Verifiable agent observability

Proof of what your
AI agent actually did.

Every model call and tool call your agent makes is captured, hash-chained off-box, and pushed to an append-only sink. Anyone can verify the record with an open-source tool, trusting neither the agent nor the vendor. Observability you can take to court.

Honest scope: anything your agent logs, once it reaches the sink, is immutable and verifiable. Completeness is never claimed. A hostile agent that does not call the SDK will not appear in the record.

Start free Verify a record yourself

Free tier. No credit card. 60-second install via pip.

60-second install

One SDK.
Every agent event.

Python and TypeScript. Works with LangChain, CrewAI, the Vercel AI SDK, the raw Anthropic or OpenAI client, or your own agent loop. No vendor lock-in, and a run recorded in either language verifies with the same open-source tools.

pip install provenrail  /  npm install provenrail

Read the quickstart guide
quickstart.py 
# 1. Install and connect (one time, writes a local config)
$ pip install provenrail
$ pr quickstart

# 2. Record every call in your session
import provenrail as pr

with pr.record("billing-agent"):
    agent.run(task)   # every model + tool call captured

# 3. Verify anytime, trusting neither agent nor sink
$ pr verify bundle.json --pin pin.json
How it works

Three steps. Zero trust required.

The design is simple by intention: fewer moving parts to trust means less to audit.

01Instrument

Wrap your agent loop

One with pr.record() block captures every model and tool call wherever your agent makes decisions. Each event is hashed and sequenced on the client before it leaves your process.

02Chain

Records land on an off-box rail

Each record carries a hash of the previous one, forming a chain. The sink is append-only: records cannot be deleted or reordered without breaking the chain. RFC 3161 timestamps anchor the sequence to an external time authority.

03Verify

Anyone can check the proof

The open-source pr-verify tool reconstructs the chain and validates every timestamp independently. Share a read-only link with a client, auditor, or regulator. They trust the math, not you.

For freelancers and agencies

Deliver AI work with a
verifiable paper trail.

When you deliver an autonomous agent project to a client, billing disputes and scope-creep questions are inevitable. Provenrail gives you a read-only proof link that shows exactly what the agent did, when, and in what order. No more "the agent went rogue" conversations.

Share a read-only proof link with your client before the invoice.
Tamper-evident: if anything is altered after delivery, the chain breaks.
Builds repeat business. Clients who can verify the work trust the next project.
Client proof link
streamproj_acme_seo_refresh
events1,847
period2026-05-12 to 2026-05-14
chainINTACT
timestampsVERIFIED (RFC 3161)
deletionsNONE DETECTED
tools usedweb_search, file_write,
browser_navigate (49x)
model callsclaude (312x)
verified bypr-verify 1.2.0

For developers with production-access agents

When something goes wrong,
know exactly what happened.

Agents with access to money, production infrastructure, or email can cause real damage. After an incident you need a reconstruction, not speculation. Provenrail gives you a verifiable sequence of every decision the agent made, in the exact order it made them.

Post-incident reconstruction without log-tampering doubts.
Works across providers: Anthropic, OpenAI, Gemini, local models.
Works across frameworks: LangChain, CrewAI, custom loops.
Incident reconstruction
seqtimeevent
109114:22:01model_call claude in=512tok
109214:22:03tool stripe.charge $340
109314:22:04tool stripe.charge $340
109414:22:04tool stripe.charge $340
109514:22:06model_call claude in=891tok
chain INTACT, timestamps VERIFIED
root cause: retry loop, no idempotency key

For teams with regulatory exposure

The technical evidence layer
for EU AI Act and HIPAA.

EU AI Act Article 12 logging requirements are enforceable from 2026-08-02. HIPAA 164.312(b) requires audit controls for systems handling protected health information. Provenrail provides the append-only, timestamped, tamper-evident event log these frameworks require as technical evidence. Your team certifies compliance; we provide the evidence.

Append-only log with RFC 3161 trusted timestamps.
Attestation report templates for auditors and regulators.
HIPAA 164.312(b) evidence mapping; you remain the covered entity and certify compliance.
EU AI Act Art. 12 HIPAA 164.312(b) SOC 2 Type II ISO 27001
Attestation report
regulationEU AI Act Art. 12
requirementAutomatic logging of
AI system operations
evidenceAppend-only event log
tamper proofHash chain + RFC 3161
retention2 years (Team+)
Attestation signed by: Your team
Evidence provided by: Provenrail
Why Provenrail

Built to be independently verified.

