Delegation Receipt Protocol v2.1.0

The AI agent acted.
Can you prove what it was authorized to do?

Authproof gives every agent action a cryptographic receipt that existed before execution started. Not reconstructed from logs. Not the operator's word against yours. Math.

install
# JavaScript
npm install authproof

# Python
pip install authproof-py

Want managed infrastructure? cloud.authproof.dev — free tier available.


01 / operator claims

The operator claims you authorized it.

Right now there is no cryptographic record of what you actually told your agent to do. The company running it can say anything.

02 / model substitution

The model was swapped after you signed.

An operator can substitute a modified model after authorization. Standard receipts don't detect this. Ours do.

03 / server-side logs

The audit trail is server-side logs.

Logs can be written after the incident. A Delegation Receipt exists before the first action. That is not the same thing.

04 / confidential deployment

Confidential Deployment

Azure TDX and AWS Nitro Enclaves supported. Execution happens inside hardware-attested confidential compute — verifiable from outside the operator's stack.

05 / session state

Session State

Adaptive risk-aware authorization. Trust decay, sensitivity classification, real-time threat scoring.

06 / approval outcome logging

Approval Outcome Logging

Noise vs signal scoring. Threshold recalibration. Approval fatigue detection.


Two primitives. One complete chain.

Seven verification checks. Every one must pass before execution proceeds. Scope defined from observed behavior, not guesswork.

authproof-cli
$ authproof verify --receipt 0x7f3a...
[1/7] Receipt signature            PASS
[2/7] Revocation check             PASS
[3/7] Time window                  PASS
[4/7] Scope validation             PASS
[5/7] Operator instruction hash    PASS
[6/7] Model state attestation      PASS
[7/7] Replay protection            PASS
✓ Authorization verified. Receipt pre-dates execution.

Delegation Receipt    signed by user
Model Commitment      bound to receipt
Execution Proof       hardware attested
Action Log            tamper evident chain
Delegation Chain      scope attenuation enforced

[session] trust: 97.3 | risk: 12.1 | ALLOW

// by the numbers
1,151 Tests passing
14 Test suites
0 Failures
7 Verification checks
2 Core primitives
2 Language SDKs

Minimal integration surface.

One client. One receipt. Every subsequent action is locked to it.

agent.js
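import { AuthProofClient, ScopeSchema } from 'authproof'

// Assumption: the page does not show how `client` is created; a no-argument
// constructor is a placeholder here. Check the SDK docs for required options.
const client = new AuthProofClient()
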
const receipt = await client.delegate({
  scope: new ScopeSchema({
    allowedActions: [{ operation: 'read',   resource: 'email' }],
    deniedActions:  [{ operation: 'delete', resource: '*'     }]
  }),
  operatorInstructions: 'Summarize inbox only',
  expiresIn: '2h'
})

// Agent cannot act outside this receipt
// Operator cannot claim broader authorization
// Model substitution is detected automatically
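
The verification checks listed in the CLI output and the scope from agent.js can be illustrated with a minimal signed receipt; this is an added example, not the authproof SDK or its API. It uses Node's built-in crypto with an Ed25519 user key, and every function and field name in it is hypothetical. Model state is reduced to a hash comparison, and hardware attestation is out of scope.

```javascript
// Added illustration; not the authproof SDK. All names here are hypothetical.
const ncrypto = require('node:crypto');
const sha256 = (s) => ncrypto.createHash('sha256').update(s).digest('hex');
// Fixed field order so signer and verifier serialize identical bytes.
const canonical = (r) => JSON.stringify([r.id, r.allowed, r.denied,
  r.instructionHash, r.modelHash, r.notBefore, r.notAfter]);

// User side: sign the receipt before the agent runs anything.
function issueReceipt(userKey, { allowed, denied, instructions, modelHash, now, ttlMs }) {
  const body = { id: ncrypto.randomUUID(), allowed, denied,
    instructionHash: sha256(instructions), modelHash,
    notBefore: now, notAfter: now + ttlMs };
  const sig = ncrypto.sign(null, Buffer.from(canonical(body)), userKey).toString('base64');
  return { ...body, sig };
}

const matches = (rule, a) => rule.operation === a.operation &&
  (rule.resource === '*' || rule.resource === a.resource);

// Verifier side: returns the name of the first failing check, or 'ALLOW'.
function verifyAction(receipt, userPub, ctx, seenNonces, revoked) {
  const sigOk = ncrypto.verify(null, Buffer.from(canonical(receipt)), userPub,
    Buffer.from(receipt.sig, 'base64'));
  if (!sigOk) return 'signature';
  if (revoked.has(receipt.id)) return 'revocation';
  if (ctx.now < receipt.notBefore || ctx.now > receipt.notAfter) return 'time-window';
  // Deny rules win; anything not explicitly allowed is out of scope.
  if (receipt.denied.some((r) => matches(r, ctx.action)) ||
      !receipt.allowed.some((r) => matches(r, ctx.action))) return 'scope';
  if (sha256(ctx.instructions) !== receipt.instructionHash) return 'instruction-hash';
  if (ctx.modelHash !== receipt.modelHash) return 'model-state';
  if (seenNonces.has(ctx.nonce)) return 'replay';
  seenNonces.add(ctx.nonce);
  return 'ALLOW';
}

// Constructed sample run using the scope from the page's agent.js.
function demo() {
  const { publicKey, privateKey } = ncrypto.generateKeyPairSync('ed25519');
  const now = Date.now();
  const receipt = issueReceipt(privateKey, {
    allowed: [{ operation: 'read', resource: 'email' }],
    denied: [{ operation: 'delete', resource: '*' }],
    instructions: 'Summarize inbox only', modelHash: sha256('model-v1'), now, ttlMs: 7.2e6 });
  const base = { now: now + 1000, action: { operation: 'read', resource: 'email' },
    instructions: 'Summarize inbox only', modelHash: sha256('model-v1'), nonce: 'n1' };
  const seen = new Set(), revoked = new Set();
  const run = (over) => verifyAction(receipt, publicKey, { ...base, ...over }, seen, revoked);
  return [run({}), run({}), run({ nonce: 'n2', modelHash: sha256('model-v2') }),
    run({ nonce: 'n3', action: { operation: 'delete', resource: 'email' } })];
}
```

`demo()` returns the outcome for a valid read, the same request replayed, a request under a substituted model hash, and a denied delete.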

Ryan Nelson

Built by one person

I am Ryan Nelson. HVAC technician at Arctic Air. Accounting student at Oklahoma State University. Father of a daughter turning three in June.

I spent the last month building Authproof because the PocketOS incident showed what happens when AI agents act without cryptographic proof of what they were authorized to do. Nobody else was solving this at the protocol layer.

IETF Internet-Draft filed April 2026. 1,229 tests. MIT licensed.

Full time job. Full time school. Built it anyway.