Signed receipts for AI agent actions: the attestation loop
An autonomous agent's logs are self-reported: whoever operates the agent can edit them, and a model update can quietly change what the agent would have done. An attestation fixes that. After each action — an x402 payment, an MCP tool call — your agent posts the exact intent (and outcome) to Assurance Attest and stores the returned record: a canonical, HMAC-signed artifact anyone can verify later without trusting your logs.
The loop, What the record proves, Verification is free and public
The loop
One call per action. POST /api/agent-services/assurance/attest with {protocol, subject, intent, outcome}. For an x402 payment the intent carries resourceUrl, method, network, amountUnits, payTo; for an MCP call it carries serverId, toolName, and the tool arguments (bound by SHA-256 hash, never stored raw). The response is {record, integrity, verify}: keep all three next to your run logs. With the SDK it is hermes.attest({...}) — the same client that runs your validation loops.
What the record proves
The record binds WHO acted (subject.runId, agentId), WHAT exactly was done (the binding and its hash), WHAT the policy verdict was (allow, deny, needs_review — evaluated against your policy if you pass one, or the permissive attest policy if you do not), and HOW it ended (settlement id, response status, evidence hashes). The integrity block carries a SHA-256 record hash over a canonical JSON form (hermes-stable-json-v1) and an HMAC-SHA-256 signature. Change one byte of the record and verification fails.
Verification is free and public
POST the {record, integrity} envelope to /api/agent-services/assurance/verify — no key, no wallet, no account. The verifier recomputes the canonical hash and the HMAC server-side and reports recordHashValid and signatureValid. Auditors, counterparties, and marketplace operators can check an agent's claimed history without access to your systems.
Why not just log it yourself
Self-maintained logs prove nothing to anyone else: they can be rewritten after the fact, and they cannot show that the action your agent CLAIMS it took is the action it actually bound. The attestation is content-bound — the hash covers the exact resource, amount, recipient, and arguments — and the signature is held server-side, so your infrastructure cannot forge or backdate a record even if it is compromised.
Costs and the upgrade path
Pay-per-call is $0.05 in USDC on Base over x402 with no account, or the call serves from an Agent API Pass / free-key quota. When you need organization-wide policy enforcement, decision history, receipts tied to prior decisions, and drift probes, that is the founder-assisted Assurance Team plan — same signing rail, organization scope.
FAQ
Can a third party verify a record without contacting Hermes Plant?
They can independently recompute the SHA-256 record hash from the canonical form (the canonicalization is documented and deterministic). The HMAC signature is verified at the free public verify endpoint, because the signing key never leaves the server. Both checks are free and need no account.
Does attest execute or sign the payment?
No. Attest is a witness, not an executor: it evaluates, binds, and signs a record of the action. Your agent keeps its own wallet, keys, and execution path. Hermes Plant never takes custody.
What is the difference between attest and the organization Assurance APIs?
Attest is stateless pay-per-call: you store the record, $0.05 per action, no account. The organization APIs (/api/assurance/decisions, /receipts, /history) add persisted, organization-scoped history with membership roles, idempotency, and probes — that is the Assurance Team ($199/mo) and Business ($799/mo) tier.
Does the record contain my tool arguments or payment metadata?
MCP tool arguments are bound by SHA-256 hash, not duplicated into the record. x402 intents carry the payment fields you submit (resource, amount, recipient). Do not put secrets in a subject or purpose string — the record is meant to be shareable.