paybondpaybond
Sign in

Agent Receipt Standard (ARS)

A verifiable receipt for autonomous actions—not just payments. A signed receipt anyone can verify—even without Paybond.

A verifiable receipt for autonomous actions—not just payments.

ARS gives you a signed JSON document that proves what an agent did, who authorized it, and what settled—without handing verifiers your raw prompts or tenant secrets. Anyone can check the Gateway signature offline.

This receipt proves

  • What happened — tool, operation, and outcome
  • Who authorized it — principal, model configuration, and policy match
  • Which policy applied — spend decision digest bound at authorize time
  • What evidence exists — Harbor completion and payee signature digests
  • What was ultimately settled — funding transport and final outcome references

Kind paybond.agent_receipt_v1, signed by the Gateway with ed25519-sha256-json-v1 over canonical JSON.

From agent intent to a signed Agent Receipt Standard document: policy gates the tool, execution and evidence bind digests, Gateway composes the receipt.

Happy path

  1. Prompt / agent intent
  2. Policy authorization
  3. Tool execution
  4. Evidence + payment digests
  5. Signed ARS receipt

From agent intent to a signed Agent Receipt Standard document: policy gates the tool, execution and evidence bind digests, Gateway composes the receipt.

What is ARS?

One envelope, many proofs

ARS composes existing Paybond artifacts into a single portable document. It complements—not replaces—settlement receipts, Harbor evidence, and funding credentials.

The Agent Receipt Standard (ARS) answers one question for auditors, downstream agents, and compliance tooling:

This action happened, under this policy, by this model configuration, with this payment and evidence proof—and here is the Gateway signature.

ARS composes authorization decisions, execution digests, evidence bindings, and funding receipts into one offline-verifiable envelope. Verifiers correlate the story without calling Paybond's live API for every field.

Digest-only privacy

ARS never carries raw prompts, tool arguments, tool results, or evidence payloads. Sensitive material appears only as SHA-256 digests (prompt_hash_sha256_hex, arguments_digest_sha256_hex, evidence.payload_digest_sha256_hex, and similar). Verifiers prove what was bound without receiving tenant secrets.

Why ARS exists

Portable proof for multi-tool agents

Side-effecting agents produce many calls per intent. Operators and partners need stable, handoff-friendly proof.

Multi-tool agents produce many side-effecting calls per intent. Operators and partners need:

  • Portable proof they can verify outside Paybond's live API
  • Stable correlation across authorization, Harbor evidence, funding transport, and settlement
  • Agent-to-agent handoff without embedding full JSON in prompts

ARS ships that proof as a Gateway-signed JSON document with a published JSON Schema and public verify endpoint.

Where should I start?

I'm emitting receipts

Wire Kit middleware so authorize → execute → evidence produces an action-scope receipt automatically.

I'm consuming / verifying

Fetch signed JSON by receipt id, then verify signatures—online or offline.

I'm auditing

Export compliance bundles, map receipts to OTEL spans, and trace intent lifecycle.

Interactive example

Travel booking → signed receipt

A hotel booking agent matches policy, submits evidence, records settlement, and Gateway emits one portable ARS document.

Travel booking agent example showing policy, evidence, settlement, and the resulting Agent Receipt Standard document.

Example scenario

Travel booking agent

  • Policy matched (spend cap $150)
  • Evidence submitted (hotel confirmation)
  • Settlement recorded

How ARS relates to other artifacts

ARS links what you already have

Each proof type already exists in Paybond. ARS references them by digest so one document tells the full story.

How Agent Receipt Standard composes payment receipts, evidence, and policy decisions into one signed envelope.
  1. Proves funding transport (MPP / x402)

  2. Evidence

    Proves execution — Harbor completion and payee signature digests

  3. Policy decision

    Proves authorization — spend decision digest at verify time

  4. Agent Receipt Standard (ARS)

    Links them in one signed, offline-verifiable envelope

Full artifact reference
ArtifactWhat it proves
Protocol settlement receiptFinal outcome for AP2/mandate flows
Harbor completion evidencePayee-signed predicate satisfaction
MPP / x402 funding headersFunding transport credentials
Spend authorization decisionPer-verify policy decision (not exported as a receipt)
Agent run traceOperator observability timeline
Agent receipt (paybond.agent_receipt_v1)Per-action composite of the above by digest

How it works

From prompt to signed receipt

Most integrations follow the middleware path: policy gates the tool, evidence submits, Gateway composes the receipt.

  1. Authorize — Kit middleware checks spend policy and records a spend decision digest.
  2. Execute — The guarded tool runs; argument and result digests bind what happened.
  3. Submit evidence — Harbor evaluates the predicate; evidence and payee signature digests are recorded.
  4. Compose receipt — Gateway assembles authorization, execution, evidence, payment, and outcome blocks, then signs canonical JSON.

For a hands-on walkthrough without writing integration code, use sandbox smoke (see API below) or Agent middleware.

Receipt structure

For implementers — full block reference

Expand each block when you need field-level detail. Middleware integrations usually touch authorization, execution, and evidence first.

Start simple

You don't need every field on day one. Start with action-scope receipts from middleware; add intent_terminal when you need terminal settlement wrapping.

Every paybond.agent_receipt_v1 document composes the blocks below. Each row shows its purpose collapsed — expand for key fields.

