What is PEAC Protocol?

PEAC is the open protocol for signed, portable interaction records. When AI agents interact with APIs, MCP servers, tools, and services, PEAC enables those services to return cryptographically signed proof of what happened. Any party can verify the record independently, offline once the issuer's public key is available.

How does PEAC verification work?

Interaction records are signed with Ed25519 and verified locally with the issuer's public key. There is no dependency on Originary or any central authority in the verification path. Verification is offline once public keys are available or bundled.

Agent actions need evidence

WTF did my agent just do?

Q: Do I need Originary to use PEAC?

No. PEAC is open-source and self-hostable under the Apache-2.0 license. There is no dependency on Originary in the verification path. Originary provides managed deployment and operational support for production teams.

Agents now touch APIs, MCP servers, workflows, and third-party systems. Logs can tell you what your stack saw. They cannot give another party portable proof of what happened. PEAC is the open standard for verifiable interaction records. Originary helps teams deploy and operate it in production.

Verify a sample receipt See how it works Talk to Originary

Apache-2.0

Self-hostable

Offline verification once keys are available

TypeScript + Go

Conformance fixtures

Agents are moving from chat into real systems. Once they cross organizational boundaries, logs stop being enough.

Who sent the request. What policy applied. What record exists afterward.

That is the operational question. PEAC standardizes the record. Originary helps teams run it in production.

The real gap

This is not another observability product

PEAC adds signed, portable records that travel across tools, vendors, and organizational boundaries. Another party can verify them independently.

Your system

app logs

trace spans

dashboard events

org boundary

What PEAC adds

signed interaction record

policy reference

independent verification

See the difference

An agent checks inventory via MCP. What do you get?

An agent invokes a tool on an MCP server. The tool calls an external API, policy is evaluated, and a result is returned.

Internal observability

Local only

14:23:01.2

Agent invoked MCP tool: check_inventory

tool_call_id: tc_82af → pending

14:23:01.8

Tool called external API

GET /api/v2/inventory/sku_47x → 200

14:23:02.1

Policy evaluated

policy: tools.check_inventory → allow

14:23:02.4

Tool returned result to agent

trace_id: 7f3a-b2c1-9e4d

Useful for debugging. Not portable proof for another party.

Signed interaction record

Portable proof

14:23:01.2

Issuer: tools.vendor.com

kid: vendor-ed25519-2026-03

14:23:01.2

Type: org.peacprotocol/access

kind: evidence

14:23:02.4

Policy binding: verified

sha256:3f8a...c7e1 matches published terms

14:23:02.4

Signature: Ed25519, valid

receipt_ref: sha256:a9b2...f4d8

verified

Verification: passed locally

offline once public key is available

Portable signed proof. Verifiable by any party.

Verified locally

No Originary callback required

Signature: Ed25519 valid

Issuer: tools.vendor.com

Policy hash: matched

Type: access (evidence)

Occurred: 2026-03-19 14:23

No Originary dependency

Illustrative receipt. Verified with issuer's public key only.

Decoded payload

interaction-record+jwt compact JWS

{
  "iss": "https://tools.vendor.com",
  "kind": "evidence",
  "type": "org.peacprotocol/access",
  "occurred_at": "2026-03-19T14:23:02Z",
  "policy": { "uri": "https://tools.vendor.com/.well-known/peac.txt" },
  "ext": { "access": { "action": "read", "resource": "inventory" } }
}

Load sample in verifier Read record structure

Verify a sample receipt See it in action

The real problem

The problem is not visibility. It is proof.

Agents cross boundaries

They call APIs, tools, and MCP servers outside your stack.

Logs stay local

Your trace is useful inside your stack. It is not evidence for a counterparty.

Disputes happen fast

A wrong call, a bad tool action, or a policy question all collapse into one question: what actually happened?

Logs are local.
Proof travels.

PEAC gives APIs, tools, and services a standard way to return signed interaction records. It adds portable proof across system and organizational boundaries.

Logs

Internal observation

Traces

Internal debugging

PEAC

Portable signed proof
another party can verify

See PEAC Protocol

Protocol

How it works

Four steps from interaction to verifiable evidence.

