TAP solves the "is this agent legitimate?" question with RFC 9421 signatures. Once the agent is authenticated and the merchant processes the transaction, though, neither party has a cryptographic record of what actually happened.
For regulated commerce this creates a gap: the agent proved its identity at request time, but there is no tamper-evident receipt of the transaction itself. In a chargeback dispute or compliance audit, the merchant has logs, but logs are mutable. The agent has nothing.
Proposed extension: a lightweight receipt that the merchant (or a TAP-aware proxy) signs after processing a verified agent request.
The receipt would contain:
- The original TAP signature (binding it to the authenticated request)
- A hash of the transaction payload (what was actually processed)
- Merchant signature over both (proving the merchant saw and processed this specific request)
- Timestamp and sequence number (ordering guarantee)
This creates a two-sided audit trail: the agent proves it was authorized (via TAP signature), and the merchant proves what it processed (via receipt signature). Either party can verify the other's claims offline.
I built a working implementation of this receipt pattern for a different context (MCP tool-call signing): examples/deerflow-receipts. The core is Ed25519 signing with JCS canonicalization (RFC 8785), which would map cleanly onto TAP's existing signature infrastructure.
Two design questions worth considering:
-
Who signs the receipt? The CDN proxy is the natural candidate since it already intercepts and verifies TAP signatures. Alternatively, the merchant backend could sign after processing.
-
Receipt format: TAP already uses RFC 9421 for request signatures. Should receipts reuse the same signature format (keeping everything in the HTTP Message Signatures family), or use a simpler detached JWS envelope?
Happy to prototype a receipt-signing extension for the CDN proxy if there is interest.
TAP solves the "is this agent legitimate?" question with RFC 9421 signatures. Once the agent is authenticated and the merchant processes the transaction, though, neither party has a cryptographic record of what actually happened.
For regulated commerce this creates a gap: the agent proved its identity at request time, but there is no tamper-evident receipt of the transaction itself. In a chargeback dispute or compliance audit, the merchant has logs, but logs are mutable. The agent has nothing.
Proposed extension: a lightweight receipt that the merchant (or a TAP-aware proxy) signs after processing a verified agent request.
The receipt would contain:
This creates a two-sided audit trail: the agent proves it was authorized (via TAP signature), and the merchant proves what it processed (via receipt signature). Either party can verify the other's claims offline.
I built a working implementation of this receipt pattern for a different context (MCP tool-call signing): examples/deerflow-receipts. The core is Ed25519 signing with JCS canonicalization (RFC 8785), which would map cleanly onto TAP's existing signature infrastructure.
Two design questions worth considering:
Who signs the receipt? The CDN proxy is the natural candidate since it already intercepts and verifies TAP signatures. Alternatively, the merchant backend could sign after processing.
Receipt format: TAP already uses RFC 9421 for request signatures. Should receipts reuse the same signature format (keeping everything in the HTTP Message Signatures family), or use a simpler detached JWS envelope?
Happy to prototype a receipt-signing extension for the CDN proxy if there is interest.