# prxy.monster — full agent-readable context

Last updated: 2026-05-07

prxy.monster makes AI agent work visible, controllable, verifiable, and reusable — with a base URL change.

Core sentence: every AI inference call routed through prxy.monster becomes a signed, attributable, billable receipt. Identity (tenant + project + agent + IAM principal), cost (token-level estimate × signed pricing-table snapshot), pipeline metadata (cache hit / policy decision / module chain), and four sha-256 hashes of the canonical request and response live on the receipt. Receipts are Ed25519-signed against a published JWKS so customers can verify them offline.

Four pillars:

- **Visible** — see every call, provider, model, cost, cache hit, policy decision, receipt, and outcome.
- **Controlled** — enforce budgets, policies, provider routing, payload-capture rules, and sandbox limits.
- **Verified** — every call can carry a signed receipt, verifiable against public JWKS — no prxy code required.
- **Compounding** — outcomes create memory candidates; reviewer-promoted candidates become reusable patterns. Receipts → outcomes → patterns → better future calls.

The gateway runs a configurable module pipeline (MCP pruning, semantic cache, prompt-cache optimization, pattern injection, cost-guard, IPC, rehydrator, guardrails, etc.) around the model call. The receipt records which modules ran. Receipts are the proof layer. Outcomes are the learning layer. Patterns are the compounding layer.

## What prxy.monster is

prxy.monster is the control and receipt layer for AI calls. It sits in front of your existing model calls (Anthropic, OpenAI, Google, Groq, AWS Bedrock, OpenRouter). API-key users keep their existing provider billing relationship — the provider bills the customer directly and prxy.monster charges only for gateway requests, not provider inference.

The gateway runs a configurable module pipeline around each request. Modules can prune tool definitions, return cached responses, inject learned patterns, compress context, route models, and block requests that would exceed configured spend limits. Every module decision is recorded onto the receipt's `module_chain` + `cache_status` + `policy_decision` fields, so the call's audit trail is just the receipt.

prxy.monster is **not** an inference provider. The provider runs the model and bills inference. prxy.monster is **not** a generic log sink either — it provides agent-call visibility through receipts, outcomes, cost dashboards, and module metadata, which is the auditable output of the gateway pipeline (not a dumping ground for arbitrary log lines).

## Production routes

- `POST https://api.prxy.monster/v1/messages` — Anthropic Messages-compatible route, API-key BYOK auth.
- `POST https://api.prxy.monster/v1/chat/completions` — OpenAI Chat Completions-compatible route, API-key BYOK auth.
- `POST https://api.prxy.monster/v1/agent/messages` — managed MPP route, HTTP 402 challenge + Stripe SPT settlement.
- `POST https://api.prxy.monster/v1/agent/quote` — MPP quote endpoint.
- `POST https://api.prxy.monster/v1/agent/sessions` — MPP funded-session creation.
- `POST https://api.prxy.monster/v1/anon/sessions` — anonymous sandbox session.
- `POST https://api.prxy.monster/v1/outcomes` — submit an outcome anchored on a receipt id.
- `GET  https://api.prxy.monster/v1/receipts/:id/outcomes` — list outcomes for a receipt.
- `GET  https://api.prxy.monster/v1/pipeline` — active module pipeline for an API key.
- `GET  https://api.prxy.monster/v1/catalog` — pricing and tier catalog.
- `GET  https://api.prxy.monster/v1/capabilities` — wire formats, providers, modules, and feature flags.
- `GET  https://api.prxy.monster/v1/receipts/:id` — fetch a receipt by id.
- `GET  https://api.prxy.monster/.well-known/prxy-receipt-keys.json` — JWKS for receipt verification.
- `GET  https://api.prxy.monster/.well-known/prxy-receipts.md` — receipt-verification flow (markdown).
- `GET  https://api.prxy.monster/.well-known/mpp` — MPP merchant discovery.
- `GET  https://api.prxy.monster/health` — machine-readable health/liveness.
- `GET  https://api.prxy.monster/openapi.json` — OpenAPI 3.1 + MPP payment metadata.

