Skip to main content
An x402 payment proves that a transfer happened on chain. A verifiable x402 receipt proves what the chain does not record: that a compliance screen ran at admission, that settlement reached a stated state under a named party’s risk model, and that the record has not been altered since it was issued. AlgoVoi issues that receipt on every x402 request and pins it to a canonicalisation discipline so anyone can verify it byte for byte.

What makes an x402 receipt verifiable

The receipt is a JSON object canonicalised under RFC 8785 (JCS) and hashed with SHA-256. The hash is content-addressed: it is a deterministic function of the receipt fields, so a verifier who holds the receipt recomputes the same hash and confirms the bytes independently. No issuer call, no registry lookup, no AlgoVoi service. A JSON parser, JCS, and SHA-256 are the entire dependency. Because the canonicalisation rule is pinned in-band as canon_version: jcs-rfc8785-v1, the receipt re-verifies under the exact rules it was issued under, years later, without an out-of-band registry.

The receipts AlgoVoi issues on x402

ReceiptRecordsClosed enumerationIssued on
Compliance receiptThe admission-time screening decisionALLOW / REFER / DENYPOST /checkout/{token}
Settlement attestationThe settlement state on a given chainSETTLED / PENDING_FINALITY / REVERSEDPOST /checkout/{token}/verify, POST /x402/verify
Refund receiptThe refund outcome, chained to settlementFULL / PARTIAL / REJECTEDrefund flow
Each receipt chains to the previous one by content_hash, so a verifier walks admission, then settlement, then refund under one byte-deterministic pin. Every value is a positive, byte-distinct record: a DENY receipt is not missing data, it is a verifiable artefact in its own right.

Verify one yourself

The hosted verifier confirms a content-addressed reference with no auth:
POST https://verify.algovoi.co.uk/action-ref
Content-Type: application/json

{ "agent_id": "did:web:api.algovoi.co.uk", "action_type": "payment.authorize",
  "scope": "base:0x2d96f2bc", "timestamp_ms": 1748534400000 }
Or reproduce the full corpus offline, with hand-written JCS and stdlib SHA-256, so the published values are proven without AlgoVoi’s canonicalizer being invoked at all:
git clone https://github.com/chopmob-cloud/algovoi-jcs-conformance-vectors
cd algovoi-jcs-conformance-vectors
pip install algovoi-substrate
python composition/verify_corpus.py
python composition/first_principles_check.py
The construction is cross-validated across eight independent JCS implementations in eight languages at 880/880 cumulative agreements, including the RFC 8785 author’s own Java implementation. When eight implementations that share no code produce the same bytes, the result is a property of the standard, not of any one library.

Specification and authorship

The receipts and the canonicalisation discipline they pin are AlgoVoi-authored and specified in IETF Internet-Drafts: Reference implementations are published Apache-2.0: algovoi-substrate (Python) and @algovoi/substrate (TypeScript), byte-for-byte identical on the same input.

See also