diff --git a/bare_minimum_crypto/cpp/bmc_test.cpp b/bare_minimum_crypto/cpp/bmc_test.cpp
index f93e2bf..ad81768 100644
--- a/bare_minimum_crypto/cpp/bmc_test.cpp
+++ b/bare_minimum_crypto/cpp/bmc_test.cpp
@@ -139,7 +139,7 @@ int happy_path () {
 	// even though the receiver has never seen the sub-key.
 	
 	const auto root_pubkey = root_key.pubkey ();
-	auto verified_opt = Receiver::verify_cert_and_data (cert, signed_data, root_pubkey);
+	auto verified_opt = Receiver::verify_cert_and_data (root_pubkey, cert, signed_data);
 	if (! verified_opt) {
 		cerr << "Receiver couldn't verify cert and data" << endl;
 		return 1;
diff --git a/bare_minimum_crypto/cpp/receiver.cpp b/bare_minimum_crypto/cpp/receiver.cpp
index daee131..aa0ca46 100644
--- a/bare_minimum_crypto/cpp/receiver.cpp
+++ b/bare_minimum_crypto/cpp/receiver.cpp
@@ -67,9 +67,9 @@ namespace BareMinimumCrypto::Receiver {
 	}
 	
 	optional <vector <uint8_t>> verify_cert_and_data (
+		const vector <uint8_t> & root_pubkey,
 		const ExpiringSignature & signed_cert,
 		const ExpiringSignature & signed_data,
-		const vector <uint8_t> & root_pubkey,
 		Instant now
 	) {
 		auto subkey_opt = verify_signed_data (signed_cert, root_pubkey, now);
@@ -82,10 +82,10 @@ namespace BareMinimumCrypto::Receiver {
 	}
 	
 	optional <vector <uint8_t>> verify_cert_and_data (
+		const vector <uint8_t> & root_pubkey,
 		const ExpiringSignature & signed_cert,
-		const ExpiringSignature & signed_data,
-		const vector <uint8_t> & root_pubkey
+		const ExpiringSignature & signed_data
 	) {
-		return verify_cert_and_data (signed_cert, signed_data, root_pubkey, Instant::now ());
+		return verify_cert_and_data (root_pubkey, signed_cert, signed_data, Instant::now ());
 	}
 }
diff --git a/bare_minimum_crypto/cpp/receiver.h b/bare_minimum_crypto/cpp/receiver.h
index d495c03..e5cf525 100644
--- a/bare_minimum_crypto/cpp/receiver.h
+++ b/bare_minimum_crypto/cpp/receiver.h
@@ -2,6 +2,7 @@
 
 #include <optional>
 #include <stdint.h>
+#include <string>
 #include <vector>
 
 namespace BareMinimumCrypto {
@@ -17,15 +18,20 @@ just compile them into the receiver app, too.
 
 All the receiver does is receive combined cert-and-data messages,
 and attempt to verify them. The subkeys used to directly sign the
-data don't need to be saved, but should be logged.
+data are disposable and not exposed to callers.
 */
 
 namespace BareMinimumCrypto::Receiver {
 	using namespace std;
 	
 	optional <vector <uint8_t>> verify_cert_and_data (
+		const vector <uint8_t> & root_pubkey,
 		const ExpiringSignature & signed_cert,
-		const ExpiringSignature & signed_data,
-		const vector <uint8_t> & root_pubkey
+		const ExpiringSignature & signed_data
+	);
+	
+	optional <vector <uint8_t>> verify_cert_and_data (
+		const vector <uint8_t> & root_pubkey,
+		const string & json_string
 	);
 }