Introduction
AI agents are increasingly acting on behalf of humans — sending emails, modifying documents, making purchases, managing files. But there is no widely adopted open standard for recording what an agent did, why it did it, whether it succeeded, and whether it can be undone.
Observability platforms like LangSmith and Arize provide valuable operational telemetry, but they are designed for debugging and monitoring, not for cryptographic proof of authorization or identity. To our knowledge, no existing project produces an audit trail that cryptographically links a specific action to a specific agent, the user authorization it acted under, and the set of scopes that authorization granted. The EU AI Act mandates traceability for high-risk AI systems (Article 12, record-keeping), but leaves the record format to implementers.
What is an Agent Receipt?
An Agent Receipt is a cryptographically signed record of a single action taken by an AI agent on behalf of a human. Each receipt is structured as a W3C Verifiable Credential with type AgentReceipt, signed with Ed25519, and hash-chained into a tamper-evident log.
Think of it as C2PA Content Credentials, but for agent actions instead of media assets. Where C2PA provides signed provenance manifests for photos, videos, and documents, Agent Receipts provide signed provenance records for things agents do.
What a receipt records
Every Agent Receipt captures:
- Who — the agent that acted and the human who authorized it
- What — the action type (from a standardized taxonomy) and its risk level
- When — timestamps, optionally countersigned by a trusted third-party timestamp authority (RFC 3161)
- Outcome — success, failure, or pending — and whether the action is reversible
- Chain position — a hash link to the previous receipt, forming a tamper-evident sequence
Action parameters are stored only as a hash, so a receipt commits to what was done without reproducing the arguments themselves; the human principal controls what, if anything, is disclosed beyond that. Sensitive data therefore never appears in a receipt in plaintext. One caveat applies to any hash-only commitment: a hash of a low-entropy parameter (an email address, a small purchase amount) can be recovered by guessing candidate values unless the commitment is salted, so check how the specification defines parameter hashing before relying on it for secrecy rather than for integrity.
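The following Go program is an added example, not code from the Agent Receipts project, that exercises the structure described in the two sections above: a W3C-VC-shaped record of type AgentReceipt carrying the who / what / when / outcome fields, a SHA-256 commitment to the parameters instead of the parameters themselves, a previousReceiptHash link to the prior receipt, and an Ed25519 signature over the canonical bytes. The JSON field names, the `did:example:` identifiers, the `https://www.w3.org/ns/credentials/v2` context, the sample actions and parameter values, and the use of Go's `encoding/json` as the canonicalization are all assumptions made for this example; the specification's actual schema, canonicalization and RFC 3161 handling are not shown on this page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Receipt is the unsigned credential body; its field names are this example's assumptions.
type Receipt struct {
	Context      []string `json:"@context"`
	Type         []string `json:"type"`
	Agent        string   `json:"agent"`               // who acted
	Principal    string   `json:"principal"`           // who authorized it
	ActionType   string   `json:"actionType"`          // taxonomy entry
	RiskLevel    string   `json:"riskLevel"`
	ParamsHash   string   `json:"parametersHash"`      // SHA-256 of the parameters, never the parameters
	Timestamp    string   `json:"timestamp"`           // RFC 3339; an RFC 3161 token would be a further field
	Outcome      string   `json:"outcome"`             // success | failure | pending
	Reversible   bool     `json:"reversible"`
	PreviousHash string   `json:"previousReceiptHash"` // SHA-256 of the prior body; "" for the first receipt
}

type SignedReceipt struct {
	Body      Receipt `json:"credential"`
	Signature string  `json:"signature"` // hex Ed25519 signature over canonical(Body)
}

// canonical serializes deterministically (struct field order, sorted map keys); it stands in for the VC canonicalization the spec requires.
func canonical(v any) []byte {
	b, err := json.Marshal(v)
	if err != nil {
		panic(err) // unreachable for the types used here
	}
	return b
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// HashParams commits to the parameters without disclosing them; BodyHash is the value the next receipt links to.
func HashParams(params map[string]any) string { return sha256Hex(canonical(params)) }
func BodyHash(r Receipt) string                 { return sha256Hex(canonical(r)) }

// Issue links r to prev (nil for the first receipt in a log) and signs it.
func Issue(priv ed25519.PrivateKey, prev *SignedReceipt, r Receipt) SignedReceipt {
	r.Context = []string{"https://www.w3.org/ns/credentials/v2"}
	r.Type = []string{"VerifiableCredential", "AgentReceipt"}
	if prev != nil {
		r.PreviousHash = BodyHash(prev.Body)
	}
	return SignedReceipt{Body: r, Signature: hex.EncodeToString(ed25519.Sign(priv, canonical(r)))}
}

// VerifyChain checks every signature and hash link: editing, reordering, or removing any receipt other than the most recent one is reported.
func VerifyChain(pub ed25519.PublicKey, chain []SignedReceipt) error {
	prevHash := ""
	for i, sr := range chain {
		sig, err := hex.DecodeString(sr.Signature)
		if err != nil || !ed25519.Verify(pub, canonical(sr.Body), sig) {
			return fmt.Errorf("receipt %d: bad signature", i)
		}
		if sr.Body.PreviousHash != prevHash {
			return fmt.Errorf("receipt %d: previousReceiptHash does not match its predecessor", i)
		}
		prevHash = BodyHash(sr.Body)
	}
	return nil
}

// ContainsPlaintext reports whether the serialized receipt exposes value.
func ContainsPlaintext(sr SignedReceipt, value string) bool {
	return strings.Contains(string(canonical(sr)), value)
}

// SampleChain issues two chained receipts under a fresh key; the actions and parameter values are constructed for this example.
func SampleChain() (ed25519.PublicKey, []SignedReceipt, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	first := Issue(priv, nil, Receipt{
		Agent: "did:example:agent-1", Principal: "did:example:alice", ActionType: "email.send", RiskLevel: "medium",
		ParamsHash: HashParams(map[string]any{"to": "bob@example.com", "subject": "Q3 numbers"}),
		Timestamp: "2025-01-15T10:00:00Z", Outcome: "success", Reversible: false,
	})
	second := Issue(priv, &first, Receipt{
		Agent: "did:example:agent-1", Principal: "did:example:alice", ActionType: "file.delete", RiskLevel: "high",
		ParamsHash: HashParams(map[string]any{"path": "/reports/q3-draft.docx"}),
		Timestamp: "2025-01-15T10:00:07Z", Outcome: "pending", Reversible: true,
	})
	return pub, []SignedReceipt{first, second}, nil
}
```

Running `VerifyChain` over the intact sample chain returns nil; changing `chain[0].Body.Outcome` afterwards, dropping the first receipt, or swapping the two makes it return an error, while `ContainsPlaintext(chain[0], "bob@example.com")` stays false because only the parameter hash is recorded. Note what the chain alone does not catch: truncating the log by deleting the most recent receipt leaves every remaining link valid, so a deployment also needs to anchor or publish the latest BodyHash (for example under an RFC 3161 timestamp) to make truncation detectable.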
Design principles
The protocol is privacy-preserving by default, built on existing standards (W3C Verifiable Credentials, Ed25519, SHA-256, RFC 3161), agent-agnostic, and minimal in its core, with room for domain-specific extensions. See the Specification Overview for the full set of design principles.