AI agent authority

Prove what your AI agent was allowed to do.

As personal AI agents act for people, the core question becomes: did this person knowingly authorize this agent, for this task, during this time window, with these limits? PlenaProof turns that into a receipt.

Existing AI Agent ReceiptsVaultAI Oversight Receipts

Flagship individual primitive

Not a sector feature. A personal proof layer for the agent era.

Who

Named human and named agent

Records the human account, agent identifier, provider, and delegate relationship.

What

Specific allowed task

Pay invoice, submit form, schedule appointment, negotiate quote, draft email, or retrieve document.

When

Time-bound authority

Start time, end time, expiry, revocation, renewal, and emergency stop are part of the receipt.

Limits

Scope and forbidden actions

No spending above a threshold, no legal filing, no medical decision, no contract signing, no data sharing beyond named recipients.

Proof

Human approval marker

PIN, passkey, signed confirmation, video attestation, reviewer-backed approval, or issuer-backed authorization.

Aftermath

Outcome receipt

What the agent actually did can be chained to the original authorization receipt.

A witness layer, above whatever runs the agent

Two different jobs sit in the agent stack. PlenaProof does the second one.

Execution layer

Controls what the agent may do

Scoped session keys in agentic wallets, tool-call permissions in agent frameworks, and agent-SDK setups enforce limits in the moment. They keep an agent inside its lane — but they do not, by themselves, hand the person a portable, external record they can show someone else later.

Witness layer — PLENA

Records who authorized what, and what happened

PlenaProof records who authorized which agent, for what scope and time window, what it actually did, and what was refused or revoked — as a signed, anchored, human-readable, revocable receipt anyone can verify. It sits above whatever system runs the agent.

What this is and is not. PlenaProof does not control, execute, or enforce an agent's actions, and does not by itself stop an agent. It records the authorization and the outcome as a receipt anyone can verify. Agent-execution systems are integration targets, not competitors — the receipt sits on top of them. This page names categories only (agentic wallets, agent frameworks) and does not describe or imply any specific product, partnership, or integration.

VRX-1 authorization fields

{
  "protocol": "VRX-1",
  "receipt_type": "ai_agent_authorization",
  "human_subject": "wallet-holder-public-id-or-private-token",
  "agent_identifier": "agent-provider-and-agent-id",
  "authorized_task": "submit selected document packet to named recipient",
  "authority_window": {"starts": "timestamp", "expires": "timestamp"},
  "spending_limit": "optional",
  "forbidden_actions": ["contract signing", "medical consent", "legal filing"],
  "revocation_path": "wallet revocation receipt",
  "human_approval_method": "passkey + plain-language consent screen",
  "public_verification_level": "metadata_only"
}

Individual use

People can prove that a task was delegated intentionally and within limits.

Institutional use

Banks, schools, clinics, employers, lawyers, agencies, and platforms can require a valid authorization receipt before accepting agent-submitted actions.