Policy, consent and attribution
How publishers declare what agents may do with their content (AIPREF, peac.txt) and how agents prove they followed those terms. The gap between robots.txt and what AI actually needs.
Key takeaways
- Consent must be machine-readable for agents to respect it automatically.
- Attribution is recorded in signed records, creating verifiable credit chains.
- AIPREF (aipref.json) lets sites declare AI interaction preferences.
- Proper consent and attribution protect both content owners and AI operators.
The problem
The web was built for humans browsing with web browsers. Terms of service are written in legal English. robots.txt was designed for search engine crawlers, not AI agents that consume and transform content.
This creates two problems:
- Content owners cannot express preferences that agents understand. "Training: no, RAG: yes, summary: yes with attribution" is not something robots.txt supports.
- Agents cannot demonstrate compliance. Even well-intentioned AI systems have no way to show they respected consent or provided proper attribution.
Machine-readable consent
Machine-readable consent means expressing permissions in formats that agents can parse and act on automatically. Key formats:
- AIPREF (aipref.json). A JSON file at /.well-known/aipref.json that declares AI interaction preferences: training permissions, RAG access, summarization rights, required attribution, and pricing.
- peac.txt. The PEAC policy file at /.well-known/peac.txt references aipref.json and adds payment requirements, verification endpoints, and public keys.
- HTTP headers. Per-request consent can be signaled via headers, allowing dynamic permissions based on the requesting agent's identity or payment status.
Attribution in practice
Attribution records where content came from and who produced it. In PEAC, this is captured through:
- Source recording. Records include the exact resource URL, timestamp, and content hash of accessed material.
- Credit chains. When Agent B uses output from Agent A, the record chain traces back to original sources.
- License compliance. Attribution requirements from AIPREF are embedded in signed records as verifiable commitments.
- Payment proof. When attribution includes compensation, payment evidence is cryptographically linked.
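The source recording and credit chain described above, as an added example that is not PEAC's or Originary's code: each record holds the URL, timestamp and content hash, links to its parent by hash, and the whole chain is verified end to end. The field names, the demo key, the example URLs and the use of HMAC-SHA256 in place of a public-key signature are assumptions, not the PEAC record format.

```python
import hashlib, hmac, json

# Constructed demo key; HMAC-SHA256 stands in for the record signature (assumption).
DEMO_KEY = b"constructed-demo-key"

def canonical(obj):
    # Stable byte encoding so the same fields always hash and sign identically.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def record_digest(record):
    # Digest covers body and signature, so a re-signed parent breaks the link.
    return hashlib.sha256(canonical(record)).hexdigest()

def make_record(url, content, timestamp, parent=None, key=DEMO_KEY):
    """Build one attribution record; `parent` is the record this one derives from."""
    body = {
        "url": url,
        "timestamp": timestamp,
        "content_sha256": hashlib.sha256(content).hexdigest(),
        "parent_sha256": record_digest(parent) if parent else None,
    }
    sig = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

def verify_chain(chain, contents, key=DEMO_KEY):
    """Return the index of the first bad record, or -1 if the chain verifies.
    `chain` runs from the original source to the latest derivation."""
    for i, rec in enumerate(chain):
        body = rec["body"]
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["sig"]):
            return i  # record fields were altered after signing
        if hashlib.sha256(contents[i]).hexdigest() != body["content_sha256"]:
            return i  # content does not match what was recorded
        want_parent = record_digest(chain[i - 1]) if i else None
        if body["parent_sha256"] != want_parent:
            return i  # credit chain does not trace back to the claimed parent
    return -1

# Constructed sample: Agent A reads a source page, Agent B uses Agent A's output.
SOURCE = b"Original article text"
DERIVED = b"Agent A summary of the article"
rec_a = make_record("https://publisher.example/article", SOURCE, "2025-01-01T00:00:00Z")
rec_b = make_record("https://agent-a.example/output/1", DERIVED,
                    "2025-01-01T00:05:00Z", parent=rec_a)
```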
Standards and protocols
The consent and attribution ecosystem includes several complementary standards:
- AIPREF. AI preferences standard for declaring training, RAG, and usage permissions.
- PEAC Protocol. Policy discovery and signed records for agent interactions.
- C2PA. Content provenance standard for media authenticity and attribution.
- robots.txt. Legacy crawler control. Still useful but insufficient for AI agents.
Implementation
Get started with consent and attribution using Originary's tools: