v0.10.0Latest Release

Open standard for verifiable interaction records

Prove what happened between agents, APIs, tools, and partners. Portable records you can verify anywhere, even offline.

Logs are local. Records are cross-boundary.Internal logs tell you what happened. PEAC records prove it to auditors, partners, and regulators.

Tamper-evident signatures. Independent verification. No central authority required.

Read Specification Get Started GitHub

Sources

Agent

API

Tool

PEAC

Process

1. Discover

2. Enforce

3. Sign

Outputs

Receipt

Verify

Audit

What

PEAC standardizes a file-discoverable policy surface and a signed receipt format that make automated interactions provable (consent, attribution, settlement references, decisions, outcomes).

Who

APIs, gateways, tool servers, agent platforms, and compliance/security teams operating automated traffic across org boundaries.

Why

Internal logs are not neutral proof and integrations do not interoperate. PEAC makes terms machine-readable and outcomes cryptographically verifiable.

Where PEAC Fits

System of record

Your existing logs, traces, and databases continue as-is

PEAC record attached

Portable signed receipt emitted alongside response

Partner verification

Independent verification without shared infrastructure

Dispute Bundle export

Package evidence for audits, escalation, or arbitration

Quick Glossary

Record

A portable interaction record that can be independently verified

Receipt

The signed, serialized form of a record (the file)

Dispute Bundle

A packaged export (records + policy/keys + signatures) for audits, disputes, escalation

Tamper-evident•Independently verifiable•Offline verification•Open spec + conformance vectors

The Problem

Why Verifiable Records?

Logs are local. Records are cross-boundary.

Internal logs tell you what happened. PEAC records prove it to auditors, partners, and regulators.

As AI agents operate across systems and organizational boundaries, verifiable evidence becomes critical for:

Accountability

Through decentralized verification

Incident Response

Across independent organizations

Regulatory Compliance

With machine-verifiable proof

PEAC records are portable, tamper-evident, and independently verifiable - no central authority required.

Who Benefits

Value for every stakeholder

PEAC layers on existing protocols without replacement. Just verifiable records.

Security & Compliance

Audit agent interactions with verifiable proof. Verify attribution and consent with independently verifiable records.

AI Agents

Discover terms before access. Retain verifiable records proving policy compliance.

API Providers

Issue tamper-proof records for every interaction. Enable cross-org incident response.

Publishers

Declare access terms. Receive verifiable proof of policy compliance.

The Protocol

Universal evidence layer for automated interactions

PEAC provides three core primitives for verifiable proof across systems and organizational boundaries:

1. Declare terms

Publish machine-readable terms via /.well-known/peac.txt and policy kit rules.

2. Record outcomes

Issue signed receipts for every interaction with tamper-evident evidence.

3. Verify and bundle

Independently verify receipts offline. Package disputes as deterministic bundles.

HTTP/REST is the default binding: Records are serialized as signed receipt files returned in PEAC-Receipt headers. Other transports (MCP, A2A, gRPC, WebSocket) carry the same envelope in their native metadata.

Ed25519 Signatures

Compact 64-byte signatures verified in microseconds.

Offline Verification

Deterministic, no network required, cross-language parity.

Dispute Bundles

ZIP packages with receipts, policy, and verification reports.

TypeScript + Go

Cross-language SDKs with type safety and conformance vectors.

PEAC-Receipt (JWS)

{
  "typ": "peac-receipt/0.1",
  "alg": "EdDSA",
  "kid": "peac-2025-12"
}
.
{
  "iss": "https://api.example.com",
  "aud": "https://agent.client.io",
  "iat": 1735689600,
  "amt": 50,
  "cur": "USD",
  "payment": {
    "rail": "x402",
    "reference": "pay_abc123"
  }
}
.
[Ed25519 signature]

The Flow

Five steps from policy to verified receipt

From policy discovery to verifiable proof in a single HTTP exchange.

Discover

Agent fetches policy file

/.well-known/peac.txt

Request

Agent includes intent in headers

PEAC-Purpose: index

Settle

Server enforces policy

402 Payment Required

Sign

Server issues receipt

PEAC-Receipt: eyJ...

Verify

Agent verifies and stores

Ed25519 verified

Positioning

Where PEAC fits (and where it does not)

PEAC is the evidence layer, not a replacement for identity, payment, or observability systems.

How it integrates with your existing systems

Your system logs the call

Existing logs/traces stay

PEAC record is emitted

Portable artifact

Partner/verifier checks it

No shared database required

If escalated: export a Dispute Bundle

Audit/dispute/reconciliation

PEAC Provides

•Policy surfaces (/.well-known/peac.txt)
•Signed receipts (Ed25519 JWS)
•Verification rules (offline, deterministic)
•Evidence bundles (dispute packages)
•Adapters/mappings (protocol bridges)

PEAC Does Not Replace

OpenTelemetry: OTel is observability; PEAC is portable proof that can correlate to traces
MCP / A2A: These coordinate tool use and agent exchanges; PEAC carries proof alongside them
AP2 / ACP / UCP: These authorize and orchestrate commerce flows; PEAC provides verifiable evidence
C2PA: C2PA is media provenance; PEAC is access and interaction receipts
Payment rails: Rails move funds; PEAC records settlement references

Interoperability

Layers on protocols you already use

No replacement, just verifiable records. PEAC integrates with existing standards.

UCP mapping (v0.10.0)

Map UCP commerce semantics into PEAC records so the same interaction can be reconciled across systems. PEAC stays the neutral proof layer.

View UCP mapping docs →

Crypto & Signing

Ed25519JWS RFC 7515RFC 8032RFC 9449

Payment Settlement

x402StripeHTTP 402

Commerce & Agent Protocols

UCPMCPA2AACPTAPRSL 1.0

Applications

Built for real problems

Verifiable records solve accountability, incident response, and compliance across AI agents and APIs.

