.
 
-```go
-package main
+   Parses the 109-byte report header to identify the DON, reads the authorized signer list and fault tolerance `f` from the Capability Registry on Ethereum Mainnet, then recovers each signature and requires at least `f+1` to match. The ABI layout mirrors [`report_verification.go` in cre-sdk-go](https://github.com/smartcontractkit/cre-sdk-go).
 
-import (
-	"encoding/binary"
-	"encoding/hex"
-	"fmt"
+   ```go
+   // verify-report/main.go
+   package main
 
-	"github.com/ethereum/go-ethereum/common"
-	"github.com/ethereum/go-ethereum/crypto"
-	"github.com/ethereum/go-ethereum/ethclient"
-)
+   import (
+   	"context"
+   	"encoding/binary"
+   	"encoding/hex"
+   	"fmt"
+   	"math/big"
+   	"sync"
+
+   	"github.com/ethereum/go-ethereum"
+   	"github.com/ethereum/go-ethereum/common"
+   	"github.com/ethereum/go-ethereum/crypto"
+   	"github.com/ethereum/go-ethereum/ethclient"
+   )
 
-const (
-	reportHeaderLength = 109
-	capabilityRegistry = "0x76c9cf548b4179F8901cda1f8623568b58215E62"
-)
+   const (
+   	reportHeaderLength = 109
+   	capabilityRegistry = "0x76c9cf548b4179F8901cda1f8623568b58215E62"
+   )
 
-// parseHeader extracts key fields from the 109-byte rawReport metadata header.
-func parseHeader(rawReport []byte) (donId uint32, workflowId string, body []byte, err error) {
-	if len(rawReport) < reportHeaderLength {
-		return 0, "", nil, fmt.Errorf("rawReport too short: need %d bytes, got %d", reportHeaderLength, len(rawReport))
-	}
-	donId = binary.BigEndian.Uint32(rawReport[37:41])
-	workflowId = hex.EncodeToString(rawReport[45:77])
-	body = rawReport[reportHeaderLength:]
-	return
-}
+   // parseHeader extracts key fields from the 109-byte rawReport metadata header.
+   func parseHeader(rawReport []byte) (donId uint32, workflowId string, body []byte, err error) {
+   	if len(rawReport) < reportHeaderLength {
+   		return 0, "", nil, fmt.Errorf("rawReport too short: need %d bytes, got %d", reportHeaderLength, len(rawReport))
+   	}
+   	donId = binary.BigEndian.Uint32(rawReport[37:41])
+   	workflowId = hex.EncodeToString(rawReport[45:77])
+   	body = rawReport[reportHeaderLength:]
+   	return
+   }
 
-// reportHash computes keccak256(keccak256(rawReport) || reportContext).
-func reportHash(rawReport, reportContext []byte) []byte {
-	inner := crypto.Keccak256(rawReport)
-	return crypto.Keccak256(append(inner, reportContext...))
-}
+   // reportHash computes keccak256(keccak256(rawReport) || reportContext).
+   func reportHash(rawReport, reportContext []byte) []byte {
+   	inner := crypto.Keccak256(rawReport)
+   	return crypto.Keccak256(append(inner, reportContext...))
+   }
 
-// fetchSigners calls the Capability Registry on Ethereum Mainnet to get
-// the fault tolerance f and authorized signer addresses for the given DON.
-// Use go-ethereum's ethclient and ABI encoding.
-// See report_verification.go in cre-sdk-go for the exact call and decoding logic.
-func fetchSigners(client *ethclient.Client, donId uint32) (f int, signers map[common.Address]bool, err error) {
-	// TODO: implement using your Ethereum Mainnet RPC
-	// 1. ABI-encode getDON(donId), call capabilityRegistry, decode f and nodeP2PIds
-	// 2. ABI-encode getNodesByP2PIds(nodeP2PIds), call capabilityRegistry, decode signer addresses
-	return 0, nil, fmt.Errorf("implement: call getDON then getNodesByP2PIds on the Capability Registry")
-}
+   // padUint256 encodes a uint64 as a big-endian 32-byte ABI word.
+   func padUint256(v uint64) []byte {
+   	b := make([]byte, 32)
+   	binary.BigEndian.PutUint64(b[24:], v)
+   	return b
+   }
 
-// verifyReport checks that ≥ f+1 signatures are from authorized DON signers.
-func verifyReport(rawReport []byte, signatures [][]byte, reportContext []byte, client *ethclient.Client) error {
-	donId, _, _, err := parseHeader(rawReport)
-	if err != nil {
-		return err
-	}
-	f, signers, err := fetchSigners(client, donId)
-	if err != nil {
-		return err
-	}
-	hash := reportHash(rawReport, reportContext)
-	required := f + 1
-	valid := 0
+   type donInfo struct {
+   	f       int
+   	signers map[common.Address]bool
+   }
 
-	for _, sig := range signatures {
-		if len(sig) != 65 {
-			continue
-		}
-		norm := make([]byte, 65)
-		copy(norm, sig)
-		if norm[64] >= 27 {
-			norm[64] -= 27 // normalize recovery byte
-		}
-		pubKey, err := crypto.SigToPub(hash, norm)
-		if err != nil {
-			continue
-		}
-		addr := crypto.PubkeyToAddress(*pubKey)
-		if signers[addr] {
-			valid++
-		}
-		if valid >= required {
-			return nil
-		}
-	}
-	return fmt.Errorf("insufficient valid signatures: %d/%d", valid, required)
-}
-```
+   // signerCache caches registry lookups by DON ID. Registry data only changes
+   // during DON reconfiguration; clear and retry if you see unexpected signer errors after a DON upgrade.
+   var signerCache sync.Map
+
+   // fetchSigners calls the Capability Registry on Ethereum Mainnet to get
+   // the fault tolerance f and authorized signer addresses for the given DON.
+   // Makes two eth_call reads: getDON(donId) then getNodesByP2PIds(nodeP2PIds).
+   // Result is cached by DON ID.
+   func fetchSigners(client *ethclient.Client, donId uint32) (f int, signers map[common.Address]bool, err error) {
+   	if cached, ok := signerCache.Load(donId); ok {
+   		info := cached.(donInfo)
+   		return info.f, info.signers, nil
+   	}
 
+   	registry := common.HexToAddress(capabilityRegistry)
+   	ctx := context.Background()
 
-<Aside type="caution" title="Cache registry results">
-  The Capability Registry read for a DON ID is expensive (two onchain calls). Cache the result by DON ID in your server — it changes only when DON configuration changes. The CRE SDK does this automatically; in your own code you are responsible for invalidating the cache if you observe unexpected signer changes.
-</Aside>
+   	// Step 1: getDON(uint32 donId) — selector keccak256("getDON(uint32)")[0:4] = 0x23537405
+   	var donIdPadded [32]byte
+   	binary.BigEndian.PutUint32(donIdPadded[28:], donId)
+   	getDONCalldata := append([]byte{0x23, 0x53, 0x74, 0x05}, donIdPadded[:]...)
 
-## CRE receiver workflow
+   	getDONBytes, err := client.CallContract(ctx, ethereum.CallMsg{To: &registry, Data: getDONCalldata}, nil)
+   	if err != nil {
+   		return 0, nil, fmt.Errorf("getDON call failed: %w", err)
+   	}
+   	if len(getDONBytes) < 224 {
+   		return 0, nil, fmt.Errorf("getDON response too short: %d bytes", len(getDONBytes))
+   	}
 
-Use this path if you want the receiver itself to be a CRE workflow (with an HTTP trigger). The CRE SDK's [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) handles registry reads and caching automatically.
+   	// Response layout (see report_verification.go in cre-sdk-go for full ABI documentation):
+   	//   slot 3 (bytes  96-127): f               (uint8, zero-padded to 32)
+   	//   slot 6 (bytes 192-223): ptr[nodeP2PIds] relative to tupleStart = 32
+   	f = int(new(big.Int).SetBytes(getDONBytes[96:128]).Int64())
+   	nodeP2PIdsPtr := int(new(big.Int).SetBytes(getDONBytes[192:224]).Int64())
+   	nodeCountOff := 32 + nodeP2PIdsPtr
+   	nodeCount := int(new(big.Int).SetBytes(getDONBytes[nodeCountOff : nodeCountOff+32]).Int64())
+
+   	nodeP2PIds := make([][]byte, nodeCount)
+   	for i := 0; i < nodeCount; i++ {
+   		start := nodeCountOff + 32 + i*32
+   		id := make([]byte, 32)
+   		copy(id, getDONBytes[start:start+32])
+   		nodeP2PIds[i] = id
+   	}
 
+   	if nodeCount == 0 {
+   		info := donInfo{f: f, signers: nil}
+   		signerCache.Store(donId, info)
+   		return f, nil, nil
+   	}
 
-<Aside type="note" title="Using the private registry?">
-  This guide uses the **Capability Registry** (DON signers), not the **workflow registry** where you deploy. [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) works the same way regardless of which registry you deployed with. For HTTP-triggered receivers, use the [enterprise gateway URL](/cre/guides/operations/deploying-to-private-registry-go#http-triggers-with-the-private-registry). Local simulation may need an `ethereum-mainnet` RPC in `project.yaml` for registry reads.
-</Aside>
+   	// Step 2: getNodesByP2PIds(bytes32[]) — selector 0x05a51966
+   	// ABI-encode bytes32[]: [ptr=32][count][id0]...[idN]
+   	getNodesCalldata := append([]byte{0x05, 0xa5, 0x19, 0x66}, padUint256(32)...)
+   	getNodesCalldata = append(getNodesCalldata, padUint256(uint64(nodeCount))...)
+   	for _, id := range nodeP2PIds {
+   		getNodesCalldata = append(getNodesCalldata, id...)
+   	}
 
+   	getNodesBytes, err := client.CallContract(ctx, ethereum.CallMsg{To: &registry, Data: getNodesCalldata}, nil)
+   	if err != nil {
+   		return 0, nil, fmt.Errorf("getNodesByP2PIds call failed: %w", err)
+   	}
+   	if len(getNodesBytes) < 64 {
+   		return 0, nil, fmt.Errorf("getNodesByP2PIds response too short: %d bytes", len(getNodesBytes))
+   	}
 
-<Aside type="note" title="Onchain verification is different">
-  When you submit reports onchain through the `KeystoneForwarder`, the forwarder contract verifies signatures before calling `onReport`. See [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain).
-</Aside>
+   	// Response layout: [outerPtr][count][elem0-ptr][elem1-ptr]...[tuple0][tuple1]...
+   	// Each NodeInfo tuple (9 slots × 32 bytes): slot 3 = signer bytes32, first 20 bytes = address
+   	outerPtr := int(new(big.Int).SetBytes(getNodesBytes[0:32]).Int64())
+   	returnedCount := int(new(big.Int).SetBytes(getNodesBytes[outerPtr : outerPtr+32]).Int64())
+   	const nodeTupleHead = 288 // 9 slots × 32 bytes
+
+   	signers = make(map[common.Address]bool, returnedCount)
+   	for i := 0; i < returnedCount; i++ {
+   		elemPtrOff := outerPtr + 32 + i*32
+   		elemPtr := int(new(big.Int).SetBytes(getNodesBytes[elemPtrOff : elemPtrOff+32]).Int64())
+   		tupleBase := outerPtr + 32 + elemPtr
+   		if tupleBase+nodeTupleHead > len(getNodesBytes) {
+   			break
+   		}
+   		signerSlot := tupleBase + 3*32
+   		addr := common.BytesToAddress(getNodesBytes[signerSlot : signerSlot+20])
+   		signers[addr] = true
+   	}
 
-### Testing locally with simulation
+   	signerCache.Store(donId, donInfo{f: f, signers: signers})
+   	return f, signers, nil
+   }
 
-After you run the [submit guide complete example](/cre/guides/workflow/using-http-client/submitting-reports-http-go#complete-working-example) and copy JSON from webhook.site, use this section to exercise a receiver workflow in simulation.
+   // verifyReport checks that ≥ f+1 signatures are from authorized DON signers.
+   func verifyReport(rawReport []byte, signatures [][]byte, reportContext []byte, client *ethclient.Client) error {
+   	donId, _, _, err := parseHeader(rawReport)
+   	if err != nil {
+   		return err
+   	}
+   	f, signers, err := fetchSigners(client, donId)
+   	if err != nil {
+   		return err
+   	}
+   	hash := reportHash(rawReport, reportContext)
+   	required := f + 1
+   	valid := 0
+
+   	for _, sig := range signatures {
+   		if len(sig) != 65 {
+   			continue
+   		}
+   		norm := make([]byte, 65)
+   		copy(norm, sig)
+   		if norm[64] >= 27 {
+   			norm[64] -= 27 // normalize recovery byte
+   		}
+   		pubKey, err := crypto.SigToPub(hash, norm)
+   		if err != nil {
+   			continue
+   		}
+   		addr := crypto.PubkeyToAddress(*pubKey)
+   		if signers[addr] {
+   			valid++
+   		}
+   		if valid >= required {
+   			return nil
+   		}
+   	}
+   	return fmt.Errorf("insufficient valid signatures: %d/%d", valid, required)
+   }
 
-1. Save the webhook JSON as `test-report-payload.json` in your receiver workflow folder.
-2. Register `http.Trigger(&http.Config{})` (empty config) for simulation.
-3. From the **CRE project root**, run `cre workflow simulate` with `--http-payload verify-report-receiver/test-report-payload.json` (path relative to where you invoke `cre`).
+   // Usage — create the client once for your server, reuse it across requests:
+   //
+   //   client, err := ethclient.Dial(os.Getenv("ETH_MAINNET_RPC_URL"))
+   //
+   // For each incoming report POST:
+   //   if err := verifyReport(rawReport, signatures, reportContext, client); err != nil {
+   //       // reject the request
+   //   }
+   //   // verified: use parseHeader(rawReport) to read the payload body
+   ```
 
