PEAC Receipts API
Complete reference for implementing cryptographic receipts. Every HTTP response becomes verifiable proof of content, consent, attribution, provenance, and payments.
Spec Snapshot (v0.9.14)
typ: "peac.receipt/0.9" (JWS protected header)
iat: Unix seconds (required in payload)
PEAC-Receipt: Single header (normative)
payment.scheme: "x402" (if present)
Media types: application/peac+json, application/problem+json, application/jwk-set+json
JWS Header Fields
| Field | Type | Status | Description |
|---|---|---|---|
| alg | string | Required | Must be "EdDSA" for Ed25519 signatures |
| typ | string | Required | Must be "peac.receipt/0.9" |
| kid | string | Required | Key identifier for signature verification |
Receipt Payload Fields
| Field | Type | Status | Description |
|---|---|---|---|
| iat | number | Required | Issued at time (Unix timestamp) |
| hash | string | Recommended | Content hash (e.g., "sha256:abc123...") |
| aipref | object | Optional | AI preferences compliance reference |
| payment | object | Optional | Payment scheme details (e.g., x402) |
| prov | object | Optional | Provenance metadata (e.g., C2PA) |
| aud | string | Optional | Intended audience for the receipt |
| sub | string | Optional | Subject of the content |
HTTP Headers
PEAC-Receipt (Required): Single HTTP response header containing the detached JWS compact serialization. This is the only normative header in PEAC Protocol v0.9.14.
Basic Example
HTTP Response
HTTP/1.1 200 OK
Content-Type: application/json
PEAC-Receipt: eyJhbGciOiJFZERTQSIsInR5cCI6InBlYWMucmVjZWlwdC8wLjkiLCJraWQiOiJwZWFjLTIwMjUtMDkifQ.eyJpYXQiOjE3Mjc1OTM4MDAsImhhc2giOiJzaGEyNTY6YTFiMmMzLi4uIiwiYWlwcmVmIjp7InVybCI6Ii4uLmFpLXByZWZlcmVuY2VzLnR4dCJ9LCJwYXltZW50Ijp7InNjaGVtZSI6Ing0MDIifSwicHJvdiI6eyJjMnBhIjoic2hhMjU2Oi4uLiJ9fQ.signature_base64url

{
  "data": "Your content here",
  "attribution": "Content provided under PEAC Protocol terms"
}
Decoded JWS
Header
{
  "alg": "EdDSA",
  "typ": "peac.receipt/0.9",
  "kid": "peac-2025-09"
}
Payload
{
  "iat": 1727593800,
  "hash": "sha256:a1b2c3...",
  "aipref": {
    "url": "...ai-preferences.txt"
  },
  "payment": {
    "scheme": "x402"
  },
  "prov": {
    "c2pa": "sha256:..."
  }
}
API Endpoints (non-normative examples)
POST /v1/receipts/:id/confirm
Example (non-normative)
Confirm and validate a PEAC receipt for resource access.
Request Headers
PEAC-Receipt: rcpt_01HZY3Z3V7C7
Accept: application/json
Content-Type: application/json
Request Body
{
  "jws": "<detached JWS compact serialization>",
  "kid": "peac_pub_2025_08",
  "policy_hash": "7K2dmfqM5JdCiQ_9gTXeYZRqh8L_2vKxg3BjPMvqWxA",
  "agent_id": "agent_9f3b2"
}
Response (202 Accepted)
{
  "jti": "rcpt_9D328FC8",
  "method": "peac.receipt",
  "kid": "peac_pub_2025_08",
  "sig_alg": "Ed25519",
  "time": "2025-08-30T18:12:03Z",
  "agent_id": "agent_9f3b2",
  "resource": "https://example.com/api/data",
  "status": "VALID",
  "id": "rcpt_01HZY3Z3V7C7"
}
Error Codes
| Code | Error | Description |
|---|---|---|
| 400 | INVALID_INPUT | Malformed payload or fields |
| 401 | UNAUTHORIZED | Missing or invalid auth on caller |
| 403 | POLICY_MISMATCH | Receipt policy does not match current peac.txt |
| 409 | REPLAY | Receipt previously used or nonce replay |
| 422 | SIG_INVALID | Signature or key reference invalid |
| 429 | RATE_LIMITED | Too many requests |
Security Requirements
⚠ Important
- Receipt verification requires EdDSA signature validation
- Receipt rid must use UUIDv7 (RFC 9562) for replay protection
- JWKS must be served from issuer domain for verification
- Timestamp validation with reasonable clock skew tolerance (<5 minutes)
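The signature and timestamp checks listed above, together with the JWS header constraints, as an added Node.js example (not code from the PEAC specification or project). It assumes the receipt carries its payload inline as in the Basic Example, that the caller has already fetched the issuer's JWKS, and that the under-5-minute tolerance bounds the distance between `iat` and the verifier's clock; `verifyReceipt`, `makeSample` and the reason strings are hypothetical names, and replay tracking is left out.

```javascript
const nodeCrypto = require('node:crypto');

// Assumption: the page's "<5 minutes" tolerance is applied to |now - iat|.
const MAX_SKEW_SECONDS = 300;
const fail = (reason) => ({ ok: false, reason }); // reason strings are hypothetical
const decodeJson = (part) => {
  const value = JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));
  if (value === null || typeof value !== 'object') throw new Error('not a JSON object');
  return value;
};

// jwks: the issuer's key set (application/jwk-set+json), already fetched by the caller.
function verifyReceipt(headerValue, jwks, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = String(headerValue).trim().split('.');
  if (parts.length !== 3 || parts.includes('')) return fail('malformed');
  let header, payload;
  try {
    header = decodeJson(parts[0]);
    payload = decodeJson(parts[1]);
  } catch (err) {
    return fail('malformed');
  }
  // Pin alg and typ to the spec values; the token never chooses its own algorithm.
  if (header.alg !== 'EdDSA') return fail('bad_alg');
  if (header.typ !== 'peac.receipt/0.9') return fail('bad_typ');
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === 'OKP' && k.crv === 'Ed25519');
  if (!jwk) return fail('unknown_kid');
  const key = nodeCrypto.createPublicKey({ key: jwk, format: 'jwk' });
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`, 'ascii');
  if (!nodeCrypto.verify(null, signed, key, Buffer.from(parts[2], 'base64url'))) return fail('sig_invalid');
  // Read iat only after the signature verifies; an unsigned timestamp proves nothing.
  if (!Number.isInteger(payload.iat)) return fail('missing_iat');
  if (Math.abs(nowSeconds - payload.iat) >= MAX_SKEW_SECONDS) return fail('iat_out_of_window');
  return { ok: true, payload };
}

// Constructed sample: a throwaway key pair and receipt standing in for a real issuer.
function makeSample(iat, headerOverrides = {}) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const header = { alg: 'EdDSA', typ: 'peac.receipt/0.9', kid: 'peac-2025-09', ...headerOverrides };
  const input = `${enc(header)}.${enc({ iat, hash: 'sha256:a1b2c3...' })}`;
  const sig = nodeCrypto.sign(null, Buffer.from(input), privateKey).toString('base64url');
  const jwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'peac-2025-09' }] };
  return { receipt: `${input}.${sig}`, jwks };
}

const sample = makeSample(1727593800);
console.log(verifyReceipt(sample.receipt, sample.jwks, 1727593830));
```

The order of checks matters: `alg` and `typ` are rejected before any key lookup, and `iat` is read only from a payload whose signature has already verified.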