> ## Documentation Index
> Fetch the complete documentation index at: https://docs.parmanasystems.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Generate a Receipt

> Generates a cryptographically signed Receipt for businessTransactionId. If no Execution Trust Record exists for businessTransactionId, this fails with a 404 (VerificationFailedError, the same not-found error used by POST /verify and POST /replay). If the record exists but its latest Verification does not have status VERIFIED, this fails with a 409 (ReceiptGenerationError) instead.




## OpenAPI

````yaml /openapi.bundled.yaml post /receipt
openapi: 3.1.0
info:
  title: Parmana API
  version: 1.0.0
  description: >
    Parmana is an Execution Trust Infrastructure that ensures there is no gap
    between what humans decide and what AI systems do. The API enables creation,
    execution, verification, replay, and auditing of Business Transactions
    through cryptographically verifiable Execution Trust Records.


    **Every route requires a caller bearer key, except GET /health.** Send
    `Authorization: Bearer <key>` on every other request. Keys are issued by
    `scripts/generate-api-key.ts` and configured server-side via
    `PARMANA_API_KEYS`; only a hash of each key is ever held by the server,
    verified in constant time. A missing or invalid credential returns 401
    before a Business Transaction is even constructed, independent of Policy
    evaluation and gateway attestation, see
    `packages/api/src/middleware/caller-auth.ts` and
    [Authentication](/api-reference/authentication). Local development may set
    `PARMANA_AUTH_DISABLED=true` to skip this middleware entirely; that flag
    must never be set in a real deployment.
  contact:
    name: Parmana
    email: support@parmana.ai
  license:
    name: Apache-2.0
    identifier: Apache-2.0
servers:
  - url: http://localhost:3000
    description: Local (packages/api, PORT env var, default 3000)
security:
  - bearerAuth: []
tags:
  - name: Execution
    description: >-
      Executes a Business Transaction through the complete Execution Trust
      pipeline
  - name: Transactions
    description: Business Transaction creation and retrieval
  - name: Verification
    description: Deterministic verification of an Execution Trust Record
  - name: Receipts
    description: Cryptographically signed Execution Trust Receipts
  - name: Trust Records
    description: Execution Trust Record retrieval
  - name: Replay
    description: Deterministic replay of a recorded Execution Trust Record
  - name: Policies
    description: Policy existence/readability check
  - name: System
    description: Operational endpoints
paths:
  /receipt:
    post:
      tags:
        - Receipts
      summary: Generate a Receipt
      description: >
        Generates a cryptographically signed Receipt for businessTransactionId.
        If no Execution Trust Record exists for businessTransactionId, this
        fails with a 404 (VerificationFailedError, the same not-found error used
        by POST /verify and POST /replay). If the record exists but its latest
        Verification does not have status VERIFIED, this fails with a 409
        (ReceiptGenerationError) instead.
      operationId: generateReceipt
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/receipt-request.schema'
            examples:
              vendor-payment-flow:
                summary: Real captured request
                value:
                  businessTransactionId: 44b34a79-e0f2-49d7-a48e-e52fff88182e
      responses:
        '200':
          description: Receipt generated.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/receipt.schema'
              examples:
                vendor-payment-flow:
                  summary: Real captured response
                  value:
                    receiptId: ec0e71e6-e5af-4e14-8f65-13949fca9c6d
                    businessTransactionId: 44b34a79-e0f2-49d7-a48e-e52fff88182e
                    trustRecordHash: >-
                      e20a8861864f1a0a6c5fe00e64abca04de18a7d165a82ef9d7beb458c2096b3f
                    receiptHash: >-
                      d443df31a6ad94e8d9758d5143afd0859984b935f3209c35a7d93aaf8cd9f0d0
                    issuedAt: '2026-07-13T17:42:11.094Z'
                    algorithm: ed25519
                    signature: >-
                      uchgXRFJnByGu3F+NZSoq1Hwt6bBr3rRJjQGpLOULKJ7jR4NfE/P4g7loD4L5aADdYxUqLh6Yn7ngfnz2peCCA==
        '400':
          description: businessTransactionId missing or not a valid UUID.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/error.schema'
              examples:
                badUuid:
                  summary: Real captured response
                  value:
                    error: businessTransactionId must be a valid UUID.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          description: >-
            businessTransactionId does not correspond to any Execution Trust
            Record (VerificationFailedError, the same not-found error used by
            POST /verify and POST /replay).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/error.schema'
              examples:
                notFound:
                  summary: Real captured response
                  value:
                    error: Execution Trust Record not found.
                    code: VERIFICATION_FAILED
        '409':
          description: >-
            The Execution Trust Record exists but its latest Verification does
            not have status VERIFIED (ReceiptGenerationError).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/error.schema'
              examples:
                notYetVerified:
                  summary: Real captured response
                  value:
                    error: >-
                      Execution Trust Record must be successfully verified
                      before a Receipt can be generated.
                    code: RECEIPT_GENERATION_FAILED
components:
  schemas:
    receipt-request.schema:
      $schema: https://json-schema.org/draft/2020-12/schema
