A verifiable receipt for autonomous actions—not just payments.
ARS gives you a signed JSON document that proves what an agent did, who authorized it, and what settled—without handing verifiers your raw prompts or tenant secrets. Anyone can check the Gateway signature offline.
This receipt proves
- What happened — tool, operation, and outcome
- Who authorized it — principal, model configuration, and policy match
- Which policy applied — spend decision digest bound at authorize time
- What evidence exists — Harbor completion and payee signature digests
- What was ultimately settled — funding transport and final outcome references
Kind paybond.agent_receipt_v1, signed by the Gateway with ed25519-sha256-json-v1 over canonical JSON.
Happy path
- Prompt / agent intent
- Policy authorization
- Tool execution
- Evidence + payment digests
- Signed ARS receipt
From agent intent to a signed Agent Receipt Standard document: policy gates the tool, execution and evidence bind digests, Gateway composes the receipt.
What is ARS?
One envelope, many proofs
ARS composes existing Paybond artifacts into a single portable document. It complements—not replaces—settlement receipts, Harbor evidence, and funding credentials.
The Agent Receipt Standard (ARS) answers one question for auditors, downstream agents, and compliance tooling:
This action happened, under this policy, by this model configuration, with this payment and evidence proof—and here is the Gateway signature.
ARS composes authorization decisions, execution digests, evidence bindings, and funding receipts into one offline-verifiable envelope. Verifiers correlate the story without calling Paybond's live API for every field.
Digest-only privacy
ARS never carries raw prompts, tool arguments, tool results, or evidence payloads. Sensitive material appears only as SHA-256 digests (prompt_hash_sha256_hex, arguments_digest_sha256_hex, evidence.payload_digest_sha256_hex, and similar). Verifiers prove what was bound without receiving tenant secrets.
Why ARS exists
Portable proof for multi-tool agents
Side-effecting agents produce many calls per intent. Operators and partners need stable, handoff-friendly proof.
Multi-tool agents produce many side-effecting calls per intent. Operators and partners need:
- Portable proof they can verify outside Paybond's live API
- Stable correlation across authorization, Harbor evidence, funding transport, and settlement
- Agent-to-agent handoff without embedding full JSON in prompts
ARS ships that proof as a Gateway-signed JSON document with a published JSON Schema and public verify endpoint.
Where should I start?
I'm emitting receipts
I'm consuming / verifying
I'm auditing
Interactive example
Travel booking → signed receipt
A hotel booking agent matches policy, submits evidence, records settlement, and Gateway emits one portable ARS document.
Example scenario
Travel booking agent
- Policy matched (spend cap $150)
- Evidence submitted (hotel confirmation)
- Settlement recorded
How ARS relates to other artifacts
ARS links what you already have
Each proof type already exists in Paybond. ARS references them by digest so one document tells the full story.
Proves funding transport (MPP / x402)
- Evidence
Proves execution — Harbor completion and payee signature digests
- Policy decision
Proves authorization — spend decision digest at verify time
- Agent Receipt Standard (ARS)
Links them in one signed, offline-verifiable envelope
Full artifact reference
| Artifact | What it proves |
|---|---|
| Protocol settlement receipt | Final outcome for AP2/mandate flows |
| Harbor completion evidence | Payee-signed predicate satisfaction |
| MPP / x402 funding headers | Funding transport credentials |
| Spend authorization decision | Per-verify policy decision (not exported as a receipt) |
| Agent run trace | Operator observability timeline |
| Agent receipt (paybond.agent_receipt_v1) | Per-action composite of the above by digest |
How it works
From prompt to signed receipt
Most integrations follow the middleware path: policy gates the tool, evidence submits, Gateway composes the receipt.
- Authorize — Kit middleware checks spend policy and records a spend decision digest.
- Execute — The guarded tool runs; argument and result digests bind what happened.
- Submit evidence — Harbor evaluates the predicate; evidence and payee signature digests are recorded.
- Compose receipt — Gateway assembles authorization, execution, evidence, payment, and outcome blocks, then signs canonical JSON.
For a hands-on walkthrough without writing integration code, use sandbox smoke (see API below) or Agent middleware.
Receipt structure
For implementers — full block reference
Expand each block when you need field-level detail. Middleware integrations usually touch authorization, execution, and evidence first.
Start simple
You don't need every field on day one. Start with action-scope receipts from middleware; add intent_terminal when you need terminal settlement wrapping.
Every paybond.agent_receipt_v1 document composes the blocks below. Each row shows its purpose collapsed — expand for key fields.