-### Minimal receiver for simulation
+3. Set your RPC URL and run:
 
-Use an empty HTTP trigger for sim. Set `SkipSignatureVerification: true` in staging config (or pass it to [`ParseReportWithConfig`](/cre/reference/sdk/core-go#creparsereportwithconfig)). The CLI delivers `--http-payload` file contents as `payload.Input` bytes.
+   ```bash
+   export ETH_MAINNET_RPC_URL=https://your-mainnet-rpc-endpoint
+   go run main.go
+   ```
 
-`config.staging.json`:
+4. Check the output.
 
-```json
-{
-  "skipSignatureVerification": true
-}
-```
+   With a **sim-signed report** (from the submit guide sender simulation):
 
-`main.go`:
+   ```
+   insufficient valid signatures: 0/4
+   ```
 
-```go
-//go:build wasip1
+   This is correct. Simulation uses local test keys that are not registered in the mainnet Capability Registry. The registry call succeeded and returned the real signer list; none of the sim signatures matched it. The verification logic is working as intended.
 
-package main
+   With a **production-signed report** from a deployed sender, `verifyReport` returns `nil`. Read the payload:
 
-import (
-	"encoding/hex"
-	"encoding/json"
-	"log/slog"
+   ```go
+   donId, workflowId, body, err := parseHeader(rawReport)
+   // body is the ABI-encoded payload the sender embedded
+   ```
 
-	"github.com/smartcontractkit/cre-sdk-go/capabilities/networking/http"
-	"github.com/smartcontractkit/cre-sdk-go/cre"
-	"github.com/smartcontractkit/cre-sdk-go/cre/wasm"
-)
 
-type Config struct {
-	SkipSignatureVerification bool `json:"skipSignatureVerification"`
-}
+<Aside type="caution" title="Cache registry results">
+  `fetchSigners` caches by DON ID using a `sync.Map` for the lifetime of the process. Registry data only changes during DON reconfiguration. If you see unexpected `ErrUnknownSigner` errors after a DON upgrade, clear the cache (for example, by restarting the process) and retry.
+</Aside>
 
-type parsedPayload struct {
-	Report     string   `json:"report"`
-	Context    string   `json:"context"`
-	Signatures []string `json:"signatures"`
-}
+## CRE receiver workflow
 
-func InitWorkflow(_ *Config, _ *slog.Logger, _ cre.SecretsProvider) (cre.Workflow[*Config], error) {
-	return cre.Workflow[*Config]{
-		cre.Handler(http.Trigger(&http.Config{}), run),
-	}, nil
-}
+Use this path if you want the receiver itself to be a CRE workflow with an HTTP trigger. [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) handles Capability Registry reads and caching automatically.
 
