What PEAC verifies
PEAC produces signed, portable evidence across ten verification domains. Each domain maps to specific receipt types, policy fields, and packages.
Access
Discovery and authorization
Standardized discovery via peac.txt and AIPREF headers. Control Abstraction Layer (CAL) evaluation with DPoP L3/L4 binding for secure request authorization.
- peac.txt discovery at /.well-known/peac.txt
- AIPREF HTTP headers for policy signaling
- Control Abstraction Layer evaluation
- DPoP proof-of-possession (L3/L4)
@peac/policy-kit@peac/control@peac/protocol// Fetch and evaluate policy
const policy = await fetchPeacTxt(
'https://example.com'
);
const decision = await evaluate(policy, {
purpose: 'inference',
subject_type: 'agent',
});
if (decision.allowed) {
// Proceed with request
}Attribution
Provenance tracking
Track content usage with cryptographic attribution chains. Bind content hashes to receipts for verifiable provenance across AI workflows.
- Attribution attestations with content hashes
- Chain resolution up to 8 levels deep
- Usage type tracking (quote, derive, summarize)
- Weight-based contribution scoring
@peac/attribution@peac/protocol@peac/schema// Create attribution attestation
const attribution = createAttribution({
sources: [{
receipt_ref: 'jti:abc123',
content_hash: 'sha256:...',
usage: 'quote',
weight: 0.3,
}],
issued_at: Date.now(),
});Consent
Policy-based authorization
Policy Kit evaluation with purpose tracking. GDPR-compliant consent revocation with deterministic first-match-wins semantics.
- Policy Kit YAML configuration
- Purpose-based access control (train, search, inference, index)
- Subject type filtering (human, org, agent)
- Revocation tracking with audit trails
@peac/policy-kit@peac/control@peac/privacy// Policy Kit evaluation
const result = await evaluate(policy, {
purpose: 'train',
subject_type: 'agent',
subject_id: 'openai-crawler',
});
// result.allowed: false
// result.reason: "Training requires
// explicit agreement"Commerce
Multi-rail payments
HTTP 402 payment flow with cryptographic receipts. Support for x402, Stripe, card, and Razorpay payments with unified receipt format.
- HTTP 402 Payment Required flow
- x402 blockchain payments (USDC)
- Stripe SaaS billing + crypto payments
- Card and Razorpay rail adapters
@peac/rails-x402@peac/rails-stripe@peac/rails-card@peac/protocol// Handle HTTP 402 response
const receipt = await acquire402Receipt({
offer: response.headers['x-402-offer'],
rail: 'x402',
wallet: agentWallet,
});
// Retry with receipt
headers['PEAC-Receipt'] = receipt.jws;Compliance
Audit and evidence
Audit bundles for regulatory compliance. SOC2 and EU AI Act ready exports with deterministic verification and portable evidence.
- Audit bundles with signed manifests
- Offline-verifiable evidence packages
- SOC2 control mapping
- EU AI Act transparency reports
@peac/audit@peac/protocol@peac/schema// Create audit bundle
const bundle = await createAuditBundle({
receipts: verifiedReceipts,
policy_snapshot: currentPolicy,
time_range: { start, end },
signing_key: auditKey,
});
// Export for SOC2 auditPrivacy
Data protection
Privacy-preserving hashing with evidence redaction. k-anonymity >= 20 for aggregated metrics with minimal data exposure.
- Privacy-preserving content hashing
- Evidence redaction for sensitive fields
- k-anonymity (k >= 20) for metrics
- Minimal PII exposure design
@peac/privacy@peac/crypto@peac/protocol// Privacy-preserving hash
const hash = privacyHash(content, {
algorithm: 'sha256',
salt: ephemeralSalt,
});
// Redact sensitive evidence
const safe = redactEvidence(evidence, {
fields: ['email', 'ip'],
});Provenance
Verifiable records
Deterministic verification with dispute bundles. C2PA integration for media provenance with cryptographic proof chains.
- Deterministic receipt verification
- Dispute resolution workflow
- C2PA media provenance integration
- Cryptographic proof chains
@peac/protocol@peac/crypto@peac/audit// Verify receipt chain
const result = await verifyChain({
receipt: signedReceipt,
jwks_uri: issuerJwks,
require_attribution: true,
});
// Deterministic verification
assert(result.valid === true);Safety
AI safety evidence
Portable evidence for AI safety reviews, incident response, and governance workflows. Receipts capture what terms applied and what happened for post-hoc analysis.
- Incident response evidence bundles
- Safety review audit trails
- Governance workflow artifacts
- Post-hoc interaction analysis
@peac/audit@peac/protocol@peac/control// Generate incident evidence
const bundle = await createAuditBundle({
receipts: incidentReceipts,
policy_snapshot: activePolicy,
time_range: incidentWindow,
});
// Portable evidence for review
// No trust in issuer requiredIdentity
Agent identity verification
Cryptographic proof-of-control for agent identity. Key lifecycle management with operator and user-delegated identity bindings.
- Agent identity attestations (peac/agent-identity)
- Proof-of-control binding (operator vs delegated)
- Key lifecycle (PENDING, ACTIVE, DEPRECATED, RETIRED, REVOKED)
- Ed25519 identity keys with RFC 9421 signatures
@peac/crypto@peac/protocol@peac/schema// Agent identity attestation
const identity = createAttestation({
type: 'peac/agent-identity',
agent_id: 'agent-xyz',
proof_of_control: 'ed25519',
operator: 'https://org.example',
delegation: 'user-delegated',
});Purpose
Intent declaration and enforcement
Purpose-based access control with canonical purpose tokens. Agents declare intent, services enforce terms, and receipts record what purpose was applied.
- Canonical purpose tokens (train, search, inference, index)
- Purpose declaration via PEAC-Purpose header
- Purpose enforcement in control chains
- Purpose audit trail in receipts (purpose_declared, purpose_enforced)
@peac/control@peac/policy-kit@peac/protocol// Purpose-based access
const receipt = await issue({
iss: 'https://api.example.com',
purpose_declared: ['inference'],
purpose_enforced: 'inference',
purpose_reason: 'policy_match',
privateKey,
kid: 'key-2026-02',
});Ready to implement?
Start with the quickstart guide or explore the full documentation.