Cryptographically verifiable receipts for delegated AI work

Prove what your AI agents actually did.

Every action your agent takes is signed, chained, and witnessed. Anyone can verify a Sequesign receipt offline, even years later.

The Sequesign protocol, end to end. An agent records an action, the witness countersigns it, the receipt is finalized, and any verifier can confirm it offline against the published witness key. >_ AGENT records invoice_reviewed WITNESS countersigns · 0e050a75… RECEIPT finalized · receipt.tar.gz VERIFIER confirms · no network required L3 · A · C VERIFIED · OFFLINE
Ed25519 SHA-256 Canonical JSON Length-prefixed encoding Offline verification Patent pending

Tamper-evident

Audit trails that fail loudly.

Every action enters a signed hash chain. Re-ordering, omission, and after-the-fact edits are detectable on verification.

Tampered receipts surface as verification failures, not as a clean log. The verifier tells reviewers exactly which action, which evidence hash, and which chain state broke.

See a tampered receipt fail →
01 9f4a8c2b… task_created OK
02 b3217f00… policy_checked OK
03 c8e91a4d… llm_reviewed MISMATCH
04 d2e7f180… human_approval UNREACHED
L0 · evidence hash mismatch at action 03

Offline verification

Verifiable offline. By anyone.

The verifier needs no Sequesign endpoint to confirm a receipt at verification time. Given the receipt and the witness's published public key, any reviewer can verify the chain, the schemas, the workflow, and the human approval signatures. No network access to Sequesign required at the moment of verification.

View the live witness key →
$ sequesign verify ./receipt.tar.gz
 
reading receipt ./receipt.tar.gz
resolving witness witness.sequesign.com
witness key f4f9ed6f0657e186
 
chain continuity 4 actions, 0 gaps
evidence hashes 4 / 4 match
agent signatures 4 / 4 valid
witness signatures 4 / 4 valid
profile constraints invoice-payment-v1
human approval alice@acme.com
 
L3 · A · C verified · no network required

Standards & interoperability

Open formats. No lock-in.

A Sequesign receipt is not a closed format. Any receipt can be notarized as a DSSE-wrapped in-toto Statement — canonicalized with RFC 8785 (JCS) and signed with Ed25519 — so standard DSSE/in-toto tooling can verify the witness signature offline against our published key, no Sequesign service required.

in-toto attestation DSSE envelope RFC 8785 (JCS) Ed25519 SHA-256

Interactive demo

Prove the approval happened.

Your policy says a human reviews every payment. Can you prove it for this payment? In a Sequesign receipt the approval is a signature, not a log line. Pick a domain and a condition, then verify. The same Sequesign verifier handles both workflows; the failure modes are real, not staged.

Live verifier / receipt artifact

Receipt sandbox

Receipt domain Same verifier, different workflow
Receipt condition Select, then verify
select a domain and condition, then verify…

Trust model

What a receipt can and cannot prove.

Sequesign shows what is verified, what is attested, and what remains only agent-asserted. The distinction is the product.

What the receipt can prove

  • Evidence has not changed after receipt construction
  • Action sequence and chain continuity are intact
  • Agent and witness signatures verify
  • Schema validation passed, when requested
  • Workflow profile validation passed, when requested
  • Human approval signature is present and valid

What a receipt does not prove

  • The agent told the truth
  • The invoice came from the real vendor
  • The payment provider confirmed the instruction
  • The LLM provider attested to the response
  • A lying agent self-reported every unsupported claim
  • Every natural-language claim is externally verified

SDK

One SDK call per action.

Start a session. Record actions as they happen. Finalize. The receipt is a single signed artifact reviewers can verify with the local CLI or the hosted verifier at verify.sequesign.com.

  • Three receipt modes: freeform, schema-validated, profile-constrained
  • Built-in human approvals, plan steps, counterparty attestations
  • Cross-process resume from on-disk checkpoint
  • Verification levels L0 through L3, plus independent W/A/C badges, from real SDK calls

View on GitHub →

import { createSequesign } from "@sequesign/sdk";

const sdk = createSequesign({
  witness: {
    baseUrl: "https://witness.sequesign.com",
    apiKey: process.env.SEQUESIGN_API_KEY
  }
});

const session = await sdk.startSession({
  agent: { agentId: "agent_acme_invoice_bot", keypair: agentKeys },
  task:  { taskId: "inv_2024_07_421", profile: "invoice-payment-v1" }
});

await session.recordAction({
  actionType: "invoice_reviewed",
  evidence:   { invoice_id: "inv_2024_07_421", decision: "approve" }
});

const { receiptPath } = await session.finalize();
// receiptPath → ./out/<task_id>.tar.gz  ·  verifiable offline
# Witness one action over bare HTTP. The same operation as SDK (direct).
# action_record_hash and the chain states are precomputed from the action
# record; docs/protocol-primitives-reference.md shows how.
curl -s -X POST https://witness.sequesign.com/witness \
  -H "Authorization: Bearer $SEQUESIGN_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "chain_id": "chn_minimal_action",
    "sequence": 1,
    "action_record_hash": "de15a7e8f5a7e310bc899451bce16bcddb2c709d45f62a16f1bce6c17f2ac85d",
    "previous_chain_state": "7a94dc75d14c5fb6af6d27a931534b5e034c1e8e5d51b4ae2b7b027aa53651d7",
    "chain_state": "e5f14487d84857e74a2025d8739c1425f8ec9fe7dccf7d8703f61f7bc1277ea0"
  }'
# Records the action and returns a witness attestation.
import { createSequesign } from "@sequesign/sdk";

