Paste a Duvera capability token (the capability_token field of any execution result). The gateway checks the Ed25519 signature against its published keys — the same check anyone can run offline with duvera-verify and the public JWKS, no trust in this server required.