Version: v0.12.11

API Call Records

PEAC records evidence for HTTP API calls: what terms applied, what was requested, and what the outcome was. The issuer is the server; verifiers are any downstream party with the issuer's public key.

How it works

  1. Your API server has an Ed25519 signing key and publishes a JWKS at /.well-known/peac-issuer.json
  2. On each response, call issue() from @peac/protocol to produce a signed JWS
  3. Return the JWS in the PEAC-Receipt response header
  4. Any party with your public key can verify the record offline

import { issue } from '@peac/protocol';

// privateKey is the server's Ed25519 signing key; its public half is published in the JWKS.
// Shown inside an Express route handler so that `res` is defined.
app.get('/resource', async (req, res) => {
  // Claims describing this interaction; issue() returns the signed compact JWS
  const record = await issue({
    iss: 'https://api.example.com',
    sub: 'user:abc123',
    typ: 'access',
  }, privateKey);

  // Return the record to the caller in the PEAC-Receipt response header
  res.setHeader('PEAC-Receipt', record);
  res.json({ ok: true });
});

Express middleware (automatic issuance)

npm install @peac/middleware-express

import { peacMiddleware } from '@peac/middleware-express';

app.use(peacMiddleware({ privateKey, issuer: 'https://api.example.com' }));

Every response automatically gets a signed PEAC-Receipt header.

What gets recorded

  • Issuer identity (iss) -- who signed the record
  • Subject (sub) -- caller or resource identifier
  • Interaction type (typ) -- access, attribution, consent, commerce, etc.
  • Extension claims in ext[] -- structured evidence from registered extension groups
  • Timestamp and optional expiry

What does NOT get recorded

PEAC does not store raw request bodies, response payloads, session tokens, or credentials. It records structured interaction evidence only.