A signed, verifiable record of every task your agents complete — for audit, billing, and dispute resolution.
Every agent decision is signed at the moment of execution, independently verified by a second agent, and stored in a tamper-evident log. Anyone — your auditor, your customer, a counterparty — can verify the receipt without trusting you.
Ed25519 signature binds the agent's identity, the task input, the output, and the timestamp into one cryptographic claim. Tamper with any field — the signature breaks.
The signing unit is the agent's output, not the agent's identity. Every decision produces its own receipt — not a per-session token, not a per-login credential. That's what makes the record evidentiary rather than circumstantial.
A second, independently-identified agent executes the same task, validates the Worker's signature, and signs its own attestation recording its verdict. Disagreement is preserved as data, not hidden.
This is the category claim. Identity products attest to who was allowed to act. Attestly attests to what they did — and proves it by doing it again.
A static HTML viewer renders receipts as a chronological timeline and re-verifies every signature in the browser. No server. No network call. No trust required.
Below is what your compliance lead sees when they open the audit viewer. The third row's signature does not match — and Attestly catches it. If application logs were the only record, that edit would be invisible.
| Time | Agents (worker → verifier) | Decision | Status |
|---|---|---|---|
| 2026-05-11 14:32 UTC | agent-kyc-01 → agent-kyc-02 | Customer #4711 — APPROVE | 🟢 Verified |
| 2026-05-11 14:32 UTC | agent-kyc-01 → agent-kyc-02 | Customer #8842 — FLAG | 🟢 Verified |
| 2026-05-11 14:32 UTC | agent-kyc-01 → agent-kyc-02 | Customer #9999 — FLAG | 🔴 Signature invalid |
The agent stack has names for almost every layer — except this one. Models, orchestration, tool access, identity, observability, payments. The slot for "what did the agent actually do, and can I prove it" was empty. Attestly is that layer.
A note on "trust layer." Some products call themselves the trust layer for agents and live at the identity slot — answering "who is this agent and is it allowed to act." Attestly lives one layer down: "what did the agent actually do, and is the record intact." Both layers are real. Attestly is built for the second one.
Complementary, not competitive. Observability tools tell you what happened on your infrastructure. Attestly tells you what the agent claimed, signed at the source, and proves the claim wasn't edited after the fact. Both belong in your stack.
Wrap any StateGraph with attestly.langgraph.attest. Every node execution
emits a signed receipt to a local file or a configurable sink. No model changes, no orchestration
changes — just attestations flowing alongside the work.
verifier_agent_id= to run the graph twice with independent identities and produce a signed verdict.
Your examiner asks "show me what the agent did, and prove it wasn't edited." Application logs are circumstantial. Attestly attestations are evidence.
A buyer disputes a $500 agent task. You can refund (lose revenue) or hold the line (lose the buyer). With Attestly, the receipt is the evidence.
Their procurement team wants proof of what your agent did, signed by the agent — not by your platform. Attestly is signed at the source.
The SDK is open source and works offline forever. Attestly Cloud is for teams who'd rather not run their own retention, sharing, and compliance infrastructure. Same signed receipts. Same verification. You own the keys either way.
Run Attestly entirely on your own infrastructure. No account, no telemetry, no dependency on us.
Hosted retention and sharing for teams running agents in production. Self-serve, Stripe checkout, cancel any time.
For audit, SOC 2, SR 11-7, EU AI Act, HIPAA. Designed to survive procurement review at a mid-market regulated buyer.
Cancelling does not invalidate your receipts. Every attestation we ever stored for you is a self-contained Ed25519-signed record — its proof lives in the bytes, not in our database. The OSS audit viewer re-verifies them with no network call to us.
One command pulls everything down as JSON Lines, ready to drop into the static viewer or your own pipeline:
curl -H "x-api-key: $ATTESTLY_KEY" \
https://app.attestly.xyz/v1/export > receipts.jsonl
The export endpoint stays available for 30 days after cancellation. After that, your data is purged per our retention promise — but the receipts you exported stay valid forever, because the math doesn't depend on us.
Datadog, LangSmith, Helicone tell you what happened on your infrastructure. Attestly tells you what the agent claimed and proves it. Complementary.
Attestly attests to what was claimed, not to whether the claim is right under your business rules. Model validation is your job; Attestly makes the claims auditable.
The trust Attestly provides is narrow and verifiable: what the agent did, signed at the source, provably un-edited. Not fairness, not alignment, not bias. That narrowness is why auditors accept it — and why we call it a trust layer, not a trust solution.
Optional Merkle root anchoring exists for cross-party networks. Most buyers will never anchor anything on a chain — the protocol works without one.
v0.1 ships with LangGraph (Python). CrewAI, AutoGen, and Mastra are next. MCP server middleware lands after that. The Rust core is the reference implementation; every SDK is a binding to it.
Identity tells you who acted. Attestly tells you what they did — and proves it by doing it again.
Install the SDK and produce your first signed receipt in five minutes, or book a pilot conversation and bring your compliance lead.