Billateral — The Receipt Layer for the Agent Economy

For operators, their CFOs, and partners building the agent economy

AI agents are starting to spend real money. Today, when they do, the business gets a blockchain transaction hash — no vendor name, no invoice, no proof of what was bought. Billateral turns every agent payment into a real receipt, signed by both the buyer and the vendor and anchored on-chain, so your books, your CPA, and the IRS all see the same thing. Trust the agent. Prove the agent.

WHAT IS BILLATERAL?

At any shop, the register prints two copies of every receipt — one for the merchant, one for the customer. Billateral is that, for AI agents. Every time your agent pays, the vendor keeps a signed copy, you keep a signed copy, and both are anchored on-chain so neither side can rewrite history.

One receipt — five jobs it does for you: audit defense · 1099-NEC prep · $10k IRS alerts · agent-to-agent delegation · clean export to your CPA

Read the spec

EXHIBIT A — specimen.rcpt_□×

* VERIFIED * BILATERAL EAS · BASE

STATUS · ANCHORED● IMMUTABLE

receipt no.01HXA4…Q91T

paid viax402 · USDC on Base

amount$12.50 (USD at time of tx)

paid toLumen Data API Ltd

vendor tax IDXX-XXXXXXX

paid byNorthstar Labs Ltd

agentresearch-bot-v3

authorized2026-04-15 · by CFO

expense typeData & API services

business purposeQ2 market research

line item1,000 API calls · $12.50

— signatures —

vendor signed0x4a1b…b37e ✓ valid

buyer signed0x9c0e…f024 ✓ valid

on-chain proof0x7f4a…c21e ✓ anchored

ANCHOR: EAS · BASEIMMUTABLE · CANNOT BE DELETED

— CHAPTER 01 —
WHY NOW

Four things are converging, all at once.

Payments went live2025

Agents can now pay with a single HTTP call.

the x402 standard turns any API into something an AI can pay for instantly. Sending money is solved. Keeping track of what was bought is not.

Agents hire agents2025–26

The paper trail is about to disappear.

The major AI labs have all shipped protocols that let one agent delegate work — and money — to another. By the time a payment settles, it may have passed through three different bots.

The IRS is catching up2024–27

New crypto tax rules take effect in 2026.

Form 1099-DA, stricter enforcement of Form 8300, and FinCEN scrutiny on programmable money all land in the next 18 months. Records must go back seven years.

CFOs get the bill2026

Every agent deployment is hitting a finance review.

The controller asks one question: "where's the receipt for this?" Today, nobody buying or building AI agents can answer it. We think that's a product.

CHAPTER 02THE PROBLEM

Every agent payment
is a black box.

The IRS does not care that a bot pressed “pay.” The business still needs a record — and the chain doesn’t hold one.

What the chain sees today

A wallet paid a wallet.

That is the entire surface area of an x402 settlement. A tx hash, a payer address, a network identifier. No vendor identity. No tax category. No business purpose. No counterparty signature.

{
  "success": true,
  "payer": "0xb37e…",
  "transaction": "0x4a1b…",
  "network": "base:8453",
  // what did they buy? ?
  // on whose behalf? ?
  // under what authority? ?
  // what tax category? ?
  // fair market value USD? ?
}

AUDIT.SYS

A fatal exception 0x1099DA has occurred at IRS:AUDIT+0x8300.
The current application will be terminated.

· No vendor identity.
· No business purpose.
· No counterparty signature.
· No evidence the CPA will accept.

Press any key to produce a bilaterally-signed receipt.

An agent can trigger a $10,000+ transaction, tripping Form 8300, and the business has fifteen days to file — without a human ever seeing the request. The evidence the CPA will ask for does not exist.

§ 01.1 — The gaps

I.
Agents don't sign receipts.They don't know the business's tax ID. They don't categorize expenses. They don't generate invoices. "Our agent bought it" is a shrug, not a defense.
II.
Vendors don't attest.A PDF invoice in your inbox is unsigned by both parties. It proves nothing beyond the sender's willingness to send one.
III.
Accounting software is blind to agent spend.Ledgerbook ingests transactions. It cannot ingest cryptographic bilateral proof of what was purchased and why.
IV.
Swarms hide the paper trail.When agent A delegates to agent B who hires agent C, the trail of authority disappears. The IRS sees one wallet; the reality is a dependency graph.
V.
1099-DA lands in 2026.Crypto brokers report. Businesses paying via agents need vendor documentation ready today — not in the quarter a notice arrives.