Publish policy

Services expose machine-readable terms and policy at the edge, so agents know what to expect before interacting.

Return a signed record

When an agent request is processed, the service returns a portable signed record of what happened.

Verify anywhere

The receiver, operator, partner, or auditor verifies the record locally using the issuer's public key. Offline once keys are available.

Keep or bundle evidence

Use the record for incident review, disputes, compliance evidence, internal controls, or cross-party workflows.

Apache-2.0

Self-hostable

Offline verification once keys are available

TypeScript + Go

Conformance fixtures

Choose your path

Built for your role

API providers, MCP hosts, agent operators, and security teams each start differently.

I run an API

Add signed interaction records to requests and responses. Give your consumers portable proof.

API quickstart

I run an MCP server

Return proof with tool calls and verifiable outcomes. Evidence travels with every response.

MCP quickstart

I operate agents

Verify records locally and keep stronger evidence than screenshots or logs.

Try verifier

Security, audit, compliance

Export portable evidence for reviews, incidents, and procurement decisions.

Talk to Originary

Open standard, commercial support

Open standard underneath.
Commercial support when you need it.

PEAC is the open standard. Originary is one production path built on top of it.

Open standard

PEAC Protocol

Open specification, Apache-2.0
Self-hostable, no vendor lock-in
Verification works offline once keys are available
Public docs, tooling, and SDK
Works alongside auth, payments, observability

View PEAC Protocol

Commercial path

Originary

Guided deployment and rollout
KMS-backed signing keys
Compliance evidence bundles
Dedicated engineering access
SLA and priority support

See it in action

For production teams

Use the open protocol directly. Bring in Originary when you need production support.

You do not need Originary to adopt PEAC. But when you need managed deployment, key infrastructure, or compliance workflows, Originary is the commercial path.

Guided deployment and rollout

KMS-backed signing keys

Compliance evidence bundles

Dedicated engineering access

SLA and priority support

Compliance and procurement support

Ready to evaluate PEAC for production?

See it in action Talk to Originary

Questions

Frequently asked

Is this just a joke site?

No. The name is the hook. The problem is real. This site exists to make a serious issue instantly legible.

Do I need Originary to use PEAC?

No. PEAC is open-source and self-hostable. There is no dependency on Originary in the verification path. Originary provides managed deployment and operational support for production teams.

Is this replacing auth, observability, or payment systems?

No. PEAC adds portable signed evidence alongside those systems. It does not replace auth, payment rails, observability platforms, or MCP/A2A runtimes.

Who is this for?

API providers, MCP and tool operators, agent platform teams, and security, audit, and compliance stakeholders who need verifiable evidence of agent interactions.

What does Originary sell?

Guided deployment, KMS-backed signing keys, compliance evidence bundles, dedicated engineering access, SLA support, and enterprise rollout around the open PEAC protocol.

How does verification work?

Records are signed with Ed25519 and verified locally with the issuer's public key. There is no dependency on Originary in the verification path. Verification is offline once public keys are available or bundled.

Verification independence

Open standard

Apache-2.0

Self-hostable

Offline verification

No Originary dependency in verification path

When the question lands, have proof ready.

Open protocol. Production path when you need it.

Verify a sample receipt See it in action See PEAC Protocol

WTF did my agent just do?

This is not another observability product

An agent checks inventory via MCP. What do you get?

The problem is not visibility. It is proof.

Agents cross boundaries

Logs stay local

Disputes happen fast

Logs are local.Proof travels.

How it works

Publish policy

Return a signed record

Verify anywhere

Keep or bundle evidence

Built for your role

I run an API

I run an MCP server

I operate agents

Security, audit, compliance

Open standard underneath.Commercial support when you need it.

PEAC Protocol

Originary

Use the open protocol directly. Bring in Originary when you need production support.

Frequently asked

Is this just a joke site?

Do I need Originary to use PEAC?

Is this replacing auth, observability, or payment systems?

Who is this for?

What does Originary sell?

How does verification work?

When the question lands, have proof ready.

Logs are local.
Proof travels.

Open standard underneath.
Commercial support when you need it.