Enterprise-grade policy coordination for agents and automated systems. Standardizes access control, compliance requirements, and cryptographic verification using proven web protocols.
peac-version is debug-only (non-normative)
/.well-known/peac.txt
robots.txt provides basic crawler directives. It is advisory and cannot verify compliance.
peac.txt extends this model with verifiable receipts, purpose-based access control, attribution tracking, and optional payment flows.
Files work together. Use robots.txt for basic crawling rules and peac.txt for agent coordination.
Allows indexing and research with attribution. Other purposes require negotiation.
version: 0.9.14
usage: conditional
purposes: [indexing, research]
attribution: required
attribution_format: "Source: {url} via PEAC"

Includes rate limits, retention policies, payment endpoints, and contact information.
# PEAC policy for yourdomain.com
version: 0.9.14
usage: conditional
# Basic usage - indexing and research allowed
purposes: [indexing, research]
attribution: required
attribution_format: "Source: {url} via PEAC"
# Privacy and retention
consent: optional
privacy_policy: https://yourdomain.com/privacy
data_retention: P30D
# Access limits
rate_limit: 600/hour
daily_limit: 3000
free_quota: 1000
# Receipts validation
receipts: required
# Contacts
contact: hello@yourdomain.com
support: https://yourdomain.com/contact

Restricts access to research purposes only. All other uses require explicit negotiation.
version: 0.9.14
usage: conditional
purposes: [research]
attribution: required
consent: required
receipts: required

File placement: Primary location /.well-known/peac.txt, with optional fallback at /peac.txt
/.well-known/peac.txt
negotiate endpoint if required
PEAC-Receipt header
PEAC-Receipt: Cryptographic proof of compliance

# Nginx: serve peac.txt with proper caching
location = /.well-known/peac.txt {
    try_files /peac.txt =404;
    add_header Cache-Control "public, max-age=3600";
}
# Optionally gate a path by receipt
# (presence check only: the upstream app must still verify the receipt)
location /api/protected/ {
    if ($http_peac_receipt = "") { return 401; }
    proxy_pass http://app;
}

// Node.js Express: receipt validation
import express from 'express'
import { verifyReceipt } from '@peac/core'

const app = express()

app.get('/protected', async (req, res) => {
  const receipt = req.header('PEAC-Receipt')
  // No receipt presented: answer 402 with a problem-details style body
  if (!receipt) {
    return res.status(402).json({
      type: 'https://peacprotocol.org/errors/payment-required',
      title: 'Payment Required',
      status: 402,
      detail: 'Valid PEAC receipt required'
    })
  }
  try {
    // verifyReceipt rejects (throws) when the receipt does not validate
    const claims = await verifyReceipt(receipt)
    return res.json({ ok: true, claims })
  } catch (err) {
    // Receipt was presented but failed validation: answer 401
    return res.status(401).json({
      error: 'invalid_receipt',
      details: err.message
    })
  }
})

# Client: fetch with a PEAC receipt
curl -H "PEAC-Receipt: <jwt-or-compact-receipt>" \
     -H "User-Agent: MyAgent/1.0 (+https://example.org/agent)" \
     https://yourdomain.com/api/data

Validate syntax and test conformance using the PEAC CLI tools
# Install PEAC CLI
pnpm add -g @peac/cli @peac/core
# Initialize a new peac.txt
npx peac init
# Validate your policy file
npx peac validate peac.txt
# Test conformance level
npx peac test --level L2
# Generate test receipt
npx peac sign --purpose research --quota 1000 --out receipt.jwt

Integrate validation into CI/CD pipelines to prevent invalid policy deployments
Primary: /.well-known/peac.txt
Fallback: /peac.txt
Optional. Begin with attribution-only policies. Add payment endpoints when monetization is required.
Exclude training from purposes list. Return 403 status for training requests.
Specify retention periods using data_retention. Link privacy policy for compliance.
Headers use PEAC-Receipt for verification and proof.
Servers validate receipts and return appropriate HTTP status codes for policy violations.
Uses cryptographically signed JWS receipts to prove agent compliance with declared terms and payments.
Generate test receipts locally. Validate policies before deployment using the CLI toolkit.
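
The purpose and receipt rules above (403 when a purpose such as training is not listed, 402 when a required receipt is missing) can be enforced from the policy file itself. The sketch below is an added example, not code from the PEAC project: `parsePeacTxt` and `decide` are hypothetical helpers that handle only the flat key/value syntax shown on this page, and the request's purpose is assumed to be supplied by the caller.

```javascript
// Constructed sample policy, using only fields that appear on this page.
const SAMPLE_POLICY = `
# PEAC policy for yourdomain.com
version: 0.9.14
usage: conditional
purposes: [indexing, research]
attribution_format: "Source: {url} via PEAC"
privacy_policy: https://yourdomain.com/privacy
receipts: required
`;

// Parse the flat "key: value" subset shown on this page (comments, [a, b]
// lists, quoted strings). Hypothetical helper, not the @peac/core parser.
function parsePeacTxt(text) {
  const policy = Object.create(null); // no prototype: a "__proto__" key is inert
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    const idx = line.indexOf(':'); // first colon only, so URL values survive
    if (idx <= 0) throw new Error(`malformed line: ${line}`);
    const key = line.slice(0, idx).trim();
    let value = line.slice(idx + 1).trim();
    // Fail closed on duplicates so a later line cannot silently widen access.
    if (key in policy) throw new Error(`duplicate key: ${key}`);
    if (value.startsWith('[') && value.endsWith(']')) {
      value = value.slice(1, -1).split(',').map((s) => s.trim()).filter(Boolean);
    } else if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1);
    }
    policy[key] = value;
  }
  return policy;
}

// Map a request to an HTTP status. `purpose` and `hasReceipt` are assumed
// inputs; how a server learns the declared purpose is not shown on this page.
function decide(policy, purpose, hasReceipt) {
  const allowed = Array.isArray(policy.purposes) ? policy.purposes : [];
  if (!allowed.includes(purpose)) return 403; // e.g. training left out of purposes
  if (policy.receipts === 'required' && !hasReceipt) return 402; // as in the Express handler
  return 200; // presence only: the receipt must still be verified (401 on failure)
}
```

A policy with no `purposes` line denies every purpose here, which is a fail-closed choice made for this example.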