SoR for Agents | Originary

Open System of Record for AI Agents

Verifiable evidence of what agents did, under what policy, provable later.

View demoRead the spec

Introduction

AI agents are crossing organizational boundaries at scale: calling APIs, accessing tools, making purchases, retrieving content. The core question is no longer “Can the agent do this?” but:

  • Should it have been allowed to do the action?
  • Under what terms did it do the action?
  • Who (or what) authorized it?
  • Was it paid for?
  • Can we prove it later without trusting a single vendor?

Without durable, portable evidence, the agent web either centralizes behind gatekeepers or collapses into disputes. An open system of record provides verifiable evidence that works across vendors, frameworks, and trust boundaries.

Why agent interactions break today

The current internet was not designed for autonomous clients operating at machine speed. We built strong primitives for transport (HTTP), identity (TLS), and content addressing (URLs). But agent interactions introduce missing primitives:

1. Policy is not machine-enforceable by default

robots.txt was built for crawling. It is a binary allow/deny mechanism, not an economic and consent policy layer. Agents need “allow, but under these terms.”

Robots.txt says “stop/go.” A system of record needs “go, under this policy hash, with this entitlement/payment proof.”

2. Payment evidence is not naturally tied to access

Even when something is paid for, the proof is often separated from the request and the response. That separation creates disputes.

3. Audit trails are internal and non-portable

Logs help internally, but they are unilateral evidence: one party controls them, their schema varies, and their integrity is hard to prove externally. Receipts create portable, cryptographically verifiable evidence that can be checked by third parties.

4. Consent, provenance, and attribution are not captured

Agents act under constraints (privacy, retention, purpose, jurisdiction) but without a snapshot at access time, you cannot prove what was agreed to. Attribution and provenance remain ad hoc.

In short: agents are arriving with no shared proof layer.

The model: policy + receipts

The simplest way to make the web auditable is to standardize two things:

  1. A discoverable policy file that tells agents what is allowed and under what terms.
  2. A signed receipt returned with responses that proves what happened.

That is the heart of the PEAC Protocol (Portable Evidence for Agent Coordination), an open standard.

Policy: peac.txt

A site or API publishes a machine-readable policy at a well-known path (commonly /.well-known/peac.txt). The policy can express:

  • access rules
  • pricing and entitlements
  • rate limits
  • consent requirements
  • attribution/provenance expectations
  • negotiation or enterprise overrides

This shifts “terms” from PDFs into a format that agents can actually follow.

peac.txt
preferences: /.well-known/aipref.json
access_control: http-402
payments: [x402, stripe]
receipts: required
verify: /.well-known/peac-issuer.json

Receipts: PEAC-Receipt

When an agent makes a request, the server can return a receipt (typically via a header such as PEAC-Receipt) that contains a signed evidence object.

At minimum, a receipt is:

  • tied to the request and response
  • bound to the effective policy (usually via a policy hash)
  • signed by the issuer so it can be verified later

Think of it as the missing primitive for the agent web: a portable, verifiable “event record” for access.

Response Header
HTTP/1.1 200 OK
PEAC-Receipt: eyJhbGciOiJFZERTQSIsInR5cCI6...
Content-Type: application/json

What does a receipt actually prove?

A well-designed receipt should let a verifier prove statements like:

  • This response was issued by this service at this time.
  • This request matched policy version X (or policy hash X).
  • This access was allowed under the declared terms.
  • If payment was required, payment evidence exists and is referenced.
  • The response returned was associated with those terms.
  • Optional: an attribution/provenance pointer was asserted.

It does not need to reveal user identity. It can prove correctness without becoming a tracking vector.

This matters because the future is not “agents doing things,” it is “agents doing things and everyone being able to prove what happened.”

That is what makes commerce, compliance, and trust possible at scale.

A simple end-to-end flow

Here is the basic lifecycle that an open system of record enables:

1Request2Policy3Challenge4Satisfy5Response6ReceiptVerify
  1. Agent requests a resource.
  2. Server resolves peac.txt and determines the effective terms.
  3. If payment/authorization is required, the server challenges (often via HTTP 402 patterns).
  4. Agent satisfies the requirement.
  5. Server returns the response plus a cryptographic receipt.
  6. Any verifier (enterprise, auditor, marketplace, dispute resolver, internal compliance team) can validate the receipt later.

The important shift is step (5): proof is emitted at the time of interaction, not reconstructed later from logs.

What Originary is building

PEAC is an open protocol. Originary stewards the spec and builds tools and services, but any team can implement and verify PEAC receipts independently. Openness is non-negotiable: evidence must be portable across vendors, verifiable by multiple parties, and scalable across millions of agent endpoints.

PEAC Protocol

The open spec: policy discovery, receipt formats, signing rules, verification, and integration profiles. Apache-2.0.

Developer tooling

SDKs to issue and verify records, middleware for APIs and gateways, edge adapters, and conformance tooling.

Verification services

Optional hosted verification, record storage, and audit-ready evidence bundles for teams that do not want to run their own infrastructure.

The protocol stays open. Self-host, use Originary, or use any other provider.

Start here

  1. Publish a policy file (peac.txt) that expresses access terms in a machine-readable way.
  2. Return signed records (PEAC-Receipt) for agent interactions.
  3. Verify records inside your own systems and export them to your existing compliance pipelines.
Start hereView demoContact us

Frequently asked questions

What is a system of record for AI agents?

A system of record for AI agents is verifiable evidence of agent interactions: what was requested, what policy applied, what consent preferences were active, what was paid, what was returned, and what attribution obligations were asserted - all without leaking private identity.

How is PEAC different from logs?

Logs are unilateral and mutable - one party controls them, their schema varies, and their integrity is hard to prove externally. PEAC receipts are portable and cryptographically verifiable evidence that can be checked by third parties independently.

Does PEAC replace payment rails like x402 or Stripe?

No. PEAC is designed to sit above payment rails and alongside provenance/preference standards. It standardizes the evidence object that can reference x402, L402, Stripe, or any other payment system.

Can I verify PEAC receipts offline?

Yes. Receipts are signed JWS (Ed25519) and can be verified offline by any party with access to the issuer public keys via JWKS. No vendor API is required for verification.

Is Originary required to use PEAC?

No. PEAC is an open protocol. Originary stewards the spec and builds tools and services, but any team can implement and verify PEAC receipts independently. The protocol is Apache-2.0 licensed.

How does PEAC relate to robots.txt?

robots.txt was built for crawling with binary allow/deny. PEAC extends this for the agent economy: instead of just stop/go, it enables "go, under this policy hash, with this entitlement/payment proof."

How does PEAC work with AIPREF and C2PA?

PEAC complements these standards. It can snapshot AIPREF preferences into receipts for auditability, and reference C2PA provenance data. PEAC does not compete with these standards - it provides the evidence binding layer.