Receipts
A receipt is an append-only, signed audit record created for every call to the Relynt gateway. Receipts provide a tamper-evident trail of every action your agents attempt — whether allowed, denied, or pending approval.
Design principles
- Append-only — receipts are never updated or deleted
- Signed — every receipt includes an HMAC-SHA256 signature for tamper detection
- Complete — every gateway call produces at least one receipt
- Verifiable — receipts can be verified via the dashboard or API
Receipt fields
Every receipt contains:
| Field | Description |
|---|---|
| receipt_id | Unique identifier |
| created_at | Timestamp of creation |
| organization_id | Tenant the receipt belongs to |
| agent_id | Agent that made the request |
| instance_id | Run identifier for the agent execution |
| action | Operation string (e.g., update_deal) |
| resource | Target identifier (e.g., crm:deal:123) |
| policy_version | Which policy version was evaluated |
| decision | allow, deny, pending_approval, or error |
| risk_level | low, medium, or high |
| request_hash | SHA-256 over canonical JSON of the request body |
| response_hash | SHA-256 over the connector response (when available) |
| signature | HMAC-SHA256 for tamper detection |
Additional fields when applicable:
| Field | Description |
|---|---|
| approval_id | Links to the approval record |
| idempotency_key | The client-provided idempotency key |
| approver | Identity of the human who approved/denied |
Approval flow receipts
When a request triggers an approval flow, two receipts are created:
- Initial receipt — `decision: "pending_approval"`, created when the approval request is sent to Slack
- Final receipt — `decision: "allow"` or `decision: "deny"`, created when the approver responds
Both receipts share the same approval_id for correlation.
Verification
Every receipt can be verified to detect tampering:
- Dashboard — click the Verify button on any receipt detail page
- API — call `GET /v1/receipts/:id/verify`
Verification recomputes the HMAC-SHA256 signature over the stored receipt fields and compares it to the stored signature. A match means the receipt's fields have not been modified since it was signed. Because the signing key is held server-side, this check runs on the server rather than in the client, and it detects modification only: protection against a receipt being removed comes from the append-only storage rule, not from the signature.

```json
{
  "valid": true
}
```

Relynt uses HMAC-SHA256 for signing in v0. The signing key is managed server-side and is never exposed to clients.
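The following is an added example, not Relynt's code, showing how a receipt with the fields listed above can be hashed, signed with HMAC-SHA256 and verified, and how a flipped `decision` or a wrong key is caught. The page does not define "canonical JSON" or which fields the signature covers, so this example assumes sorted keys with compact separators and UTF-8 encoding, and an HMAC over every field except `signature` itself; the signing key, field values and request body are constructed sample data.

```python
import hashlib
import hmac
import json

# Hypothetical server-side signing key so the example runs offline.
# The page states the real key is managed server-side and never exposed to clients.
SIGNING_KEY = b"example-key-do-not-use-in-production"


def canonical_json(value) -> bytes:
    """Canonical JSON as assumed here: sorted keys, no whitespace, UTF-8."""
    return json.dumps(value, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_receipt(receipt: dict, key: bytes) -> str:
    """HMAC-SHA256 over every field except the signature itself (assumption)."""
    unsigned = {k: v for k, v in receipt.items() if k != "signature"}
    return hmac.new(key, canonical_json(unsigned), hashlib.sha256).hexdigest()


def create_receipt(*, receipt_id, created_at, organization_id, agent_id,
                   instance_id, action, resource, policy_version, decision,
                   risk_level, request_body, response_body=None,
                   key=SIGNING_KEY, **optional) -> dict:
    """Build a receipt with the fields from the tables above and sign it.

    Only SHA-256 hashes of the request body and connector response are kept;
    the raw payloads and any Authorization header on the connector call are
    never part of the record.
    """
    receipt = {
        "receipt_id": receipt_id,
        "created_at": created_at,
        "organization_id": organization_id,
        "agent_id": agent_id,
        "instance_id": instance_id,
        "action": action,
        "resource": resource,
        "policy_version": policy_version,
        "decision": decision,
        "risk_level": risk_level,
        "request_hash": sha256_hex(canonical_json(request_body)),
        "response_hash": (sha256_hex(canonical_json(response_body))
                          if response_body is not None else None),
        **optional,  # e.g. approval_id, idempotency_key, approver
    }
    receipt["signature"] = sign_receipt(receipt, key)
    return receipt


def verify_receipt(receipt: dict, key: bytes) -> bool:
    """Recompute the HMAC and compare in constant time (what the verify endpoint does)."""
    expected = sign_receipt(receipt, key)
    return hmac.compare_digest(expected, receipt.get("signature", ""))


def demo() -> dict:
    """Constructed sample data; returns verification outcomes for inspection."""
    body = {"deal_id": 123, "stage": "closed_won", "amount": 50000}
    receipt = create_receipt(
        receipt_id="rcpt_example_001", created_at="2025-01-01T00:00:00Z",
        organization_id="org_example", agent_id="agent_example",
        instance_id="run_example", action="update_deal",
        resource="crm:deal:123", policy_version="3", decision="allow",
        risk_level="medium", request_body=body, response_body={"ok": True},
        idempotency_key="idem-abc",
    )
    # Canonicalisation: the same body with keys in another order hashes identically.
    reordered = {"amount": 50000, "stage": "closed_won", "deal_id": 123}
    same_hash = sha256_hex(canonical_json(reordered)) == receipt["request_hash"]
    tampered = dict(receipt, decision="deny")  # flip the recorded decision
    return {
        "original_valid": verify_receipt(receipt, SIGNING_KEY),
        "tampered_valid": verify_receipt(tampered, SIGNING_KEY),
        "wrong_key_valid": verify_receipt(receipt, b"not-the-signing-key"),
        "canonical_hash_stable": same_hash,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two points the code makes explicit: the hash must be taken over a canonical serialisation, otherwise a harmless re-serialisation of the same body would look like tampering; and since HMAC verification needs the key, only the party holding it can verify, which is why the page exposes verification through the server-side endpoint rather than as a client-side check.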
Security
Receipts follow strict security rules:
- Raw connector secrets and `Authorization` headers are never stored
- Sensitive payload fields are redacted or hashed
- The dashboard and logs never display secrets
- Request and response hashes allow integrity verification without storing raw data
Querying receipts
Receipts can be queried via the dashboard or API with filters:
- Decision — filter by `allow`, `deny`, `pending_approval`, `error`
- Risk level — filter by `low`, `medium`, `high`
- Agent — filter by `agent_id`
- Time range — filter by date range
- Search — full-text search across action, resource, and receipt ID