← All posts
·Sigill team

Timestamping every prompt: a 200-line agent that seals what your AI says

A working ~150-line Python agent that cryptographically timestamps every prompt and every model response, producing tamper-evident records you can verify with one openssl command. For teams whose AI systems will eventually face an auditor, regulator, or counterparty asking 'prove what your model said on day X' — this is the minimal pattern that answers the question.

ai-actagentsevidencetimestampingtutorial

Timestamping every prompt: a 200-line agent that seals what your AI says

If you deploy AI in a regulated environment, sooner or later someone is going to ask a question that sounds simple and is not: "prove what your model said on May 14th."

The AI Act asks it as Article 12 — high-risk AI systems must keep automatically generated logs that allow the system's operation to be traced. DORA Article 17 asks it of financial entities for ICT-related incidents. ISO 42001 asks it as part of an AI management system. The phrasing differs, the scope differs, but the underlying need is identical: a tamper-evident record of what your AI did, when it did it, and what data it acted on.

A common answer to "do you have logs" is to point at a centralized logging system — Splunk, Datadog, CloudWatch — and call it a day. That's fine for operational purposes. It is not fine for an auditor who asks how you would know if those logs were modified. Application logs are mutable by anyone with write access to the log store. They aren't evidence; they're a convenience.

What makes a log into evidence is a cryptographic anchor in time — a record, signed by an independent third party, that says "this exact byte sequence existed at this moment." That's what RFC 3161 timestamping does, and it's what Sigill exposes as a one-call API.

Below is a small Python agent — a working chat loop with Anthropic's Claude — that stamps every user input and every model output through Sigill before logging it locally. It's about 150 lines of code. It does not require you to run any additional infrastructure. And by the time you've finished reading this post, you'll have a self-contained example of an AI Act-aligned audit trail that you can adapt to your own pipeline.

The pattern

Every interaction with an AI model produces two artifacts worth attesting: the prompt (what you asked — and, in real systems, the full context the model saw; see the follow-up post for what that means in practice) and the completion (what the model produced). The agent stamps both, in that order, around the actual API call:

Architecture diagram: user input is base64-encoded and sent to Sigill, which returns an RFC 3161 timestamp; the input is then sent to Claude; the reply is timestamped; both timestamps and the message contents are appended to a local JSONL log.

The timestamps are not part of the conversation Claude sees — they sit alongside it, as evidence. If anyone later disputes what was said, what was retrieved, or when, you have two cryptographic proofs per turn: one binding the prompt to a specific moment, one binding the response. Each proof is independently verifiable against a public TSA's certificate chain — without trusting Sigill, and without relying on your own logging infrastructure as the source of truth.

The agent

Three small functions: a stamp call against Sigill's /tsa/stamp, a regular Anthropic SDK call, and a JSONL appender.

def stamp(text: str, label: str) -> dict:
    """Send text to Sigill /tsa/stamp. Returns the response dict."""
    file_b64 = base64.b64encode(text.encode("utf-8")).decode("ascii")
    resp = httpx.post(
        f"{SIGILL_BASE_URL}/tsa/stamp",
        headers={"Authorization": f"Bearer {SIGILL_API_KEY}"},
        json={"tsaSlug": "auto", "fileBase64": file_b64, "label": label},
        timeout=15,
    )
    resp.raise_for_status()
    return resp.json()

That's the whole integration. Sigill takes a base64 payload, hashes it client-side-or-server-side, requests a timestamp from a real TSA (DigiCert, Sectigo, GlobalSign, SwissSign, or auto to pick whichever is fastest), and returns a record containing the TSA name, the generation time, the serial, the SHA-512 hash, and the raw .tsr token base64-encoded.

The main loop wraps this around the Anthropic call:

turn_id = int(time.time() * 1000)

# 1. Stamp the input
ts_input = stamp(user_input, f"claude-input-{turn_id}")

# 2. Call Claude
history.append({"role": "user", "content": user_input})
reply = client.messages.create(
    model="claude-opus-4-7",
    max_tokens=1024,
    messages=history,
).content[0].text
history.append({"role": "assistant", "content": reply})

# 3. Stamp the output
ts_output = stamp(reply, f"claude-output-{turn_id}")

# 4. Log everything
log({
    "turn_id":   turn_id,
    "at":        datetime.utcnow().isoformat(),
    "input":     user_input,
    "output":    reply,
    "ts_input":  ts_input,
    "ts_output": ts_output,
})

Each turn produces a JSONL line with both timestamps embedded. The .tsr tokens travel with the log, so each entry is independently verifiable — an auditor doesn't need access to your Sigill account to check it. (Note: each entry verifying isn't the same as the sequence being tamper-evident — JSONL can be truncated or reordered without breaking individual stamps. The hardening post addresses sequence integrity.)

