Server data from the Official MCP Registry
EU AI Act-ready audit trail: signed, tamper-evident receipts proving what your AI agents did.
EU AI Act-ready audit trail: signed, tamper-evident receipts proving what your AI agents did.
4 tools verified · Open access · No issues found
Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.
Remote servers are capped at 8.0 because source code is not available for review. The score reflects endpoint verification only.
Set these up before or after installing:
Environment variable: AGENT_RECEIPTS_DATA
Add this to your MCP configuration file:
{
"mcpServers": {
"io-github-dhanushs1912-svg-agent-receipts-mcp": {
"env": {
"AGENT_RECEIPTS_DATA": "your-agent-receipts-data-here"
},
"args": [
"-y",
"agent-receipts-mcp"
],
"command": "npx"
}
}
}From the project's GitHub README.
Prove what your AI agents did.
On August 2, 2026, the EU AI Act's record-keeping obligations for high-risk AI systems became enforceable: automatic event logging (Article 12), deployer log retention of at least six months (Article 26), and penalties up to €15M or 3% of global turnover. The question your auditor, regulator, or counterparty will ask is simple:
"Your AI agent approved this. Prove exactly what it did — and prove nobody edited the record."
An ordinary log file can't answer that: whoever owns the log can edit it. agent-receipts
gives every consequential agent action a cryptographically signed, timestamped receipt
that anyone can verify offline — and exports signed audit bundles you can hand
directly to a compliance officer.
export_audit_bundle produces what compliance actually needs: all receipts in a date
range, a tamper-evidence report (sequence gaps, chain breaks), the signing public key,
and a manifest signature over the whole bundle. Retention is yours to control — the vault
is a local SQLite file you keep as long as Article 26 (or your policy) requires.
You don't have to trust us. Receipts verify offline against a pinned public key with the bundled CLI — no account, no network call, no dependence on this service existing tomorrow. That's what makes the evidence durable.
// Claude Desktop / Claude Code / any MCP client
{
"mcpServers": {
"agent-receipts": {
"command": "npx",
"args": ["-y", "agent-receipts-mcp"],
"env": { "AGENT_RECEIPTS_DATA": "<where-to-keep-the-vault>" }
}
}
}
Requires Node.js >= 22.13 (uses the built-in node:sqlite — zero native dependencies).
Prefer one-click? Grab the .mcpb bundle from
Releases and open it
with Claude Desktop.
| Tool | When an agent should call it |
|---|---|
issue_receipt | Immediately after any consequential action. Returns the signed receipt. |
verify_receipt | Before trusting a receipt presented by another agent or system. |
export_audit_bundle | When a human asks for the audit trail of a date range. |
get_service_info | To fetch the public key worth pinning for offline verification. |
npm install && npm run build
npm run serve # http://localhost:8787
# 1. Create a vault (returns your API key — shown once)
curl -X POST localhost:8787/v1/vaults -d '{"name":"acme-compliance"}'
# 2. Issue a receipt after an agent action
curl -X POST localhost:8787/v1/receipts \
-H "Authorization: Bearer ark_..." \
-d '{"action_type":"invoice.approved","summary":"Approved INV-1042 for EUR 1,250",
"payload":{"invoice":"INV-1042","amount":1250},"actor":"agent:ap-bot@acme"}'
# 3. Anyone can verify — no auth
curl -X POST localhost:8787/v1/verify -d '{"receipt":{...}}'
# 4. Export a signed audit bundle for the compliance officer
curl "localhost:8787/v1/export?from=2026-01-01" -H "Authorization: Bearer ark_..."
Service manifest for machine discovery: GET /.well-known/agent-receipts.json.
npx -y -p agent-receipts-mcp agent-receipts-verify receipt.json --pubkey <base64-spki-der>
# exit 0 = authentic, exit 1 = invalid/tampered
agent-receipts/v1){
"schema": "agent-receipts/v1",
"id": "rcpt_...",
"vault_id": "vlt_...",
"sequence": 42, // monotonic per vault; gaps = deletion evidence
"issued_at": "2026-07-15T12:34:56.789Z",
"action": {
"type": "invoice.approved",
"summary": "Approved invoice INV-1042 for EUR 1,250",
"actor": "agent:ap-bot@acme", // optional
"principal": "acme-gmbh", // optional
"context": { "jurisdiction": "EU" } // optional
},
"payload_hash": "sha256:...", // or null; contents never stored
"prev_receipt_hash": "sha256:...", // hash chain to the previous receipt
"key_id": "key_...",
"public_key": "<base64 SPKI DER>", // embedded for offline verification
"signature": "<base64 Ed25519 over canonical JSON of everything above>"
}
Canonicalization is JCS-style: lexicographically sorted keys, no whitespace. The JSON Schema lives at docs/receipt.schema.json.
| Obligation | How agent-receipts helps |
|---|---|
| Art. 12 — automatic event logging | issue_receipt on every consequential action; timestamps, actor, traceable chain |
| Art. 26 — keep logs ≥ 6 months | Local vault you retain on your terms; signed export_audit_bundle for handover |
| Traceability / integrity | Ed25519 signatures, hash chain, deletion detection, offline verification |
Not legal advice. Whether your system is "high-risk" and what you must log is a question for your counsel. agent-receipts produces evidence infrastructure.
MIT License.
Be the first to review this server!
by Modelcontextprotocol · Developer Tools
Read, search, and manipulate Git repositories programmatically
by Toleno · Developer Tools
Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.
by mcp-marketplace · Developer Tools
Create, build, and publish Python MCP servers to PyPI — conversationally.