Skip to main content
GET
/
aci
/
receipts
/
{id}
Get Receipt
curl --request GET \
  --url https://api.redpill.ai/v1/aci/receipts/{id} \
  --header 'Authorization: Bearer <token>'
Returns the signed receipt for a response: a transparency event log that binds the request and response hashes to the attested gateway, signed by a key from the attested keyset. This is the canonical per-response proof. Look up a receipt by the x-receipt-id header on the inference response, or by the response id. For how to read the event log, see Receipts. 
GET /v1/aci/receipts/{id}

Request

id
string
required
A receipt id (rcpt-…) or the response id (chat id). The receipt id is returned in the x-receipt-id response header on /v1/chat/completions.

Response

200 OK, application/json. The bare canonical receipt:
FieldTypeDescription
api_versionstringACI version token, for example aci/1.
receipt_idstringThe receipt id (rcpt-…).
chat_idstringThe response/chat id.
workload_idstringMust match the attestation report.
workload_keyset_digeststringMust match the attestation report.
endpointstringThe route served, for example /v1/chat/completions.
methodstringHTTP method.
served_atnumberUnix seconds.
event_logarrayOrdered transparency events (below).
signaturestringSignature over the receipt, by a key in the attested keyset.

event_log entries

typeKey fields
request.receivedbody_hash
middleware.forwardedbody_hash
route.selectedtarget_route_id
request.forwardedbody_hash
transparency.request_modified(present when forwarded body differs)
upstream.verifiedprovider, upstream_name, model_id, url_origin, verifier_id, result, required, session_id, channel_bindings, claims
response.receivedcleartext_hash
transparency.response_modified(present when returned response differs)
response.returnedcleartext_hash, wire_hash

Example (truncated)

{
  "api_version": "aci/1",
  "receipt_id": "rcpt-e0eefe63b3673e2a5984951f",
  "chat_id": "d3ad808b20a444c29e798db35f112033",
  "workload_id": "sha256:3def476b…",
  "workload_keyset_digest": "sha256:3eff0836…",
  "endpoint": "/v1/chat/completions",
  "method": "POST",
  "served_at": 1781588857,
  "event_log": [
    { "seq": 0, "type": "request.received", "body_hash": "sha256:111d08a5…" },
    { "seq": 2, "type": "route.selected", "target_route_id": "near-ai:qwen/qwen3-30b-a3b-instruct-2507" },
    { "seq": 5, "type": "upstream.verified", "provider": "near-ai", "model_id": "Qwen/Qwen3.6-35B-A3B-FP8",
      "url_origin": "https://cloud-api.near.ai", "verifier_id": "private-ai-verifier/near-ai-gateway/v1",
      "result": "verified", "required": true, "session_id": "as_3681736b…" },
    { "seq": 7, "type": "response.returned", "cleartext_hash": "sha256:07703fb4…", "wire_hash": "sha256:07703fb4…" }
  ],
  "signature": "…"
}

Verifying the receipt

  1. Confirm workload_id and workload_keyset_digest match a verified attestation report.
  2. Verify signature under a receipt_signing_keys entry from the attested keyset.
  3. Confirm request.received.body_hash matches the request you sent and response.returned.wire_hash matches the response you received.
  4. Read upstream.verified: result = verified and required = true indicate a confidential model served from a verified, channel-bound upstream. Follow session_id to the attested session.
See Verify a response for the full walkthrough.

Legacy alias

GET /v1/signature/{id} is a legacy compatibility alias that wraps this same receipt in a legacy envelope, documented under Signature.

Get attestation report

Get session