Policy (peac.txt)
A PEAC policy file is a machine-readable document published at /.well-known/peac.txt that declares the terms governing AI agent interactions with your service.
Where robots.txt tells crawlers what they can index, peac.txt tells AI agents what they can do -- and under what terms. It covers consent, pricing, attribution, access controls, and compliance requirements in a single discoverable file.
Discovery
Agents and clients discover policies by fetching the well-known endpoint.
GET https://api.example.com/.well-known/peac.txt HTTP/1.1
Accept: text/yaml
The server responds with a YAML document containing all applicable policy declarations. Discovery is automatic -- any PEAC-aware agent will check for this file before interacting with your service.
Format
The policy file uses YAML format with a structured schema.
version: 0.9.2
protocol: peac
peac:
  consent:
    ai_training: conditional
    scraping: denied
  economics:
    pricing: $0.01/gb
    payment_rails:
      - x402
      - stripe
  attribution:
    required: true
    format: citation
  access:
    rate_limit: 1000/hour
  compliance:
    jurisdictions:
      - US
      - EU
Policy sections
Each section of the policy file governs a specific aspect of the interaction terms.
consent
Declares what the service allows regarding data use by AI systems.
| Field | Values | Description |
|---|---|---|
| ai_training | allowed, conditional, denied | Whether data can be used for AI model training |
| scraping | allowed, conditional, denied | Whether content can be scraped or bulk-downloaded |
A value of conditional means the action is permitted only when accompanied by a valid receipt proving the terms were accepted.
economics
Declares pricing and supported payment methods for paid interactions.
| Field | Type | Description |
|---|---|---|
| pricing | String | Human-readable pricing string (e.g., $0.01/gb, $0.001/request) |
| payment_rails | String array | Supported payment rail identifiers (e.g., x402, stripe, razorpay) |
attribution
Declares attribution requirements for content use.
| Field | Type | Description |
|---|---|---|
| required | Boolean | Whether attribution is required (true or false) |
| format | String | Attribution format -- citation, link, notice, or custom |
access
Declares access control terms and rate limits.
| Field | Type | Description |
|---|---|---|
| rate_limit | String | Rate limit expression (e.g., 1000/hour, 10/second) |
| authentication | String | Required authentication method (e.g., bearer, api_key) |
compliance
Declares compliance-relevant metadata for regulatory alignment.
| Field | Type | Description |
|---|---|---|
| jurisdictions | String array | Applicable jurisdictions (ISO 3166-1 codes) |
| data_retention | String | Data retention policy (e.g., 90d, 1y, none) |
Purpose tokens
Policy files can declare purpose-based access control using canonical purpose tokens. Each token represents a distinct intent for the interaction.
| Token | Meaning | Example use |
|---|---|---|
| train | AI model training | Fine-tuning on scraped content |
| search | Search indexing | Building a search index |
| inference | Real-time inference | Answering a user query |
| index | Content indexing | Cataloging available resources |
| user_action | Direct user-initiated action | User clicks "summarize this page" |
Purpose rules are evaluated in declaration order using first-match-wins semantics. Place more specific rules before general ones. If no rule matches, the default is denied.
Issuer configuration
Alongside the policy, services publish their verification keys at a separate well-known endpoint. This enables offline receipt verification without contacting the issuer.
{
  "keys": [
    {
      "kty": "OKP",
      "crv": "Ed25519",
      "use": "sig",
      "kid": "peac-2026-02",
      "x": "<base64url-encoded-public-key>",
      "alg": "EdDSA"
    }
  ]
}
This JWKS (JSON Web Key Set) is served at:
https://api.example.com/.well-known/peac-issuer.json
The kid values in receipts must match a key in this set for verification check #4 to pass.