## Receipts

Every successful call returns three response headers:

- `Payment-Receipt: https://receipts.prxy.monster/r/<receipt_id>`
- `Payment-Receipt-Digest: sha-256=:<base64-digest>:` (RFC 9530)
- `Payment-Receipt-Kid: <kid>` (matches the JWKS)

Receipt body fields (signed via ed25519 over RFC 8785 JCS + Unicode NFC):

- `receipt_id`, `request_id`, `parent_receipt_id`, `client_request_id`, `idempotency_key`
- `agent_id`, `tenant_id`, `project_id`, `customer_id`, `environment`, `api_key_id`, `user_id`
- `receipt_version`, `canonicalization_version`, `receipt_type`, `status`, `error_class`, `error_code`, `error_message_hash`
- `provider`, `model_id`, `region`, `aws_account_id`, `iam_principal`
- `provider_request_id`, `provider_trace_id`, `cloudflare_ray_id`
- `input_tokens`, `output_tokens`, `cache_read_tokens`, `cache_write_tokens`, `tokens_source`
- `cost_source`, `cost_estimated_usd`, `cost_estimate_confidence`, `cost_final_usd`, `cost_currency`
- `pricing_table_id`, `pricing_version`, `pricing_effective_at`
- `routing_decision`, `policy_decision`, `cache_status`, `module_chain`, `settlement_protocol`
- `client_request_hash`, `provider_request_hash`, `provider_response_hash`, `client_response_hash`
- `payload_capture` (`hash_only` | `encrypted_at_rest` | `none`)
- `visibility`, `public_receipt_hash`, `redaction_policy`
- `request_started_at`, `request_ended_at`, `created_at`
- `signing_key_id`, `signing_algorithm`, `signature`

Verification flow without trusting prxy:

1. `GET /v1/receipts/:id` — returns the JSON body.
2. `GET /.well-known/prxy-receipt-keys.json` — JWKS with the matching `kid`.
3. Canonicalize the receipt body via RFC 8785 JCS, then verify the `signature` field against the public key.

The `prxy-cli receipt verify` command runs the same flow offline against any receipt id or pasted compact-pointer header.

## Payload capture (default: hash-only)

prxy stores receipt hashes by default — no plaintext request or response bodies persist. The receipt records sha-256 of the canonical request, canonical provider request, provider response, and client response. Customers verifying a receipt can prove the call shape without prxy ever holding the plaintext.

Per-key opt-in modes:

- `hash_only` (default) — what every key gets unless changed.
- `encrypted_at_rest` (opt-in, live) — request + response sealed under a customer-held X25519 key. Algorithm `x25519-xchacha20-poly1305-v1` with per-call ephemeral keys. Cache is bypassed for this key — caching across customers with private payloads would defeat the encryption guarantee. The customer decrypts client-side; prxy's server never holds the customer private key. Browser-side keypair generation lives at lair `/dashboard/admin/api-keys`.
- `none` (compliance opt-out) — nothing beyond the receipt hashes persists. Cache bypassed.

The Sentry pipeline strips request/response bodies, sensitive headers (authorization, cookie, x-provider-key, x-api-key), and any field matching `messages | prompt | body | content | text | system | password` from outbound events as defense-in-depth.

## MPP agent payments

MPP sentence: prxy.monster MPP lets agents buy optimized LLM calls, coding sessions, or paid tool endpoints over HTTP 402 — no account, no checkout, no subscription. Agents request the resource, receive a payment challenge, pay, retry, get the result, and receive a signed receipt.