-func run(cfg *Config, runtime cre.Runtime, payload *http.Payload) (bool, error) {
-	var parsed parsedPayload
-	if err := json.Unmarshal(payload.Input, &parsed); err != nil {
-		return false, err
-	}
 
-	rawReport, err := hex.DecodeString(parsed.Report)
-	if err != nil {
-		return false, err
-	}
-	reportContext, err := hex.DecodeString(parsed.Context)
-	if err != nil {
-		return false, err
-	}
-	sigs := make([][]byte, len(parsed.Signatures))
-	for i, sigHex := range parsed.Signatures {
-		sigs[i], err = hex.DecodeString(sigHex)
-		if err != nil {
-			return false, err
-		}
-	}
+<Aside type="caution" title="Educational Example Disclaimer">
+  This page includes an educational example to use a Chainlink system, product, or service and is provided to
+  demonstrate how to interact with Chainlink's systems, products, and services to integrate them into your own. This
+  template is provided "AS IS" and "AS AVAILABLE" without warranties of any kind, it has not been audited, and it may be
+  missing key checks or error handling to make the usage of the system, product or service more clear. Do not use the
+  code in this example in a production environment without completing your own audits and application of best practices.
+  Neither Chainlink Labs, the Chainlink Foundation, nor Chainlink node operators are responsible for unintended outputs
+  that are generated due to errors in code.
+</Aside>
 
-	report, err := cre.ParseReportWithConfig(runtime, rawReport, sigs, reportContext, cre.ReportParseConfig{
-		SkipSignatureVerification: cfg.SkipSignatureVerification,
-	})
-	if err != nil {
-		return false, err
-	}
 
-	runtime.Logger().Info("Verified report",
-		"workflowId", report.WorkflowID(),
-		"executionId", report.ExecutionID(),
-		"donId", report.DONID(),
-	)
+<Aside type="note" title="Using the private registry?">
+  This guide uses the **Capability Registry** (DON signers), not the **workflow registry** where you deploy. [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) works the same way regardless of which registry you deployed with. For HTTP-triggered receivers, use the [enterprise gateway URL](/cre/guides/operations/deploying-to-private-registry-go#http-triggers-with-the-private-registry). Local simulation may need an `ethereum-mainnet` RPC in `project.yaml` for registry reads.
+</Aside>
 
-	_ = report.Body()
-	return true, nil
-}
+### Testing with simulation
 
-func main() {
-	wasm.NewRunner(cre.ParseJSON[Config]).Run(InitWorkflow)
-}
-```
+If you ran the [submit guide complete example](/cre/guides/workflow/using-http-client/submitting-reports-http-go#complete-working-example), you already copied JSON from webhook.site. Use that payload here.
 
-### Sim wiring vs full verify
 
-| Mode                   | Config                                                                                                              | What it validates                                                                             |
-| ---------------------- | ------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------- |
-| **Wiring / decode**    | `SkipSignatureVerification: true` in [`ParseReportWithConfig`](/cre/reference/sdk/core-go#creparsereportwithconfig) | JSON + hex decode, metadata accessors, `Body()`                                               |
-| **Full crypto verify** | Default [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) (production registry)                      | Reports from a **deployed/production DON**. Sim-signed reports **fail** default verification. |
+<Aside type="note" title="CRE project required">
+  The directory you run `cre` from must contain a `project.yaml`. If you do not have one, run `cre init` from your project folder or follow the [Getting Started guide](/cre/getting-started/overview).
+</Aside>
 
-```bash
-cre workflow simulate verify-report-receiver \
-  --target staging-settings \
-  --non-interactive \
-  --trigger-index 0 \
-  --http-payload verify-report-receiver/test-report-payload.json
-```
+1. Save the webhook JSON as `test-report-payload.json` inside your receiver workflow folder:
 
-**Pass criteria**
+   ```
+   verify-report-receiver/test-report-payload.json
+   ```
 
-- **Sim wiring:** `SkipSignatureVerification: true` in [`ParseReportWithConfig`](/cre/reference/sdk/core-go#creparsereportwithconfig): logs show metadata and a successful handler return.
-- **Full crypto verify:** default [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) with a **production-signed** report (not typical for sender-sim → receiver-sim alone).
+2. Create a `verify-report-receiver/` folder in your CRE project with the following files.
 
-`project.yaml` needs **`ethereum-mainnet` RPC** for default verify (registry reads).
+   `config.staging.json` — enables wiring tests without mainnet signer validation:
 
-## Complete example: HTTP receiver workflow (deploy)
+   ```json
+   {
+     "skipSignatureVerification": true
+   }
+   ```
 
-Once simulation is working, update the trigger config for deployment with `AuthorizedKeys`.
+   `main.go` — uses an empty HTTP trigger (add `AuthorizedKeys` before deploying):
 
-It accepts JSON with hex `report`, `context`, and `signatures` from the submit guide’s [complete working example](/cre/guides/workflow/using-http-client/submitting-reports-http-go#complete-working-example) or [Pattern 4 for offchain verification (hex)](/cre/guides/workflow/using-http-client/submitting-reports-http-go#pattern-4-for-offchain-verification-hex), not base64 [Pattern 4](/cre/guides/workflow/using-http-client/submitting-reports-http-go#pattern-4-json-formatted-report) unless you change decoding.
+   ```go
+   // verify-report-receiver/main.go
+   //go:build wasip1
 
-```go
-//go:build wasip1
+   package main
 
-package main
+   import (
+   	"encoding/hex"
+   	"encoding/json"
+   	"log/slog"
 
-import (
-	"encoding/hex"
-	"encoding/json"
-	"log/slog"
+   	"github.com/smartcontractkit/cre-sdk-go/capabilities/networking/http"
+   	"github.com/smartcontractkit/cre-sdk-go/cre"
+   	"github.com/smartcontractkit/cre-sdk-go/cre/wasm"
+   )
 
-	"github.com/smartcontractkit/cre-sdk-go/capabilities/networking/http"
-	"github.com/smartcontractkit/cre-sdk-go/cre"
-	"github.com/smartcontractkit/cre-sdk-go/cre/wasm"
-)
+   type Config struct {
+   	SkipSignatureVerification bool `json:"skipSignatureVerification"`
+   }
 
-type Config struct {
-	AuthorizedKey string `json:"authorized_key"`
-}
+   type parsedPayload struct {
+   	Report     string   `json:"report"`
+   	Context    string   `json:"context"`
+   	Signatures []string `json:"signatures"`
+   }
 
-func InitWorkflow(cfg *Config, _ *slog.Logger, _ cre.SecretsProvider) (cre.Workflow[*Config], error) {
-	return cre.Workflow[*Config]{
-		cre.Handler(http.Trigger(&http.Config{AuthorizedKeys: []*http.AuthorizedKey{{PublicKey: cfg.AuthorizedKey}}}), run),
-	}, nil
-}
+   func InitWorkflow(_ *Config, _ *slog.Logger, _ cre.SecretsProvider) (cre.Workflow[*Config], error) {
+   	return cre.Workflow[*Config]{
+   		cre.Handler(http.Trigger(&http.Config{}), run),
+   	}, nil
+   }
 
-type ParsedPayload struct {
-	Report  string   `json:"report"`
-	Context string   `json:"context"`
-	Sigs    []string `json:"signatures"`
-}
+   func run(cfg *Config, runtime cre.Runtime, payload *http.Payload) (bool, error) {
+   	var parsed parsedPayload
+   	if err := json.Unmarshal(payload.Input, &parsed); err != nil {
+   		return false, err
+   	}
 
-func (p *ParsedPayload) Decode() (*DecodedReport, error) {
-	report := &DecodedReport{}
-	var err error
+   	rawReport, err := hex.DecodeString(parsed.Report)
+   	if err != nil {
+   		return false, err
+   	}
+   	reportContext, err := hex.DecodeString(parsed.Context)
+   	if err != nil {
+   		return false, err
+   	}
+   	sigs := make([][]byte, len(parsed.Signatures))
+   	for i, sigHex := range parsed.Signatures {
+   		sigs[i], err = hex.DecodeString(sigHex)
+   		if err != nil {
+   			return false, err
+   		}
+   	}
 
-	if report.Report, err = hex.DecodeString(p.Report); err != nil {
-		return nil, err
-	}
-	if report.Context, err = hex.DecodeString(p.Context); err != nil {
-		return nil, err
-	}
+   	report, err := cre.ParseReportWithConfig(runtime, rawReport, sigs, reportContext, cre.ReportParseConfig{
+   		SkipSignatureVerification: cfg.SkipSignatureVerification,
+   	})
+   	if err != nil {
+   		return false, err
+   	}
 
-	report.Sigs = make([][]byte, len(p.Sigs))
-	for i, sigHex := range p.Sigs {
-		report.Sigs[i], err = hex.DecodeString(sigHex)
-		if err != nil {
-			return nil, err
-		}
-	}
+   	runtime.Logger().Info("Verified report",
+   		"workflowId", report.WorkflowID(),
+   		"executionId", report.ExecutionID(),
+   		"donId", report.DONID(),
+   	)
 
-	return report, nil
-}
+   	_ = report.Body()
+   	return true, nil
+   }
 
-type DecodedReport struct {
-	Report  []byte
-	Context []byte
-	Sigs    [][]byte
-}
+   func main() {
+   	wasm.NewRunner(cre.ParseJSON[Config]).Run(InitWorkflow)
+   }
+   ```
 
-func run(_ *Config, runtime cre.Runtime, payload *http.Payload) (bool, error) {
-	parsed := &ParsedPayload{}
-	if err := json.Unmarshal(payload.Input, parsed); err != nil {
-		return false, err
-	}
+3. From the CRE project root, run the simulation:
 
-	decoded, err := parsed.Decode()
-	if err != nil {
-		return false, err
-	}
+   ```bash
+   cre workflow simulate verify-report-receiver \
+     --target staging-settings \
+     --non-interactive \
+     --trigger-index 0 \
+     --http-payload verify-report-receiver/test-report-payload.json
+   ```
 
-	report, err := cre.ParseReport(runtime, decoded.Report, decoded.Sigs, decoded.Context)
-	if err != nil {
-		return false, err
-	}
+4. Check the output.
 
