Specification Overview

v0.1.0 Draft

The Agent Receipt Protocol defines a standard format for cryptographically signed records of AI agent actions. This page covers the design principles and core concepts. For the full specification, see the spec source on GitHub.

  1. Privacy-preserving by default. Parameters are hashed, not stored in plaintext. The human principal controls what is disclosed. Sensitive data never appears in receipts — only hashes and user-controlled previews.

  2. Built on existing standards. W3C Verifiable Credentials Data Model 2.0 for structure. Ed25519 for signing. SHA-256 for hashing. RFC 3161 for trusted timestamps. No novel cryptographic primitives.

  3. Hash-chained for integrity. Each receipt includes the hash of the previous receipt, forming a tamper-evident chain. Breaking the chain is detectable.

  4. Agent-agnostic. The spec does not assume MCP, OpenAI function calling, or any specific agent framework. Any agent that can produce JSON and sign it can emit receipts.

  5. Human-readable and machine-verifiable. Receipts can be displayed as a timeline to end users and cryptographically verified by auditors and compliance tools.

  6. Reversibility-aware. Every receipt declares whether the action can be undone, and if so, how. This enables downstream tooling to offer “undo” capabilities.

  7. Minimal by default, extensible by design. The core schema is small. Domain-specific extensions (financial actions, healthcare, etc.) can be layered on via additional @context URIs.

[Diagram: Agent Receipt (W3C Verifiable Credential). Fields shown: id; issuer; validFrom; version; credentialSubject; principal (id, type); action (type, risk, timestamp); outcome (status, reversible); chain (sequence, prev_hash); intent (prompt, reasoning); authorization (scopes, grant); delegation (parent chain ref); proof: Ed25519Signature2020 (signs canonical receipt). Legend: required, optional.]

A cryptographically signed record of a single action taken by an AI agent on behalf of a human principal. Modeled as a W3C Verifiable Credential with type AgentReceipt.

An ordered sequence of Agent Receipts linked by hash references. Each receipt contains the hash of the previous receipt in the chain, creating a tamper-evident log. The first receipt in a chain has a null previous hash.
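
An added example (not code from the spec or the project) of the tamper-evident chain described in design principle 3 and in the paragraph above: it recomputes each receipt's hash and checks the `prev_hash` and `sequence` linkage. The canonicalization (sorted-key compact JSON), the hex hash encoding, the placement of `chain` under `credentialSubject`, the helper names, and the sample action types are assumptions for illustration.

```python
import hashlib
import json


def receipt_hash(receipt):
    # Assumption: canonical form is sorted-key, compact UTF-8 JSON and the
    # hash is hex-encoded SHA-256. The spec's own rules may differ.
    data = json.dumps(receipt, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def verify_chain(receipts):
    """Return a list of (index, problem) tuples; an empty list means intact."""
    problems = []
    prev = None
    for i, receipt in enumerate(receipts):
        chain = receipt["credentialSubject"]["chain"]
        # First receipt must carry a null previous hash.
        expected_prev = None if prev is None else receipt_hash(prev)
        if chain["prev_hash"] != expected_prev:
            problems.append((i, "prev_hash mismatch"))
        if prev is not None:
            want = prev["credentialSubject"]["chain"]["sequence"] + 1
            if chain["sequence"] != want:
                problems.append((i, "sequence gap"))
        prev = receipt
    return problems


def build_chain(action_types):
    """Constructed sample data: minimal receipts, not the full schema."""
    receipts = []
    for seq, action_type in enumerate(action_types, start=1):
        prev_hash = receipt_hash(receipts[-1]) if receipts else None
        receipts.append({
            "type": ["VerifiableCredential", "AgentReceipt"],
            "credentialSubject": {
                "action": {"type": action_type},  # constructed label
                "chain": {"sequence": seq, "prev_hash": prev_hash},
            },
        })
    return receipts
```

Editing a receipt is reported at the receipt that follows it, so a change to the final receipt, or truncation of the tail, passes this check. Detecting those relies on verifying each receipt's Ed25519 proof and on knowing the expected chain head.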

A standardized vocabulary of action types, organized by domain and risk level. The taxonomy enables cross-agent comparison and risk classification. See Action Taxonomy.

The human (or organization) on whose behalf the agent acted. Identified by a DID or URI. The principal is the entity who authorized the action, not the entity that built or operates the agent.

The agent (or agent platform) that performed the action and produced the receipt. The issuer signs the receipt with its private key.

| Project | Relationship |
| --- | --- |
| C2PA / Content Credentials | Inspiration. Extends signed provenance from media assets to agent actions. |
| W3C Verifiable Credentials | Agent Receipts are W3C VCs using Data Model 2.0 as the envelope. |
| W3C DIDs | Agent and principal identities are expressed as DIDs. |
| Grantex | Complementary. Grantex handles authorization; Agent Receipts handle audit. (Early-stage IETF draft — not yet widely adopted.) |
| AgentStamp | Overlapping in audit trail. AgentStamp is narrower (trust verification only). (Research proposal — no public implementation.) |
| MolTrust | Complementary. Could serve as the identity layer for agent DIDs. (Research proposal — no public implementation.) |