Six workflows. One way to verify them.
Every record below carries the same skeleton: facts, policy, result, time, issuer, signature. Read one and you can read them all, and each verifies offline with a single command. Records can also be linked: an approval to the execution it authorized, an acknowledgment to the record it references, a run summary sealing a set, so a sequence becomes verifiable, not just a single event.
Prove what your API did, without opening your logs.
Answers which endpoint was called, which terms applied, and what result the API returned.
npx -y @peac/cli verify ./api-call.jws --public-key ./jwks.json
- Issuer
- https://api.vendor.example
- Action
- POST /v1/market-data/search
- Policy
- terms:v3 sha256:81af2c...
- Result
- 200 sha256:9a3c1d...
- Time
- 2026-06-12T14:08:11Z
- Signature
- Ed25519 b2c1a4e8...
{
"iss": "https://api.vendor.example",
"action": "POST /v1/market-data/search",
"policy": { "ref": "terms:v3", "digest": "sha256:81af2c..." },
"result": { "status": 200, "digest": "sha256:9a3c1d..." },
"occurred_at": "2026-06-12T14:08:11Z"
}When an MCP tool runs, proof can leave the server.
Answers which tool was called, under what policy, and what result digest came back. Full MCP page.
npx -y @peac/cli verify ./mcp-tool-run.jws --public-key ./jwks.json
Change the tool name, the result digest, or one character of the signature and verification fails with E_INVALID_SIGNATURE.
- Issuer
- https://mcp.vendor.example
- Tool
- tools.call search_docs
- Policy
- tool-policy:v2 sha256:4e21b8...
- Result
- ok sha256:9a3c1d...
- Time
- 2026-06-12T14:08:11Z
- Signature
- Ed25519 7d40e2c9...
What did the agent do, and what was it bound to?
Answers which agent acted, which input digests, and which mandate or policy version the action was bound to.
npx -y @peac/cli verify ./agent-action.jws --public-key ./jwks.json
Swap the mandate digest for a newer version after the fact and the record still shows the digest that was actually bound at signing time.
- Issuer
- https://runtime.vendor.example
- Agent
- research-agent-v3
- Action
- summarize_filing
- Input
- sha256:c41b09...
- Policy
- mandate:v2 sha256:5fe013...
- Time
- 2026-06-12T14:09:02Z
- Signature
- Ed25519 91bc44a0...
A deny is evidence too.
Answers what happened at the boundary before a request was routed, throttled, or refused. A denied call is still a signed, verifiable event: reviewers see what was refused without reading your gateway logs.
npx -y @peac/cli verify ./gateway-deny.jws --public-key ./jwks.json
- Issuer
- https://gateway.vendor.example
- Request
- tools.call export_billing
- Policy
- tool-policy:v2 sha256:4e21b8...
- Result
- denied - policy_violation
- Time
- 2026-06-12T14:10:40Z
- Signature
- Ed25519 e02d7f15... valid
Payment rails move value. Records prove context.
Answers what a payment was tied to. The rail proves value moved; the record binds the action, the mandate, and the observed state to one signed artifact. Agentic commerce page.
npx -y @peac/cli verify ./payment-event.jws --public-key ./jwks.json
Point the record at a different payment reference after settlement and the original reference stays bound under the signature.
- Issuer
- https://api.vendor.example
- Event
- authorized
- Action
- POST /v1/market-data/search
- Ref
- rail reference - x402-style
- Mandate
- sha256:77ab90...
- Time
- 2026-06-12T14:08:12Z
- Signature
- Ed25519 30cf81d6...
Who changed what, and which system says so.
Answers which account, resource, credential, or subscription event occurred, and who issued it. Useful long after dashboards and sessions are gone. Full provisioning page.
npx -y @peac/cli verify ./provisioning-event.jws --public-key ./jwks.json
Backdate the rotation in a spreadsheet all you want: the signed time in the record is the time the issuer asserted.
- Issuer
- https://ci.vendor.example
- Event
- credential.rotated
- Resource
- deploy-key-7
- Actor
- release-pipeline
- Time
- 2026-06-12T03:00:00Z
- Signature
- Ed25519 4ab2c7e1...
Broader evidence coverage, same wire format.
Portable evidence beyond single signed records: the wire format stays stable while evidence coverage broadens.
Broader evidence coverage, not a new payment rail, gateway, or policy engine.
Generate these yourself in one command.
pnpm dlx @peac/cli samples generate -o ./s pnpm dlx @peac/cli verify ./s/valid/basic-record.jws --public-key ./s/bundles/sandbox-jwks.json
Signature valid (offline) - PEAC v0.16.2