-	runtime.Logger().Info("Verified report",
-		"workflowId", report.WorkflowID(),
-		"executionId", report.ExecutionID(),
-	)
+   A successful wiring run logs the decoded report metadata and returns successfully:
 
-	// Use report.Body() for your application logic (ABI-encoded payload from the sender workflow)
-	_ = report.Body()
+   ```
+   [USER LOG] msg="Verified report" workflowId=... executionId=... donId=1
+   ✓ Workflow Simulation Result: true
+   ```
 
-	return true, nil
-}
+   This confirms JSON decoding, hex parsing, and [`cre.ParseReportWithConfig`](/cre/reference/sdk/core-go#creparsereportwithconfig) are wired correctly. Signatures are not verified against the mainnet registry in this mode — that requires a production-signed report from a deployed sender.
 
-func main() {
-	wasm.NewRunner(cre.ParseJSON[Config]).Run(InitWorkflow)
-}
-```
+### Deploying to production
 
-**What's happening:**
+The `run` handler you simulated is the same code you deploy. For production, make two configuration changes:
 
-1. An external system POSTs hex-encoded `report`, `context`, and `signatures` to your HTTP trigger.
-2. [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) verifies signatures against the production CRE registry.
-3. On success, you read metadata and `Body()` safely.
+1. **Remove `skipSignatureVerification`** from your target config (or omit it; the default is `false`). Reports from a deployed sender must pass real signature verification.
+2. **Add `AuthorizedKeys`** to your HTTP trigger — required for deployed workflows, not just simulation. See [HTTP Trigger configuration](/cre/guides/workflow/using-triggers/http-trigger/configuration-go).
 
 
 <Aside type="caution" title="Hex encoding">
@@ -16394,7 +16441,7 @@ func main() {
 
 ## Report payload format
 
-When a sender POSTs a [CRE report](/cre/key-terms#report-cre-report) as JSON for offchain verification, receivers need three fields. The JSON key is `context` even though the SDK field is `ReportContext`:
+When a sender POSTs a [CRE report](/cre/key-terms#report-cre-report) as JSON for offchain verification, receivers need three fields. The JSON key is `context` even though the SDK field is `ReportContext`. See [Payload contract](/cre/guides/workflow/using-http-client/submitting-reports-http-go#payload-contract-if-you-verify-offchain) in the submit guide for how the sender produces these fields.
 
 | JSON field   | SDK field       | Description                                                     |
 | ------------ | --------------- | --------------------------------------------------------------- |
@@ -16402,26 +16449,13 @@ When a sender POSTs a [CRE report](/cre/key-terms#report-cre-report) as JSON for
 | `context`    | `ReportContext` | Hex-encoded config digest + sequence number                     |
 | `signatures` | `Sigs`          | Array of hex-encoded 65-byte ECDSA signatures, no `0x`          |
 
-The `reportContext` layout used by the SDK:
-
-- Bytes 0–31: config digest
-- Bytes 32–39: sequence number (big-endian `uint64`)
-
 ## API reference
 
-See [SDK Reference: Core: Report verification](/cre/reference/sdk/core-go#report-verification) for full signatures, types, and errors.
-
-### `cre.ParseReport()`
-
-```go
-func ParseReport(runtime Runtime, rawReport []byte, signatures [][]byte, reportContext []byte) (*Report, error)
-```
-
-Parses and verifies a report against the production CRE environment. Use [`ParseReportWithConfig`](/cre/reference/sdk/core-go#creparsereportwithconfig) for custom environments or zones.
+For full signatures, types, and `ReportParseConfig` options (including deferred verification), see [SDK Reference: Core: Report verification](/cre/reference/sdk/core-go#report-verification).
 
 ### `*cre.Report` accessors
 
-After a successful parse:
+After a successful [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport):
 
 | Method            | Description                               |
 | ----------------- | ----------------------------------------- |
@@ -16435,46 +16469,6 @@ After a successful parse:
 | `SeqNr()`         | Sequence number from report context       |
 | `ConfigDigest()`  | Config digest from report context         |
 
-### `cre.ReportParseConfig`
-
-```go
-config := cre.ReportParseConfig{
-    AcceptedZones: []cre.Zone{
-        cre.ZoneFromEnvironment(cre.ProductionEnvironment(), 1),
-    },
-    AcceptedEnvironments: []cre.Environment{cre.ProductionEnvironment()},
-    SkipSignatureVerification: false,
-}
-report, err := cre.ParseReportWithConfig(runtime, rawReport, sigs, reportContext, config)
-```
-
-| Field                       | Description                                                                                                |
-| --------------------------- | ---------------------------------------------------------------------------------------------------------- |
-| `AcceptedEnvironments`      | Registry environments to check (defaults to production)                                                    |
-| `AcceptedZones`             | Restrict to specific DON IDs within an environment                                                         |
-| `SkipSignatureVerification` | Parse header only; call `report.VerifySignatures()` or `VerifySignaturesWithConfig()` afterward when ready |
-
-### Deferred verification
-
-This is a **different pattern** from the simulation testing use of `SkipSignatureVerification`. In testing, you skip verification permanently. Here, you parse the header first to inspect metadata (such as `WorkflowID()` or `DONID()` for filtering), then call `VerifySignatures` in a separate step — useful when you want to gate registry reads on workflow identity checks.
-
-If you set `SkipSignatureVerification: true` in [`ParseReportWithConfig`](/cre/reference/sdk/core-go#creparsereportwithconfig), parse the header first, then verify:
-
-```go
-report, err := cre.ParseReportWithConfig(runtime, rawReport, sigs, reportContext, cre.ReportParseConfig{
-    SkipSignatureVerification: true,
-})
-if err != nil {
-    return false, err
-}
-
-// Optional: inspect report.WorkflowID(), report.DONID(), etc. before registry reads
-
-if err := report.VerifySignatures(runtime); err != nil {
-    return false, err
-}
-```
-
 ## Best practices
 
 1. **Verify before side effects**: Call [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport) before writing to databases, chains, or external systems.
@@ -16506,9 +16500,9 @@ if err := report.VerifySignatures(runtime); err != nil {
 
 - At least **f+1** valid signatures are required.
 
-**`could not read from chain ...`**
+**`could not read from chain ...`** *(CRE receiver workflow only)*
 
-- Registry read failed (RPC/network). Configure **`ethereum-mainnet` RPC** in `project.yaml` (required for default verify, including sim).
+- Registry read failed (RPC/network). Configure an **`ethereum-mainnet` RPC** in `project.yaml` — required for default [`cre.ParseReport()`](/cre/reference/sdk/core-go#creparsereport), including during sim.
 
 **`ErrRawReportTooShort`**
 
diff --git a/src/content/cre/llms-full-ts.txt b/src/content/cre/llms-full-ts.txt
index faa30f6ad84..8760219aa06 100644
--- a/src/content/cre/llms-full-ts.txt
+++ b/src/content/cre/llms-full-ts.txt
@@ -15712,16 +15712,16 @@ const onCronTrigger = (runtime: Runtime<Config>): MyResult => {
 Source: https://docs.chain.link/cre/guides/workflow/using-http-client/verifying-reports-offchain-ts
 Last Updated: 2026-05-20
 
-This guide is for the **receiver** side: you already received a CRE report package (usually via HTTP) and need to **prove it is authentic** before using the payload.
+This guide is for the **receiver** side: you already received a CRE report package — typically via HTTP from a [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts) sender workflow — and need to **prove it is authentic** before using the payload.
 
 When a workflow delivers results via HTTP (or another offchain channel), nothing onchain automatically validates the report. **You must verify signatures before trusting the data.**
 
 There are two ways to verify, depending on who receives the POST:
 
-| My receiver is...                                            | Use                                                                                                                                                                                                                    |
-| ------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| **My own API or server** (Express, FastAPI, Go server, etc.) | [Verifying outside CRE](#verifying-outside-cre) — standard crypto libraries, no CRE SDK needed                                                                                                                         |
-| **A CRE workflow** with an HTTP trigger                      | [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) — see [Testing locally with simulation](#testing-locally-with-simulation) and the [deploy example](#complete-example-http-receiver-workflow-deploy) |
+| My receiver is...                                            | Use                                                                                                                      |
+| ------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------ |
+| **My own API or server** (Express, FastAPI, Go server, etc.) | [Verifying outside CRE](#verifying-outside-cre) — standard crypto libraries, no CRE SDK needed                           |
+| **A CRE workflow** with an HTTP trigger                      | [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) — see [CRE receiver workflow](#cre-receiver-workflow) |
 
 Both paths run the same cryptographic checks against the same onchain Capability Registry. The difference is whether you use the CRE SDK's helper (which requires `runtime`) or implement it yourself with standard libraries.
 
@@ -15748,8 +15748,8 @@ See [Key Terms: Report](/cre/key-terms#report-cre-report) for how reports are cr
 
 ## Prerequisites
 
-- **SDK**: `@chainlink/cre-sdk` v1.8.0 or later (report verification support)
-- Familiarity with [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts) (report structure and JSON payload patterns)
+- **A report payload to verify** — three hex fields: `report`, `context`, `signatures`. If you don't have one yet, follow [Submitting Reports via HTTP](/cre/guides/workflow/using-http-client/submitting-reports-http-ts) to create a sender workflow and capture its output first.
+- **SDK**: `@chainlink/cre-sdk` v1.8.0 or later (for the CRE receiver workflow path)
 - For HTTP-triggered receivers: [HTTP Trigger configuration](/cre/guides/workflow/using-triggers/http-trigger/configuration-ts)
 
 ## Onchain vs offchain verification
@@ -15770,6 +15770,8 @@ Default (`productionEnvironment()`):
 
 ## How verification works
 
+At its core, verification answers one question: did enough authorized nodes from the right DON sign this exact report? To answer it, the receiver decodes the report's metadata header to find which DON produced it, asks the onchain Capability Registry for that DON's authorized signers and quorum threshold (`f`), then checks that at least `f+1` of the provided signatures come from those addresses. Both paths in this guide — the outside-CRE script and the CRE receiver workflow — run this same sequence:
+
 1. **Parse the report header** from `rawReport` (109-byte metadata + body).
 2. **Fetch DON info** from the registry (if not cached): fault tolerance `f` and signer addresses.
 3. **Verify signatures**: compute `keccak256(keccak256(rawReport) || reportContext)`, recover signers, require **f+1** valid signatures from authorized nodes.
@@ -15779,291 +15781,353 @@ If verification fails, [`Report.parse()`](/cre/reference/sdk/core-ts#report-veri
 
 ## Verifying outside CRE
 
-[`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) requires the CRE `runtime` object, so it can only run inside a CRE workflow callback. If your API server receives reports directly, you can implement the same verification steps with standard libraries — no CRE SDK required.
-
-**What you need:**
-
-- An Ethereum Mainnet RPC endpoint (for Capability Registry reads)
-- `viem` for the cryptographic primitives (`keccak256`, `recoverAddress`)
+[`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) requires the CRE `runtime` object and can only run inside a CRE workflow callback. If your API server receives reports directly, you can verify without the CRE SDK using standard libraries.
 
-**Verification steps:**
+If you followed the [submit guide](/cre/guides/workflow/using-http-client/submitting-reports-http-ts), you already have a JSON payload with `report`, `context`, and `signatures` as hex strings — this section shows how to verify it.
 
-1. Decode the hex JSON fields into bytes.
-2. Parse the **109-byte metadata header** from `rawReport` to extract `donId`, `workflowId`, `workflowOwner`, and `body`.
-3. Compute the message hash: `keccak256(keccak256(rawReport) || reportContext)`.
-4. Fetch the DON's fault tolerance `f` and authorized signer addresses from the **Capability Registry** on Ethereum Mainnet (`0x76c9cf548b4179F8901cda1f8623568b58215E62`): call `getDON(donId)` then `getNodesByP2PIds(p2pIds)`.
-5. For each signature (65 bytes), `ecrecover` the signing address. Require at least **f+1** addresses from the authorized signer set.
+1. Create a new folder for your verification script and install `viem`:
 
-The following sketch shows the crypto steps. The Capability Registry call (step 4) follows the same `getDON` → `getNodesByP2PIds` ABI logic used in the CRE SDK; see [`report.ts` in cre-sdk-typescript](https://github.com/smartcontractkit/cre-sdk-typescript) for the exact ABI encoding and decoding.
+   ```bash
+   mkdir verify-report && cd verify-report
+   npm init -y
+   npm install viem
+   ```
 
-```typescript
-import { keccak256, concatHex, toHex, recoverAddress } from "viem"
+2. Save the following as `verify.ts`.
 
-const REPORT_HEADER_LENGTH = 109
+   Parses the 109-byte report header to identify the DON, reads the authorized signer list and fault tolerance `f` from the Capability Registry on Ethereum Mainnet, then ecrecovers each signature and requires at least `f+1` to match. The ABI layout mirrors [`report.ts` in cre-sdk-typescript](https://github.com/smartcontractkit/cre-sdk-typescript).
 
