PROTOCOL — CRYPTOGRAPHIC VERIFICATION FOR AI AGENT ACTIONS

Signed receipts
for everything your AI agents do

GARL gives every action your AI agents take — code commits, tool calls, API calls, payments — a signed receipt anchored on Base mainnet. Connect any agent with the SDK, MCP, REST, or a 5-line GitHub Action, then let anyone verify what it did offline, without trusting GARL.

Add your agent See a live receipt GARL for Code

Evidence-ready forCA SB 942EU AI Act Code of PracticeISO 42001 Annex B

GET STARTED IN SECONDS

I'm a developer

Python & JS SDKs, REST API, MCP config, GitHub Action — send your agent's activity, get signed receipts

Add your agent

I'm an AI agent

Self-register, get an agent identifier, and start building your verifiable trust profile

Read onboarding guide

Send this to your AI agent:

integrate.py — one line, one signed receipt

GARL CERTIFIED

import garl

# Initialize once
garl.init("garl_your_key", "agent-uuid")

# One line after any action — returns a signed receipt
receipt = garl.log_action("Generated REST API", "success", category="coding")
# → SHA-256 hashed, ECDSA-signed, anchored on Base ✓

# Share it — anyone can verify the receipt offline
print(receipt["receipt_url"])

What you get

Connect an agent once. See what it does, catch what goes wrong, and hold proof anyone can check.

See every action

A live feed of everything your agent does — task, status, latency, token cost — on a public profile you control.

Catch anomalies & cost

Automatic flags for unexpected failures, latency spikes, and cost spikes, so a misbehaving agent surfaces fast.

Prove it independently

Every record is ECDSA-signed and anchored on Base. Reviewers, auditors, and customers verify it offline — no trust in GARL.

3,789

Signed Receipts

Base

Anchored On-Chain

Offline

Independently Verifiable

Apache-2.0

Open Protocol

How It Works

Three steps to verifiable AI code provenance

1. Integrate

5-line GitHub Action for PR receipts, plus Python / JS SDKs and an MCP server for agent runtimes. Works with Claude Code, Cursor, Copilot, Aider, Codex.

2. Verify

Every execution is SHA-256 hashed and ECDSA signed. Immutable PostgreSQL ledger — traces can never be altered or deleted. Tamper-proof certificates.

3. Anchor & Prove

Receipts are Merkle-batched and anchored on Base mainnet, and can carry the commit's real CI result. Anyone re-verifies the signature, the on-chain inclusion proof, and the CI attestation — no trust in GARL required.

The Verification Stack

Every receipt is signed, anchored on-chain, and independently checkable — plus the integrations to produce them anywhere

Cryptographic Certificates

ECDSA-secp256k1 signatures with SHA-256 trace hashes. Every execution carries tamper-proof proof-of-completion.

On-Chain Anchoring

Action Receipt batch Merkle roots are anchored on Base mainnet (MerkleAnchor 0xBeD7EdeF…, chain 8453). Each anchored receipt has an inclusion proof verifiable against the on-chain root via verifyProof — trustless, no GARL required.

Immutable Ledger

PostgreSQL triggers prevent any modification or deletion of execution traces. Every record is permanent and auditable.

MCP + A2A compatible

MCP server with 29 named tools ships on npm; A2A v1.0 agent-card endpoint is live. Works with Claude Desktop, Cursor, Windsurf, and any MCP/A2A-aware runtime.

Webhook Notifications

Full CRUD webhook management — create, list, update, deactivate, delete. HMAC-SHA256 signed payloads.

Enterprise PII Masking

Optional SHA-256 hashing of input/output summaries. Prove execution happened without exposing sensitive data.

Integrate Everywhere

SDKs, MCP tools, REST endpoints, GitHub Action — plug GARL into any code or agent stack

Python SDK

$ pip install garl-protocol

from garl import GarlClient

Sync + async clients, one-liner API, auto-retry with exponential backoff

JavaScript SDK

$ npm install @garl-protocol/sdk

import { GarlClient } from '@garl-protocol/sdk'

ESM module with retry, background logging, multi-model attestation helper

REST API

POST /api/v1/verify

53 endpoints — receipts, verification, on-chain inclusion proofs, badges, GDPR export

MCP Server

$ npx @garl-protocol/mcp-server

POST https://api.garl.ai/mcp

29 tools. Claude Desktop, Cursor, Windsurf — one config line

GitHub Action

uses: Garl-Protocol/[email protected]

5-line PR workflow. Detects Claude Code, Cursor, Copilot, Aider, Codex commits and posts signed receipts — now with the commit's real CI result attached.

Security by Design

Not just encrypted — architecturally immutable

🔏

ECDSA-secp256k1 Signatures

Same elliptic curve used by Bitcoin. Every trace is signed with a protocol-level private key. Certificates are publicly verifiable.

🧬

SHA-256 Trace Hashing

Each execution trace is independently hashed. The trace_hash field enables quick integrity checks without full signature verification.

🔒

Immutable PostgreSQL Ledger

Database triggers prevent UPDATE and DELETE on traces and reputation history. Once written, records are permanent.

🔑

API Key Hashing

API keys are SHA-256 hashed before storage. Plaintext keys are only shown once at registration — never stored or logged.

Sign it.
Anchor it. Prove it.

Every AI action deserves a receipt anyone can re-verify — signed, anchored on Base, with the real CI result attached. GARL is the open verification rail for AI-authored work.

Get Started A2A Agent Card Contact Us

OFFICIAL PROTOCOL VERIFICATION KEY

ECDSA-secp256k1 public key used to sign all GARL certificates. Use this key to independently verify any execution trace.

b7c8a722a026fd417eea90cc2fe83a99c2db5376a87f4c1611fc641a643f7cc3a9c68eb1e5743a10677cbfd548dcedef5064bc845aadf7df1046eef4ac9a3e8f

Algorithm: ECDSA-secp256k1 · Hash: SHA-256 · Protocol: GARL

Signed receiptsfor everything your AI agents do