Attestly · the trust layer for what agents do

Cryptographic receipts for AI agents.

A signed, verifiable record of every task your agents complete — for audit, billing, and dispute resolution.

Scroll

Your AI agent just made a decision that affects a customer. Six months from now, can you prove what it did — and that nobody edited the record?

73%
of regulated firms cite "auditability of AI decisions" as a top-three procurement blocker.
SOURCE — INDUSTRY SURVEY, 2026
$2.4M
average remediation cost for a finding tied to inadequate model-use logging.
SOURCE — SR 11-7 PRACTITIONER DATA, 2025
0
portable, third-party-verifiable receipt formats existed in the agent stack — before Attestly.
SOURCE — MARKET LANDSCAPE, MID-2026
How it works

Receipts that can't be edited after the fact.

Every agent decision is signed at the moment of execution, independently verified by a second agent, and stored in a tamper-evident log. Anyone — your auditor, your customer, a counterparty — can verify the receipt without trusting you.

01 · WORKER

The agent signs every decision at the moment it makes it.

Ed25519 signature binds the agent's identity, the task input, the output, and the timestamp into one cryptographic claim. Tamper with any field — the signature breaks.

The signing unit is the agent's output, not the agent's identity. Every decision produces its own receipt — not a per-session token, not a per-login credential. That's what makes the record evidentiary rather than circumstantial.

  • 32-byte agent public key, identity stable across restarts
  • SHA-256 hashes pin both input and output
  • Signed payload is canonical JSON — replayable across languages
// Worker produces a signed Attestation { "agent_id": "agent-kyc-01", "agent_pubkey": "a3f9b2c1…7d8e4f0a", "task_hash": "1f8b2…", "output_hash": "9c4ae…", "output": "APPROVE", "status": "Completed", "timestamp": 1715456789, "signature": "ed25519:8c92a4…b71f" }
02 · VERIFIER

The verifier doesn't read the log. It re-runs the task.

A second, independently-identified agent executes the same task, validates the Worker's signature, and signs its own attestation recording its verdict. Disagreement is preserved as data, not hidden.

This is the category claim. Identity products attest to who was allowed to act. Attestly attests to what they did — and proves it by doing it again.

  • Two independent verdicts: signature valid, answer correct
  • Disagreement detection across N parallel verifiers
  • Verifier's attestation references the Worker's by id — cryptographic chain of trust
// Verifier's signed verdict { "agent_id": "agent-kyc-02", "references": "7a3c…", "status": { "Verified": { "attestation_valid": true, "answer_correct": true } }, // or — when caught: "status": { "Verified": { "attestation_valid": false, "answer_correct": false } } }
03 · AUDIT

Open the viewer. Hand your auditor a working laptop.

A static HTML viewer renders receipts as a chronological timeline and re-verifies every signature in the browser. No server. No network call. No trust required.

  • Drag in JSONL files — receipts render in seconds
  • Vendored ed25519 verifies signatures client-side
  • Tampered receipts flip red on reload — by design
// In-browser verification result ✓ self-test: signing-payload bytes match Rust canonical encoding ROW 1 — APPROVE   ✓ signature verified ROW 2 — FLAG   ✓ signature verified ROW 3 — FLAG   ✗ signature invalid "receipt has been altered or the key does not match"
See it work

Three receipts. One has been tampered with.

Below is what your compliance lead sees when they open the audit viewer. The third row's signature does not match — and Attestly catches it. If application logs were the only record, that edit would be invisible.

Attestly Audit Viewer · localhost
3 receipts loaded
Time Agents (worker → verifier) Decision Status
2026-05-11 14:32 UTC agent-kyc-01 → agent-kyc-02 Customer #4711 — APPROVE 🟢 Verified
2026-05-11 14:32 UTC agent-kyc-01 → agent-kyc-02 Customer #8842 — FLAG 🟢 Verified
2026-05-11 14:32 UTC agent-kyc-01 → agent-kyc-02 Customer #9999 — FLAG 🔴 Signature invalid
Where it fits

The trust layer for AI agents.

The agent stack has names for almost every layer — except this one. Models, orchestration, tool access, identity, observability, payments. The slot for "what did the agent actually do, and can I prove it" was empty. Attestly is that layer.

Payments
Stripe Agent Toolkit · Skyfire · x402 · Visa/Mastercard agent rails
Trust — Attestly
Signed receipts · Worker–Verifier verdicts · tamper-evident retention
Observability
LangSmith · Braintrust · Helicone · Arize · Langfuse
Identity
Auth0 / Okta agent identity · agent passports · DIDs
Tooling
MCP — the standard for agent ↔ tool wiring
Orchestration
LangGraph · CrewAI · AutoGen · Mastra · bespoke harnesses
Models
Anthropic · OpenAI · Google · open-weights

A note on "trust layer." Some products call themselves the trust layer for agents and live at the identity slot — answering "who is this agent and is it allowed to act." Attestly lives one layer down: "what did the agent actually do, and is the record intact." Both layers are real. Attestly is built for the second one.