-/** Parse key fields from the 109-byte rawReport metadata header. */
-function parseHeader(rawReport: Uint8Array) {
-  if (rawReport.length < REPORT_HEADER_LENGTH) {
-    throw new Error(`rawReport too short: need ${REPORT_HEADER_LENGTH} bytes, got ${rawReport.length}`)
-  }
-  const view = new DataView(rawReport.buffer, rawReport.byteOffset)
-  return {
-    donId: view.getUint32(37, false), // bytes 37–40
-    workflowId: toHex(rawReport.slice(45, 77)), // bytes 45–76
-    workflowOwner: toHex(rawReport.slice(87, 107)), // bytes 87–106
-    body: rawReport.slice(REPORT_HEADER_LENGTH), // bytes 109+
-  }
-}
+   ```typescript
+   // verify-report/verify.ts
+   import { keccak256, concatHex, toHex, recoverAddress, hexToBytes, createPublicClient, http } from "viem"
+   import { mainnet } from "viem/chains"
 
-/** keccak256(keccak256(rawReport) || reportContext) */
-function reportHash(rawReport: Uint8Array, reportContext: Uint8Array): `0x${string}` {
-  return keccak256(concatHex([keccak256(toHex(rawReport)), toHex(reportContext)]))
-}
+   const REPORT_HEADER_LENGTH = 109
+   const CAPABILITY_REGISTRY = "0x76c9cf548b4179F8901cda1f8623568b58215E62" as const
 
-/**
- * Fetch fault tolerance f and authorized signer addresses from the Capability Registry.
- * Calls getDON(donId) → getNodesByP2PIds(p2pIds) on Ethereum Mainnet.
- * Use viem's createPublicClient + readContract, or any Ethereum JSON-RPC client.
- * See report.ts in cre-sdk-typescript for the exact ABI encoding/decoding.
- */
-async function fetchSigners(donId: number): Promise<{ f: number; signers: Set<string> }> {
-  // TODO: implement using your Ethereum Mainnet RPC
-  // Registry: 0x76c9cf548b4179F8901cda1f8623568b58215E62
-  throw new Error("implement: call getDON(donId) then getNodesByP2PIds(p2pIds)")
-}
-
-/** Verify that ≥ f+1 signatures are from authorized DON signers. */
-async function verifyReport(rawReport: Uint8Array, signatures: Uint8Array[], reportContext: Uint8Array): Promise<void> {
-  const { donId } = parseHeader(rawReport)
-  const { f, signers } = await fetchSigners(donId)
-  const hash = reportHash(rawReport, reportContext)
-  const required = f + 1
-  let valid = 0
-
-  for (const sig of signatures) {
-    if (sig.length !== 65) continue
-    const normalized = new Uint8Array(sig)
-    if (normalized[64] >= 27) normalized[64] -= 27 // normalize recovery byte
-    try {
-      const recovered = await recoverAddress({ hash, signature: toHex(normalized) })
-      if (signers.has(recovered.toLowerCase().slice(2))) valid++
-    } catch {
-      /* malformed signature — skip */
-    }
-    if (valid >= required) return
-  }
-  throw new Error(`insufficient valid signatures: ${valid}/${required}`)
-}
+   /** Parse key fields from the 109-byte rawReport metadata header. */
+   function parseHeader(rawReport: Uint8Array) {
+     if (rawReport.length < REPORT_HEADER_LENGTH) {
+       throw new Error(`rawReport too short: need ${REPORT_HEADER_LENGTH} bytes, got ${rawReport.length}`)
+     }
+     const view = new DataView(rawReport.buffer, rawReport.byteOffset)
+     return {
+       donId: view.getUint32(37, false), // bytes 37–40
+       workflowId: toHex(rawReport.slice(45, 77)), // bytes 45–76
+       workflowOwner: toHex(rawReport.slice(87, 107)), // bytes 87–106
+       body: rawReport.slice(REPORT_HEADER_LENGTH), // bytes 109+
+     }
+   }
 
-// Usage — given hex fields from your API POST body:
-const rawReport = hexToBytes(`0x${payload.report}`)
-const reportContext = hexToBytes(`0x${payload.context}`)
-const signatures = payload.signatures.map((s: string) => hexToBytes(`0x${s}`))
+   /** keccak256(keccak256(rawReport) || reportContext) */
+   function reportHash(rawReport: Uint8Array, reportContext: Uint8Array): `0x${string}` {
+     return keccak256(concatHex([keccak256(toHex(rawReport)), toHex(reportContext)]))
+   }
 
-await verifyReport(rawReport, signatures, reportContext)
-// If it doesn't throw, the report is authentic.
-// Read the payload: parseHeader(rawReport).body
-```
+   /** Read the last 4 bytes of a 32-byte uint256 ABI slot as a JS number. */
+   function readSlot(bytes: Uint8Array, offset: number): number {
+     return new DataView(bytes.buffer, bytes.byteOffset + offset + 28, 4).getUint32(0, false)
+   }
 
+   // In-process cache: registry data only changes during DON reconfiguration.
+   const signerCache = new Map<number, { f: number; signers: Set<string> }>()
+
+   type PublicClient = ReturnType<typeof createPublicClient>
+
+   /**
+    * Fetch fault tolerance f and authorized signer addresses from the Capability Registry.
+    * Makes two eth_call reads: getDON(donId) then getNodesByP2PIds(nodeP2PIds).
+    * Result is cached by DON ID.
+    */
+   async function fetchSigners(client: PublicClient, donId: number): Promise<{ f: number; signers: Set<string> }> {
+     const cached = signerCache.get(donId)
+     if (cached) return cached
+
+     // Step 1: getDON(uint32 donId) — selector keccak256("getDON(uint32)")[0:4] = 0x23537405
+     const donIdPadded = new Uint8Array(32)
+     new DataView(donIdPadded.buffer).setUint32(28, donId, false)
+     const getDONCalldata = concatHex(["0x23537405", toHex(donIdPadded)])
+
+     const getDONResult = await client.call({ to: CAPABILITY_REGISTRY, data: getDONCalldata })
+     if (!getDONResult.data) throw new Error("getDON returned empty response")
+     const getDONBytes = hexToBytes(getDONResult.data)
+     if (getDONBytes.length < 224) throw new Error(`getDON response too short: ${getDONBytes.length} bytes`)
+
+     // Response layout (see report.ts in cre-sdk-typescript for full ABI documentation):
+     //   slot 3 (bytes  96-127): f               (uint8, zero-padded to 32)
+     //   slot 6 (bytes 192-223): ptr[nodeP2PIds] relative to tupleStart = 32
+     const f = readSlot(getDONBytes, 96)
+     const nodeP2PIdsPtr = readSlot(getDONBytes, 192)
+     const nodeCountOff = 32 + nodeP2PIdsPtr
+     const nodeCount = readSlot(getDONBytes, nodeCountOff)
+
+     const nodeP2PIds: `0x${string}`[] = []
+     for (let i = 0; i < nodeCount; i++) {
+       const start = nodeCountOff + 32 + i * 32
+       nodeP2PIds.push(toHex(getDONBytes.slice(start, start + 32)))
+     }
 
-<Aside type="caution" title="Cache registry results">
-  The Capability Registry read for a DON ID is expensive (two onchain calls). Cache the result by DON ID in your server — it changes only when DON configuration changes. The CRE SDK does this automatically; in your own code you are responsible for invalidating the cache if you observe unexpected signer changes.
-</Aside>
+     if (nodeCount === 0) {
+       const result = { f, signers: new Set<string>() }
+       signerCache.set(donId, result)
+       return result
+     }
 
-## CRE receiver workflow
+     // Step 2: getNodesByP2PIds(bytes32[]) — selector 0x05a51966
+     // ABI-encode bytes32[]: [ptr=32][count][id0]...[idN]
+     const ptrBytes = new Uint8Array(32)
+     new DataView(ptrBytes.buffer).setUint32(28, 32, false)
+     const countBytes = new Uint8Array(32)
+     new DataView(countBytes.buffer).setUint32(28, nodeCount, false)
+     const getNodesCalldata = concatHex(["0x05a51966", toHex(ptrBytes), toHex(countBytes), ...nodeP2PIds])
+
+     const getNodesResult = await client.call({ to: CAPABILITY_REGISTRY, data: getNodesCalldata })
+     if (!getNodesResult.data) throw new Error("getNodesByP2PIds returned empty response")
+     const getNodesBytes = hexToBytes(getNodesResult.data)
+     if (getNodesBytes.length < 64)
+       throw new Error(`getNodesByP2PIds response too short: ${getNodesBytes.length} bytes`)
+
+     // Response layout: [outerPtr][count][elem0-ptr][elem1-ptr]...[tuple0][tuple1]...
+     // Each NodeInfo tuple (9 slots × 32 bytes): slot 3 = signer bytes32, first 20 bytes = address
+     const outerPtr = readSlot(getNodesBytes, 0)
+     const returnedCount = readSlot(getNodesBytes, outerPtr)
+     const NODE_TUPLE_HEAD = 288 // 9 slots × 32 bytes
+
+     const signers = new Set<string>()
+     for (let i = 0; i < returnedCount; i++) {
+       const elemPtr = readSlot(getNodesBytes, outerPtr + 32 + i * 32)
+       const tupleBase = outerPtr + 32 + elemPtr
+       if (tupleBase + NODE_TUPLE_HEAD > getNodesBytes.length) break
+       const addrBytes = getNodesBytes.slice(tupleBase + 3 * 32, tupleBase + 3 * 32 + 20)
+       signers.add(toHex(addrBytes).slice(2).toLowerCase()) // 40-char hex, no 0x prefix
+     }
 
-Use this path if you want the receiver itself to be a CRE workflow (with an HTTP trigger). The CRE SDK's [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) handles registry reads and caching automatically.
+     const result = { f, signers }
+     signerCache.set(donId, result)
+     return result
+   }
 
+   /** Verify that ≥ f+1 signatures are from authorized DON signers. */
+   async function verifyReport(
+     rawReport: Uint8Array,
+     signatures: Uint8Array[],
+     reportContext: Uint8Array,
+     client: PublicClient
+   ): Promise<void> {
+     const { donId } = parseHeader(rawReport)
+     const { f, signers } = await fetchSigners(client, donId)
+     const hash = reportHash(rawReport, reportContext)
+     const required = f + 1
+     let valid = 0
+
+     for (const sig of signatures) {
+       if (sig.length !== 65) continue
+       const normalized = new Uint8Array(sig)
+       if (normalized[64] >= 27) normalized[64] -= 27 // normalize recovery byte
+       try {
+         const recovered = await recoverAddress({ hash, signature: toHex(normalized) })
+         if (signers.has(recovered.toLowerCase().slice(2))) valid++
+       } catch {
+         /* malformed signature — skip */
+       }
+       if (valid >= required) return
+     }
+     throw new Error(`insufficient valid signatures: ${valid}/${required}`)
+   }
 
-<Aside type="note" title="Using the private registry?">
-  This guide uses the **Capability Registry** (DON signers), not the **workflow registry** where you deploy. [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) works the same way regardless of which registry you deployed with. For HTTP-triggered receivers, use the [enterprise gateway URL](/cre/guides/operations/deploying-to-private-registry-ts#http-triggers-with-the-private-registry). Local simulation may need an `ethereum-mainnet` RPC in `project.yaml` for registry reads.
-</Aside>
+   // Usage — create the client once for your server, reuse it across requests:
+   const client = createPublicClient({
+     chain: mainnet,
+     transport: http(process.env.ETH_MAINNET_RPC_URL!),
+   })
 
+   // For each incoming report POST:
+   const rawReport = hexToBytes(`0x${payload.report}`)
+   const reportContext = hexToBytes(`0x${payload.context}`)
+   const signatures = payload.signatures.map((s: string) => hexToBytes(`0x${s}`))
 
-<Aside type="note" title="Onchain verification is different">
-  When you submit reports onchain through the `KeystoneForwarder`, the forwarder contract verifies signatures before calling `onReport`. See [Submitting Reports Onchain](/cre/guides/workflow/using-evm-client/onchain-write/submitting-reports-onchain).
-</Aside>
+   await verifyReport(rawReport, signatures, reportContext, client)
+   // If it doesn't throw, the report is authentic.
+   // Read the payload: parseHeader(rawReport).body
+   ```
 
-### Testing locally with simulation
+3. Set your RPC URL and run the script:
 
-After you run the [submit guide complete example](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#complete-working-example) and copy JSON from webhook.site, use this section to exercise a receiver workflow in simulation.
+   ```bash
+   export ETH_MAINNET_RPC_URL=https://your-mainnet-rpc-endpoint
+   npx tsx verify.ts
+   ```
 
-1. Save the webhook JSON as `test-report-payload.json` in your receiver workflow folder.
-2. Use the minimal receiver below with an **empty HTTP trigger config** (no `authorizedKeys` until deploy).
-3. From the **CRE project root**, run `cre workflow simulate` with `--http-payload verify-report-receiver/test-report-payload.json` (path relative to where you invoke `cre`).
+4. Check the output.
 
