Skip to main content

Overview

AgentSystems Notary creates tamper-evident audit trails for AI agent interactions.

Why

When AI behavior is questioned by customers, auditors, regulators, insurers, etc., you need to prove what actually happened. Traditional logs don’t work: you control them, so third parties have to trust you didn’t modify them. Tamper-evident logging removes that trust requirement.

How it works

Raw LLM interactions stay in your storage. No third party sees them during normal operation. But cryptographic hashes of each interaction are written to independent, tamper-evident storage (Arweave or the AgentSystems custodied service) at the same time. If there’s ever an audit or dispute, you provide the raw logs. The auditor re-hashes them and compares against the stored hashes. A match indicates the logs are unaltered. A mismatch indicates tampering or corruption. You control your data, but can’t alter it without detection. What gets logged:
  • To your storage: full raw LLM payload (prompts, responses, metadata, timestamps)
  • To hash storage: SHA-256 hash + metadata (e.g. namespace, session ID, timestamps)

Hash storage options

Hashes (not raw data) can be written to either storage option:
StorageBest ForFeatures
Decentralized (Arweave)No vendor lock-inPublic append-only ledger, open-source verification, no account needed
CustodiedManaged complianceWrite-once storage, verification UI, signed attestations for audits
Custodied plans offer WORM-compliant hash storage, managed signing, and signed attestations.

Prerequisites

pip install agentsystems-notary langchain langchain-anthropic python-dotenv

Example (decentralized)

1

Generate signing key

openssl genrsa -out arweave-key.pem 4096
Retain this key. It is required to prove ownership of on-chain hashes during verification.
For production, use a cloud key management service.
2

Create .env file

Create a .env file in your project root:
# AWS S3 for raw payload storage
ORG_AWS_S3_BUCKET_NAME=your-bucket
ORG_AWS_S3_ACCESS_KEY_ID=AKIA...
ORG_AWS_S3_SECRET_ACCESS_KEY=...
ORG_AWS_S3_REGION=us-east-1

# Path to signing key
ARWEAVE_PRIVATE_KEY_PATH=./arweave-key.pem

# Anthropic
ANTHROPIC_API_KEY=sk-ant-...
3

Run the example

import os

from agentsystems_notary import (
    LangChainNotary,
    ArweaveHashStorage,
    AwsS3StorageConfig,
    LocalKeySignerConfig,
    RawPayloadStorage,
)
from langchain_anthropic import ChatAnthropic
from dotenv import load_dotenv

load_dotenv()

# Your S3 bucket for raw LLM payloads
s3_config = AwsS3StorageConfig(
    bucket_name=os.environ["ORG_AWS_S3_BUCKET_NAME"],
    aws_access_key_id=os.environ["ORG_AWS_S3_ACCESS_KEY_ID"],
    aws_secret_access_key=os.environ["ORG_AWS_S3_SECRET_ACCESS_KEY"],
    aws_region=os.environ["ORG_AWS_S3_REGION"],
)
raw_payload_storage = RawPayloadStorage(storage=s3_config)

# Local RSA key for signing
signer = LocalKeySignerConfig(
    private_key_path=os.environ["ARWEAVE_PRIVATE_KEY_PATH"],
)

# Arweave for decentralized hash storage
# Namespace is public — written to the ledger and used to segment stored data
# Namespace should be one anonymous ID per customer, agent, or environment
# Retain a record of your namespace mappings
arweave_storage = ArweaveHashStorage(
    namespace="tenant_a1b2c3d4",  # See namespace comments above
    signer=signer,
)

# Create notary callback
notary = LangChainNotary(
    raw_payload_storage=raw_payload_storage,
    hash_storage=[arweave_storage],
    debug=True,
)

# Attach to model
model = ChatAnthropic(
    model="claude-sonnet-4-5-20250929",
    api_key=os.environ["ANTHROPIC_API_KEY"],
    callbacks=[notary],
)

response = model.invoke("What is the capital of France?")
print(response.content)

Verification

Decentralized (Arweave): Download raw payloads from your storage bucket, zip them, and verify with the open-source CLI: 
aws s3 sync s3://your-bucket/arweave/tenant_a1b2c3d4/ ./logs
zip -r logs.zip logs
npm install -g agentsystems-verify
agentsystems-verify --logs logs.zip
The CLI re-hashes each payload and compares against the hashes stored on Arweave. See the full verification guide for details. Alternatively, the Verify UI supports both decentralized and custodied verification.

Configuration

Resources

Edit this page on GitHub or file an issue.
Connect these docs to Claude, VSCode, and more via MCP for real-time answers.