      $id: https://schemas.parmana.ai/requests/receipt-request.schema.json
      title: Receipt Request
      description: >-
        Request payload for POST /receipt. businessTransactionId is required and
        must be a valid UUID; both are rejected with a 400, with distinct
        messages depending on which check fails.
      type: object
      additionalProperties: true
      required:
        - businessTransactionId
      properties:
        businessTransactionId:
          type: string
          format: uuid
          description: >-
            Business Transaction to generate a Receipt for. Its Execution Trust
            Record must already have a successful (VERIFIED) Verification, or
            the request fails with a 409.
      examples:
        - businessTransactionId: eed2a972-1bf5-4166-8472-761f76fbf1b2
    receipt.schema:
      $schema: https://json-schema.org/draft/2020-12/schema
      $id: https://schemas.parmana.ai/common/receipt.schema.json
      title: Receipt
      description: >-
        Cryptographically signed, immutable Execution Trust Receipt proving the
        outcome of an Execution Trust Record at the time it was issued.
      type: object
      additionalProperties: true
      required:
        - receiptId
        - businessTransactionId
        - trustRecordHash
        - receiptHash
        - signature
        - algorithm
        - issuedAt
      properties:
        receiptId:
          type: string
          description: Unique Receipt identifier.
        businessTransactionId:
          type: string
          description: Business Transaction represented by this Receipt.
        executionId:
          type: string
          description: >-
            Execution represented by this Receipt. Absent when the Receipt
            represents the latest transaction state; every Receipt currently
            produced by ReceiptService omits this field.
        trustRecordHash:
          type: string
          description: >-
            Canonical hash of the Execution Trust Record, used for independent
            verification.
        receiptHash:
          type: string
          description: Hash of this Receipt.
        signature:
          type: string
          description: Base64-encoded digital signature over the Receipt.
        algorithm:
          type: string
          description: Signing algorithm.
          examples:
            - ed25519
        issuedAt:
          type: string
          format: date-time
          description: UTC timestamp when the Receipt was generated.
      examples:
        - receiptId: 312ce65d-8ec4-4978-ac50-aeb0062ad7be
          businessTransactionId: eed2a972-1bf5-4166-8472-761f76fbf1b2
          trustRecordHash: 989aef83d595202ec02bb338ac00461abec0541098ea065f965b5cde342d3b25
          receiptHash: 2cc963456dd71e0e85f2d2fe743d4475072997287356ac1b9c6a9314b189ea8b
          issuedAt: '2026-07-07T16:38:59.350Z'
          algorithm: ed25519
          signature: >-
            2Z49nDSXubFNTpy0ovPwguGW3IpgvdJuiusCAadMNPS4cqmjRUthZmrfN3kZUO5m7Ku5v/poeLxtjsFKvXe9DA==
    error.schema:
      $schema: https://json-schema.org/draft/2020-12/schema
      $id: https://schemas.parmana.ai/common/error.schema.json
      title: Error Response
      description: >-
        Shared error envelope produced by
        packages/api/src/middleware/error-handler.ts and by every route's inline
        validation checks. error is always a plain human-readable string (never
        a nested object). code is present only when the failure was a
        RuntimeError subclass reaching the centralized error handler
        (VerificationFailedError, ReceiptGenerationError, or an uncategorized
        RuntimeError); it is absent from every inline route-level check
        (businessTransactionId format/required checks) and from
        BusinessTransactionValidationError, PolicyValidationError,
        SignalValidationError, PolicyNotFoundError,
        DuplicateBusinessTransactionError, and the generic 500 fallback. POST
        /policies/validate does NOT use this envelope at all. See its own
        response schema. For the triggering condition and recommended caller
        action behind any specific error/code/status combination, see the Error
        catalog at /api-reference/error-catalog.
      type: object
      additionalProperties: false
      required:
        - error
      properties:
        error:
          type: string
          description: Human-readable error message.
        code:
          type: string
          description: >-
            Stable machine-readable error code. Only present for errors that
            reach the handler as a RuntimeError.
          examples:
            - RUNTIME_ERROR
            - VERIFICATION_FAILED
            - RECEIPT_GENERATION_FAILED
      examples:
        - error: businessTransactionId must be a valid UUID.
        - error: >-
            Business Transaction 'eed2a972-1bf5-4166-8472-761f76fbf1b2' already
            exists.
        - error: >-
            Execution rejected: Vendor payment rejected because the assessed
            payment risk exceeds the maximum permitted threshold.
          code: RUNTIME_ERROR
  responses:
    Unauthorized:
      description: >-
        Missing or invalid caller credential (StaticKeyAuthenticator returned no
        identity). Real captured response,
        packages/api/src/middleware/caller-auth.ts.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/error.schema'
          examples:
            authRequired:
              summary: Real captured response, missing or invalid Authorization header
              value:
                error: authentication required
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      description: >
        Caller API key issued by scripts/generate-api-key.ts. Sent as
        Authorization: Bearer <key>. Verified against a stored SHA-256 hash in
        constant time by packages/api/src/auth/StaticKeyAuthenticator.ts.
        Required on every route except GET /health. See
        /api-reference/authentication.

````