An audit trail your agent can't tamper with
A separate daemon signs and stores a tamper-evident receipt for every tool call your agent makes. The signing keys and the receipt store live outside the agent process, so the audit trail holds up even if the agent is compromised.
Built for platform and security teams approving agentic deployments.
Start with a real agent workflow
If you want to try Agent Receipts in minutes, start with the MCP Proxy.
It sits in front of an MCP server you already use and gives you:
- Signed receipts for every tool call
- A tamper-evident audit chain
- Risk scoring and cryptographic receipts, without modifying the client or server
Best first paths
What you will do
- Install the daemon and mcp-proxy
- Wrap one MCP server
- Make a few tool calls from your agent
- Inspect and verify the signed receipts
Conceptual overview. Signing and storage happen inside the agent-receipts daemon — the agent process sends events over a Unix socket and never touches the keys.
AI agents are increasingly acting on behalf of humans — sending emails, modifying documents, making purchases, managing files. Observability platforms like LangSmith and Arize provide valuable operational telemetry but are designed for debugging and monitoring, not cryptographic proof of authorization or identity. Agent Receipts produces a tamper-evident record using the same Ed25519 and SHA-256 primitives the space already converged on, wrapped in the W3C Verifiable Credentials envelope — reusing standards, not authoring a new one. The EU AI Act mandates traceability for high-risk AI systems (Article 12); Agent Receipts produces a record that meets that bar.
What is an Agent Receipt?
An Agent Receipt is a cryptographically signed record of a single action taken by an AI agent on behalf of a human. Each receipt is structured as a W3C Verifiable Credential with type AgentReceipt, signed with Ed25519, and hash-chained into a tamper-evident log.
Think of it as C2PA Content Credentials, but for agent actions instead of media assets. Where C2PA provides signed provenance manifests for photos, videos, and documents, Agent Receipts provide signed provenance records for things agents do.
What a receipt records
Every Agent Receipt captures:
- Who — the agent that acted and the human who authorized it
- What — the action type (from a standardized taxonomy) and its risk level
- When — timestamps, optionally backed by a trusted third-party timestamp authority
- Outcome — success, failure, or pending — and whether the action is reversible
- Chain position — a hash link to the previous receipt, forming a tamper-evident sequence
Parameters are hashed, not stored in plaintext. The operator controls what is disclosed. Sensitive data never appears in receipts.
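A simplified model of the signing and hash-chaining described above, as an added example that is not the Agent Receipts SDK or wire format. The field names, the all-zero genesis hash, the serialization and the sample actions are assumptions made for illustration. It shows how a verifier holding only the public key locates the first altered or missing receipt.

```javascript
// Added illustration: simplified receipt model, NOT the Agent Receipts wire format or SDK API.
const crypto = typeof require === 'function'
  ? require('node:crypto') : process.getBuiltinModule('node:crypto');
const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');
const GENESIS = '0'.repeat(64); // assumed prevHash for the first receipt
// Deterministic bytes that get signed; field names are hypothetical.
const body = (r) => JSON.stringify([r.seq, r.action, r.paramsHash, r.prevHash]);
// The chain hash covers body and signature, so neither can be swapped afterwards.
const receiptHash = (r) => sha256(body(r) + r.signature);

// Daemon side: only this code ever sees the private key.
function appendReceipt(chain, privateKey, action, params) {
  const prev = chain[chain.length - 1];
  const r = {
    seq: chain.length,
    action,
    paramsHash: sha256(JSON.stringify(params)), // parameters are hashed, not stored
    prevHash: prev ? receiptHash(prev) : GENESIS,
  };
  r.signature = crypto.sign(null, Buffer.from(body(r)), privateKey).toString('base64');
  chain.push(r);
  return r;
}

// Verifier side: public key only. Returns the index of the first bad receipt, or -1.
function verifyChain(chain, publicKey) {
  let expectedPrev = GENESIS;
  for (let i = 0; i < chain.length; i++) {
    const r = chain[i];
    const sigOk = crypto.verify(null, Buffer.from(body(r)), publicKey,
      Buffer.from(r.signature, 'base64'));
    if (r.seq !== i || r.prevHash !== expectedPrev || !sigOk) return i;
    expectedPrev = receiptHash(r);
  }
  return -1;
}

// Constructed sample data: three receipts, then two tampered copies of the log.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const chain = [];
  appendReceipt(chain, privateKey, 'email.send', { to: 'a@example.com' });
  appendReceipt(chain, privateKey, 'file.delete', { path: '/tmp/report.txt' });
  appendReceipt(chain, privateKey, 'file.read', { path: '/tmp/notes.txt' });
  const edited = chain.map((r) => ({ ...r }));
  edited[1].action = 'file.read';       // altered field: signature check fails at 1
  const dropped = [chain[0], chain[2]]; // removed receipt: seq and prevHash break at 1
  const check = (c) => verifyChain(c, publicKey);
  return { intact: check(chain), edited: check(edited), dropped: check(dropped) };
}
```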
Why the daemon matters
The signing keys and receipt store live in the agent-receipts daemon — a separate process that is the sole writer to the chain. The agent sends events over a Unix socket; keys and database handles never enter the agent process.
The daemon records caller peer credentials (pid, uid, executable path) at connect time — captured by the OS, not self-reported by the agent.
For the strongest tamper-evidence guarantee, deploy the daemon as a dedicated OS user so the key file is inaccessible to the agent’s account. See Daemon Setup.
Design principles
The protocol is privacy-preserving by default, built on existing standards (W3C VCs, Ed25519, SHA-256, RFC 3161), agent-agnostic, and minimal by default with room for domain-specific extensions. See the Specification Overview for the full set of design principles.
Choose your next step
- Want the fastest hands-on experience? Start with the MCP Proxy overview.
- Want to create receipts directly in your app? Use the TypeScript SDK, Python SDK, or Go SDK.
- Want the protocol details first? Read the Specification Overview.