Why architecture matters here
AP2 receipts matter because they provide the verifiable proof that closes the loop on an agent payment -- cryptographic evidence that the transaction happened, as authorized -- essential for trust, disputes, and auditability in agent payments. When an agent completes a payment, there must be verifiable proof it happened (for the parties' records, for disputes, for audit). An AP2 receipt provides this: a cryptographically-signed, verifiable proof of the completed payment (the amount, parties, mandate reference, settlement) -- tamper-evident and verifiable by anyone. This is essential for trust (the parties trusting the payment is proven), disputes (the receipt as evidence -- linking intent, mandate, and payment), and auditability (reconstructing transactions). Without verifiable receipts, agent payments would lack proof (disputes hard to resolve, no audit trail, less trust). For AP2 (agent payments) to be trustworthy and auditable, verifiable receipts are essential, and understanding them (the cryptographic proof, the links, the uses) is understanding how agent payments are proven and made auditable.
The cryptographically-signed-verifiable-proof insight is the core, and it's what makes the receipt strong evidence. A receipt isn't just a record -- it's a cryptographically-signed proof. The receipt (the transaction details -- amount, parties, mandate reference, settlement) is signed cryptographically (by the issuing party -- e.g., the payment processor or settlement system) -- so the signature makes it tamper-evident (any alteration to the receipt would invalidate the signature -- so the receipt can't be forged or altered without detection) and verifiable (anyone can check the signature -- confirming the receipt is authentic -- from the claimed issuer -- and unaltered). This makes the receipt strong evidence: it's a proof that can't be forged (the signature) and can be independently verified (by anyone -- not requiring trusting the presenter) -- so it's a reliable proof of the transaction (versus an unsigned record, which could be forged or altered, and requires trusting the source). This cryptographic strength (tamper-evident, verifiable) is what makes the receipt a strong piece of evidence (for disputes, audit, non-repudiation) -- reliable, independently-verifiable proof. Understanding the cryptographically-signed-verifiable-proof core (the receipt as tamper-evident, independently-verifiable evidence) is understanding what makes the AP2 receipt strong.
And the links-the-full-chain insight is what makes the receipt complete evidence, connecting the whole transaction. An AP2 receipt doesn't stand alone -- it links to the mandate and intent, connecting the full transaction chain. The chain: the user's original intent (what they wanted -- the basis for the authorization), the mandate (the user's authorization that permitted the agent's payment -- with its scope/limits), and now the receipt (proof of the completed payment) -- with the receipt referencing the mandate (which references the intent) -- forming a complete, verifiable chain from intent to mandate to payment. This complete chain is powerful evidence: it doesn't just prove the payment happened (the receipt) but that it was authorized (the mandate) and intended (the intent) -- the full story, cryptographically linked and verifiable. This is crucial for disputes (the complete chain -- intent, mandate, receipt -- proving the payment was intended, authorized, and completed -- strong evidence) and audit (reconstructing the full transaction from the linked records). So the receipt's links to the mandate and intent (the full chain -- intent → mandate → payment, cryptographically connected) make it complete evidence (not just proof of payment, but of authorized, intended payment). Understanding the links-the-full-chain aspect (the receipt connecting intent, mandate, and payment -- complete, verifiable evidence) is understanding what makes the AP2 receipt complete evidence.
The architecture: every piece explained
Top row: the need and contents. The need: verifiable proof that an agent payment occurred (for records, disputes, audit). Receipt contents: the transaction details -- the amount, the parties (payer, payee), a reference to the mandate (the authorization), and the settlement details -- the recorded proof. Cryptographic signing: the receipt is signed cryptographically (by the issuer) -- making it tamper-evident (alterations detectable) -- a forge-proof proof. Verification: anyone can verify the signature (confirming the receipt's authenticity and integrity -- from the issuer, unaltered) -- independently verifiable.
