Every tool call,
signed.

Tamper-evident receipts for every agent action. Drop-in SDK. Your tools stay the same.

$ pip install "aevs[langchain]"

Examples → Explorer

1install · pip install aevs

2configure + enable · wire up in your app

3run agent · receipt sealed on every tool call

import os, aevs
from dotenv import load_dotenv

load_dotenv()
aevs.configure(
    api_key=os.environ["AEVS_API_KEY"],
    agent_id=os.environ["AEVS_AGENT_ID"],
)
aevs.enable()  # auto-detects langchain, mcp

# run your agent - every tool call → signed receipt

import os, aevs
from dotenv import load_dotenv
from langchain_openai import ChatOpenAI
from langchain.agents import create_agent

load_dotenv()
aevs.configure(
    api_key=os.environ["AEVS_API_KEY"],
    agent_id=os.environ["AEVS_AGENT_ID"],
)
aevs.enable(frameworks=["langchain"])

agent = create_agent(
    model=ChatOpenAI(model="gpt-4o"),
    tools=[...],
)
await agent.ainvoke({"messages": [("user", "pay $142 to acme")]})
aevs.flush()

approve_payment sealed d4e5f6a7… chain intact view in explorer →

LangChain 0.2+ MCP 1.20+ Python 3.10–3.13 Open source · fetchai/AEVS-sdk

How it works

Catch. Sign. Verify.

One receipt per tool call. The flow below is what gets written every time your agent acts.

CatchRecord the call

AEVS sits between the agent and its tools. Every invocation is captured: tool name, inputs, output, timing, and errors.

SignSeal the chain

Each receipt is HMAC-sealed and linked to the previous one. The hash chain shows if anything was altered or skipped.

VerifyCheck independently

Share a reference_id. The public API or explorer confirms the signature without your codebase.

The problem

Model text is not proof of execution.

Example Your agent refunds user_91 for invoice #8842 The model replies: "Refund of $142 sent." That message describes intent. It does not record which tool ran, with which inputs, or what the API returned.

Without AEVS

You rely on chat history and app logs to reconstruct what happened. Auditors cannot verify a tool call from the model reply alone.

No portable proof · manual replay · gaps are hard to spot

With AEVS

Each tool call gets a signed receipt: exact tool, inputs, output, and place in the chain.

ref d4e5f6a7… · independent verify · no re-running the agent

Verify

Verify via API or explorer

No account required. Same signed proof either way.

Via API

GET https://api.aevs.fetch.ai/v1/receipts/verify/<reference_id>

Response

verified true tool approve_payment status success

For scripts, CI, and auditors. Pass <reference_id> only.

Via explorer

Browse receipts in the UI. Open one by reference_id and see verification, chain, and tool details.

1 Open the explorer
2 Search your reference_id or receipt_id
3 View receipt Detail

Open explorer

Visibility

You control what ships

Two settings work together: what each receipt exposes, and whether your agent appears on the public explorer.

SDK · receipt_visibility

Set per agent when you configure AEVS. Applies to every receipt that agent creates.

aevs.configure(..., receipt_visibility="public")

Dashboard · explorer listing

Toggle per agent. When off, that agent's receipts are not listed on the public explorer (verify API still works if you have the reference_id).

public open audit

Full tool payloads on the explorer and verify API.

What is stored: Inputs, outputs, metadata, and hash chain.
Who sees payloads: Anyone with the reference_id or explorer access.
Best for: Demos, shared audits, or workflows where reviewers need the full picture.

private default for prod

Prove the call happened. Hide payloads from the public.

What is stored: Full inputs and outputs in the backend (your team can view them).
Who sees payloads: Only your account. Public verify and explorer show [REDACTED] for inputs and outputs.
Still public: Tool name, status, timestamps, signatures, and hash chain. Auditors can confirm execution without seeing sensitive fields.

proof_only strictest

Never store payloads. Only hashes and metadata.

What is stored: Inputs and outputs are stripped before ingest. Only input_hash, output_hash, and chain data are kept.
Who sees payloads: No one. There is no payload to retrieve, even for the owner.
Best for: PCI, health, or other data you must not persist, while still proving the tool ran.