Current API truth:

- MPP discovery is live at `https://api.prxy.monster/.well-known/mpp`.
- The dedicated MPP route is `POST https://api.prxy.monster/v1/agent/messages`.
- Calls without `Authorization: Payment` return `402 Payment Required`.
- Challenges include `WWW-Authenticate: Payment`, a flat challenge object, and an RFC 9530 SHA-256 content digest.
- Discovery, the HTTP 402 challenge flow, `/v1/agent/quote`, and `/v1/agent/sessions` are wired end-to-end.
- Production Stripe SPT settlement is gated on Stripe Link SPT GA + production-payment credentials. The settlement code path emits `cost_source: mpp_stripe` plus a settlement receipt linking back to the inference receipt; it activates when the operator sets `PRXY_MPP=enabled`, `PRXY_MPP_PRODUCTION_PAYMENTS=enabled`, `STRIPE_SECRET_KEY`, and `MPP_SECRET_KEY`.
- Until production-payment credentials are configured, paid retries can return `402 verification-failed`.
- The managed MPP price is `$0.05` per call inside a funded session ($0.50 direct), per model option in `/.well-known/mpp`.
- Agents do not need a prxy account or provider key for managed MPP.
- Refunds are not currently supported.
- No public test credential is documented today.

The paid MPP resource is one PRXY pipeline execution: MCP tool pruning, cache lookup, context compression/preservation, pattern injection, cost guarding, optional upstream model call, and a signed receipt header after successful settlement. Both BYOK and MPP receipts share the same canonical schema.

## Cost estimation

Every cost-bearing receipt carries a `cost_estimated_usd` computed from token-level pricing tables for the four supported provider classes (`aws_bedrock`, `anthropic`, `openai`, `google`). The pricing tables are committed JSON in `packages/billing/`. Each receipt also records the pricing-table provenance (`pricing_table_id`, `pricing_version`, `pricing_effective_at`) so the estimate is verifiable against a known rate snapshot.

Confidence flags:

- `complete` — full provider-reported usage on a known model.
- `partial` — stream aborted before the final usage chunk; tokens come from the stream-counted partial response.
- `low` — unknown model fallback or unsupported provider; the cost is a directional default.

The receipt's `cost_final_usd` is null until reconciliation lands. AWS CUR reconciliation will append a `reconciliation_adjustment` child receipt linking back via `parent_receipt_id`.

## Pricing

Primary pricing claim: API-key BYOK users pay providers directly; prxy.monster never marks up provider inference. prxy.monster charges for gateway requests and the module pipeline.

Human pricing page: `https://prxy.monster/pricing/`.

API-key BYOK:

| Plan | Monthly | Requests included | Overage |
|---|---:|---:|---:|
| Free | $0 | 1,000 | none, hard cap |
| Pro | $20 | 100,000 | $0.20 / 1k requests |
| Team | $99 | 1,000,000 | $0.10 / 1k requests |

Managed MPP (per model option in `/.well-known/mpp`):

| Tier | Backing model | Direct | Funded session |
|---|---|---:|---:|
| fast | Amazon Nova Micro | $0.50 | $0.05 / call |
| balanced | Anthropic Claude Sonnet 4.6 | $0.50 | $0.05 / call |
| coding | Anthropic Claude Opus 4.7 | $1.50 | $0.15 / call |

All three tiers route through the prxy gateway, include upstream Bedrock inference, and emit a signed `Payment-Receipt` header on success.

## Public receipts

Public receipts surface: `https://receipts.prxy.monster/`. Per-receipt detail page at `https://receipts.prxy.monster/r/<id>`.

Visibility levels:

- `private` — default. Visible only to the owning tenant + lair operator.
- `public_demo` — anonymous sandbox receipts. Provider, model, status, tokens, cost, module_chain, cache_status, policy_decision, payload_capture, environment, signing metadata. Tenant / project / agent / IP / trace IDs hidden on the public page; signature still verifiable.
- `public_minimal` — opt-in. Same shape as public_demo, plus the agent handle when an `agent_profiles` row is claimed.
- `public_redacted` — opt-in. Public proof of work, redacted by policy before publish.
- `public_full` — opt-in. Full receipt body, nothing redacted.

For API-key BYOK routes, prxy billing and provider token billing are separate; provider invoices remain private provider invoices. The receipt's `cost_estimated_usd` reflects the provider's list rate. Agents can fetch any non-private receipt by id and verify offline against the published JWKS.

