Receipt Verifier
Paste a receipt. Verify it instantly.
Use this page with the developer quickstart to wire downstream enforcement.
Paste a pfc_verifier_receipt JSON object from /v1/evaluate. This tool sends the receipt to /v1/verify-receipt and returns the same verification fields used by the hosted verifier and Swift CLI.
For privacy, only the pasted receipt object is sent. Private signing keys are never exposed by the verifier endpoint.
Offline verification does not require a PFC API key. Downstream systems only need the receipt, the action payload, and a pinned public key.
Agent proposes an action. PFC evaluates it and returns a signed receipt bound to that exact payload.
The verifier recomputes the payload hash, checks the Ed25519 signature, and validates timestamp or TTL fields. No API call required.
The verifier uses the receipt key_id and a pinned public key to validate the signature. Public keys are safe to distribute. Private signing keys must never be exposed.
No valid receipt, no action. Missing, expired, tampered, or invalid receipts are rejected before execution.
The receipt is cryptographically bound to the exact payload. Any change invalidates it.
Valid
{
"amount": 100,
"recipient": "acct_123"
}
→ receipt verifies
Tampered
{
"amount": 10000,
"recipient": "acct_123"
}
→ verification fails
signature mismatch
result = verify_receipt(...) # result.valid == False
No valid receipt, no action.
from pfc.verifier import verify_receipt
result = verify_receipt(
receipt=attached_receipt,
payload=incoming_action_payload,
public_key=pinned_pfc_public_key_pem,
)
if not result.valid:
raise PermissionError(f"No valid PFC receipt: {result.reason_code}")
execute_protected_action(incoming_action_payload)
{
"decision_id": "dec_123",
"timestamp": "2026-05-03T16:31:32Z",
"payload": {
"decision_id": "dec_123",
"request_id": "req_123",
"decision_status": "allow",
"allow": true,
"reason_code": "OK",
"policy_id": "payment-policy",
"policy_hash": "sha256-of-policy"
},
"payload_hash": "sha256-of-canonical-payload",
"signature": "base64-ed25519-signature-over-payload-hash",
"public_key": "base64-ed25519-public-key",
"key_id": "owner-key",
"signature_algorithm": "ed25519",
"trust_mode": "strict",
"verification_version": "1.0"
}
The API recomputes the canonical payload hash, verifies the Ed25519 signature over payload_hash, checks the trusted issuer, and fails closed on malformed input.
PFC verifier receipt fields
decision_idtimestamppayloadpayload_hashsignaturepublic_keykey_idsignature_algorithmCall /v1/evaluate, keep the returned receipt with the action payload, and require downstream services to verify the receipt before execution.
For implementation details in the source tree, see docs/RECEIPT_VERIFIER.md and docs/DOWNSTREAM_RECEIPT_ENFORCEMENT.md. These docs describe the Python verifier API and the downstream enforcement pattern.