# prxy.monster

> Make AI agent work visible, controllable, verifiable, and reusable — with a base URL change.

prxy.monster is the control and receipt layer for AI calls. Drop it in front of your existing model calls (Anthropic, OpenAI, Google, Groq, AWS Bedrock, OpenRouter). Every call gets cost attribution, policy metadata, an Ed25519-signed receipt, and an outcome loop. BYOK by default — providers bill inference; prxy bills the gateway. The MIT prxy-monster-local edition runs the same module pipeline on your own infrastructure with no telemetry.

## Four pillars

- **Visible** — see every call, provider, model, cost, cache hit, policy decision, receipt, and outcome.
- **Controlled** — enforce budgets, policies, provider routing, payload-capture rules, and sandbox limits.
- **Verified** — every call can carry a signed receipt, verifiable against public JWKS — no prxy code required.
- **Compounding** — outcomes create memory candidates; reviewer-promoted candidates become reusable patterns. Receipts → outcomes → patterns → better future calls.

## Production APIs

- Homepage: https://prxy.monster/
- Sandbox (no signup, 5 real calls + 5 signed receipts): https://prxy.monster/sandbox/
- Docs: https://docs.prxy.monster/
- OpenAPI: https://api.prxy.monster/openapi.json
- API health: https://api.prxy.monster/health
- Catalog: https://api.prxy.monster/v1/catalog
- Capabilities: https://api.prxy.monster/v1/capabilities
- Anthropic Messages-compatible: `POST https://api.prxy.monster/v1/messages`
- OpenAI Chat Completions-compatible: `POST https://api.prxy.monster/v1/chat/completions`
- Outcomes: `POST https://api.prxy.monster/v1/outcomes`
- Anonymous sandbox session: `POST https://api.prxy.monster/v1/anon/sessions`

## Receipts

- Receipt JWKS: https://api.prxy.monster/.well-known/prxy-receipt-keys.json
- Active signing kid: prxy-receipt-2026-q2
- Receipt verification flow (markdown): https://api.prxy.monster/.well-known/prxy-receipts.md
- Receipt fetch: `GET https://api.prxy.monster/v1/receipts/:id`
- Public receipt detail page: https://receipts.prxy.monster/r/<id>
- Public receipts surface: https://receipts.prxy.monster
- Algorithm: Ed25519
- Canonicalization: RFC 8785 JCS + Unicode NFC
- Default payload capture: hash_only (four sha-256 hashes; no plaintext stored)
- Opt-in payload capture: encrypted_at_rest under customer X25519 public key (live; algorithm x25519-xchacha20-poly1305-v1)
- Compliance opt-out: payload_capture: none (no capture beyond receipt hashes)

Every successful call returns three response headers: `Payment-Receipt` (URL), `Payment-Receipt-Digest` (RFC 9530 sha-256), and `Payment-Receipt-Kid` (JWKS key id). Streaming calls also get `Payment-Receipt-Provisional: true` at stream open and a finalized triple at stream close. Customers verify the receipt offline by canonicalizing the body via JCS and checking the signature against the JWKS public key.

## Visibility levels

- `private` — default. Visible only to the owning tenant + lair operator.
- `public_demo` — anonymous sandbox receipts. receipt_id, verified status, provider, model, status, tokens, cost, module_chain, cache_status, policy_decision, payload_capture, environment, signing metadata. Tenant / project / agent / IP / trace IDs hidden.
- `public_minimal` — opt-in. Same shape as public_demo with the agent handle attached when an agent_profile is claimed.
- `public_redacted` — opt-in. Public proof of work, redacted by policy before publish.
- `public_full` — opt-in. Full receipt body published; nothing redacted.

## Outcomes (the compounding loop)

- POST /v1/outcomes with `receipt_id`, `outcome` (one of 11 enum values), optional `notes` (hashed sha-256 server-side), and a `source` enum (5 values).
- Positive outcomes (succeeded, partially_solved, user_satisfied, tool_chain_succeeded) feed the `memory_candidates` queue.
- A reviewer in lair (/dashboard/admin/memory-candidates) promotes useful candidates into the `patterns` table. We never auto-promote.
- Patterns ride into future calls via the `patterns` module (system-prompt injection on relevant requests).
- Outcomes themselves are append-only; receipts are never mutated.

## Auth and billing

API-key BYOK routes use `Authorization: Bearer <prxy_key>`. Customers bring provider keys; providers bill customers directly. Per-request gateway pricing; prxy.monster does not mark up provider inference. Human pricing page: https://prxy.monster/pricing/

Managed MPP uses `POST /v1/agent/messages` and `Authorization: Payment ...`. The $0.05 managed MPP price includes prxy pipeline execution and the upstream model call. MPP discovery, the HTTP 402 challenge flow, /v1/agent/quote, and /v1/agent/sessions are live end-to-end. Production Stripe SPT settlement is gated on Stripe Link SPT GA + production-payment credentials. Until configured, paid retries can return verification-failed.

