
 ██████╗ ███████╗ █████╗  ██████╗
 ██╔══██╗██╔════╝██╔══██╗██╔════╝
 ██████╔╝█████╗  ███████║██║
 ██╔═══╝ ██╔══╝  ██╔══██║██║
 ██║     ███████╗██║  ██║╚██████╗
 ╚═╝     ╚══════╝╚═╝  ╚═╝ ╚═════╝

v0.15.1 · stable on npm

Verify what your agents and tools actually did.

PEAC issues portable, signed records for AI agents, APIs, MCP tools, and gateways. Get from zero to a verified record in seconds.

[ verify a sample ]quickstart ↓

tip the terminal is real — type verify then tamper.

guest@peac.dev: ~/verifyzsh

run:

start here

Pick a path. Each is copy-paste.

browser · 60s

Verify in the browser

Decode and check a real signed record with the Web Crypto API. No install, no account.

open verifier

cli · 5m

Issue + verify locally

Generate signed sample records and verify one offline against the sandbox key.

open /try

mcp · 1h

Add to an MCP tool

Attach a signed record to a tool call and verify it independently across the boundary.

open /mcp

quickstart

60 seconds to a local proof.

Generate real signed records and verify one offline. Requires Node 22+. No account.

1 · generate signed samples

$npx @peac/cli@0.15.1 samples generate -o ./samples

2 · verify one offline

$npx @peac/cli@0.15.1 verify ./samples/valid/basic-record.jws --public-key ./samples/bundles/sandbox-jwks.json

expected Signature valid (offline)

what a record looks like

interaction-record.jwsdecoded

interaction record · wire 0.2✓ verified

jti: 019ecfcc…bdd8
type: org.peacprotocol/access
kind: evidence
iss: sandbox.peacprotocol.org
iat: 2026-06-16
alg: EdDSA · Ed25519
kid: sandbox-2026-06

signature

signing input: header.payload ✓
public key: sandbox-2026-06 ✓
checked by: web crypto · offline ✓

Ed25519 signature valid · verified offline · tamper-evident

Same sandbox record as the terminal and /verify; rendered here so you can see the shape. Or run the walkthrough.

wire it in

Attach a record to an MCP tool call.

tool result _meta

{
  "_meta": {
    "org.peacprotocol/receipt_jws": "<compact-JWS>",
    "org.peacprotocol/receipt_ref": "sha256:<digest>"
  }
}

The consumer extracts the JWS, confirms receipt_ref == sha256(jws), and verifies the signature. Tampering fails closed.

$peac verify <record.jws> --public-key <issuer-jwks.json>

MCP guide integration docs ↗

terminal commands

Everything is a command.

verify	verify the signed sandbox record (real Ed25519, offline)
tamper	flip a byte, then verify -> watch it fail closed
decode	base64url-decode the record header + payload
gui	open the full point-and-click verifier
try / mcp	open the CLI path / MCP integration
help	list every command

man peac

Getting-started questions.

>how do I verify a signed record?

Run the terminal above (type verify), use the browser verifier at /verify, or run the CLI: npx @peac/cli verify <record.jws> --public-key <jwks.json>. Verification checks the Ed25519 / JWS signature against the issuer public key.

>does verification need a network connection?

No. Records verify offline with a local public key. The in-browser verifier can additionally resolve the issuer key from the record over https for convenience.

>where are the full docs and specification?

The canonical PEAC Protocol specification, schemas, and documentation live at peacprotocol.org. peac.dev is a developer front door for getting started fast.

Verify a real signed record now.

[ open verifier ]star on github ↗