Open standard for verifiable interaction records
Portable, signed evidence of what happened between agents, APIs, and services. Verify anywhere, once you have the issuer's public key.
Logs are local. PEAC records are cross-boundary evidence that auditors, partners, and regulators can verify independently.
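    import { verifyLocal } from '@peac/protocol'

    // `response` is the HTTP response that carried the receipt;
    // `publicKey` is the issuer's public key, acquired beforehand.
    const receipt = response.headers.get('PEAC-Receipt')

    // Verification is pinned to the expected issuer and audience.
    const result = await verifyLocal(receipt, publicKey, {
      issuer: 'https://api.example.com',
      audience: 'https://client.example.com',
    })

    // Read claims only after verification has succeeded.
    if (result.valid) {
      console.log('Issuer:', result.claims.iss)
      console.log('Kind:', result.claims.kind)
      console.log('Type:', result.claims.type)
    }

Start here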
Choose your path. Each guide takes under 5 minutes.
Key Concepts
Record
PeacRecord: The portable interaction artifact: a structured claim set that can be independently verified by any party.
Receipt
PEAC-Receipt: The signed file format: an Ed25519 JWS returned in an HTTP header or transport metadata.
Evidence Bundle
peac-bundle/0.1: A ZIP package containing receipts, policy snapshots, public keys, and verification reports for audit.
Why verifiable records?
Internal logs tell you what happened. PEAC records prove it to auditors, partners, and regulators across organizational boundaries.
Accountability
Decentralized verification without shared databases
Incident Response
Trace agent actions across independent organizations
Compliance
Machine-verifiable proof for regulatory evidence
Five steps from policy to verified receipt
From policy discovery to verifiable proof in a single HTTP exchange.
Discover
Agent fetches policy file
/.well-known/peac.txt
Request
Agent includes intent in headers
PEAC-Purpose: index
Settle
Server enforces policy
402 Payment Required
Sign
Server issues receipt
PEAC-Receipt: eyJ...
Verify
Agent verifies locally
Ed25519 verified
Where PEAC fits (and where it does not)
PEAC is the evidence layer. It complements identity, payment, and observability systems.
PEAC Provides
- Policy surfaces (/.well-known/peac.txt)
- Signed receipts (Ed25519 JWS)
- Offline verification (deterministic, no issuer callback)
- Evidence bundles (audit and dispute packages)
- Transport adapters (MCP, A2A, ACP, x402, HTTP)
PEAC Does Not Replace
- OpenTelemetry: OTel is observability; PEAC is portable proof that can correlate to traces
- MCP / A2A: These coordinate tool use and agent exchanges; PEAC carries proof alongside them
- C2PA: C2PA is media provenance; PEAC is interaction evidence
- Payment rails: Rails move funds; PEAC records settlement references
Built for real problems
Audit and Incident Review
Trace agent actions back to specific decisions. Generate evidence bundles for investigation.
Policy-Bound Access
Machine-readable terms with cryptographic proof that policy was applied.
Agent Commerce Evidence
Autonomous agents discover pricing, negotiate terms, and retain verifiable payment proof.
Compliance Evidence Trails
Support regulatory programs (EU AI Act, NIST). Policy binding creates machine-verifiable audit trails.
Works with your stack
Adapters and mappings for agent protocols, payment rails, and developer tools.
Security and verification
Cryptographic Foundations
- Ed25519: Compact 64-byte signatures, verified in microseconds
- JWS: RFC 7515, JSON Web Signature envelope format
- RFC 8032: EdDSA algorithm specification
- RFC 8785: Canonical JSON for deterministic policy binding
Verification Guarantees
- Offline verification once keys are acquired
- Deterministic output (canonical JSON)
- Cross-language parity (TypeScript and Go)
- JWKS discovery with SSRF protection
- Replay protection via nonce and timestamp
- Fail-closed by default
Common questions
Do I need a central service or account to use PEAC?
No. PEAC is an open standard: you publish policy and keys on your own domain, issue signed records alongside your responses, and anyone can verify them independently. There is no central authority required.
What exactly is a PEAC receipt?
A record is the portable interaction artifact. A receipt is the signed file format: an Ed25519 JWS returned in the PEAC-Receipt HTTP header. Verification is deterministic and offline once the verifier has the issuer's public key.
Is PEAC a payment protocol?
No. PEAC is an evidence layer: it records what terms applied and what happened, and can carry settlement references from existing payment rails (x402, Stripe, card billing). Your auth, payment, and observability systems stay as they are. PEAC adds portable proof you can share across organizational boundaries.
How does verification work? Is it really offline?
Verification is deterministic and offline once the verifier has the issuer's public key or a bundled verification artifact. Key acquisition may involve a network call (fetching JWKS from the issuer's domain), but the verification algorithm itself requires zero network calls: decode the JWS, validate the signature against the public key, check timestamps and claims.
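The three steps named above (decode the JWS, validate the signature, check timestamps and claims), sketched with Node's built-in crypto module. This is an added example, not PEAC's own code: `verifyOffline` and `issueDemo` are hypothetical names, and the `iat`/`exp` claim names, the 60-second clock skew and the sample claim values are assumptions.

```javascript
// Added example: generic offline Ed25519 JWS check; not @peac/protocol code.
const { generateKeyPairSync, sign, verify } = require('node:crypto');

const b64u = (x) => Buffer.from(x).toString('base64url');
const fail = (reason) => ({ valid: false, reason });

// Constructed issuer side, present only so there is a receipt to verify.
function issueDemo(privateKey, claims) {
  const input = `${b64u(JSON.stringify({ alg: 'EdDSA' }))}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${b64u(sign(null, Buffer.from(input), privateKey))}`;
}

// Fail closed: anything short of a full pass returns valid: false with a reason.
function verifyOffline(jws, publicKey, opts) {
  const { issuer, audience, now = Math.floor(Date.now() / 1000), skew = 60 } = opts;
  const parts = String(jws).split('.');
  if (parts.length !== 3) return fail('malformed');
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
    claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
  } catch {
    return fail('malformed');
  }
  if (!header || !claims || typeof claims !== 'object') return fail('malformed');
  // Pin the algorithm; the token's own header must never choose the verifier.
  if (header.alg !== 'EdDSA') return fail('alg');
  const sig = Buffer.from(parts[2], 'base64url');
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  if (sig.length !== 64 || !verify(null, signed, publicKey, sig)) return fail('signature');
  // Claims are trusted only after the signature has passed.
  if (claims.iss !== issuer) return fail('issuer');
  if (claims.aud !== audience) return fail('audience');
  // iat/exp are assumed JWT-style timestamp claims (seconds since epoch).
  if (typeof claims.iat !== 'number' || claims.iat > now + skew) return fail('iat');
  if (typeof claims.exp === 'number' && claims.exp < now - skew) return fail('expired');
  return { valid: true, claims };
}

// Constructed sample data: throwaway key pair, fixed clock, made-up claim values.
const NOW = 1700000000;
const keys = generateKeyPairSync('ed25519');
const sample = { iss: 'https://api.example.com', aud: 'https://client.example.com',
  kind: 'example-kind', type: 'example-type', iat: NOW - 5, exp: NOW + 300 };
const receipt = issueDemo(keys.privateKey, sample);
const expected = { issuer: sample.iss, audience: sample.aud, now: NOW };
console.log(verifyOffline(receipt, keys.publicKey, expected).valid);
```

No network call occurs anywhere in `verifyOffline`; the only input that has to be acquired beforehand is the issuer's public key.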
Is PEAC production ready?
The current stable release is v0.12.0, published on npm as latest. Interaction Record Format 0.2 is stable with structured kinds, typed extensions, and policy binding. 5,654 tests, 146 normative requirement IDs, OIDC trusted publishing. Libraries are pre-1.0 and may still evolve.
How do I integrate PEAC?
Install @peac/protocol and @peac/crypto, publish a policy file at /.well-known/peac.txt, issue receipts via issueWire02(), and return them in the PEAC-Receipt header. For Express apps, use @peac/middleware-express (3 lines). For AI agents in Claude Desktop or Cursor, use @peac/mcp-server. See the quickstart for step-by-step instructions.
For researchers, policymakers, and institutions
Verifiable interaction records for accountability
PEAC is an open standard with evaluation artifacts, governance documentation, and conformance test vectors for institutional review.
Open protocol. Active development.
PEAC is in active development. Library APIs may evolve before v1.0.