◑‽

It looks like you're building an agent economy.Would you like Billateral to produce a bilaterally-signed receipt for every transaction — bound to your business entity, anchored on a public chain, and cryptographically immutable from the moment it's signed — impossible to alter or delete, by us or by anyone? Receipts never stale, never expire, and never require our servers to stay verifiable.

CHAPTER 03HOW IT WORKS

A receipt signed on
both sides of the wire.

Five stages. Each one leaves a cryptographic trace. None of them require a human in the loop, and none of them leave the paper trail to chance.

STAGE I

Agent initiates
a payment.

Over x402, a wallet tool, or any supported rail. The agent carries a verifiable delegation from its business entity — via our agent-id standard at MVP.

AGENT ──▶ $$$ delegated_agent business_entity tax_category

STAGE II

II.

Vendor signs
line items.

Server-side middleware emits a vendor-side attestation: “I provided this service on this date for this amount, against this business purpose.”

VENDOR ─── signs ──▶ line_items[] terms tax_id

STAGE III

III.

Buyer co-signs
on behalf of.

The buyer-side agent signs with its delegation key. The receipt now bears both signatures — independently verifiable against both public keys.

BUYER ─── signs ──▶ bilateral = true verifiable = true

STAGE IV

IV.

Encrypt.
Pin. Batch.

Receipt body encrypted to both parties only. Pinned to IPFS. Hashed with a blinding nonce. The hash enters a Merkle batch alongside thousands of others.

sha256(json ‖ pk_v ‖ pk_b ‖ r) ──▶ merkle_root

STAGE V

Anchor
on Base.

The Merkle root is written on-chain via EAS. The chain learns nothing beyond “a batch exists.” Both parties hold an offline-verifiable inclusion proof — forever.

→ ANCHORED ON BASE: chain stores only the root — no amounts, no identities

CHAPTER 04THE RECEIPT

One receipt. Two signatures.
Immutable forever.

Every Billateral record is a structured, bilaterally-signed object. Human-readable as a PDF, machine-readable as JSON, legally-defensible as evidence.

Specimen · Example

Billateral

— BILATERAL RECEIPT · FOR TAX AND AUDIT PURPOSES —

Receipt

01HXA4·BQG·C7D9·Q91T

Issued

2026-04-15 · 14:30:12 UTC

Rail

x402 on Base · USDC

0x4a1b…b37e

Vendor

Lumen Data API Ltd (XX-XXXXXXX)

Buyer

Northstar Labs Ltd (XX-XXXXXXX)

Agent

agent:did:research-agent-v3

Authority

auth:2026-04-15/research-runtime

§ 03.1 · Public verification

Verification is designed to run client-side: any third party pastes a receipt proof into a static page and validates it in-browser against the on-chain commitment. No login, no account — the CPA you already have can verify a receipt without onboarding to anything new. Signature check runs locally; the Merkle inclusion proof checks against a Base RPC. The hosted verifier ships alongside the SDK at MVP.

§ 03.2 · Selective disclosure

Share one receipt, one vendor, one quarter, or the whole year. An optional completeness proof lets the business prove they've shared all receipts for a period — the count is baked into the Merkle root, so any omission is cryptographically detectable.

§ 03.3 · counterparty trust score

SCORING VENDOR

Lumen Data API Ltd

VENDOR · EIN XX-XXXXXXX

·84

UNKNOWNTHRESHOLD · 62ATTESTED

POLICY · YOUR AGENT REJECTS VENDORS BELOW 62ACCEPTED84/62

MINMAX

BUYERS REJECT UNTRUSTED VENDORS. YOUR AGENT REFUSES TO SIGN A PURCHASE BELOW THE THRESHOLD. SIGNALS: VENDOR EIN VERIFIED · FULFILLMENT RATE · AGENT-ID PROVENANCE · DISPUTE HISTORY.

CHAPTER 05SECURITY & PRIVACY

The chain learns nothing.
You learn everything.

A content-hiding commitment anchors the receipt’s existence without exposing its contents. Only the two parties — and the auditors they authorize — can read it.

§ 04.1

End-to-end encryption.

The receipt body is encrypted to a list of explicit reader public keys — buyer, vendor, admin, and any auditor either party grants access to. Not to Billateral. Not to an indexer. Not to a third party.

If our servers are compromised, the attacker sees commitments and ciphertext — not contents. The reader list is append-only, so adding an auditor never re-encrypts the body, and on-chain commitments never need to be re-anchored.

PRIMITIVEHPKE · RFC 9180

§ 04.2

Bilateral signatures.

Both parties sign the same structured payload before it is finalized. Neither side can alter the record after the fact without invalidating the other's signature.

This is the property that makes a Billateral receipt a genuine receipt — not just an invoice in an inbox. Both sides independently hold the same cryptographically-bound artifact.

