v0.15.2 | Package available | Record category

API Call Records

Record evidence for HTTP API calls: what terms applied, what was requested, and what the outcome was. The API server is the issuer; any downstream party with the issuer's public key can verify the record offline. No wire-format change to your API is required.

Packages: @peac/protocol, @peac/middleware-express

How It Works

Your API server signs a compact record on each response and returns it in a standard HTTP header. Verifiers need only your public key, with no callback to your service.

1. Publish an issuer config

Your server holds an Ed25519 signing key and publishes /.well-known/peac-issuer.json pointing to a JWKS, so verifiers can resolve your public key by iss.

2. Issue a record per response

Call issue() from @peac/protocol to produce a signed interaction-record+jwt JWS, then return it in the PEAC-Receipt response header.

3. Verify offline anywhere

Any party with your public key can confirm the record with verifyLocal(), with no network call and no shared secret.
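
The offline check from step 3, as an added example that is not code from the PEAC project and not the implementation of verifyLocal(): it verifies an Ed25519-signed compact JWS with Node's built-in crypto module. The helper names, the EdDSA alg value and the placement of interaction-record+jwt in the JWS typ header are assumptions; the key pair and claims are constructed samples.

```javascript
// Added illustration using Node's built-in crypto; not @peac/protocol code.
const { generateKeyPairSync, sign, verify } = require('node:crypto');

const b64u = (v) => Buffer.from(v).toString('base64url');
const fromB64u = (s) => Buffer.from(s, 'base64url');
const RECORD_TYP = 'interaction-record+jwt'; // assumed to be the JWS header typ

// Issuer side, constructed only so the verifier below has input.
function signRecord(claims, privateKey) {
  const header = { alg: 'EdDSA', typ: RECORD_TYP };
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${b64u(sign(null, Buffer.from(input), privateKey))}`;
}

// Verifier side: needs only the issuer's public key and the expected issuer origin.
function verifyRecord(jws, publicKey, expectedIss) {
  const parts = String(jws).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [h, p, s] = parts;
  let header, claims;
  try {
    header = JSON.parse(fromB64u(h).toString('utf8'));
    claims = JSON.parse(fromB64u(p).toString('utf8'));
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  // Pin algorithm and type before checking the signature, so a token that
  // declares "none" or another token type is never accepted.
  if (header?.alg !== 'EdDSA') return { ok: false, reason: 'bad_alg' };
  if (header?.typ !== RECORD_TYP) return { ok: false, reason: 'bad_typ' };
  if (!verify(null, Buffer.from(`${h}.${p}`), publicKey, fromB64u(s))) {
    return { ok: false, reason: 'bad_signature' };
  }
  // A valid signature under the right key must still name the expected issuer.
  if (claims?.iss !== expectedIss) return { ok: false, reason: 'iss_mismatch' };
  return { ok: true, claims };
}

// Constructed sample: throwaway key pair and the claims used on this page.
const { publicKey, privateKey } = generateKeyPairSync('ed25519');
const sampleClaims = { iss: 'https://api.example.com', sub: 'user:abc123', typ: 'access' };
const sampleRecord = signRecord(sampleClaims, privateKey);

console.log(verifyRecord(sampleRecord, publicKey, 'https://api.example.com'));
```

The claims come back only after the header pinning, signature check and issuer match all pass, so a consumer should read them from the returned object rather than decoding the header value itself.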

Install

pnpm add @peac/protocol @peac/crypto

Issue a record on each response

issue() takes the claims and your private key and returns a compact JWS. Set it on the PEAC-Receipt header.

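issue-api-record.ts (TypeScript)
import { issue } from '@peac/protocol';

// privateKey: the issuer's Ed25519 signing key, loaded elsewhere in your application
// res: the HTTP response object for the current request
const record = await issue({
  iss: 'https://api.example.com', // issuer: canonical HTTPS origin that signs the record
  sub: 'user:abc123',             // subject: caller or resource identifier
  typ: 'access',                  // interaction type
}, privateKey);

// Return the compact JWS to the caller in the PEAC-Receipt response header
res.setHeader('PEAC-Receipt', record);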

Automatic issuance with Express middleware

For Express APIs, @peac/middleware-express issues a signed PEAC-Receipt on every response in three lines.

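app.ts (TypeScript)
import { peacMiddleware } from '@peac/middleware-express';

// app: your Express application; privateKey: the issuer's Ed25519 signing key
// Register the middleware so every response carries a signed PEAC-Receipt header
app.use(peacMiddleware({
  privateKey,
  issuer: 'https://api.example.com',
}));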

What gets recorded

Claim    What it records
iss      Issuer identity: the canonical HTTPS origin that signed the record
sub      Subject: the caller or resource identifier
typ      Interaction type: access, attribution, consent, commerce, and others
ext[]    Structured evidence from registered extension groups, plus timestamps and optional expiry

Semantic Boundary

PEAC records structured interaction evidence. It does not store raw request bodies, response payloads, session tokens, or credentials, and it does not replace your API, gateway, auth system, or logs. An API call record proves what the issuer attested about the interaction, not more.

Portable API Evidence

A signed API record travels across MCP, A2A, ACP, x402, and HTTP. A verifier needs only the issuer's public key to confirm it offline.