The web is at a turning point. Over the past year, headline-making clashes like OpenAI’s lawsuit with The New York Times over scraping, Anthropic’s Claude facing publisher concerns on data use (e.g., Reddit lawsuit), and Perplexity’s exchange with Cloudflare regarding agent identification have revealed a foundational challenge: as AI agents become first-class participants on the web, existing standards are insufficient.
What’s available in PEAC today: a machine-readable policy file
(/.well-known/peac.txt), a capabilities document for discovery and negotiation, cryptographically verifiable receipts, adapter-friendly interop with common rails, and a minimal TypeScript SDK with an example project to try locally.
This isn’t about one company or one dispute. It affects everyone: publishers, developers, web platforms, service providers, and users. Without change, we risk a two-tier internet where only large incumbents thrive, while independent creators, new entrants, researchers, and everyday users are left behind.
Attribution & trust: Without clear signals and receipts, responsible agents resemble undifferentiated scraping, eroding trust on all sides.
Access to knowledge: Blanket blocks and brittle controls can exclude legitimate, policy-honoring agent traffic.
Transparency & accountability: No common way to declare agent purpose and terms—or to verify that interactions respected them.
Innovation at risk: Robots.txt alone can’t express modern, purpose-scoped policies; smaller teams and open projects are hit hardest.
From individual website owners and developers to global platforms and service providers, everyone is facing a surge in automated traffic. Legacy methods like robots.txt, broad firewalls, and blanket paywalls lack the nuance to address modern, use-case-specific needs. Without programmable access control and standardized agent identification, mislabeling is common, and everyone loses.
We need a neutral, web-native way for providers to publish capabilities and terms, for agents to discover and negotiate them up front, and for both sides to keep verifiable receipts of what happened.
An effective solution must provide:
Machine-readable policy: A clear, file-based way to declare free, conditional, paid, or prohibited access, including purpose, quotas, attribution, and retention.
Discovery and negotiation first: A simple capabilities document at a well-known path so agents learn endpoints, limits, and policy signals before acting.
Verifiable receipts: Each interaction can return a cryptographically verifiable receipt for audit, support, and compliance.
Programmable, fair access: Terms like “free for all”, “attribution required,” “read-only,” “research-only,” “exclude from training,” or “pay-per-use,” expressed consistently.
Adapter-friendly interop: Bridges to common payment rails, provenance systems, and agent ecosystems via lightweight adapters.
Predictable semantics: Consistent lowercase HTTP headers (x-peac-*), Problem Details (RFC 7807) error format, and conformance levels so integrations behave the same across providers.
Transparent, Auditable Interactions: Every interaction should enable trust and be logged in a machine-readable format, supporting privacy and regulatory compliance (e.g., GDPR, EU AI Act), and enabling post-hoc verification.
PEAC (Programmable Environment for Agent Coordination) is a neutral, open, file-based policy + receipts layer for the web. Providers declare terms once (peac.txt) and can enforce them anywhere (origin, gateway, or edge). Agents discover capabilities, honor policies, and carry verifiable receipts, so everyone has clarity without proprietary silos. PEAC plays well with robots.txt and focuses on predictable, auditable behavior rather than lock-in.
Only a neutral, open standard developed transparently, stewarded by a working group, and free to adopt, can provide a sustainable foundation. This approach enables the entire web ecosystem, publishers, platforms, developers, and users, to progress together, avoiding fragmentation and proprietary silos.
Such a standard is emerging, defined by these properties:
Backward compatible: Fully interoperable with robots.txt for an easy upgrade path.
Extensible: Designed for programmable rules and future integrations (e.g., HTTP 402, payment gateways, Stripe, x402, stablecoins).
Ethical by design: Aligns with privacy, consent, and AI governance frameworks, supporting both innovation and compliance.
Community-driven: Open to proposals, peer review, and contribution from AI developers, publishers, open-source foundations, researchers, and users worldwide to shape, contribute code, or join the working group and improve it.
Bridged by design: Adapter-friendly to existing rails, platforms, and agent ecosystems.
Payments are optional: Access comes first; when charging is desired, adapters support multiple approaches without prescribing one.
This is a pivotal moment: The web can either fragment or move toward a more open, equitable, and innovative future. The right standards will benefit everyone and empower publishers to control and monetize content, enable developers to build trustworthy AI, and ensure users enjoy broad, fair access.
CISO notes: PEAC aligns with least-privilege and accountability: purpose and retention signals in policy; rate/usage limits via capabilities; verifiable receipts for audit trails; consistent error semantics; and conformance levels for predictable behavior. It complements existing controls and simplifies evidence collection for privacy and AI governance
For providers (sites, APIs, platforms): Publish both: /.well-known/peac.txt (policy) and /.well-known/peac-capabilities (discovery). Start with the templates. Return verifiable receipts for interactions, and enforce where it fits your stack (origin, gateway, or edge).
For agent developers: Discover first, then act: resolve capabilities, honor `peac.txt`, and include/verify **receipts** for auditability. Use adapters to plug in your preferred payment rails and provenance systems. Explore the SDK and examples in the PEAC GitHub repo.
For everyone: Join the Working Group and contribute on GitHub. Follow conformance levels for predictable behavior across implementations.
Capabilities (discovery):
{
"protocol": "PEAC",
"version": "0.9.x",
"endpoints": {
"agreements": { "href": "/peac/agreements", "methods": ["POST"] },
"payments": { "href": "/peac/payments/charges", "methods": ["POST"] },
"receipts": { "href": "/peac/receipts/verify", "methods": ["POST"] }
},
"policy_hints": { "attribution": "required", "retention": "P7D" },
"limits": { "rate": "100/min" },
"error_format": "application/problem+json"
}
Policy (/.well-known/peac.txt):
version: 0.9.x
policy:
default:
access: allowed
purpose: [research, personal]
attribution: required
retention: P7D
quota:
requests_per_minute: 60
receipts:
required: trueLet’s collaborate to keep the web open, fair, and innovative for everyone.
PEAC Protocol is an open-source project initiated by Originary, free for anyone to use and modify under the Apache 2.0 license.