-### Sim wiring vs full verify
+   With a **sim-signed report** (from the submit guide sender simulation):
 
-| Mode                   | Config                                                                                           | What it validates                                                                                                                                                                                                                        |
-| ---------------------- | ------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| **Wiring / decode**    | `skipSignatureVerification: true` in staging config                                              | JSON + hex decode, `workflowId()`, `executionId()`, `donId()`, `body()`                                                                                                                                                                  |
-| **Full crypto verify** | Default [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) (production registry) | Reports from a **deployed/production DON**. Sim-signed reports **fail** default verification: simulation uses local DON keys; [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) checks the mainnet Capability Registry. |
+   ```
+   Error: insufficient valid signatures: 0/4
+   ```
 
-### Minimal receiver for simulation
+   This error is the expected output for this example. The registry call succeeded and returned the real mainnet signer list (`f=3, signers=10` for this DON), but the simulation generated its signatures with local test keys that don't appear on that list. The verification logic ran correctly and rejected the unrecognized signatures. When you switch to a production-signed report from a deployed sender, `verifyReport` will return without throwing.
 
-Use an **empty HTTP trigger config** for sim (add `authorizedKeys` before deploy). Call [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) from your handler with the `runtime` parameter. The CLI delivers `--http-payload` file contents as `payload.input` bytes.
+   With a **production-signed report** from a deployed sender, `verifyReport` returns without throwing. Read the payload:
 
-`config.staging.json`:
+   ```typescript
+   const { body, workflowId, workflowOwner } = parseHeader(rawReport)
+   // body is the ABI-encoded payload the sender embedded
+   ```
 
-```json
-{
-  "skipSignatureVerification": true
-}
-```
 
-`main.ts`:
+<Aside type="caution" title="Cache registry results">
+  `fetchSigners` caches by DON ID in memory for the lifetime of the process. Registry data only changes during DON reconfiguration. If you see unexpected `invalid signature` errors after a DON upgrade, clear the cache and retry.
+</Aside>
 
-```typescript
-import {
-  decodeJson,
-  handler,
-  hexToBytes,
-  HTTPCapability,
-  Report,
-  Runner,
-  type HTTPPayload,
-  type Runtime,
-} from "@chainlink/cre-sdk"
+## CRE receiver workflow
 
-interface Config {
-  skipSignatureVerification?: boolean
-}
+Use this path if you want the receiver itself to be a CRE workflow with an HTTP trigger. [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) handles Capability Registry reads and caching automatically.
 
-type ParsedPayload = {
-  report: string
-  context: string
-  signatures: string[]
-}
 
-/** Hex without 0x prefix in JSON → bytes (add 0x before decode). */
-const fromHexNoPrefix = (hex: string): Uint8Array => hexToBytes(`0x${hex}`)
+<Aside type="caution" title="Educational Example Disclaimer">
+  This page includes an educational example to use a Chainlink system, product, or service and is provided to
+  demonstrate how to interact with Chainlink's systems, products, and services to integrate them into your own. This
+  template is provided "AS IS" and "AS AVAILABLE" without warranties of any kind, it has not been audited, and it may be
+  missing key checks or error handling to make the usage of the system, product or service more clear. Do not use the
+  code in this example in a production environment without completing your own audits and application of best practices.
+  Neither Chainlink Labs, the Chainlink Foundation, nor Chainlink node operators are responsible for unintended outputs
+  that are generated due to errors in code.
+</Aside>
 
-/** AggregateError from Report.parse often has an empty .message in sim output. */
-const formatError = (err: unknown): string => {
-  if (err instanceof AggregateError) {
-    const parts = err.errors.map((e) => (e instanceof Error ? e.message : String(e)))
-    return parts.join("; ") || "report verification failed"
-  }
-  if (err instanceof Error) return err.message
-  return String(err)
-}
 
-export async function run(runtime: Runtime<Config>, payload: HTTPPayload): Promise<{ verified: boolean }> {
-  try {
-    const parsed = decodeJson(payload.input) as ParsedPayload
+<Aside type="note" title="Using the private registry?">
+  This guide uses the **Capability Registry** (DON signers), not the **workflow registry** where you deploy. [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) works the same way regardless of which registry you deployed with. For HTTP-triggered receivers, use the [enterprise gateway URL](/cre/guides/operations/deploying-to-private-registry-ts#http-triggers-with-the-private-registry). Local simulation may need an `ethereum-mainnet` RPC in `project.yaml` for registry reads.
+</Aside>
 
-    const rawReport = fromHexNoPrefix(parsed.report)
-    const reportContext = fromHexNoPrefix(parsed.context)
-    const sigs = parsed.signatures.map((s) => fromHexNoPrefix(s))
+### Testing with simulation
 
-    runtime.log(`Parsing report (${rawReport.length} bytes, ${sigs.length} signatures)`)
+If you ran the [submit guide complete example](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#complete-working-example), you already copied JSON from webhook.site. Use that payload here.
 
-    const report = await Report.parse(runtime, rawReport, sigs, reportContext, {
-      skipSignatureVerification: runtime.config.skipSignatureVerification ?? false,
-    })
 
-    runtime.log(
-      `Verified report workflowId=${report.workflowId()} executionId=${report.executionId()} donId=${report.donId()}`
-    )
-    report.body()
-    return { verified: true }
-  } catch (err) {
-    const msg = formatError(err)
-    runtime.log(`Report verification failed: ${msg}`)
-    throw new Error(msg)
-  }
-}
+<Aside type="note" title="CRE project required">
+  The directory you run `cre` from must contain a `project.yaml`. If you do not have one, run `cre init` from your project folder or follow the [Getting Started guide](/cre/getting-started/overview).
+</Aside>
 
-export const initWorkflow = () => {
-  const http = new HTTPCapability()
-  return [handler(http.trigger({}), run)]
-}
+1. Save the webhook JSON as `test-report-payload.json` inside your receiver workflow folder:
 
-export async function main() {
-  const runner = await Runner.newRunner<Config>()
-  await runner.run(initWorkflow)
-}
-```
+   ```
+   verify-report-receiver/test-report-payload.json
+   ```
 
-Save webhook JSON as `verify-report-receiver/test-report-payload.json`. From the **CRE project root**:
+2. Create a `verify-report-receiver/` folder in your CRE project with the following files.
 
-```bash
-cre workflow simulate verify-report-receiver \
-  --target staging-settings \
-  --non-interactive \
-  --trigger-index 0 \
-  --http-payload verify-report-receiver/test-report-payload.json
-```
+   `config.staging.json` — enables wiring tests without mainnet signer validation:
 
-**Pass criteria**
+   ```json
+   {
+     "skipSignatureVerification": true
+   }
+   ```
 
-- **Sim wiring:** `skipSignatureVerification: true`: logs show metadata and `{ verified: true }`.
-- **Full crypto verify:** default config with a **production-signed** report (not typical for sender-sim → receiver-sim alone).
+   `main.ts` — uses an empty HTTP trigger (add `authorizedKeys` before deploying):
 
-## Complete example: HTTP receiver workflow (deploy)
+   ```typescript
+   // verify-report-receiver/main.ts
+   import {
+     decodeJson,
+     handler,
+     hexToBytes,
+     HTTPCapability,
+     Report,
+     Runner,
+     type HTTPPayload,
+     type Runtime,
+   } from "@chainlink/cre-sdk"
+
+   interface Config {
+     skipSignatureVerification?: boolean
+   }
 
-Once simulation is working, update the trigger config for deployment with `authorizedKeys`.
+   type ParsedPayload = {
+     report: string
+     context: string
+     signatures: string[]
+   }
 
-It accepts JSON with hex `report`, `context`, and `signatures` (from the submit guide’s [complete working example](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#complete-working-example) or [Pattern 4 for offchain verification (hex)](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#pattern-4-for-offchain-verification-hex)), not base64 [Pattern 4](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#pattern-4-json-formatted-report) unless you change decoding.
+   /** Hex without 0x prefix in JSON → bytes (add 0x before decode). */
+   const fromHexNoPrefix = (hex: string): Uint8Array => hexToBytes(`0x${hex}`)
 
-```typescript
-import {
-  HTTPCapability,
-  handler,
-  Report,
-  type HTTPPayload,
-  type Runtime,
-  type SecretsProvider,
-} from "@chainlink/cre-sdk"
-import { hexToBytes } from "viem"
-import { z } from "zod"
+   /** AggregateError from Report.parse often has an empty .message in sim output. */
+   const formatError = (err: unknown): string => {
+     if (err instanceof AggregateError) {
+       const parts = err.errors.map((e) => (e instanceof Error ? e.message : String(e)))
+       return parts.join("; ") || "report verification failed"
+     }
+     if (err instanceof Error) return err.message
+     return String(err)
+   }
 
-export const configSchema = z
-  .object({
-    authorized_key: z.string(),
-  })
-  .transform((data) => ({
-    authorizedKey: data.authorized_key,
-  }))
+   const run = async (runtime: Runtime<Config>, payload: HTTPPayload): Promise<{ verified: boolean }> => {
+     try {
+       const parsed = decodeJson(payload.input) as ParsedPayload
+
+       const rawReport = fromHexNoPrefix(parsed.report)
+       const reportContext = fromHexNoPrefix(parsed.context)
+       const sigs = parsed.signatures.map((s) => fromHexNoPrefix(s))
+
+       runtime.log(`Parsing report (${rawReport.length} bytes, ${sigs.length} signatures)`)
+
+       const report = await Report.parse(runtime, rawReport, sigs, reportContext, {
+         skipSignatureVerification: runtime.config.skipSignatureVerification ?? false,
+       })
+
+       runtime.log(
+         `Verified report workflowId=${report.workflowId()} executionId=${report.executionId()} donId=${report.donId()}`
+       )
+       report.body()
+       return { verified: true }
+     } catch (err) {
+       const msg = formatError(err)
+       runtime.log(`Report verification failed: ${msg}`)
+       throw new Error(msg)
+     }
+   }
 
-export type Config = z.infer<typeof configSchema>
+   const initWorkflow = () => {
+     const http = new HTTPCapability()
+     return [handler(http.trigger({}), run)]
+   }
 
-type ParsedPayload = {
-  report: string
-  context: string
-  signatures: string[]
-}
+   export async function main() {
+     const runner = await Runner.newRunner<Config>()
+     await runner.run(initWorkflow)
+   }
+   ```
 