Most observability tools ask you to trust them. Provenrail is designed so that you do not have to.

Open-source verifier

The pr-verify tool is open-source and runs entirely offline. Any party can check the chain without contacting our servers. Trust the math, not the vendor.

RFC 3161 trusted timestamps

Each record is anchored to an external time authority using the RFC 3161 standard. Timestamps cannot be back-dated, even by us.

Witnessed log, standards-aligned

An independent off-box receipt chain plus a witnessed, append-only Merkle log closes the single-host equivocation gap, and every inclusion is emitted as an IETF SCITT (COSE) receipt any standards-aware auditor can verify.

Privacy-first by default

Default mode stores a SHA-256 hash of each prompt and response, not the raw text. Selective-disclosure redaction lets you reveal or erase sensitive fields later, without breaking the proof.

Works across every provider

Anthropic, OpenAI, Gemini, local models, or anything else. LangChain, CrewAI, custom loops. One SDK records all of them in the same chain.

Honest about the threat model

We document exactly what Provenrail does and does not catch. Technical buyers trust specificity. We tell you what we cannot guarantee before you commit to a plan.

Pricing

Start free. Scale when you need to.

No email gate on pricing. No hidden fees. Cancel anytime.

Free
$0
forever
  • 10k events per month
  • 30-day retention
  • Hash chain verification
  • pr-verify access
  • Community support
Get started
Most popular
Builder
$29/mo
billed monthly
  • 500k events per month
  • 1-year retention
  • Shareable client proof links
  • Hash chain + RFC 3161 timestamps
  • Email support
Start Builder
Team
$99/mo
billed monthly
  • 2M events per month
  • 2-year retention
  • Multi-project support
  • Data exports (JSON, CSV)
  • Priority email support
Start Team
Compliance
$699/mo
billed monthly
  • Everything in Team
  • Attestation report templates
  • HIPAA 164.312(b) evidence mapping
  • Sales-assisted onboarding
  • Dedicated support channel
Talk to us
Enterprise
Custom
volume + SLA
  • Unlimited events
  • Custom retention policy
  • Private deployment option
  • Custom SLA
  • Dedicated account team
Contact sales

All paid plans include a 14-day refund window. No questions asked.

FAQ

Common questions.

A cooperative agent cannot silently alter records once they reach the sink: the hash chain makes any tampering detectable, and RFC 3161 timestamps prevent back-dating. However, a hostile agent that simply does not call the SDK at all will not appear in the record. Provenrail detects tampering and deletion of records that were written. It cannot force an uncooperative agent to write in the first place. This limitation is a documented part of the threat model, not fine print.
No. The verifier (pr-verify) is open-source and checks the hash chain against the RFC 3161 timestamps without contacting our servers. You can run it yourself or share a read-only proof link with any third party who can run it. You do not need to trust us or the agent; you only need to trust standard cryptographic hash functions and the time authority.
The default mode is store-hash-not-content: we record a SHA-256 hash of each prompt and response, not the raw text. The hash proves the content existed and has not changed; the raw text stays on your infrastructure. Selective-disclosure redaction lets you commit sensitive fields as salted hashes and reveal or erase them later without breaking the proof. For HIPAA-covered entities, Provenrail maps evidence to 164.312(b); you remain the covered entity and own certification.
Provenrail provides the technical evidence layer: an append-only, timestamped, tamper-evident log of AI system operations of the kind EU AI Act Article 12 calls for (enforceable 2026-08-02). Your team is responsible for regulatory certification. We provide the evidence; you provide the attestation. The Compliance tier includes attestation report templates designed for use with auditors and regulators.
Free: $0, 10k events/month, 30-day retention. Builder: $29/month, 500k events, 1-year retention, shareable client proof links. Team: $99/month, 2M events, 2-year retention, multi-project, data exports. Compliance: $699/month, attestation reports, evidence mapping, sales-assisted onboarding. Enterprise: custom pricing, contact us. All paid plans include a 14-day refund window.
Install the package: pip install provenrail. Export your stream as a bundle, then run: pr verify bundle.json --pin pin.json. The tool recomputes the client hash chain, every Ed25519 signature, the independent server receipt chain, the Merkle anchor and each RFC 3161 timestamp locally, trusting neither the agent nor the sink. It exits 0 if intact and non-zero with a detailed error if any record is missing, reordered, altered, or back-dated. You can also share a read-only proof link and let a third party run the verifier on their own machine.