## Anonymous sandbox

- POST /v1/anon/sessions returns a token; the token never persists at rest (only its sha-256 hash + ip_hash + counters).
- 5 real Bedrock Nova Micro inference calls per session.
- Receipts emitted with `visibility: public_demo`, `environment: demo`, `cost_estimate_confidence: complete`.
- Tenant / project / agent / IP / trace IDs hidden on the public receipt page; signature still verifiable.
- Sandbox is for evaluation only — do not paste secrets, private code, or customer data.

## Per-project budgets + payload capture controls

- `enforcement_mode`: off / warn / hard_fail per project. hard_fail emits a signed `blocked` receipt for the audit trail.
- `payload_capture` per api_key: hash_only (default) / encrypted_at_rest / none.
- Cost computed via signed pricing tables for Anthropic, OpenAI, Google, Bedrock. OpenRouter rides cost_estimated_usd: null + low confidence pending /generation/:id lookup.

## Operator dashboard (lair.prxy.monster)

- /dashboard/transactions — every routed call with attribution metadata
- /dashboard/cost — cost over time grouped by day / model / agent / project / tenant; CSV export; CUR drift card
- /dashboard/agents — per-agent leaderboard with cache rate, block rate, latency p50/p95
- /dashboard/projects — per-project leaderboard; same shape
- /dashboard/verify — paste a receipt URL or JSON; in-browser Web Crypto Ed25519 verification
- /dashboard/admin/projects — operator UI for projects + budgets + enforcement mode
- /dashboard/admin/api-keys — operator UI for api_key metadata + browser-side X25519 keypair generation
- /dashboard/admin/memory-candidates — reviewer UI to promote / reject candidates

Lair is operator-internal today; per-tenant Clerk auth lands in a follow-up.

## Machine-readable files

- Full LLM context: https://prxy.monster/llms-full.txt
- Status: https://prxy.monster/status.json
- Pricing JSON: https://prxy.monster/pricing.json
- Modules JSON: https://prxy.monster/modules.json
- Providers JSON: https://prxy.monster/providers.json
- Integrations JSON: https://prxy.monster/integrations.json
- Agent manifest: https://prxy.monster/agents.json
- Monster Log: https://prxy.monster/monster-log/ (JSON: https://prxy.monster/monster-log.json)
- Benchmarks: https://prxy.monster/benchmarks/ (JSON: https://prxy.monster/benchmarks.json)

## Modules (12 verified)

12 official @prxy-official modules, all verified, all free, all cloud + local.

`compaction-bridge`, `cost-guard`, `exact-cache`, `guardrails`, `ipc`, `mcp-optimizer`, `patterns`, `prompt-optimizer`, `rehydrator`, `router`, `semantic-cache`, `tool-cache`.

Each module declares: `compatibility.providers` (which of Anthropic / OpenAI / Google / Groq / Bedrock / OpenRouter), `compatibility.requires` (chat, streaming, tools, prompt caching, embeddings, etc.), `compatibility.fallback` (skip / degrade / block), and `receiptMetadataEmitted` (which fields land on the receipt).

Marketplace: https://modules.prxy.monster

## Compatibility

- Supported: Anthropic Messages, OpenAI Chat Completions, Claude Code via Anthropic base URL, OpenAI / Google / Groq / Bedrock / OpenRouter providers, SSE streaming, hash-only and encrypted-at-rest payload modes, BYOK and managed MPP routes.
- Partial: Cursor, Cline, Aider, Continue (single base URL configuration), streaming post-hooks (some modules run pre-hooks only when streaming is enabled).
- Not supported today: OpenAI Responses API, OpenAI Assistants API, Realtime API.

## Trust

- Security: https://prxy.monster/security/
- Privacy: https://prxy.monster/privacy/
- Data retention matrix: https://prxy.monster/data-retention/
- Subprocessors: https://prxy.monster/subprocessors/
- Public receipts surface: https://receipts.prxy.monster
- Receipt JWKS: https://api.prxy.monster/.well-known/prxy-receipt-keys.json
- No foundation-model training on customer requests, completions, or outcome notes.

## What we are not

- Not an inference provider. The provider runs the model and bills inference; prxy bills the gateway / control layer.
- Not a generic log sink. We provide agent-call visibility through receipts, outcomes, cost dashboards, and module metadata — the auditable output of the gateway pipeline, not a dumping ground for arbitrary log lines.
- Not a web proxy or VPN.
- Not affiliated with prxy.com.