AGENT PROVENANCE RECEIPTS

Cryptographic receipts
for AI agent work.

A signed receipt for every artifact an AI agent produces in the Dekimu ecosystem — who issued it, when, what was anchored, and how you can check it yourself.

Internal beta · public spec coming soon

WHAT AN APR COMMITS TO

ARTIFACT

The output committed to — a Commander run, miniterms document, Designer snapshot, or follow-up email.

AGENT

The model, template, or system that produced it.

PRINCIPAL

A pseudonymous identifier — never the raw user ID.

TIMESTAMP

Signed in UTC by the issuing app.

ANCHOR

Daily Merkle root the receipt is committed to.

WHERE YOU'LL SEE THEM

Four issuers are minting today. More follow as the ecosystem grows.

  • Commander runs — every completed run.
  • miniterms documents — every regenerate.
  • Designer site publishes — every publish.
  • InvoiceUp follow-up emails and EU Directive 2011/7 statutory letters — every send.
  • Future: Hub workflow steps, more.

On InvoiceUp the receipt attests we sent the email, never that InvoiceUp issued an invoice. InvoiceUp is a follow-up tool, not an invoicing engine.

Directive 2011/7/EU on combating late payment (EUR-Lex)

WHAT IT PROVES

  • The artifact's content matches what the issuer signed (signature check).
  • The receipt existed before a known UTC date (Merkle inclusion plus OpenTimestamps cross-anchor).
  • The issuing app holds a registered key (catalog at /.well-known/dekimu-claim-keys.json).

Tamper-evident, not tamper-proof. If anything in the chain changes, the verification breaks.

WHAT IT DOESN'T PROVE

  • The content is true, accurate, or legally valid.
  • The agent's reasoning was sound.
  • The human acted on it.
  • The principal's identity beyond a stable pseudonym.

WHAT THIS UNLOCKS

Three concrete surfaces where an APR carries real-world weight.

01

Approval-event receipts on Commander

Every approval.granted / approval.rejected event mints an APR. Auditors can prove a human approved this exact change at this UTC time — not just that a record exists in a database that the same humans control.

02

Per-clause citations on miniterms

Every generated GDPR document carries APR attestation tied to AEPD and EDPB source citations. A regulator can pull a published doc and trace each clause back to its anchor.

03

EU 2011/7 statutory letters on InvoiceUp

Every formal payment demand — the one that unlocks the +8pp ECB interest rate and the €40 recovery fee under Article 6 — mints invoiceup.statutory.sent. If a debtor disputes the demand, the claimId proves we sent it on date X.

Directive 2011/7/EU, Article 6 (EUR-Lex)

HOW YOU VERIFY ONE YOURSELF

Three ways, ordered from easiest to most rigorous.

  1. 01Open verify.dekimu.com/v/<id> — the human-readable verifier.
  2. 02GET verify.dekimu.com/api/v/<id> — JSON for scripts.
  3. 03Self-verify offline by combining /api/proof/<id>, /.well-known/dekimu-claim-keys.json, and openssl.
Self-verify walkthrough →

BECOME A VERIFIER

Anyone can run the verifier independently. The spec, the verifier library, and an issuer kit are public OSS (CC0 spec, Apache verifier). Repos go public soon. The verifier surface at verify.dekimu.com is already running and answers all discovery endpoints.

ENDPOINTS

LIVE

LIVE SOON

  • apr-spec
  • apr-verifier
  • apr-issuer-kit

REFERENCES

APR is a cryptographic provenance protocol; verify.dekimu.com is a reference implementation, not a qualified trust service under Regulation (EU) No 910/2014 (eIDAS) or successor.