Middle row: links and guarantees. Links to mandate + intent: the receipt references the mandate (which references the intent) -- forming the full chain (intent → mandate → payment -- complete, verifiable evidence). Non-repudiation: the parties can't deny the transaction (the signed receipt is proof -- non-repudiable evidence) -- a key guarantee. Settlement confirmation: proof the money actually moved (the settlement -- not just that a payment was initiated -- confirming the completion) -- proof of actual settlement. Audit trail: the receipt (and its links) enables reconstructing the transaction (the full trail -- intent, mandate, payment, settlement) -- auditability.
Bottom rows: disputes and retention. Dispute evidence: the receipt (linking intent, mandate, and payment -- signed, verifiable) is strong evidence in a dispute/chargeback (proving the payment was intended, authorized, and completed) -- crucial for dispute resolution. Retention + privacy: receipts must be retained (for the audit trail and disputes -- kept over time) but with privacy (they contain sensitive transaction data -- so stored securely, access-controlled) -- the retention/privacy balance. The ops strip: issuance (issuing the receipt -- generating and signing it upon a completed payment -- the issuance process, by the appropriate party), storage (storing the receipts -- retaining them securely for the audit trail and disputes, with privacy protection), and verification (verifying receipts -- checking the signatures -- when needed for disputes, audit, or confirmation -- the verification process).
End-to-end flow
Trace a receipt closing the loop on an agent payment. An agent completes a payment (within a mandate the user granted). Upon completion (settlement -- the money moved), a receipt is issued: it records the transaction details (amount, payer, payee, mandate reference, settlement) and is cryptographically signed (by the settlement system) -- a tamper-evident, verifiable proof. The receipt links to the mandate (which links to the user's intent) -- forming the full chain (intent → mandate → payment). The receipt is now verifiable proof that the payment happened (as recorded), was authorized (the mandate reference), and settled (the money moved) -- closing the loop on the agent payment (the proof of completion). The parties retain the receipt (for their records, and potential disputes). So the receipt (cryptographically-signed, linking the full chain) provided the verifiable proof of the completed, authorized agent payment -- closing the loop. The receipt was the verifiable evidence of the transaction.
The verification and non-repudiation vignettes show the guarantees. A verification case: a party (or a third party -- e.g., an auditor) needs to verify the payment happened -- so they verify the receipt (checking the cryptographic signature -- confirming it's authentic, from the issuer, and unaltered) -- independently confirming the payment (without needing to trust the presenter -- the signature is the proof). The independent verification confirmed the payment. A non-repudiation case: a party later tries to deny the transaction (claiming it didn't happen or was different). The signed receipt is proof (non-repudiable -- the party can't deny it, since the signed receipt proves the transaction as recorded) -- so the non-repudiation (the signed receipt) prevents the denial. The receipt provided non-repudiation.
The dispute and retention vignettes complete it. A dispute case: a payment is disputed (a chargeback). The receipt -- linking the intent, mandate, and payment (the full chain -- signed and verifiable) -- is strong evidence (proving the payment was intended, authorized -- via the mandate -- and completed) -- supporting the dispute resolution (the complete, verifiable chain as evidence). The receipt was crucial dispute evidence. A retention case: the receipts are retained (kept over time -- for the audit trail and potential disputes) but with privacy (they contain sensitive transaction data -- so stored securely, access-controlled -- balancing retention against privacy) -- the retention/privacy balance (keeping the evidence while protecting the sensitive data). The consolidated discipline the team documents: issue cryptographically-signed receipts upon completed payments (recording the transaction details -- amount, parties, mandate reference, settlement -- signed for tamper-evidence and verifiability), link the receipt to the mandate and intent (the full chain -- intent → mandate → payment -- complete evidence), leverage the guarantees (non-repudiation -- the parties can't deny; settlement confirmation -- proof the money moved; audit trail -- reconstructing the transaction), use receipts as dispute evidence (the complete, verifiable chain), retain receipts securely (for the audit trail and disputes -- with privacy protection), and support issuance, storage, and verification -- because AP2 receipts provide the verifiable proof that closes the loop on an agent payment (cryptographic evidence that the transaction happened, as authorized -- linking intent, mandate, and payment), essential for trust, disputes, and auditability in agent payments.