// Managed mode routes through Sequesign's hosted broker. Sequesign
// stores and witnesses the receipt; nothing is written to local disk.
const sdk = createSequesign({
  mode: "managed",
  tier: "hosted",
  broker: {
    baseUrl: "https://broker.sequesign.com",
    apiKey: process.env.SEQUESIGN_API_KEY
  }
});

const session = await sdk.startSession({
  agent: { agentId: "agent_acme_invoice_bot", keypair: agentKeys },
  task:  { taskId: "inv_2024_07_421", delegatorId: "acme_ap_team" }
});

await session.recordAction({
  actionType: "invoice_reviewed",
  evidence:   { invoice_id: "inv_2024_07_421", decision: "approve" }
});

const { receiptId, receiptUrl } = await session.finalize();
// receiptUrl → dashboard.sequesign.com/receipts  ·  witnessed and stored
// To verify offline later, check witness signatures against the discovery
// key (/.well-known/sequesign/keys.json), not any key in the response.
// In bare HTTP this flow needs client-side Ed25519 signing and envelope
// assembly; the Python and Go examples in
// docs/protocol-primitives-reference.md section 5 show the machinery.
# Python SDK coming soon.
# Track progress on GitHub: https://github.com/Sequesign/sdk
// Go SDK coming soon.
// Track progress on GitHub: https://github.com/Sequesign/sdk

MCP

Give your agent a receipt.

The Sequesign MCP server turns any MCP-capable agent — Claude Desktop, Claude Code, and other clients — into one that can prove what it did. It exposes tools to open a signed session, record each action as it happens, and seal a witnessed receipt anyone can verify offline. In direct mode the agent's signing key never leaves the machine.

  • Tools for sessions, actions, approvals, counterparty, finalize, verify
  • Direct mode (key stays local) or managed (registered identity)
  • Schema- and profile-constrained recording, same as the SDK
  • One line in Claude Code, or a one-click Desktop Extension

View on GitHub →

MCP server · install & prompt
# Claude Code — add the server. Direct mode signs
# locally but the hosted witness needs a write-class
# API key from dashboard.sequesign.com.
claude mcp add sequesign \
  --env SEQUESIGN_API_KEY=sq_live_... \
  -- npx -y @sequesign/mcp

# Leaving the agent key unset mints a per-session key
# (self-asserted). If your API key is registered to an
# agent key, also pass that exact key:
#   --env SEQUESIGN_AGENT_PRIVATE_KEY="$(cat agent.key.pem)"

# Claude Desktop — one-click Desktop Extension:
# download sequesign.mcpb from the GitHub release,
# or find Sequesign in the MCP registry.

# Then just ask your agent:
"Review and pay invoice INV-4242 ($4,200) from Acme
Supplies — then give me a Sequesign receipt I can
verify independently."

# The agent opens a signed session, records each step,
# and seals a witnessed receipt that verifies offline.

Pricing

Choose your trust model.

Start free, choose the Standard plan, or run a dedicated witness. The protocol, the SDK, and the verifier are identical across tiers. Library storage is $0.10 per GB-month on every paid tier; configure retention via pruning policies.

Free

Developer tier

$0 / month

Try the protocol with no commitment.

  • 1,000 signatures / month
  • 10 MB library storage (storage pauses at the limit)
  • Up to 1 MB evidence per receipt
  • 90-day receipt retention
  • Hosted witness service
  • Email support

Standard

For production

$5 / month + usage

5,000 witnesses and 1 GB included each month, then pay for what you use.

  • 5,000 signatures / month included
  • 1 GB library storage included
  • Up to 4 MB evidence per receipt
  • $0.001 per signature over 5,000
  • $0.10 per GB-month for additional storage
  • Configurable retention (time-based or size-based pruning)
  • Hosted witness at witness.sequesign.com
  • Email support

Managed Isolated

Dedicated witness for your data

$25 / month + $0.002 per signature

Your own dedicated witness instance with isolated keys.

  • 10 GB library storage included
  • Up to 4 MB evidence per receipt
  • $0.10 per GB-month for additional storage
  • Configurable retention (time-based or size-based pruning)
  • Dedicated witness instance with isolated keys
  • Priority support

Bring Your Own Infrastructure

Data residency for regulated deployments

For data sovereignty

Contact us

Keep your receipts and evidence in your own cloud or datacenter. We work with you on a deployment that fits your data-residency requirements — your data stays under your control while Sequesign provides the protocol, witness, SDK, and support.

  • Your data stays in your infrastructure
  • Hash-only by default — evidence content need never reach Sequesign
  • Configurable evidence size limits
  • Independent witness signing by Sequesign
  • Configurable retention (time-based or size-based pruning)
  • Protocol updates and integration support

Enterprise

Custom for your scale

For complex needs

Custom

Annual contracts, dedicated support, custom SLA.

  • All deployment options
  • Custom storage quotas and rates
  • Custom evidence size limits
  • Dedicated support engineer
  • 99.99% uptime SLA

Use cases

One protocol. Many delegated workflows.

The same sequence-signing receipt pattern applies wherever agents act on behalf of people or organizations. Below are the workflows the protocol was designed against and the ones it's being shaped toward next.

Invoice and procurement approvals

Receipts attach decision evidence and human approval to every payment instruction an agent emits.

Design target

Healthcare decision support

Sign clinician confirmations alongside model output for prescription, triage, and intake.

High-trust use case

Financial and compliance agents

Per-action receipts that survive audit cycles for trading bots, KYC, and regulated reporting.

Future profile

Customer operations automation

Refunds, escalations, and entitlement decisions land in a permanent, attestable log.

Profile candidate

Get started

Ready to sign your first receipt?

Sequesign issues API keys directly from the dashboard. The hosted witness is live; the SDK is engineering-complete; the verifier runs locally today.

IP posture

Patent pending.

Sequesign technology is patent pending. This demo explains protocol concepts and is not a production deployment.