## Outcomes (the compounding loop)

`POST /v1/outcomes` records a learning signal anchored on a receipt id. Body fields:

- `receipt_id` — required.
- `outcome` — one of: `succeeded`, `partially_solved`, `failed`, `no_progress`, `regressed`, `user_satisfied`, `user_unsatisfied`, `tool_chain_succeeded`, `tool_chain_failed`, `review_pending`, `out_of_scope`.
- `source` — one of: `self_report`, `human_reviewer`, `webhook`, `automated_test`, `agent_runner`.
- `notes` — optional. Hashed sha-256 server-side at write time. Raw text never persists.

Outcomes are append-only and never mutate receipts. Positive outcomes (`succeeded`, `partially_solved`, `user_satisfied`, `tool_chain_succeeded`) feed the `memory_candidates` queue. A reviewer in lair `/dashboard/admin/memory-candidates` promotes useful candidates into the `patterns` table. We never auto-promote. Promoted patterns ride into future calls via the `patterns` module.

`GET /v1/receipts/:id/outcomes` lists the outcome rows for a receipt.

## Lair dashboard

Lair (https://lair.prxy.monster) exposes operator-facing dashboards backed by the receipt ledger:

- `/dashboard/transactions` — every routed call with attribution metadata.
- `/dashboard/cost` — cost over time; group by day / model / agent / project / tenant; CSV export; CUR drift card.
- `/dashboard/agents` — per-agent leaderboard with cache hit rate, block rate, failure count, latency p50/p95.
- `/dashboard/projects` — per-project leaderboard; same shape.
- `/dashboard/verify` — paste a receipt URL or JSON; in-browser Web Crypto Ed25519 verification.
- `/dashboard/admin/projects` — operator UI for projects + monthly_budget_usd + enforcement_mode (off / warn / hard_fail).
- `/dashboard/admin/api-keys` — operator UI for api_key metadata + browser-side X25519 keypair generation for `encrypted_at_rest` payloads.
- `/dashboard/admin/memory-candidates` — reviewer UI to promote / reject candidates into patterns.

Dashboard reads from `inference_receipts_daily` (nightly rollup) for older history and joins live `inference_receipts` for the last 24h. The cost-summary endpoint accepts `?format=csv` for chargeback-ready CSVs respecting the current filter set.

## Monster Log

Monster Log: `https://prxy.monster/monster-log/`.
Monster Log JSON: `https://prxy.monster/monster-log.json`.

The Monster Log maps dated public AI coding-agent incidents to modules and status:

- Claude Code issue #36068 -> `compaction-bridge`, production.
- Apideck MCP context-bloat post -> `mcp-optimizer`, production.
- Rapid Claude Code rate-limit drain reports -> `semantic-cache` and `exact-cache`, production.
- AI coding-tool budget pressure reports -> `cost-guard`, production.
- Cloudflare Code Mode context-footprint post -> `tool-cache` preview and MCP optimizer roadmap evidence.

## Benchmarks

Benchmark page: `https://prxy.monster/benchmarks/`.
Benchmark JSON: `https://prxy.monster/benchmarks.json`.

The local benchmark suite is reproducible with `pnpm --filter @prxy/benchmarks bench`. The installed CLI can run `prxy bench --remote` against an authenticated endpoint. Local results are synthetic fixtures using in-memory storage and stub embeddings; they are not production averages.

Latest local fixture results captured May 4, 2026:

- `mcp-optimizer`: synthetic average ~33.4% MCP tool-token reduction across five 120-tool scenarios (range 13.8% to 53.0%); up to ~90% on tool-heavy workloads where most of the catalog is irrelevant. Universal "~90% less overhead" claims are not supported by the synthetic average.
- `semantic-cache`: 98.5% hit rate in a repeated-seed synthetic workload; real hit rate depends on workload repetition.
- `exact-cache`: 0.004ms average cache-hit lookup against a static simulated provider-call baseline.
- `ipc`: no compression at 50% utilization; 98.4% and 98.7% token reduction at 75% and 90% utilization fixtures.
- `prompt-optimizer`: 100% stable prefix with optimizer enabled in the fixture.

