Agent Receipts — cryptographic audit trails for AI agents
An agent runs overnight. By morning, a customer’s production data is gone — the agent called a cleanup tool with the wrong scope and deleted records it was never meant to touch. The first question everyone asks is the simplest one: what exactly did it do, on whose authority, and with what inputs? You open the logs and find a single line — “maintenance task completed.” Nothing about the destructive call. Nothing about who approved it. And no way to prove the log itself wasn’t edited afterward.
Agent Receipts closes that gap. A separate daemon records a tamper-evident receipt for every tool call your agent makes. The signing keys and the receipt store live outside the agent process, so the audit trail holds up even if the agent is compromised.
Use it today
Section titled “Use it today”This isn’t just a spec — there’s working tooling at obsigna.dev you can drop in right now:
- Hook — the fastest path: capture native tool calls in Claude Code and other runtimes.
- MCP proxy — sit it in front of any MCP server and sign a receipt for every tool call, with no code changes.
- SDKs for Go, TypeScript, and Python — emit receipts directly from your own code.
- Dashboard — browse and verify the receipt chain.
The protocol
Section titled “The protocol”An Agent Receipt is a cryptographically signed record of a single action taken by an AI agent on behalf of a human. Each receipt is structured as a W3C Verifiable Credential with type AgentReceipt, signed with Ed25519, and hash-chained into a tamper-evident log.
Every receipt captures:
- Who — the agent that acted and the human who authorized it
- What — the action type (from a standardized taxonomy) and its risk level
- When — timestamps, optionally backed by a trusted third-party timestamp authority
- Outcome — success, failure, or pending — and whether the action is reversible
- Chain position — a hash link to the previous receipt, forming a tamper-evident sequence
Parameters are hashed, not stored in plaintext. The operator controls what is disclosed.
Design principles
Section titled “Design principles”The protocol is privacy-preserving by default, built on existing standards (W3C VCs, Ed25519, SHA-256, RFC 3161), agent-agnostic, and minimal by default with room for domain-specific extensions. The EU AI Act mandates traceability for high-risk AI systems (Article 12); Agent Receipts is designed to produce records suited to that requirement.
See the Specification Overview for the full design.
Explore the spec
Section titled “Explore the spec”- How It Works — architecture and flow
- Trust Model — threat model and guarantees
- Agent Receipt Schema — the full receipt structure
- Action Taxonomy — standardized action types and risk levels
- Receipt Chain Verification — tamper-evidence guarantees
- Parameter Disclosure — privacy-preserving payload handling
- Spec (full text) — versioned canonical specification
- Conformance — cross-language SDK interop verified against a shared corpus, CI-enforced
Ecosystem
Section titled “Ecosystem”For the agent security tooling landscape — how Agent Receipts fits alongside observability platforms, policy engines, and other approaches — see the Ecosystem.