PRIMITIVEEd25519 · secp256k1

§ 04.3

Content-hiding commitments.

On-chain state per batch is a single Merkle root. No parties, no amounts, no business details. Auditors verify inclusion offline with a proof the business hands over.

A competitor sniffing on-chain state learns "Billateral anchored a batch this hour" — and nothing more. Your vendor list, your spend, your categories — invisible.

ANCHOREAS on Base

§ 04.4

Trust-scored counterparties.

Each party carries a trust score derived from verified tax ID, bilateral-signing history, agent-id provenance, and dispute record. Agents can refuse to transact below a threshold you set.

Raise the threshold for treasury-size payments. Lower it for dust-sized API calls. The policy is enforceable at the payment boundary, not post-hoc in the books.

ENFORCEMENTpre-commit · agent-side

§ 04.5

Post-seed: zero-knowledge.

Stage 2 adds aggregation proofs ("total paid to vendor X in 2026 is exactly $60,000" — without revealing line items), range proofs, and capability-based access grants.

Phase 6 layers on top of Phase 1. The commitment scheme is SNARK-compatible by construction. No forced migration; no broken history.

STAGE 2 · POST-SEEDNoir / Circom

CHAPTER 06SWARMS & DELEGATION

When agents hire agents,
the paper trail holds.

An agent managed by another agent is still spending your money. Billateral records the whole dependency path — not just the wallet that pressed “pay.”

Every hop is attested.

Agent A delegates a research task to agent B, which hires paid tool C and subcontracts transcription to agent D. Four entities, three payments, one taxpayer on the hook.

Billateral follows the delegation chain. Every receipt carries the full dependency path — which agent authorized which, under whose entity, for which business purpose. No transaction leaves the process unattributed.

“Our agent's agent's agent paid” is, remarkably, also not an audit defense. The receipt names all four.

The CFO sees a flat ledger. The auditor, if asked, sees the tree. The chain sees a single commitment.

▼ orchestrator · "research-v3"                 agent:did:…a1
│  ├─ entity: Northstar Labs Ltd                 EIN: XX-XXXXXXX
│  └─ delegation: q2-research-runtime
│
├─ ▸ researcher · "scout-2"                  agent:did:…b4
│   │
│   ├─ ● PAID  $12.50  lumen-data-api           rx-01H·Q91T
│   │   └─ bilateral ✓✓  eas · batch 41           root 0x7f…c21e
│   │
│   └─ ● PAID   $4.00  search-index-svc        rx-01H·R02F
│       └─ bilateral ✓✓  eas · batch 41           root 0x7f…c21e
│
└─ ▸ transcriber · "scribe-1"               agent:did:…c7
    │
    ├─ ● PAID   $0.80  whisper-hosted-api      rx-01H·S14A
    │   └─ bilateral ✓✓  eas · batch 41           root 0x7f…c21e
    │
    └─ ● PAID   $2.20  summary-agent-svc       rx-01H·S14B
        └─ bilateral ✓✓  eas · batch 42           root 0xe2…9a08

─────────────────────────────────────────────
Σ  run total       $19.50
   receipts           4 / 4 bilateral
   attributed to      Northstar Labs Ltd
   tax category       data-and-api-services

CHAPTER 07DASHBOARD · PREVIEW

One envelope.
A reader list that only grows.

A peek at the operator console we're building. Top up a USD balance, watch your agents debit it in real time. Each receipt's body is encrypted once; the list of who can read it is append-only — agent, vendor, or admin can grant a new auditor at any time, before or after creation, with the same one-line operation. Numbers below are mocked for illustration; nothing is billed today.

Billateral · control-panel.exe — northstar-labs_▢×

BalanceReceiptsAgents · 4

Prepaid USD balance● live

$487.32

MTD spend $312.68burn $14.27 / day

runway · 34 daysauto-recharge @ $250

Top up balance

$250.00USD

$50$250$1k$5k

▣VISA · ending 1099ACH alt

Settles to USD ledger · normal SaaS line-item

Spend by agent · April 20264 agents · 738 receipts

research-agent-v3did:agent:rch-3a91
$ 142.10
412 receipts
billing-bot-proddid:agent:bil-7c4d
$ 84.40
188 receipts
analytics-runnerdid:agent:ana-2f1e
$ 61.04
96 receipts
cleanup-crondid:agent:cln-09b2
$ 25.14
42 receipts