Agent Receipt Standard paybond.agent_receipt_v1 block reference for implementers.
Top-levelDocument identity and tenant binding

Key fields

  • kind
  • schema_version
  • scope
  • receipt_id
  • issued_at
  • tenant_id
authorizationWho authorized the action and which policy matched

Key fields

  • principal
  • agent model family
  • config_hash_sha256_hex
  • prompt_hash_sha256_hex
  • policy digest
  • spend decision
executionWhat tool ran (action scope)

Key fields

  • run_id
  • tool_call_id
  • tool_name
  • operation
  • arguments_digest_sha256_hex
  • result_digest_sha256_hex
  • timestamps
evidenceHarbor completion and payee signature digests — not raw payloads

Key fields

  • evidence.payload_digest_sha256_hex
  • payee signature digest
paymentFunding transport proof

Key fields

  • MPP Payment-Receipt digest
  • x402 delivery receipt digest
outcomeTerminal Harbor state or partner-equivalent status

Key fields

  • terminal state
  • partner status reference
referencesCross-artifact correlation

Key fields

  • intent_id
  • settlement_receipt_id (optional)
  • audit correlation
SignatureGateway attestation over canonical JSON

Key fields

  • ed25519-sha256-json-v1
  • message_digest_sha256_hex
operator_attestationOptionalDetached operator counter-signature over the Gateway digest

Key fields

  • operator Ed25519 signature
  • model attestation metadata
external_attestationsOptionalPartner-native proofs without making them canonical

Key fields

  • SEP-2828
  • x402 partner attestations

Scopes: per action vs final outcome

Two emission points

Action receipts cover one guarded tool call. Final-outcome receipts wrap the intent when Harbor reaches a terminal state.

Comparison of action-scope and intent_terminal Agent Receipt Standard emission points.

Per action

action
When emitted
After evidence submit for a side-effecting tool call
receipt_id
sha256(intent_id + "\x00" + tool_call_id) hex
Status
Shipped — Gateway compose, fetch, verify, audit export

Final outcome

intent_terminal
When emitted
Harbor reaches terminal state (final outcome)
receipt_id
receipt_id = intent_id (UUID)
Status
References references.settlement_receipt_id; compose follows protocol settlement receipts

Most integrations start with action receipts — one signed envelope per guarded tool call. Add intent_terminal when you need a single receipt that summarizes the settled intent.

API

Fetch and verify signed receipts

Tenant-bound fetch for your receipts; public verify accepts the full JSON body without a live session.

After middleware evidence submit

Gateway composes and persists action receipts when Kit middleware completes the authorize → execute → evidence path. Fetch by receipt id or by intent + tool call:

HTTP (tenant-bound):

GET /protocol/v2/agent-receipts/{receipt_id}
GET /protocol/v2/agent-receipts?intent_id={uuid}&tool_call_id={id}

Kit:

paybond-session.ts

Code exampleSwipe to inspect long lines
const receipt = await paybond.agent.getReceipt({
  intentId: "…",
  toolCallId: "…",
});
// or: await paybond.agent.getReceipt({ receiptId: "…" });

CLI:

Terminal
Terminal commandSwipe to inspect long lines
paybond login
paybond receipts get <receipt_id> --kind agent --format json
paybond receipts verify <receipt_id> --kind agent --format json

Offline verify (no tenant fetch): POST /protocol/v2/agent-receipts/verify with the full receipt JSON body, or Kit verifyAgentReceiptV1 / Python parity.

Sandbox-friendly workflow

Run a local middleware smoke path, then inspect receipts:

Terminal
Terminal commandSwipe to inspect long lines
paybond dev loop --offline   # terminal 1
paybond dev trace            # terminal 2 — timeline at http://127.0.0.1:9477

Or explicit smoke:

Terminal
Terminal commandSwipe to inspect long lines
paybond login
paybond agent sandbox smoke \
  --operation paid-tool \
  --requested-spend-cents 100 \
  --evidence-preset cost_and_completion \
  --result-body '{"status":"ok","cost_cents":100}' \
  --format json

After evidence submit, use paybond receipts get … --kind agent with the returned receipt_id or derived id from intent + tool call. See Agent middleware for the full bind → execute → evidence flow.

MCP resource handoff

Agent-to-agent receipt fetch

Hosts read signed JSON via MCP without embedding receipts in prompts. Always verify signatures before trusting contents.

The Paybond MCP server publishes a resource template for agent-to-agent receipt handoff:

ItemValue
URI templatepaybond://receipt/{receipt_id}
MIME typeapplication/json
SourceTenant-bound GET /protocol/v2/agent-receipts/{receipt_id}

Hosts call resources/read on paybond://receipt/{receipt_id} to fetch signed JSON without embedding it in prompts. Details: MCP server — agent receipt resources. For MCP spend setup, see MCP agent spend controls.

Operator counter-signature (optional)

When present, operator_attestation is a detached Ed25519 signature over the Gateway message_digest_sha256_hex — not a second canonical body. Verifiers must confirm the attestation digest matches the Gateway digest before checking the operator key.

Gateway compose does not require this block. Kit attach helpers add it when an operator signing key is available (model attestation for downstream trust registries).

Audit export and Signal inputs

  • Compliance bundles — opt-in agent_receipts include stores each receipt at agent_receipts/{receipt_id}.json. Verify with paybond receipts verify --kind agent or POST /protocol/v2/agent-receipts/verify. See Audit export compliance.
  • Signal fraud inputsAGENT_RECEIPT_VOLUME_SPIKE and AGENT_RECEIPT_POLICY_DRIFT derive from gateway receipt rows (score-neutral operator signals).

Derived views

ViewDoc
Human-readable PDFAgent receipt PDF export
OpenTelemetry span attributesAgent receipt OTEL mapping

PDFs are presentation-only; signed JSON remains canonical.

Specification

Normative references

This guide is product-oriented. Implementers should use the platform doc and published schema for field-level contracts.

  • Platform reference: Agent receipts
  • Design doc: designs/agent-receipt-v1.md (repository)
  • JSON Schema: GET /.well-known/agent-receipt-v1.json