peac.txt Policy File

Enterprise-grade policy coordination for agents and automated systems. Standardizes access control, compliance requirements, and cryptographic verification using proven web protocols.

View Examples Validation Tools Specification

Current version: 0.12.0 • Primary header: PEAC-Receipt

Wire format peac-receipt/0.1 (normalized baseline)

How peac.txt works

Policy discovery - Agents read your policy file at /.well-known/peac.txt

Purpose declaration - Specify allowed uses (indexing, research) and restricted uses (training)

Access control - Set rate limits, quotas, and attribution requirements

Receipt verification - Agents provide cryptographic proof of compliance

Relationship to robots.txt

robots.txt provides basic crawler directives. It is advisory and cannot verify compliance.

peac.txt extends this model with verifiable receipts, purpose-based access control, attribution tracking, and optional payment flows.

Files work together. Use robots.txt for basic crawling rules and peac.txt for agent coordination.

Policy Examples

Basic policy

Allows indexing and research with attribution. Other purposes require negotiation.

/.well-known/peac.txt

version: peac-policy/0.1
usage: conditional
purposes: [indexing, research]
control_purposes: [train, search, user_action, inference, index]
attribution: required
attribution_format: "Source: {url} via PEAC"

Complete policy

Includes rate limits, retention policies, payment endpoints, and contact information.

/.well-known/peac.txt

# PEAC policy for yourdomain.com
version: peac-policy/0.1
usage: conditional

# Basic usage - indexing and research allowed
purposes: [indexing, research]
control_purposes: [train, search, user_action, inference, index]
licensing: open
attribution: required
attribution_format: "Source: {url} via PEAC"

# Privacy and retention
consent: optional
privacy_policy: https://yourdomain.com/privacy
data_retention: P30D

# Access limits
rate_limit: 600/hour
daily_limit: 3000
free_quota: 1000

# Enforcement and payments
enforcement: http-402
payment_methods: [x402]
receipts: required

# Contacts
contact: hello@yourdomain.com
support: https://yourdomain.com/contact

Research-only policy

Restricts access to research purposes only. All other uses require explicit negotiation.

/.well-known/peac.txt

version: peac-policy/0.1
usage: conditional
purposes: [research]
control_purposes: [index]
licensing: subscription
attribution: required
consent: required
receipts: required

File placement: Primary location /.well-known/peac.txt, with optional fallback at /peac.txt

Protocol Flow

Discovery: Agent reads policy at /.well-known/peac.txt

Negotiation: Agent calls negotiate endpoint if required

Receipt: Agent obtains signed receipt with terms/payment proof

Access: Agent includes receipt in PEAC-Receipt header

Protocol Headers

PEAC-Receipt:Cryptographic proof of compliance

HTTP Status Codes

200 Access granted, receipt valid

401 Receipt missing or invalid

402 Payment required

403 Purpose not permitted

429 Rate limit exceeded

Server Integration

Nginx Configuration

nginx.conf

# Nginx: serve peac.txt with proper caching
location = /.well-known/peac.txt {
  try_files /peac.txt =404;
  add_header Cache-Control "public, max-age=3600";
}

# Optionally gate a path by receipt
location /api/protected/ {
  if ($http_peac_receipt = "") { return 401; }
  proxy_pass http://app;
}

Node.js Express

server.js

// Node.js Express: receipt validation
import express from 'express'
import { verifyReceipt } from '@peac/protocol'

const app = express()

app.get('/protected', async (req, res) => {
  const receipt = req.header('PEAC-Receipt')
  if (!receipt) {
    return res.status(402).json({ 
      type: 'https://www.peacprotocol.org/errors/payment-required',
      title: 'Payment Required',
      status: 402,
      detail: 'Valid PEAC receipt required'
    })
  }
  
  try {
    const claims = await verifyReceipt(receipt)
    return res.json({ ok: true, claims })
  } catch (err) {
    return res.status(401).json({ 
      error: 'invalid_receipt',
      details: err.message 
    })
  }
})

Client Request

terminal

# Client: fetch with a PEAC receipt
curl -H "PEAC-Receipt: <jwt-or-compact-receipt>" \
     -H "User-Agent: MyAgent/1.0 (+https://example.org/agent)" \
     https://yourdomain.com/api/data

Policy Validation

Validate syntax and test conformance using the PEAC CLI tools

terminal

# Install PEAC CLI (v0.9.23+)
pnpm add -g @peac/cli

# Initialize a new peac.txt using Policy Kit
npx peac policy init

# Validate your policy file
npx peac policy validate peac.txt

# Explain policy decisions
npx peac policy explain peac.txt

# Generate artifacts (peac.txt, robots snippet, etc.)
npx peac policy generate policy.yaml --out public

Integrate validation into CI/CD pipelines to prevent invalid policy deployments

CLI Documentation Receipts API

Reference

File location requirements

Primary: /.well-known/peac.txt
Fallback: /peac.txt

Payment integration

Optional. Begin with attribution-only policies. Add payment endpoints when monetization is required.

Training data restrictions

Exclude training from purposes list. Return 403 status for training requests.

Privacy and retention

Specify retention periods using data_retention. Link privacy policy for compliance.

Protocol evolution

Headers use PEAC-Receipt for verification and proof.

Policy enforcement

Servers validate receipts and return appropriate HTTP status codes for policy violations.

Receipt technology

Uses cryptographically signed JWS receipts to provide verifiable evidence of compliance with declared terms and payments.

Testing and development

Generate test receipts locally. Validate policies before deployment using the CLI toolkit.

Implementation Resources

Access policy templates, validation tools, and technical documentation

View Policy File Technical Support

Technical questions: Community • Protocol specification: GitHub