Execution Protocol

Every AI action. Authorized. Executed. Or stopped. With proof.

One message in. One verifiable outcome out.
Every action is enforced before execution and proven after.

Enforcement before commit. Cryptographic receipts. Independently verifiable.
Every terminal outcome emits a signed receipt. The audit trail survives the failure.

Open the sandbox Read the docs

Open specification · CC BY 4.0

curl https://executionprotocol.dev/api/sandbox/execute \
  -H "Content-Type: application/json" \
  -H "EP-Mode: sandbox" \
  -d '{
    "archetype": "PAYMENT_TRANSFER",
    "constraints": {
      "recipient": "vendor/acme_corp",
      "amount_usd": "9200.00",
      "max_total_usd": "1000.00"
    }
  }'

curl https://executionprotocol.dev/api/sandbox/execute \
  -H "Content-Type: application/json" \
  -H "EP-Mode: sandbox" \
  -d '{
    "archetype": "PAYMENT_TRANSFER",
    "constraints": {
      "recipient": "vendor/acme_corp",
      "amount_usd": "9200.00",
      "max_total_usd": "1000.00"
    }
  }'

Blocked before commit

attempted: $9,200 transfer

constraint: max_total_usd $1,000

outcome: kind: blocked · paymentStatus: not_charged

proof: signed receipt — audit chain records the block

The gap

Models can act.
Prompts are not governance.
Logs are not proof.

Agent execution layer

One message in. One terminal outcome out.

Execution Protocol

Structured intent
Natural language converted to a structured message
Policy evaluation
Pre-commit policy evaluated at the Authorization Boundary
Atomic commit
Once-only execution; commit and authorization separated
Signed receipt
Hash-chained, KMS-signed, verifiable offline

Single interaction. Execute when complete; instruct to complete when not.

Capabilities

What the protocol does.

Single-message gateway

One structured intent in, one terminal outcome out. No multi-turn handshake, no session state, no orchestration framework wrapped around the request.

Structured input

Natural language is converted to a structured message before policy evaluation. The LLM never reaches the authorization path.

Execute-or-instruct

Incomplete inputs receive a machine-readable completion response, not an error. The agent fixes and resubmits as a fresh interaction. No rejection path, no error-code maze.

Authorization Boundary

Pre-commit policy evaluated against the structured request. Hard-deny list, scoped delegation bounds, approval-chain routing.

Signed receipts on every terminal outcome

Execute, refuse, block — every terminal state ends with a hash-chained, KMS-signed receipt that any third party can verify offline against the public key.

Card primitives at the input boundary

PANs and CVVs are refused at the input boundary. Only tokenised payment-intent IDs from PSP-controlled flows cross. Whether this reduces a merchant’s PCI scope depends on the full payment architecture and the merchant’s QSA assessment.

Every outcome leaves a record

A signed receipt on every terminal outcome.

Executed

The protocol committed the action. The receipt records the committed state, the full pipeline audit chain, and the signed proof of commitment.

kind: executed

paymentStatus: charged

Instructed

The input did not satisfy the schema. The receipt records which fields were missing and the candidate values to complete them. The agent resubmits a corrected message in a fresh interaction — the protocol prohibits rejection.

kind: instructed

completeness: { missing: […] }

Blocked

A boundary or delegation rule fired before commit. The receipt is still signed and audit-chained — the proof that the gateway blocked, not lost the request.

kind: blocked

paymentStatus: not_charged

Where it fits

Existing protocols help agents communicate. Execution lets them commit safely.

Discovery and message-passing are solved problems. What happens between intent and outcome — authorization, policy, proof — is not.

This compares native protocol primitives, not what you can layer on top. A REST API can be wrapped in middleware that signs responses or enforces policy — that doesn’t make signing or policy a REST primitive. The question is what the protocol itself contracts for.

Capability	Execution	A2A	MCP	ACP	REST
Pre-commit policy primitive
Signed-receipt primitive
Scoped-delegation primitive
Hash-chain audit primitive
Tool-discovery primitive
Multi-agent-communication primitive
Stateless-request constraint

Architectural position

The action layer.

Models generate intentions. Execution Protocol turns intentions into actions, with proof.

Models
↓
Agent applications
↓
Execution Protocol
↓
Payments · Commerce · Systems · Data

Execution Protocol sits between the agent and the systems where consequences happen.

Open specification, protected implementation. The message format, receipt schema, and verification rules are public. The gateway and policy engine that run them are built on filed patents covering deterministic agent authorization.

Sandbox

Watch an agent action authorize, score, and settle.

In-browser. No signup. Try a successful call, then try a blocked one — watch the Authorization Boundary halt the action before commit and surface the exact remediation path.

Open the sandbox

Why it matters

Other tools filter what the model says. Execution controls what the model is allowed to do.

For CTOs

Built for production, not AI theater.

Reduce uncontrolled tool use across teams
Prevent costly autonomous errors before they commit
Enforce permission models that scale with the org
Simplify audit and legal review with verifiable receipts
Lower orchestration complexity in your agent stack

For CISOs and security teams

Evidence trails the auditor can verify independently.

KMS-signed receipts, verifiable offline against the public key
Card primitives refused at the input boundary — only tokenised payment-intent IDs from PSP-controlled flows cross
Hash-chained audit logs, exportable to your SIEM
Scoped delegation with revocation paths
Open specification — no proprietary telemetry required

The next era of AI is action. Action requires infrastructure.

Read the spec. Run the sandbox. Ship safer agents in production.

Read the docs Book a demo

Every AI action. Authorized. Executed. Or stopped. With proof.

One message in. One verifiable outcome out.
Every action is enforced before execution and proven after.

Enforcement before commit. Cryptographic receipts. Independently verifiable.
Every terminal outcome emits a signed receipt. The audit trail survives the failure.

Open specification · CC BY 4.0

curl https://executionprotocol.dev/api/sandbox/execute \ -H "Content-Type: application/json" \ -H "EP-Mode: sandbox" \ -d '{ "archetype": "PAYMENT_TRANSFER", "constraints": { "recipient": "vendor/acme_corp", "amount_usd": "9200.00", "max_total_usd": "1000.00" } }'

Existing protocols help agents communicate. Execution lets them commit safely.

Discovery and message-passing are solved problems. What happens between intent and outcome — authorization, policy, proof — is not.

Capability

Execution

A2A

MCP

ACP

REST

Pre-commit policy primitive

Signed-receipt primitive

Scoped-delegation primitive

Hash-chain audit primitive

Tool-discovery primitive

Multi-agent-communication primitive

Stateless-request constraint