Top-levelDocument identity and tenant binding
Key fields
- kind
- schema_version
- scope
- receipt_id
- issued_at
- tenant_id
authorizationWho authorized the action and which policy matched
Key fields
- principal
- agent model family
- config_hash_sha256_hex
- prompt_hash_sha256_hex
- policy digest
- spend decision
executionWhat tool ran (action scope)
Key fields
- run_id
- tool_call_id
- tool_name
- operation
- arguments_digest_sha256_hex
- result_digest_sha256_hex
- timestamps
evidenceHarbor completion and payee signature digests — not raw payloads
Key fields
- evidence.payload_digest_sha256_hex
- payee signature digest
paymentFunding transport proof
Key fields
- MPP Payment-Receipt digest
- x402 delivery receipt digest
outcomeTerminal Harbor state or partner-equivalent status
Key fields
- terminal state
- partner status reference
referencesCross-artifact correlation
Key fields
- intent_id
- settlement_receipt_id (optional)
- audit correlation
SignatureGateway attestation over canonical JSON
Key fields
- ed25519-sha256-json-v1
- message_digest_sha256_hex
operator_attestationOptionalDetached operator counter-signature over the Gateway digest
Key fields
- operator Ed25519 signature
- model attestation metadata
external_attestationsOptionalPartner-native proofs without making them canonical
Key fields
- SEP-2828
- x402 partner attestations
Scopes: per action vs final outcome
Two emission points
Action receipts cover one guarded tool call. Final-outcome receipts wrap the intent when Harbor reaches a terminal state.
Per action
action- When emitted
- After evidence submit for a side-effecting tool call
- receipt_id
- sha256(intent_id + "\x00" + tool_call_id) hex
- Status
- Shipped — Gateway compose, fetch, verify, audit export
Final outcome
intent_terminal- When emitted
- Harbor reaches terminal state (final outcome)
- receipt_id
- receipt_id = intent_id (UUID)
- Status
- References references.settlement_receipt_id; compose follows protocol settlement receipts
Most integrations start with action receipts — one signed envelope per guarded tool call. Add intent_terminal when you need a single receipt that summarizes the settled intent.
API
Fetch and verify signed receipts
Tenant-bound fetch for your receipts; public verify accepts the full JSON body without a live session.
After middleware evidence submit
Gateway composes and persists action receipts when Kit middleware completes the authorize → execute → evidence path. Fetch by receipt id or by intent + tool call:
HTTP (tenant-bound):
GET /protocol/v2/agent-receipts/{receipt_id}
GET /protocol/v2/agent-receipts?intent_id={uuid}&tool_call_id={id}
Kit:
paybond-session.ts
const receipt = await paybond.agent.getReceipt({
intentId: "…",
toolCallId: "…",
});
// or: await paybond.agent.getReceipt({ receiptId: "…" });CLI:
terminal
paybond login
paybond receipts get <receipt_id> --kind agent --format json
paybond receipts verify <receipt_id> --kind agent --format jsonOffline verify (no tenant fetch): POST /protocol/v2/agent-receipts/verify with the full receipt JSON body, or Kit verifyAgentReceiptV1 / Python parity.
Sandbox-friendly workflow
Run a local middleware smoke path, then inspect receipts:
terminal
paybond dev loop --offline # terminal 1
paybond dev trace # terminal 2 — timeline at http://127.0.0.1:9477Or explicit smoke:
terminal
paybond login
paybond agent sandbox smoke \
--operation paid-tool \
--requested-spend-cents 100 \
--evidence-preset cost_and_completion \
--result-body '{"status":"ok","cost_cents":100}' \
--format jsonAfter evidence submit, use paybond receipts get … --kind agent with the returned receipt_id or derived id from intent + tool call. See Agent middleware for the full bind → execute → evidence flow.
MCP resource handoff
Agent-to-agent receipt fetch
Hosts read signed JSON via MCP without embedding receipts in prompts. Always verify signatures before trusting contents.
The Paybond MCP server publishes a resource template for agent-to-agent receipt handoff:
| Item | Value |
|---|---|
| URI template | paybond://receipt/{receipt_id} |
| MIME type | application/json |
| Source | Tenant-bound GET /protocol/v2/agent-receipts/{receipt_id} |
Hosts call resources/read on paybond://receipt/{receipt_id} to fetch signed JSON without embedding it in prompts. Details: MCP server — agent receipt resources. For MCP spend setup, see MCP agent spend controls.
Operator counter-signature (optional)
When present, operator_attestation is a detached Ed25519 signature over the Gateway message_digest_sha256_hex — not a second canonical body. Verifiers must confirm the attestation digest matches the Gateway digest before checking the operator key.
Gateway compose does not require this block. Kit attach helpers add it when an operator signing key is available (model attestation for downstream trust registries).
Audit export and Signal inputs
- Compliance bundles — opt-in
agent_receiptsinclude stores each receipt atagent_receipts/{receipt_id}.json. Verify withpaybond receipts verify --kind agentorPOST /protocol/v2/agent-receipts/verify. See Audit export compliance. - Signal fraud inputs —
AGENT_RECEIPT_VOLUME_SPIKEandAGENT_RECEIPT_POLICY_DRIFTderive from gateway receipt rows (score-neutral operator signals).
Derived views
| View | Doc |
|---|---|
| Human-readable PDF | Agent receipt PDF export |
| OpenTelemetry span attributes | Agent receipt OTEL mapping |
PDFs are presentation-only; signed JSON remains canonical.
Specification
Normative references
This guide is product-oriented. Implementers should use the platform doc and published schema for field-level contracts.
- Platform reference: Agent receipts
- Design doc:
designs/agent-receipt-v1.md(repository) - JSON Schema:
GET /.well-known/agent-receipt-v1.json