Complementary, not competitive. Observability tools tell you what happened on your infrastructure. Attestly tells you what the agent claimed, signed at the source, and proves the claim wasn't edited after the fact. Both belong in your stack.

Install

One line. Your LangGraph agent now signs every node.

Wrap any StateGraph with attestly.langgraph.attest. Every node execution emits a signed receipt to a local file or a configurable sink. No model changes, no orchestration changes — just attestations flowing alongside the work.

$ pip install attestly-langgraph # in your agent file from attestly.langgraph import attest from langgraph.graph import StateGraph graph = build_my_kyc_graph() graph = attest(graph, agent_id="kyc-worker-01") # every node now emits a signed attestation. # defaults to ./data/attestations.jsonl — # swap in CloudSink(api_key=...) when you're ready.
  • Zero refactor. Your graph keeps the same nodes, the same routing, the same model calls. Attestation is a callback, not a rewrite.
  • Local-first by default. FileSink writes JSONL to disk. You can use Attestly forever without a server, an account, or a network call.
  • Switch sinks when you're ready. Same receipts, different destination — local file, Attestly Cloud, your own S3, or a custom callable.
  • Worker–Verifier on demand. Pass verifier_agent_id= to run the graph twice with independent identities and produce a signed verdict.
Who it's for

Three buyers. Three pay-fors.

01 Compliance lead

Pass the audit on the first attempt.

Your examiner asks "show me what the agent did, and prove it wasn't edited." Application logs are circumstantial. Attestly attestations are evidence.

Pay-for The six-figure remediation cost of the finding that doesn't happen.
02 Platform operator

Settle disputes in your favour.

A buyer disputes a $500 agent task. You can refund (lose revenue) or hold the line (lose the buyer). With Attestly, the receipt is the evidence.

Pay-for A percentage of disputed revenue that previously evaporated.
03 Cross-party counterparty

Move past "we don't trust your logs."

Their procurement team wants proof of what your agent did, signed by the agent — not by your platform. Attestly is signed at the source.

Pay-for The deals that previously stalled at vendor risk review.
Pricing

Two ways to run Attestly. Switch directions any time.

The SDK is open source and works offline forever. Attestly Cloud is for teams who'd rather not run their own retention, sharing, and compliance infrastructure. Same signed receipts. Same verification. You own the keys either way.

Open source

Self-hosted

$0/ forever

Run Attestly entirely on your own infrastructure. No account, no telemetry, no dependency on us.

  • LangGraph SDK (Python, MIT)
  • FileSink → local JSONL
  • Static audit viewer (offline)
  • Persistent agent identities
  • Worker–Verifier protocol
  • Community support
Read the code
Regulated buyers

Enterprise

Talk to us

For audit, SOC 2, SR 11-7, EU AI Act, HIPAA. Designed to survive procurement review at a mid-market regulated buyer.

  • Unlimited attestations
  • 7-year tamper-evident retention
  • SSO, audit log of the audit log
  • SOC 2 Type II report
  • Compliance report templates
  • Dedicated SE, MSA & DPA, SLA
Contact sales

Free to start. Free to leave.

Cancelling does not invalidate your receipts. Every attestation we ever stored for you is a self-contained Ed25519-signed record — its proof lives in the bytes, not in our database. The OSS audit viewer re-verifies them with no network call to us.

One command pulls everything down as JSON Lines, ready to drop into the static viewer or your own pipeline:

curl -H "x-api-key: $ATTESTLY_KEY" \
     https://app.attestly.xyz/v1/export > receipts.jsonl

The export endpoint stays available for 30 days after cancellation. After that, your data is purged per our retention promise — but the receipts you exported stay valid forever, because the math doesn't depend on us.

What Attestly is not.

Not a replacement for observability.

Datadog, LangSmith, Helicone tell you what happened on your infrastructure. Attestly tells you what the agent claimed and proves it. Complementary.

Not a judgement on correctness.

Attestly attests to what was claimed, not to whether the claim is right under your business rules. Model validation is your job; Attestly makes the claims auditable.

Not a general "AI trust" product.

The trust Attestly provides is narrow and verifiable: what the agent did, signed at the source, provably un-edited. Not fairness, not alignment, not bias. That narrowness is why auditors accept it — and why we call it a trust layer, not a trust solution.

Not on-chain AI.

Optional Merkle root anchoring exists for cross-party networks. Most buyers will never anchor anything on a chain — the protocol works without one.

Not yet on every framework.

v0.1 ships with LangGraph (Python). CrewAI, AutoGen, and Mastra are next. MCP server middleware lands after that. The Rust core is the reference implementation; every SDK is a binding to it.

The trust layer for what AI agents do

Receipts your auditor will accept.

Identity tells you who acted. Attestly tells you what they did — and proves it by doing it again.
Install the SDK and produce your first signed receipt in five minutes, or book a pilot conversation and bring your compliance lead.