Receipts

Per-request signed evidence that proves how the router and provider TEEs processed your call.

A receipt is a JWS (JSON Web Signature) signed by the Tresor router that freezes the routed model, request and response digests, and the attestation evidence captured for the router TEE and upstream provider TEE at issuance time. Verifying it gives you a non-repudiable audit trail without having to trust the router itself — only the public key it signs with.

For the step-by-step procedure to fetch and verify one, see the Verify a receipt guide.

Why receipts

PropertyWhat it gives you
Signed with ES256Anyone with the public JWKS can verify; no shared secret with Tresor.
Bound to request/response digestsTies the signed receipt to the exact exchange, not just the receipt id.
Bound to the resolved modelDetects silent provider/model-route swaps.
Embeds two attestation hopsCaptures the router TEE and the upstream inference TEE in one signed payload.
Carries release binding materialRouter receipts can embed a signed workload manifest and trust bundle for offline checks.
Issued on every completionDefault-on; no per-request opt-in needed.
Stored briefly, fetched by idSkips streaming overhead; trade receipt_id for the signed receipt response later.

Lifecycle

  1. Issue. When the router finishes a chat completion, it builds the receipt payload and signs it with the active enclave key. The receipt_id is returned in the tresor.receipt_id field of the response (or finish chunk on a stream).
  2. Store. The signed receipt is held by the receipt service, scoped to the customer that owns the API key.
  3. Fetch. The customer calls GET /v1/receipts/{id} to retrieve the signed receipt response at any time.
  4. Verify. The customer fetches the JWKS from /.well-known/jwks.json and verifies the signature locally with tresor-verify or any ES256-capable library. → How-to.

To opt out of receipt issuance for a specific call, send X-Tresor-Receipt: false. No receipt is stored and receipt_id is omitted.

Payload

Top-level claims

FieldDescription
jtiStable receipt identifier. Matches the receipt_id returned on the API response.
iatUnix timestamp for when the receipt was issued.
requested_routeNormalized primary route the caller asked the router to use before automatic resolution or failover.
routed_modelFully resolved route used for the request.
prompt_tokensPrompt tokens counted by the router.
completion_tokensCompletion tokens counted by the router.
request_digestHash of the canonicalized request payload.
response_digestHash of the canonicalized response payload.
digest_versionDigest schema version used for the request and response hashes.
failovertrue when routing failover moved the request from the preferred route to a secondary route.
router_attestationAttestation block for the Tresor router TEE.
inference_attestationAttestation block for the upstream inference TEE, when available.
receipt_signatureHistorical signing metadata captured at issuance.

Attestation blocks

router_attestation and inference_attestation share the same base shape, but not every field is populated for both hops.

Older receipts may label the upstream hop provider_attestation instead of inference_attestation.

FieldDescription
teeTEE technology reported for that hop.
measurementWorkload or platform measurement supplied by that hop.
workload_identity_tagSHA-256 tag of the release-signed workload manifest. Present for the router hop today.
workload_identity_manifest_jwsCompact JWS of the release-signed workload manifest for offline verification.
trust_bundle_urlURL of the trust bundle used to validate the workload manifest, when published.
trust_bundle_jwsCompact JWS of that trust bundle for offline validation.
verifiedWhether that hop verified successfully when the receipt was issued.
verification_modeVerification path used for that hop at issuance time.
verified_atUnix timestamp for when that hop was verified.
attestation_strengthAdapter-reported strength classification.
evidence_summaryStable summary fields you can use in policy decisions.
message_attestationMessage-bound inference proof artifact, when the provider exposes one.
evidence_rawProvider-specific raw evidence captured at issuance.

receipt_signature captures kid, alg, verified, verification_mode, and verified_at for the receipt-signing key as it existed when the JWS was issued.

Signing keys

Receipts are signed by the router's enclave-resident ES256 key. Public keys are published as a JWKS at /.well-known/jwks.json. When the enclave rotates, the new public key is added to the JWKS before the old one is retired, so verifiers that follow the standard JWKS pattern handle rotation transparently.

See also