An agent receipt (paybond.agent_receipt_v1) is Paybond's portable signed JSON artifact for a single autonomous action (or, in a later scope, an intent-terminal outcome). It answers:
This action happened, under this policy, by this model configuration, with this payment and evidence proof — and here is the Gateway signature.
Public guide: Agent Receipt Standard (ARS).
Agent receipts complement — they do not replace — existing Paybond artifacts:
| Artifact | What it proves today |
|---|---|
| Protocol settlement receipt | Intent-terminal outcome for AP2/mandate flows |
| Harbor completion evidence | Payee-signed predicate satisfaction |
| MPP / x402 funding headers | Funding transport credentials |
| Spend authorization decision | Per-verify policy decision (not exported as a receipt) |
| Agent run trace | Operator observability timeline |
Agent receipts compose those pieces into one offline-verifiable envelope using digests and references.
When receipts are emitted
| Scope | When | Status |
|---|---|---|
action | After evidence submit for a side-effecting tool call | Shipped — Gateway compose, persist, fetch, verify, audit export |
intent_terminal | Harbor reaches terminal state | References references.settlement_receipt_id; follows protocol settlement receipt path |
Runtime compose runs in Gateway after Kit middleware completes the authorize → execute → evidence path for action scope. Receipt ids are deterministic: sha256(intent_id + "\x00" + tool_call_id) hex for action scope.
Privacy model
Receipts are hash-only for prompts, tool arguments, tool results, and evidence payloads. The schema rejects raw sensitive fields. Tenants can require prompt_hash_sha256_hex and config_hash_sha256_hex without exposing prompt text to verifiers.
Trust model
- Gateway signature — Composite receipts are signed by Paybond Gateway with a dedicated agent-receipt key (same rotation posture as other Gateway signing keys).
- Payee evidence — Referenced by
evidence.payee_signature_digest_sha256_hex; Gateway does not re-sign payee evidence. - Operator counter-signature (optional) —
operator_attestationsigns the Gatewaymessage_digest_sha256_hexfor model attestation; Kit attach helpers add it when an operator signing key is available. - Offline verify — Kit, Gateway, Rust (
paybond-agent-receipt), and Go (agentreceipt) expose verify helpers; Gateway publishes the JSON Schema atGET /.well-known/agent-receipt-v1.json.
Discovery and API routes
| Route | Auth | Purpose |
|---|---|---|
GET /.well-known/agent-receipt-v1.json | Public | JSON Schema for paybond.agent_receipt_v1 |
POST /protocol/v2/agent-receipts/verify | Public | Verify a signed receipt JSON body |
GET /protocol/v2/agent-receipts/{receipt_id} | Tenant-bound | Fetch one signed receipt |
GET /protocol/v2/agent-receipts | Tenant-bound | List or resolve by intent_id + tool_call_id query params |
See also v2 protocol trust for related discovery routes and Gateway API reference for the full route table.
Developer surfaces
| Surface | Capability |
|---|---|
Rust paybond-agent-receipt | Types, hash helpers, verify |
Go go/gateway/internal/agentreceipt | Types, hash helpers, verify, compose |
Kit TS/Python verifyAgentReceiptV1 | Offline verify |
Kit paybond.agent.getReceipt() | Tenant-bound fetch after evidence submit |
CLI paybond receipts get|verify --kind agent | Fetch and verify action receipts |
MCP paybond://receipt/{receipt_id} | Agent-to-agent handoff via resources/read |
Audit export agent_receipts include | Compliance bundle copies at agent_receipts/{receipt_id}.json |
| Signal fraud inputs | AGENT_RECEIPT_VOLUME_SPIKE, AGENT_RECEIPT_POLICY_DRIFT (score-neutral) |
Normative details: designs/agent-receipt-v1.md. Conformance vectors: kit/agent-receipt/conformance/.