Full source on GitHub →

What you can prove with this

Run the agent for a few minutes, then take any line of conversation_log.jsonl and write the tsrBase64 field to a file. You can verify the timestamp against the file's hash with one openssl command — without touching Sigill at all:

echo -n "what the user typed" > input.txt
echo "<tsrBase64 value>" | base64 -d > input.tsr
openssl ts -verify -in input.tsr -data input.txt -CAfile tsa-ca-bundle.pem
# Verification: OK

That's the full evidence story in one command. The TSA's signature, anchored to its publicly trusted certificate chain, attests that those exact bytes existed at that exact moment. If anyone modifies the recorded content without also producing a new valid timestamp over the modified bytes, verification fails. Forging the timestamp itself would require compromising a publicly audited Certificate Authority, which is the threat model RFC 3161 was designed against. (Forging the contents before stamping is a separate threat the agent runtime has to defend against — see the hardening post for that side of the picture.)

If your auditor would rather not touch a terminal, sigill.ai/verify accepts a file drop and returns the same answer in the browser — no account required.

Beyond standard logging

Different frameworks set different bars for traceability and record-keeping. None of them require RFC 3161 timestamping specifically — but each has a question this pattern answers more crisply than ordinary application logs:

  • AI Act Article 12 — automatically generated logs of high-risk AI systems must enable traceability. Whether your logs survive an adversarial reading isn't part of the regulation, but it's part of how an auditor will weigh them.
  • AI Act Article 26 (deployer obligations) — logs must be retained for at least six months. Cryptographic timestamps remove the ambiguity around whether a log retained for six months has also been unmodified for six months.
  • DORA Article 17 — ICT-related incident records for financial entities. Resolution authorities will accept ordinary records, but timestamped records are harder to dispute when there's a counterparty involved.
  • ISO 42001 §9.1 — performance evaluation of AI management systems. Audit findings around log integrity disappear when the integrity is cryptographic.
  • eIDAS — RFC 3161 timestamps from a Qualified Trust Service Provider become qualified electronic time-stamps with reversed burden of proof under Article 41(2). Sigill's TSA pool is being expanded to include qualified providers; for those tenants, every stamp this agent produces is qualified evidence by default.

The framing isn't "this is AI Act compliant" — compliance is a conversation between you and your auditor, not between you and your tools. The framing is "your evidence base is no longer 'trust our central log,' so the conversations that follow are easier."

Why timestamping, specifically

A reasonable question: why not just sign each turn with my own key?

You can. But signatures with your own key prove only that something controlled by you signed the data — they don't prove when. If there's any incentive to backdate, a self-signed log is exactly as trustworthy as the entity that produced it. RFC 3161 separates the two: you control the content, an independent and publicly audited authority controls the time. That separation is the whole point.

The other reasonable question: why not blockchain?

Public blockchains do solve the time problem, but at significant operational and regulatory cost — every record becomes a public on-chain transaction, and EU data protection law makes that complicated for any payload that could contain personal data. RFC 3161 timestamps achieve the same cryptographic binding to a moment in time without publishing your data anywhere; only the hash is sent to the TSA, and the original data never leaves your infrastructure. For regulated workloads, this is generally the simpler answer.

Where to take it next

This agent is deliberately minimal. A few directions if you want to push further:

  1. Stamp the full input the model actually saw. The agent stamps the user's typed message, but for a RAG system the model also sees retrieved chunks, a system prompt, and tool results. If a dispute arises later about what the model based its answer on, stamping only the user's question doesn't cover the documents that drove the response. Concatenate (system_prompt, retrieved_chunks, user_message) and stamp that — same call, fuller evidence.
  2. Bulk-seal the daily log. Stamping every turn individually is one-call-per-turn. For high-volume agents, build a Merkle tree of the day's records and stamp the root once. You commit to thousands of records with a single timestamp; any individual record can still be proven by walking the tree.
  3. Pair with a tenant seal. Sigill's /seal/sign endpoint produces PAdES signatures with your tenant's qualified certificate. Wrap the daily log file in a sealed PDF and you have a self-contained, courtroom-ready evidence package for that day's AI activity.
  4. Surface in your incident response. Plug the JSONL log into your SIEM. When something goes wrong, the timestamps let you reconstruct exactly what the model saw and said in the relevant window — and prove the reconstruction is what actually happened.

For a deeper treatment of the harder questions — what counts as the full prompt the model saw, how to prove the log hasn't been silently truncated or reordered, and how to handle the data-protection implications of storing prompts in cleartext — see the follow-up post: Hardening AI evidence: input completeness, sequence integrity, and the AI event ledger.

A note on what this isn't

Timestamping every prompt does not make your AI system trustworthy. It does not catch hallucinations, prevent jailbreaks, or substitute for evaluation. What it does is take the integrity of the log off the table as a question — leaving you free to focus on the harder questions that come after. Did the model do the right thing? is hard. Can we prove what the model actually did? should be tractable. This is the tractable half.

If you want to try it, the full agent source is here, and you can sign up for a Sigill API key at sigill.ai/signup. The free tier is enough to run a few hundred stamps and decide whether the pattern fits.

Got an interesting use case for AI evidence? Reach out — we like talking about this stuff.

More from the blog