PFC Receipt Verifier

Portable proof for governed actions: verify locally, reject missing or invalid receipts, and only execute when the receipt matches the exact payload.

Use this page with the developer quickstart to wire downstream enforcement.

Offline verification does not require a PFC API key. Downstream systems only need the receipt, the action payload, and a pinned public key.

1. Action → Signed Receipt

Agent proposes an action. PFC evaluates it and returns a signed receipt bound to that exact payload.

2. Offline Verification

The verifier recomputes the payload hash, checks the Ed25519 signature, and validates timestamp or TTL fields. No API call required.

3. Pinned Public Key

The verifier uses the receipt key_id and a pinned public key to validate the signature. Public keys are safe to distribute. Private signing keys must never be exposed.

4. Enforced Outcome

No valid receipt, no action. Missing, expired, tampered, or invalid receipts are rejected before execution.

Change the payload. Watch it fail.

The receipt is cryptographically bound to the exact payload. Any change invalidates it.

Valid

{
  "amount": 100,
  "recipient": "acct_123"
}

→ receipt verifies

Tampered

{
  "amount": 10000,
  "recipient": "acct_123"
}

→ verification fails

signature mismatch

result = verify_receipt(...)
# result.valid == False

No valid receipt, no action.

Validate your receipt

Paste a receipt JSON object to check whether it matches the canonical PFC receipt structure before running cryptographic verification.

This schema check validates structure only. It does not verify the signature, payload binding, TTL, or policy correctness. The validator runs locally in your browser, does not call the PFC API, and does not fetch keys.

The schema validator checks whether a receipt is shaped correctly. The offline verifier proves whether the receipt is authentic and bound to the supplied action payload.

Canonical receipt fields

  • payload
  • payload_hash
  • signature
  • payload.policy_hash
  • payload.receipt_id
  • payload.decision_id
  • payload.allow

Minimal code

from pfc.verifier import verify_receipt

result = verify_receipt(
    receipt=attached_receipt,
    payload=incoming_action_payload,
    public_key=pinned_pfc_public_key_pem,
)

if not result.valid:
    raise PermissionError(f"No valid PFC receipt: {result.reason_code}")

execute_protected_action(incoming_action_payload)

Receipt shape

{
  "payload": {
    "v": 1,
    "receipt_id": "rct_123",
    "decision_id": "dec_123",
    "request_id": "req_123",
    "payload_hash": "sha256-of-canonical-action-payload",
    "decision_status": "allow",
    "allow": true,
    "reason_code": "OK",
    "policy_id": "payment-policy",
    "policy_hash": "sha256-of-policy",
    "issued_at": "2026-04-01T12:00:00Z",
    "expires_at": "2026-04-01T12:10:00Z",
    "key_id": "pfc-api-ed25519-example",
    "runtime_version": "pfc-runtime-1",
    "engine_version": "pfc-engine-1"
  },
  "payload_hash": "sha256-of-canonical-receipt-payload",
  "signature": "base64-ed25519-signature"
}
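
Added example, not PFC's own code: the non-cryptographic checks a downstream verifier makes around the Ed25519 signature check (structure, both payload hashes, allow, expires_at), run against the valid and tampered payloads shown earlier. The canonical JSON form, hex digests, reason strings and the names precheck, canonical_hash and make_sample are assumptions; signature verification itself is left to verify_receipt.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

REQUIRED = ("receipt_id", "decision_id", "policy_hash", "payload_hash", "allow", "expires_at")

def canonical_hash(obj):
    # Assumption: canonical form is sorted-key, compact JSON; digest is hex SHA-256.
    text = json.dumps(obj, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def _same(claimed, computed):
    # Constant-time comparison; a non-string claimed hash never matches.
    return isinstance(claimed, str) and hmac.compare_digest(claimed.encode(), computed.encode())

def precheck(receipt, action, now):
    """Return (ok, reason). Fails closed. Does NOT verify the Ed25519 signature.
    `now` must be a timezone-aware datetime."""
    if not isinstance(receipt, dict) or not isinstance(receipt.get("payload"), dict):
        return False, "MALFORMED"
    body = receipt["payload"]
    if "signature" not in receipt or any(k not in body for k in REQUIRED):
        return False, "MALFORMED"
    if not _same(receipt.get("payload_hash"), canonical_hash(body)):
        return False, "RECEIPT_HASH_MISMATCH"   # receipt fields were altered
    if not _same(body["payload_hash"], canonical_hash(action)):
        return False, "PAYLOAD_MISMATCH"        # action differs from the approved one
    if body["allow"] is not True:
        return False, "NOT_ALLOWED"             # a deny receipt authorizes nothing
    try:
        expires = datetime.fromisoformat(body["expires_at"].replace("Z", "+00:00"))
        if expires.tzinfo is None:
            raise ValueError("expires_at must carry a UTC offset")
    except (AttributeError, ValueError):
        return False, "MALFORMED"
    if now >= expires:
        return False, "EXPIRED"
    return True, "OK"

def make_sample(action):
    # Constructed sample using the page's field names; the signature is a placeholder.
    body = {"v": 1, "receipt_id": "rct_123", "decision_id": "dec_123", "allow": True,
            "payload_hash": canonical_hash(action), "policy_hash": "sha256-of-policy",
            "expires_at": "2026-04-01T12:10:00Z", "key_id": "pfc-api-ed25519-example"}
    return {"payload": body, "payload_hash": canonical_hash(body), "signature": "placeholder"}

NOW = datetime(2026, 4, 1, 12, 5, tzinfo=timezone.utc)  # inside the sample validity window
```

Anyone can recompute both hashes, so these results carry no weight until the signature has been verified against the pinned public key.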

Repository docs

For implementation details in the source tree, see docs/RECEIPT_VERIFIER.md and docs/DOWNSTREAM_RECEIPT_ENFORCEMENT.md. These docs describe the Python verifier API and the downstream enforcement pattern.
