Ed25519 Signed Receipts

Ed25519 is a widely used elliptic-curve digital signature algorithm, valued for being fast, compact, and hard to misuse. A signer holds a private key and publishes a public key; anything signed with the private key can be verified by anyone with the public one. Signatures are 64 bytes, keys are 32, and both signing and verification take microseconds — which is why Ed25519 underpins SSH keys, TLS, package signing, and much of modern infrastructure.

Two properties matter for receipts: a signature proves the document came from the keyholder (authenticity), and any change to the document after signing invalidates it (integrity).

A signed receipt is a small structured document — typically recording what was paid, to whom, for which call, and when — signed with the issuer's Ed25519 key. Unlike a row in someone's database, it is portable and self-verifying: the holder can present it to any third party, who can confirm with the public key that it is genuine and unaltered, without trusting the holder or contacting the issuer.

That makes it the machine equivalent of a stamped invoice — except forging or editing it is computationally infeasible.

In the x402 flow, an agent pays per call in USDC: the server returns HTTP 402 with a price, the agent's wallet pays, settlement lands on Base in about two seconds, and the tool handler runs. The response then carries two proofs — the Base transaction hash, which shows money moved on-chain, and an Ed25519 signed receipt, which binds that payment to the specific call that was served.

The pair answers different questions. The chain proves payment happened; the receipt proves what it was for. Together they give both sides a complete, non-repudiable record of a transaction that no human witnessed.

When an autonomous agent transacts on a principal's behalf, nobody reviews each step in real time — accountability has to be reconstructable afterwards. Signed receipts make that practical: an operator can reconcile every cent of wallet spend against receipts, each tied to a named tool call, and verify the lot cryptographically. Disputes shrink to checking a signature rather than comparing two parties' logs.

Receipts also matter because x402 settlement is final — there are no chargebacks. The receipt is what replaces the card network's dispute paperwork: durable proof of exactly what was bought, held by the buyer from the moment of purchase.

Verification needs only the receipt, the issuer's public key, and any Ed25519 library — every mainstream language ships one. Check the signature over the receipt's canonical bytes, confirm the embedded transaction hash exists on Base, and the proof is complete. Servers monetized through the Loomal Index issue receipts in this flow automatically; neither buyers nor sellers implement the cryptography themselves.