-export async function run(runtime: Runtime<Config>, payload: HTTPPayload): Promise<boolean> {
-  const parsed: ParsedPayload = JSON.parse(new TextDecoder().decode(payload.input))
+3. From the CRE project root, run the simulation:
 
-  const rawReport = hexToBytes(`0x${parsed.report}`)
-  const reportContext = hexToBytes(`0x${parsed.context}`)
-  const sigs = parsed.signatures.map((s) => hexToBytes(`0x${s}`))
+   ```bash
+   cre workflow simulate verify-report-receiver \
+     --target staging-settings \
+     --non-interactive \
+     --trigger-index 0 \
+     --http-payload verify-report-receiver/test-report-payload.json
+   ```
 
-  const report = await Report.parse(runtime, rawReport, sigs, reportContext)
+4. Check the output.
 
-  runtime.log(`Verified report from workflow ${report.workflowId()}, execution ${report.executionId()}`)
+   A successful wiring run logs the decoded report metadata and returns `{ verified: true }`:
 
-  // Use report.body() for your application logic (ABI-encoded payload from the sender workflow)
-  report.body()
+   ```
+   [USER LOG] Parsing report (141 bytes, 4 signatures)
+   [USER LOG] Verified report workflowId=... executionId=... donId=1
+   ✓ Workflow Simulation Result: { "verified": true }
+   ```
 
-  return true
-}
+   This confirms JSON decoding, hex parsing, and [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) are wired correctly. Signatures are not verified against the mainnet registry in this mode — that requires a production-signed report from a deployed sender.
 
-export const initWorkflow = (config: Config, _secretsProvider: SecretsProvider) => {
-  const http = new HTTPCapability()
-  return [
-    handler(http.trigger({ authorizedKeys: [{ type: "KEY_TYPE_ECDSA_EVM", publicKey: config.authorizedKey }] }), run),
-  ]
-}
-```
+### Deploying to production
 
-**What's happening:**
+The `run` handler you simulated is the same code you deploy. For production, make two configuration changes:
 
-1. An external system POSTs hex-encoded `report`, `context`, and `signatures` to your HTTP trigger.
-2. [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) verifies signatures against the production CRE registry.
-3. On success, you read metadata and `body()` safely.
+1. **Remove `skipSignatureVerification`** from your target config (or omit it; the default is `false`). Reports from a deployed sender must pass real signature verification.
+2. **Add `authorizedKeys`** to your HTTP trigger — required for deployed workflows, not just simulation. See [HTTP Trigger configuration](/cre/guides/workflow/using-triggers/http-trigger/configuration-ts).
 
 
 <Aside type="caution" title="Hex encoding">
@@ -16072,7 +16136,7 @@ export const initWorkflow = (config: Config, _secretsProvider: SecretsProvider)
 
 ## Report payload format
 
-When a sender POSTs a [CRE report](/cre/key-terms#report-cre-report) as JSON for offchain verification, receivers need three fields (plus optional metadata your API may add). The JSON key is `context` even though the SDK field is `reportContext`:
+When a sender POSTs a [CRE report](/cre/key-terms#report-cre-report) as JSON for offchain verification, receivers need three fields. The JSON key is `context` even though the SDK field is `reportContext`. See [Payload contract](/cre/guides/workflow/using-http-client/submitting-reports-http-ts#payload-contract-if-you-verify-offchain) in the submit guide for how the sender produces these fields.
 
 | JSON field   | SDK field       | Description                                                     |
 | ------------ | --------------- | --------------------------------------------------------------- |
@@ -16080,32 +16144,13 @@ When a sender POSTs a [CRE report](/cre/key-terms#report-cre-report) as JSON for
 | `context`    | `reportContext` | Hex-encoded config digest + sequence number                     |
 | `signatures` | `sigs`          | Array of hex-encoded 65-byte ECDSA signatures, no `0x`          |
 
-The `reportContext` layout used by the SDK:
-
-- Bytes 0–31: config digest
-- Bytes 32–39: sequence number (big-endian `uint64`)
-
 ## API reference
 
-See [SDK Reference: Core: Report verification](/cre/reference/sdk/core-ts#report-verification) for full signatures, types, and configuration.
-
-### `Report.parse()`
-
-```typescript
-Report.parse(
-  runtime: Runtime,
-  rawReport: Uint8Array,
-  signatures: Uint8Array[],
-  reportContext: Uint8Array,
-  config?: ReportParseConfig,
-): Promise<Report>
-```
-
-Parses and verifies a report. Throws if verification fails.
+For full signatures, types, and `ReportParseConfig` options, see [SDK Reference: Core: Report verification](/cre/reference/sdk/core-ts#report-verification).
 
 ### `Report` accessors
 
-After a successful parse:
+After a successful [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification):
 
 | Method            | Description                               |
 | ----------------- | ----------------------------------------- |
@@ -16119,26 +16164,6 @@ After a successful parse:
 | `seqNr()`         | Sequence number from report context       |
 | `configDigest()`  | Config digest from report context         |
 
-### `ReportParseConfig`
-
-```typescript
-import { productionEnvironment, zoneFromEnvironment, type ReportParseConfig } from "@chainlink/cre-sdk"
-
-const config: ReportParseConfig = {
-  acceptedZones: [zoneFromEnvironment(productionEnvironment(), 1)],
-  acceptedEnvironments: [productionEnvironment()],
-  skipSignatureVerification: false,
-}
-```
-
-| Option                      | Description                                                                                                                                                                                                                                                                                                                  |
-| --------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `acceptedEnvironments`      | Registry environments to check (defaults to production)                                                                                                                                                                                                                                                                      |
-| `acceptedZones`             | Restrict to specific DON IDs within an environment                                                                                                                                                                                                                                                                           |
-| `skipSignatureVerification` | Parse metadata only, without registry reads or signature checks. Use only for testing or when another layer verifies signatures. There is no separate `verifySignatures()` on `Report` in TypeScript; call [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) without this flag for production verification. |
-
-Most workflows should use the default config (production environment only).
-
 ## Best practices
 
 1. **Verify before side effects**: Call [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification) before writing to databases, chains, or external systems.
@@ -16175,9 +16200,9 @@ Most workflows should use the default config (production environment only).
 
 - At least **f+1** valid signatures are required. Extra invalid signatures are skipped; too few valid ones fails verification.
 
-**`could not read from chain ...`**
+**`could not read from chain ...`** *(CRE receiver workflow only)*
 
-- Registry read failed (RPC/network). Configure **`ethereum-mainnet` RPC** in `project.yaml` (required for default verify, including sim). Sepolia-only RPC is not sufficient for default `Report.parse()`.
+- Registry read failed (RPC/network). Configure an **`ethereum-mainnet` RPC** in `project.yaml` — required for default [`Report.parse()`](/cre/reference/sdk/core-ts#report-verification), including during sim. Sepolia-only RPC is not sufficient.
 
 **`raw report too short`**
 

From 01d7fe97f6a47c8801f5e3ce8f0ec334b3c55b17 Mon Sep 17 00:00:00 2001
From: devin distefano <devin.distefano@smartcontract.com>
Date: Wed, 10 Jun 2026 22:57:30 -0500
Subject: [PATCH 9/9] chore: trigger Vercel deploy

Co-authored-by: Cursor <cursoragent@cursor.com>