append-only · publicly checkable · BLAKE3-merkle
Hive Transparency Log

The public log for every signed agent receipt.

Think of it as Certificate Transparency, but for AI agents. Every Hive receipt, no matter which rail, chain, or model created it, gets submitted to one public log that anyone can add to. Anyone can check a receipt. Anyone can copy the whole log. This gives the agent web a shared record it never had.

RFC 6962: CERTIFICATE TRANSPARENCY BLAKE3 MERKLE ED25519 SIGNED TREE HEAD SUBMIT AND FORGET

Why this changes how proof works online

Right now every proof system stands alone. Stripe keeps its own logs, Coinbase keeps its own logs, and every model provider has its own audit trail, but none of them can check each other's work. Hive Transparency changes that. One public log. One shared root, signed every minute. Every receipt gets a permanent address. Once browsers and gateways start checking these proofs automatically, any proof system that skips the log becomes invisible by comparison. That's the shift this creates.

Four endpoints. That's the whole API.

Smaller than DNS. Easier to check than git.

POST ct.thehiveryiq.com/v1/submit Send in any signed receipt. Get back proof it's in the log.
GET ct.thehiveryiq.com/v1/sth Signed Tree Head: the master root hash, refreshed every minute.
GET ct.thehiveryiq.com/v1/proof/<leaf_hash> Proof that one specific receipt is in the log. Checkable offline.
GET ct.thehiveryiq.com/v1/entries?start=N&end=M Pull entries by number. Anyone can copy the whole log.
Submit anything signed

One curl command. Your receipt is checkable forever.

# Submit any signed receipt: Hive, Stripe, x402, AP2, MCP tool call, or Coinbase Commerce
curl -X POST https://ct.thehiveryiq.com/v1/submit \
  -H "Content-Type: application/json" \
  -d '{"envelope": <your_signed_object>}'

# What you get back: a signed proof the receipt is in the log
{
  "leaf_hash": "blake3:7f2a...",
  "tree_size": "4,718,209",
  "sth_signature": "ed25519:i6-Wo01...",
  "audit_path": ["blake3:...", "blake3:...", ...],
  "timestamp": "2026-05-29T11:04:33Z",
  "canonical_url": "https://thehiveryiq.com/r/?id=blake3:7f2a..."
}
Check it offline

Proofs are just math. You don't need the internet to check one.

# Check a Hive Transparency proof: pure math, works offline
import blake3
from hive_ct import verify_inclusion

ok = verify_inclusion(
  leaf=signed_receipt_bytes,
  audit_path=proof["audit_path"],
  sth_root=signed_tree_head["root_hash"],
  sth_signature=signed_tree_head["signature"],
  trust_anchor="ed25519:i6-Wo01AwSD1eAhSSC3e3VCTEYFXehGNOVdC5iobuBc"
)
# Comes back true only if this exact receipt is in the log
Spec: written like an RFC, on purpose boring

Hive Transparency v1: the whole spec, one page.

  • HASH BLAKE3-256 over the standard CBOR encoding of what you submit
  • TREE A Merkle binary tree, using the RFC 6962 hashing method, with BLAKE3 instead of SHA-256
  • STH CADENCE A Signed Tree Head goes out every 60 seconds, even when nothing new came in
  • STH SIGNATURE Signed with Ed25519 by did:hive:hivetrust-issuer-001
  • PQ FUTURE An ML-DSA-65 second signature is ready behind a feature flag and can be turned on anytime
  • SUBMIT WINDOW Your entry shows up in the next Signed Tree Head within 60 seconds, guaranteed
  • MIRROR Anyone can copy the full log through /v1/entries. No rate limit on public mirror addresses
  • GOSSIP Signed Tree Heads post to a public X feed, RSS, and IPFS pin every minute so anyone can catch a mismatch
  • ABUSE We only rate-limit submitters. We don't moderate content. The log is plumbing, nothing more
  • TRUST ANCHOR One Ed25519 key, rotated every year with an overlap window
  • CANONICAL URL Every entry gets a permanent link at /r/?id=<leaf_hash>
Why it wins

We're following a path that already worked once.

01

Google turned HTTPS around in 10 years.

Certificate Transparency went from a new idea to a Chrome requirement because it was cheap, boring, and easy to check. Every TLS certificate on earth now runs through it. We're doing the same thing for agent receipts.

02

Submit it and move on. No lock-in.

The log takes any signed object: Hive, Stripe, AP2, x402, Coinbase Commerce, even a plain OpenAI tool_call signature. We don't read or judge the content. We just add it to the log and prove it's there.

03

The verifier does the enforcing.

Once browsers and gateways start checking these proofs by default, anything missing from the log will stand out as unsigned. We're not asking anyone's permission for that to happen. We're shipping the verifier extension and letting it spread on its own.

Integrations

Already connected. The plumbing is done.

A

Every Hive receipt submits itself

Every receipt made through /try/, the SDKs, or the inference bus lands in the log within 60 seconds. Free. No extra steps.

B

Works with rails Rosetta already speaks

Paste in any Stripe webhook, x402 receipt, or AP2 mandate. Rosetta converts it to a common format and the log accepts it. /rosetta

C

A permanent public link for every entry

Every entry gets a permanent URL at /r/?id=<leaf_hash>. Every receipt becomes something you can point to and cite, forever.

Submit your first proof.

One curl command. No signup. It stays in the log for good.