Recent receipts · last hour

ReceiptVendorAmountStatusWhen

01HXA4·BQG·C7D9Lumen Data API$ 12.50✓ signed2m ago
01HXA4·BQF·M3K1OpenRouter$ 4.18✓ signed9m ago
01HXA4·BQE·R7T2Twilio$ 0.81✓ signed14m ago
01HXA4·BQD·X9Q5Vendor:0xc4f9…unkn$ 0.42⚠ unilateral31m ago
01HXA4·BQC·H2L8Anthropic$ 3.05⌛ pending44m ago
01HXA4·BQB·N1V0Stripe Issuing$ 19.00✓ signed1h ago

unlocked · in-browser decryptHPKE · RFC 9180

Demo · no-op

§ 10 · the envelopeHPKE · RFC 9180

Body written once. Reader list grows forever.

body · encrypted once

01HXA4·BQG·C7D9

│├ wrap K → reader_pk▼

agent

vendor

admin

auditor

← append-only · forever →

The body is encrypted once with a fresh key K. That key is wrapped independently to every reader. Adding a reader later just appends a new wrap — the body ciphertext stays bit-identical forever.

readers · 01HXA4·BQG·C7D94 · append-only

agent
research-agent-v3
did:agent:rch-3a91 · 0x4a1b…
at mint
vendor
Lumen Data API Ltd
vendor:lumen · 0x9c0e…
at mint
admin
Northstar Labs · org
org:nbsd · 0x9f4a…c21e
at mint
auditor
Mendoza CPA, LLP
cpa:mendoza · 0x7d12…
granted

+ grant a new reader⌘G

pkcpa:eversharp · 0xb612…f0a4

granter · admin (you)signature · ed25519 · ready

Mocked for the deck. The real dashboard is designed as a static client app running HPKE (RFC 9180) in WebCrypto — one primitive across every customer, every release. Decryption happens in your tab; reader grants are signed and appended; we never see plaintext. The balances, agents, and receipts above are illustrative — nothing is billed, signed, or anchored from this page.

CHAPTER 08FAQ

Things finance, legal,
and engineering ask.

Q·01Is this an accounting system?+

No. Billateral produces the receipt — the primitive evidence. Whatever ledger you already use (QuickBooks, Xero, NetSuite, an on-chain accounting tool) ingests those receipts and handles reporting. We are the layer between the agent and the ledger, not a replacement for either.

Q·02Can the vendor refuse to co-sign?+

Yes — which is its own signal. If a vendor declines to co-sign after 72 hours, the receipt is marked unilateral. You still hold a non-repudiable attestation on the signing side, plus the on-chain payment. A pattern of unilateral receipts with a given vendor pulls their trust score down.

Q·03Who can see a receipt?+

The buyer, the vendor, and anyone either party explicitly shares a proof with — typically their CPA or an auditor. Billateral's servers store only encrypted blobs and commitments; we cannot decrypt your receipts. The chain sees a Merkle root per batch and nothing else.

Q·04What does the accountant do?+

Whatever they already do. The business exports a per-receipt proof or an audit bundle and sends it via the channel they already use. At MVP the accountant will verify a receipt via a static, client-side verifier page or a small open-source CLI — both check the signatures locally and the Merkle inclusion proof against a Base RPC. No logins. No role management. No new surface to learn.

Q·05Does this work for human payments too?+

Yes — the schema generalizes. Agent-first at launch because that's the market with the acute unmet need; human-initiated spend uses the same primitive and the same exports. One ledger of defensible receipts regardless of who pressed the button.

Q·06Does Billateral handle the money?+

No. Your agent will pay the vendor directly via x402 — the funds never touch us. We see only the metadata, and only after both sides have signed it. When we open paid access, our fee will be debited from a prepaid USD balance you top up by card or ACH (just like Twilio or OpenAI credits) — your bank and your CFO see a normal SaaS line on the books, not a crypto inflow. We are not a money transmitter and not an MSB. (We’re still in development; nothing is billed today.)

Q·07What happens if Billateral goes down?+

Your receipts already exist. They are pinned to IPFS, committed on Base, and held by both parties. The hosted service provides indexing, sync, and exports — but the cryptographic layer is offline-verifiable by any third party with a Base RPC endpoint and the open-source verifier we ship alongside the SDK.

Four things are converging, all at once.

Agents can now pay with a single HTTP call.

The paper trail is about to disappear.

New crypto tax rules take effect in 2026.

Every agent deployment is hitting a finance review.

Every agent paymentis a black box.

A wallet paid a wallet.

A receipt signed onboth sides of the wire.

Agent initiatesa payment.

Vendor signsline items.

Buyer co-signson behalf of.

Encrypt.Pin. Batch.

Anchoron Base.

One receipt. Two signatures.Immutable forever.