Verifiable agent observability

Proof of what your AI agent actually did.

Other tools show you what your agent did and ask you to trust their dashboard. Provenrail captures every model call and tool call, hash-chains it off-box to an append-only sink, and lets anyone verify the record with an open-source tool, trusting neither the agent nor the vendor. Observability you can take to court.

Honest scope: anything your agent logs, once it reaches the sink, is immutable and verifiable. Completeness is never claimed. A hostile agent that does not call the SDK will not appear in the record.

Free tier. No credit card. Installs in seconds.

60-second install

One SDK. Every agent event.

Python and TypeScript. Drop-in capture for the OpenAI and Anthropic clients, LangChain and MCP; record any other provider, framework, or custom loop with one line. No vendor lock-in, and a run recorded in either language verifies with the same open-source tools.

uv tool install provenrail  /  npm install provenrail

quickstart.py
# 1. Install the CLI (isolated, survives brew/python upgrades)
$ uv tool install provenrail
$ pr quickstart

# 2. Record every call in your session
import provenrail as pr

with pr.record("billing-agent"):
    agent.run(task)   # every model + tool call captured

# 3. Verify anytime, trusting neither agent nor sink
$ pr verify bundle.json --pin pin.json

How it works

Three steps. Zero trust required.

The design is simple by intention: fewer moving parts to trust means less to audit.

01 Instrument

Wrap your agent loop

One with pr.record() block captures every model and tool call wherever your agent makes decisions. Each event is hashed and sequenced on the client before it leaves your process.

02 Chain

Records land on an off-box rail

Each record carries a hash of the previous one, forming a chain. The sink is append-only: records cannot be deleted or reordered without breaking the chain. On Builder and higher plans, RFC 3161 timestamps from an independent authority anchor the sequence so back-dating is detectable; the Free plan hash-chains the sequence without a third-party timestamp.

03 Verify

Anyone can check the proof

The open-source pr-verify tool reconstructs the chain and validates every anchor independently. Export your bundle and share it with a client, auditor, or regulator who runs the same tool; on Builder and higher a hosted read-only proof link is also available. They trust the math, not you.
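
The three steps above, reduced to a minimal hash chain with an independent check. This is an added example, not Provenrail's code or record format: the field names, the genesis value and the pinned_head argument are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed marker for "no previous record"

def record_hash(seq, prev, payload):
    """Hash the canonical JSON form of one record (sorted keys, no whitespace)."""
    body = json.dumps({"seq": seq, "prev": prev, "payload": payload},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def append(chain, payload):
    """Append a record that commits to the hash of the record before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    seq = len(chain)
    chain.append({"seq": seq, "prev": prev, "payload": payload,
                  "hash": record_hash(seq, prev, payload)})

def verify(chain, pinned_head=None):
    """Return (ok, reason). pinned_head is a head hash kept out of band;
    without it, dropping the newest records leaves a shorter valid chain."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i:
            return False, f"record {i}: sequence gap or reorder"
        if rec["prev"] != prev:
            return False, f"record {i}: previous-hash link broken"
        if rec["hash"] != record_hash(rec["seq"], rec["prev"], rec["payload"]):
            return False, f"record {i}: content altered"
        prev = rec["hash"]
    if pinned_head is not None and prev != pinned_head:
        return False, "head does not match pinned value (truncated or replaced)"
    return True, "intact"

def build_sample():
    """Constructed sample events, modelled on the incident table on this page."""
    chain = []
    for event in ({"type": "model_call", "model": "claude", "in_tokens": 512},
                  {"type": "tool", "name": "stripe.charge", "amount": 340},
                  {"type": "tool", "name": "stripe.charge", "amount": 340}):
        append(chain, event)
    return chain

if __name__ == "__main__":
    chain = build_sample()
    print(verify(chain, pinned_head=chain[-1]["hash"]))
```

Rewriting one record and recomputing its own hash only moves the failure to the next record's link, which is why the chain has to be checked end to end and against a head value the writer cannot change.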

Try it right here

Change one byte. Watch the proof break.

Below is a real Provenrail record, verified live in your browser. Flip a single character and the open-source verifier rejects it. This is the whole idea, and you do not have to trust us to see it.

Recomputing every hash, signature, Merkle anchor, and witness cosignature locally.

Runs entirely in your browser via the open-source verifier. Your data never leaves your device, not even to us.

See it in action

Watch it work, end to end.

Real terminal sessions, no mockups. Every command and every output below is captured verbatim from provenrail 0.2.0.

Tutorial 01 · 16s · Install, record, verify: Four commands: install, pr quickstart, pr demo, pr verify.
Tutorial 02 · 20s · Verify it yourself: Witnessed verify, then catch a one-byte tamper with a non-zero exit code.
Tutorial 03 · 25s · Plans & licensing: Subscribe through Polar, get a license key, pr activate your server.
Tutorial 04 · 22s · Record from code: Python & TypeScript record() to pr report and a portable evidence pack.
Tutorial 05 · 31s · Team & SSO: Invite teammates with roles, connect your OIDC identity provider, and sign in with your IdP.

For freelancers and agencies

Deliver AI work with a verifiable paper trail.

When you deliver an autonomous agent project to a client, billing disputes and scope-creep questions are inevitable. Provenrail gives you a verifiable record of exactly what the agent did, when, and in what order. No more "the agent went rogue" conversations.

  • Share a portable proof bundle your client verifies themselves, or a hosted proof link on Builder and higher.
  • Tamper-evident: if anything is altered after delivery, the chain breaks.
  • Builds repeat business. Clients who can verify the work trust the next project.

Client proof link

stream: proj_acme_seo_refresh
events: 1,847
period: 2026-05-12 to 2026-05-14
chain: INTACT
timestamps: VERIFIED (RFC 3161)
deletions: NONE DETECTED
tools used: web_search, file_write, browser_navigate (49x)
model calls: claude (312x)
verified by: pr-verify 1.2.0

For developers with production-access agents

When something goes wrong, know exactly what happened.

Agents with access to money, production infrastructure, or email can cause real damage. After an incident you need a reconstruction, not speculation. Provenrail gives you a verifiable sequence of every decision the agent made, in the exact order it made them.

  • Post-incident reconstruction without log-tampering doubts.
  • Drop-in capture for OpenAI, Anthropic, LangChain and MCP.
  • Any other provider, framework or custom loop records with one line, to the same chain.

Incident reconstruction

seq    time      event
1091   14:22:01  model_call claude in=512tok
1092   14:22:03  tool stripe.charge $340
1093   14:22:04  tool stripe.charge $340
1094   14:22:04  tool stripe.charge $340
1095   14:22:06  model_call claude in=891tok

chain INTACT, timestamps VERIFIED
root cause: retry loop, no idempotency key

For teams with regulatory exposure

The technical evidence layer for EU AI Act and HIPAA.

EU AI Act Article 12 logging requirements are enforceable from 2026-08-02. HIPAA 164.312(b) requires audit controls for systems handling protected health information. Provenrail provides an append-only, timestamped, tamper-evident event log designed to serve as technical evidence in regulatory contexts. Certification and attestation remain your responsibility.

  • Append-only log; RFC 3161 trusted timestamps on Builder and higher.
  • Attestation report templates for auditors and regulators.
  • HIPAA 164.312(b) evidence mapping; you remain the covered entity and certify compliance.

EU AI Act Art. 12 · HIPAA 164.312(b)

Attestation report

regulation: EU AI Act Art. 12
requirement: Automatic logging of AI system operations
evidence: Append-only event log
tamper proof: Hash chain + RFC 3161
evidence pack: 1-click (Team)
Attestation signed by: Your team
Evidence provided by: Provenrail

Why Provenrail

Built to be independently verified.

Most observability tools ask you to trust them. Provenrail is designed so that you do not have to.

Open-source verifier

The pr-verify tool is open-source and runs entirely offline. Any party can check the chain without contacting our servers. Trust the math, not the vendor.

RFC 3161 trusted timestamps

On Builder and higher plans, each anchor is timestamped by an external authority using the RFC 3161 standard, so the timing cannot be back-dated, even by us. The Free plan hash-chains ordering without a third-party timestamp.

Witnessed log, standards-aligned

An independent off-box receipt chain closes the single-host rewrite gap on every plan. On Builder and higher, an append-only Merkle log cosigned by independent witnesses closes the equivocation gap too, and every inclusion is emitted as an IETF SCITT (COSE) receipt any standards-aware auditor can verify.

Privacy-first by default

Default mode stores a SHA-256 hash of each prompt and response, not the raw text. Selective-disclosure redaction lets you reveal or erase sensitive fields later, without breaking the proof.
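
How a field can be revealed or erased later without changing the hashed record, using the salted-hash commitments the FAQ on this page mentions. This is an added sketch, not Provenrail's implementation: the function names, the 16-byte salt and the record layout are assumptions, and the sample values are constructed.

```python
import hashlib
import hmac
import json
import secrets

def commit(value, salt=b""):
    """SHA-256 commitment to one field value; an empty salt means unsalted."""
    return hashlib.sha256(salt + json.dumps(value).encode("utf-8")).hexdigest()

def seal(fields):
    """Split a record into public commitments and privately held openings."""
    openings = {name: (secrets.token_bytes(16), value)
                for name, value in fields.items()}
    commitments = {name: commit(value, salt)
                   for name, (salt, value) in openings.items()}
    return commitments, openings

def record_digest(commitments):
    """Digest a hash chain would link to; it covers commitments, never raw text."""
    body = json.dumps(commitments, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def check_disclosure(commitments, name, salt, value):
    """Verifier side: does a revealed (salt, value) pair open the commitment?"""
    return hmac.compare_digest(commitments[name], commit(value, salt))

def erase(openings, name):
    """Erasure destroys the salt and value. The commitment stays in the record,
    so the digest is unchanged, but the field can no longer be opened."""
    openings.pop(name, None)

def brute_force(digest, candidates):
    """Why the salt matters: an unsalted hash of a low-entropy value
    is recovered by hashing guesses."""
    for guess in candidates:
        if commit(guess) == digest:
            return guess
    return None

# Constructed sample record.
SAMPLE = {"prompt": "refund order 1182", "amount_usd": 340}

if __name__ == "__main__":
    commitments, openings = seal(SAMPLE)
    before = record_digest(commitments)
    erase(openings, "prompt")
    print(before == record_digest(commitments))
```

The unsalted hash of a small number such as a charge amount falls to a short guessing loop, while the salted commitment to the same value does not.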

Works across every provider

Drop-in capture for the OpenAI and Anthropic clients, LangChain and MCP. Any other provider or framework (Gemini, local models, or a custom loop) records with one line, all to the same chain.

Honest about the threat model

We document exactly what Provenrail does and does not catch. Technical buyers trust specificity. We tell you what we cannot guarantee before you commit to a plan.

Pricing

Start free. Scale when you need to.

No email gate on pricing. No hidden fees. Cancel anytime.

Free
$0
forever
  • 10k events per month
  • Single project, single user
  • Hash-chain integrity (local timestamps)
  • Open-source verifier, offline or hosted
  • Community support

Team
$99/mo
billed monthly
  • 2M events per month
  • Everything in Builder
  • Up to 10 team members, roles + SSO
  • Unlimited projects
  • Data exports (NDJSON / SIEM)
  • Attestation + HIPAA evidence packs
  • Priority email support

Enterprise
Custom
volume + support
  • Unlimited events
  • Everything in Team
  • Unlimited members + SSO
  • Private / self-hosted deployment
  • Support terms by agreement
  • Dedicated support

Every plan includes full hash-chain integrity and the open-source verifier, identical on every tier. Paid plans add RFC 3161 trusted timestamps, shareable proof links and a live badge (Builder); then up to 10 team members with roles and SSO, data exports, and attestation plus HIPAA evidence packs (Team). Limits apply to the licensed build you run. We host no agent records. 14-day refund on paid plans.

FAQ

Common questions.

A cooperative agent cannot silently alter records once they reach the sink: the hash chain makes any tampering detectable, and on Builder and higher plans RFC 3161 timestamps from an external authority prevent back-dating. However, a hostile agent that simply does not call the SDK at all will not appear in the record. Provenrail detects tampering and deletion of records that were written. It cannot force an uncooperative agent to write in the first place. This limitation is a documented part of the threat model, not fine print.
No. The verifier (pr-verify) is open-source and verifies the hash chain locally without contacting our servers. On Builder and higher plans it also checks RFC 3161 timestamps from an external time authority. You can run it yourself, or export a portable bundle and hand it to any third party who runs the open-source verifier; on Builder and higher a hosted read-only proof link is also available. You do not need to trust us or the agent; you need to trust standard cryptography and, on paid plans, the third-party time authority.
The default mode is store-hash-not-content: we record a SHA-256 hash of each prompt and response, not the raw text. The hash proves the content existed and has not changed; the raw text stays on your infrastructure. Selective-disclosure redaction lets you commit sensitive fields as salted hashes and reveal or erase them later without breaking the proof. For HIPAA-covered entities, Provenrail maps evidence to 164.312(b); you remain the covered entity and own certification.
Provenrail provides the technical evidence layer: an append-only, timestamped, tamper-evident log of AI system operations of the kind EU AI Act Article 12 calls for (enforceable 2026-08-02). Your team is responsible for regulatory certification. We provide the evidence; you provide the attestation. The Team plan includes one-click attestation evidence packs designed for use with auditors and regulators.
Free: $0, 10k events/month, single project, single user, hash-chain integrity, open-source verifier. Builder: $29/month, 500k events, RFC 3161 trusted timestamps, shareable client proof links and live badge, single user. Team: $99/month, 2M events, unlimited projects, up to 10 team members with role-based access and SSO, data exports, and one-click attestation plus HIPAA evidence packs. Enterprise: custom pricing, unlimited members, private deployment, support terms by agreement, contact us. Limits apply to the licensed build you run; the open-source integrity guarantee is identical on every plan, and we host no agent records. All paid plans include a 14-day refund window.
Install the verifier: uv tool install provenrail (or pip install provenrail inside a virtualenv). Export your stream as a bundle, then run: pr verify bundle.json --pin pin.json. The tool recomputes the client hash chain, every Ed25519 signature, the independent server receipt chain, and every anchor locally, trusting neither the agent nor the sink. On Builder and higher plans each anchor carries an RFC 3161 trusted timestamp that the tool verifies against the external time authority. It exits 0 if intact and non-zero with a detailed error if any record is missing, reordered, altered, or back-dated. You can hand the bundle to a third party to run the verifier themselves; on Builder and higher a hosted read-only proof link is also available.