Cross-Org Accountability

When agents act across systems and organizational boundaries, records provide verifiable evidence of what policy was applied and what was accessed.

Learn more

Incident Response

Trace agent actions back to specific decisions. Generate audit bundles for investigation and regulatory evidence.

View API reference

Regulated Provenance

Prove compliant data access for EU AI Act and similar frameworks. Policy binding creates machine-verifiable audit trails.

View policy guide

Agent Commerce

Autonomous agents discover pricing, negotiate terms, and retain verifiable payment proof. Integrates with MCP, ACP, UCP, and custom protocols.

View adapters

Common Deployments

Works across HTTP APIs, tool calls, data licensing, and streaming sessions

APIs & Gateways

HTTP receipts

Tool Calls

MCP, A2A

Data Licensing

Training access

Sessions

WebSocket, gRPC

Integration

Get started in minutes

Install the SDK, verify receipts, or implement the spec directly.

verify.tsTypeScript

import { verify } from '@peac/protocol'

const receipt = response.headers.get('PEAC-Receipt')

const result = await verify(receipt, {
  issuerAllowlist: ['https://api.example.com']
})

if (result.ok) {
  console.log('Issuer:', result.claims.iss)
  console.log('Amount:', result.claims.amt)
  console.log('Rail:', result.claims.payment.rail)
}

terminalInstallation

# Install core packages
pnpm add @peac/protocol @peac/crypto

# Or install with a payment rail
pnpm add @peac/rails-x402
pnpm add @peac/rails-stripe

# Use the CLI
pnpm add -g @peac/cli

# Initialize policy
peac policy init

View full quickstart guide

Roles

Four roles in the PEAC protocol

Every participant has a clear responsibility in the evidence chain.

Issuer

Services, gateways, or tool servers that issue signed records for completed interactions.

Client/Agent

Callers who make requests, receive records, and retain them as portable proof.

Verifier

Auditors, counterparties, regulators, or arbitrators who verify records offline.

Facilitator

Payment rails, risk attesters, or gateways that provide evidence for receipt claims.

Ecosystem

Works with your stack

Integrations for payment rails, agent protocols, commerce orchestration, and edge platforms.

MCP

Tool call receipts in Model Context Protocol

ACP

Commerce evidence in Agent Commerce Protocol

A2A

Agent identity and proof of control

TAP

Trusted Agent Protocol with RFC 9421 signatures

UCP

Universal Commerce Protocol webhook verification

x402

HTTP 402 settlement with stablecoin rails

Stripe

Traditional card payment evidence

RSL

Robots Specification Language policy mapping

OTel

OpenTelemetry trace correlation

View all integrations

Technical Foundation

Security & Verification

Built on proven cryptographic standards with deterministic verification.

Cryptographic Foundations

Ed25519Compact 64-byte signatures, verified in microseconds

JWSRFC 7515 - JSON Web Signature envelope format

RFC 8032EdDSA algorithm specification

RFC 8785Canonical JSON for deterministic bundles

Verification Guarantees

•Offline verification (no network required)
•Cross-language parity (TypeScript and Go)
•Deterministic output (RFC 8785 canonical JSON)
•JWKS discovery with SSRF protection
•Replay protection via nonce + timestamp
•Fail-closed by default (no silent fallbacks)

View full security model

FAQ

Common Questions

Do I need a central service or account to use PEAC?

No. PEAC is an open standard: you publish policy and keys on your own domain, issue signed records alongside your responses, and anyone can verify them independently. There is no central authority required for verification.

What exactly is a "PEAC receipt", and how do people verify it?

A PEAC receipt is a signed interaction record returned in the PEAC-Receipt HTTP header, encoded as a JWS (Ed25519). Verifiers decode the JWS, check alg/typ/kid, fetch your public key from /.well-known/jwks.json, validate the signature, then apply timestamp and policy-binding checks.

Is PEAC a payment protocol, or does it replace my auth/observability stack?

Neither. PEAC is an evidence layer: it records what terms applied and what happened, and can carry settlement references from existing payment rails (x402, Stripe, card billing bridges). Your auth, payment, and observability systems remain the source of execution; PEAC adds portable proof you can share across org boundaries.

How do policy files work, and how is this different from robots.txt?

Agents discover terms via /.well-known/peac.txt (with /peac.txt as a fallback). Unlike robots.txt (advisory, non-verifiable), peac.txt pairs declared terms with verifiable receipts, purpose-based access control, attribution requirements, and optional payment flows.

What can PEAC prove (and what can't it)? What happens in disputes?

PEAC proves the receipt was signed by the issuer, within a validity window, and bound to a specific policy snapshot (plus optional payment/consent/attribution claims). It does not prove the client actually honored the policy, and it's not a content provenance system by itself. For audits or escalation, you can export deterministic "dispute bundles" that package the receipts plus the material needed for verification.

Is PEAC production ready?

Yes. The wire format (peac-receipt/0.1), HTTP headers (PEAC-Receipt), and discovery paths (/.well-known/peac.txt) are stable. Library APIs are maturing but may still evolve. Several production deployments are in progress.

How do I integrate PEAC?

Install the SDK (pnpm add @peac/protocol @peac/crypto), publish a policy file at /.well-known/peac.txt, issue receipts via the issue() function, and return them in the PEAC-Receipt header. See the quickstart guide for step-by-step instructions.

View full documentation

v0.10.0Latest Release

Open protocol. Active development.

PEAC is in active development. Library APIs may evolve.

Read Specification Contribute

Apache-2.0•Stewarded by Originary•Governance