For a senator, an ISO chief engineer, or an IPP CFO — a quiet note on receipt-shaped market messages.
We owe you the same honesty you would expect of a counterparty standing across a forty-year asset. We are a small team. We do not assume anything about how PJM, CAISO, ERCOT, MISO, NYISO, ISO-NE, SPP, or the EU Network Code regions are run that the people who built them would not. What follows is what we noticed in the last 18 months, what we think we can credibly contribute, and three questions we would like the room to push back on. If we are wrong on any of it, we want to be told. If we are right on any of it, we would like the chance to prove it on one signed receipt before anyone changes anything else.
Four clocks started ticking at once.
Four regulatory clocks have moved in the last six quarters. None of them require a new market message. All of them assume one exists.
| Where | What moved | What it asks for |
|---|---|---|
| FERC 2222 | Implementation deadlines now binding across PJM, CAISO, NYISO, ISO-NE, MISO, SPP. DER aggregations participate in wholesale markets through an aggregator the ISO settles against. | A way to settle thousands of DER assets behind one aggregator without trusting a single XML envelope. The aggregator is on the hook for the chain. |
| EU Network Code on Demand Response | The EU Network Code framework on Demand Response is moving from consultation toward implementation, with national TSOs working out how aggregators interface with balancing markets. | A cross-border evidentiary surface where a German aggregator and a French TSO can verify the same flex obligation without trading PDFs. |
| CAISO 2026 capacity reform | CAISO is rebuilding the resource-adequacy framework. Capacity is being redefined around what a resource can actually do under stress, not what it nameplates. | A capacity attestation with a measurement window and a test methodology referenced — not a PDF certificate that ages out of context the day it is signed. |
| PJM dispatchability rules | PJM has tightened capacity-performance rules and is leaning harder on dispatchability evidence after recent winter events. | A dispatch instruction and a meter window that share the same parent_ref, so the capacity-performance audit is a verifier run, not a forensic month. |
None of the four asks for a new market. All four assume there is a court-grade artifact under each market action. Today there is a PDF. Tomorrow we think there is a signed receipt.
Every settlement is reconstructed.
Sit with the settlement team at any ISO or any IPP for a week. The shape of the work is the same. A market run produces an XML envelope. A meter system produces a CSV. A scheduling system produces a PDF. A dispatch system produces a log. When a number is disputed, all four are pulled together by a human, reconciled, and a defended position is written into a memo. The memo is the artifact of record.
That is not a criticism of the people doing the reconstructing. It is a description of the artifact problem the people doing the reconstructing have to solve. The XML is trusted because of the pipe it came in on. The PDF is trusted because of the cover letter. The CSV is trusted because of the meter contract. None of the four is self-authenticating. None of the four survives the moment the pipe, the cover letter, or the contract is disputed.
Receipt-shaped market messages.
We think the contribution we can credibly make is one signed receipt per market action, in four bearer shapes, each one a canonical JSON body that the ISO can verify offline. We do not propose to replace market clearing. We do not propose to replace scheduling. We do not propose to replace settlement. We propose that the message under each of those actions becomes a receipt instead of a PDF or an XML envelope. Four primitives. One verifier. One open standard. The same artifact the IPP holds, the ISO verifies, the aggregator counter-signs, and the regulator reads five years later without calling us.
Standard Energy Unit.
Power · Capacity
One kilowatt of qualified capacity over a commitment period. Backed by a signed capacity certificate with measurement window and test methodology referenced.
Standard Megawatt Unit.
Megawatt-Hour · Delivered
One MWh of dispatched and meter-verified energy delivery. Pairs a dispatch receipt with a revenue-grade meter-data receipt. Court-grade evidentiary chain.
Standard Ancillary Unit.
Ancillary · ISO Market
One MW of regulation, spinning reserve, non-spin, ramping, or frequency response. Replaces XML market messages with a signed bid receipt the ISO can verify offline.
Standard Flexibility Unit.
Flex · Virtual Power Plant
One kilowatt-hour of forward demand-flex obligation. Atomic unit of VPP and DR market participation. ISO counter-signs; curtailment chains to dispatch with parent_ref.
A small admission. The receipt cryptography is real and verifiable offline today. We have an open verifier and an open canonicalization rule. Mainnet routing of the bearer instruments — the part that touches public payment rails — is sim-stage. The public rail we use is USDC on Base. Anything heavier than that we describe as a permissioned issuer-controlled settlement network, which is what it is. We want to be honest about what is in production and what is in simulation. The receipt is in production. The rail is not.
If any of these is the wrong question, tell us.
These are the three questions we would put in front of an ISO chief engineer, an IPP CFO, a VPP aggregator CEO, or a FERC counsel and ask to be argued out of. We do not think we know the answers. We think we know the questions.
Is offline verification of a bid receipt a credible substitute for ISO trust-of-pipe?
Today an ancillary-services bid is trusted because of the TLS pipe it arrived on and the market-participant credential at the other end. If the same bid is a signed JSON body with an Ed25519 signature against a registered issuer DID, the ISO can verify the bid without trusting the pipe. The pipe still carries the message. The trust moves from the pipe to the signature. Is that a credible substitution, or are there reasons of operational risk we have not thought through?
Does FERC 2222 settlement get easier or harder if every DER asset emits a signed flex receipt instead of an aggregator XML?
The aggregator model places the wholesale settlement on the aggregator and expects an XML roll-up of DER behavior to flow up to the ISO. If instead each DER asset emits an SFU at the moment of curtailment, and the aggregator counter-signs the roll-up, the chain from device to ISO is verifiable end-to-end. The aggregator is no longer the only evidentiary surface. Does that make settlement disputes easier to close, or does it move the dispute to a place that is harder to close?
If a meter and a dispatch sign the same parent_ref, what audit work goes away?
A delivered MWh today is two artifacts: a dispatch instruction in one system, a revenue meter reading in another. The reconciliation is human. If both reference the same parent SEU or SAU, the SMU is a single receipt that points to both. The capacity-performance audit, the settlement re-run, and the after-the-fact dispute all collapse into a verifier pass. We are interested in which audit functions you would be willing to retire on that basis, and which you would never retire regardless of how clean the chain looks.
A short list of things we do not propose to do.
To save time in the briefing, here is a short list of things we do not propose to do, in case any of them came up before we did.
We are not a market clearing engine. We do not propose to clear day-ahead, real-time, capacity, or ancillary markets. The ISO clears. We sign the inputs and outputs.
We are not a settlements platform. We do not propose to issue invoices, manage shortfall charges, or run uplift allocation. The ISO settles. We provide the evidentiary chain settlement leans on.
We are not an ISO replacement. The market participant credential is still the ISO's. The tariff is still the ISO's. The clearing is still the ISO's. We are an attestation layer that sits over the systems already in production.
We are not a SCADA system. We do not control breakers. We do not move set-points. We do not dispatch units. We sign what other systems did.
One signed receipt before anyone changes anything else.
If we are wrong on any of it, we want to be told. If we are right on any of it, we would like the chance to prove it on one signed receipt before anyone changes anything else.
The receipt cryptography is real today. The verifier is open. The four primitives are locked. The mainnet rail is sim-stage and we describe it that way. The conversation we would like to have is small, specific, and on one workflow first — one capacity test, one ancillary bid, one delivered MWh, or one flex obligation. After that, configuration. Before that, your questions.