## Modules

Canonical module availability lives at `https://prxy.monster/modules.json`. Marketplace UI at `https://modules.prxy.monster`.

12 official `@prxy-official` modules, all verified and free, all cloud + local: `compaction-bridge`, `cost-guard`, `exact-cache`, `guardrails`, `ipc`, `mcp-optimizer`, `patterns`, `prompt-optimizer`, `rehydrator`, `router`, `semantic-cache`, `tool-cache`.

Each module declares: `compatibility.providers` (which of Anthropic / OpenAI / Google / Groq / Bedrock / OpenRouter), `compatibility.requires` (chat, streaming, tools, prompt caching, embeddings, etc.), `compatibility.optional`, `compatibility.fallback` (skip / degrade / block), and `receiptMetadataEmitted` (which receipt fields the module stamps).

## Providers

Provider support is machine-readable at `https://prxy.monster/providers.json` and `https://api.prxy.monster/v1/capabilities`.

API-key BYOK users register or supply their provider keys. Provider bills go directly from provider to customer. Managed MPP uses prxy-managed provider access and includes the upstream call in the MPP price.

## Compatibility

Machine-readable compatibility is at `https://prxy.monster/integrations.json`.

Supported today: Anthropic Messages, OpenAI Chat Completions, Claude Code through Anthropic base URL, local mode, SSE streaming.

Partial today: Cursor, Cline, Aider, Continue, and streaming post-hooks.

Planned or unsupported today: OpenAI Responses API, OpenAI Assistants API, Realtime API.

## Trust and security

- Security: `https://prxy.monster/security`
- Privacy: `https://prxy.monster/privacy`
- Data retention: `https://prxy.monster/data-retention`
- Subprocessors: `https://prxy.monster/subprocessors`
- Security contact: `security@prxy.monster`

Data handling summary:

- prxy.monster does not train foundation models on customer requests, completions, or outcome notes.
- Default payload capture is hash-only — sha-256 of canonical request/response on the receipt; no plaintext stored.
- `encrypted_at_rest` is opt-in per api_key under a customer-held X25519 public key (algorithm `x25519-xchacha20-poly1305-v1`).
- `payload_capture: none` disables capture beyond receipt hashes and bypasses cache.
- Cache modules can retain response payloads for replay (per-user scoped); encrypted-at-rest and none bypass cache.
- Outcome notes are sha-256 hashed server-side at write time. Raw text never persists.
- Pattern modules retain reviewer-promoted problem/solution patterns scoped to the owning tenant.
- Context modules retain compressed or archived context per the policy of `ipc` and `rehydrator`.
- Sentry events have request/response bodies + sensitive headers redacted by `beforeSend` before they leave the process.
- Anonymous sandbox sessions persist `anon_key_hash` + `ip_hash` + counters; the bare anon token never persists at rest.
- Local mode stores state in the local volume and has no prxy.monster telemetry.

Full row-by-row data-retention matrix at `https://prxy.monster/data-retention/`.

## Links for agents

- Homepage: `https://prxy.monster/`
- Docs: `https://docs.prxy.monster/`
- Modules marketplace: `https://modules.prxy.monster/`
- Dashboard: `https://lair.prxy.monster/`
- Public receipts surface: `https://receipts.prxy.monster/`
- Anonymous sandbox: `https://prxy.monster/sandbox/`
- Outcomes endpoint: `https://api.prxy.monster/v1/outcomes`
- Receipt JWKS: `https://api.prxy.monster/.well-known/prxy-receipt-keys.json`
- Receipt verification doc: `https://api.prxy.monster/.well-known/prxy-receipts.md`
- Public benchmarks: `https://prxy.monster/benchmarks/`
- Status JSON: `https://prxy.monster/status.json`