AI-agent swap verification

How do AI agents verify a swap before signing?

By checking observable facts and keeping evidence — not by trusting a feeling. One keyed call before the signature returns an advisory verdict (clear / caution / unsupported) with machine-readable reasons, a token registry read, modeled slippage at the exact size, and pre-written caveats; the same call persists a hash-verifiable evidence record so the agent can later show what it verified, and when. Routescore is read-only decision support — it never signs, executes, or moves funds.

Add a pre-sign check to your agentVerifiable evidence records
Inspect it yourself

Model a swap and read the result the way an agent would — verdict, caveats, and gap states.

Verification means checkable facts, not confidence

An agent cannot verify the future, so honest pre-sign verification is about what is observable now: the modeled slippage and route leak at this exact notional, whether the chain settles through a public mempool or a sequencer, whether the output token’s contract address matches a registry entry (a registry match — never a safety, sellability, rights, or redemption verification), and which parts of the picture were not evaluated at all.

Just as important is what a point-in-time read cannot do: it cannot observe a transaction that has not happened yet. A privilege exercised after the purchase settles — a mint, a blacklist entry, a pool withdrawal — is invisible to every pre-sign check, Routescore’s included. Verification that claims more than that ceiling is claiming to see the future; the mechanics are covered in the rug-mechanics explainer linked below.

  • Checkable now: modeled slippage and leak at size, ordering regime, registry recognition state, named gaps and caveats.
  • Not checkable now: future behavior, privileges exercised after settlement (T+1), realized outcomes.
  • The honest output is a verdict plus reasons plus caveats — never a promise.

Step one: the pre-sign check, as structured data

One keyed POST /api/public/v1/check/swap call (or the check_swap MCP tool) returns an advisory verdict — clear, caution, or unsupported — with stable machine-readable reason codes, the token registry state, modeled route figures, per-source freshness states, pre-written caveat sentences, and a methodology version on every response. The design principle is schema-enforced honesty: the caveats arrive as structured fields an agent relays verbatim instead of paraphrasing away.

The verdict semantics are deliberately conservative. Unknown token: caution. Missing data: unsupported. Never a guess. A clear never upgrades an unknown — unverified tokens and unknown order flow downgrade the verdict instead — and nothing in the response marks anything "safe"; there is no such flag, by design. A caution is data for the agent’s policy, not a block; an unsupported means "not evaluated by Routescore", and the right agent behavior is to say so rather than substitute a guess.

Step two: the evidence record — showing what was verified

Verification an agent cannot show later is just a claim. Every keyed check_swap call persists a durable routescore.preflight_record.v0 evidence record and returns record_id, evidence_bundle_id, and record_output_hash on the response. The record nests the full response verbatim, adds an identity-free declared actor type and an identity-redacted request echo, and carries a canonical-JSON SHA-256 integrity hash a third party can re-derive offline.

That turns the post-mortem question — what did the agent know at signing time? — into a retrieval: fetch the record by id (REST or the get_preflight_record MCP tool, owner-scoped to your account), re-derive the hash, and read the verdict, caveats, and gap states exactly as they stood. If the record write ever fails, the check still returns with those fields null plus a record_persistence_failed caveat — a missing record is visible, never silent.

The limits, stated up front

Everything in the check is modeled and point-in-time: the figures describe a moment under a stated methodology version, and where realized outcomes are uncalibrated — Robinhood Chain today, for example — the response says so instead of smoothing it over. The verdict is advisory: it informs the agent’s own policy (or the human behind it); it is not a recommendation, not an instruction to execute, and not investment advice.

And the division of labor is fixed: Routescore is one composable evidence element of the agentic stack, alongside the planner, executor, and wallet elements — it hands over evidence with caveats attached, and the decision stays with you or your agent. It never signs, submits, executes, or custodies anything.

FAQ

Common questions

What can an AI agent actually verify before signing a swap?

Observable, dated facts: modeled slippage and route leak at the exact trade size, the ordering regime of the chain (public mempool vs sequencer-ordered), whether the token’s contract address matches a registry entry, per-source data freshness, and which surfaces were not evaluated. Each arrives as structured data with caveats. What no tool can verify is the future — privileges exercised after settlement and realized outcomes are outside every point-in-time check.

What does a clear verdict mean?

That no modeled downgrade triggered on the surfaces that were evaluated — and nothing more. It is not a recommendation, not an instruction to execute, and it never upgrades an unknown: unverified tokens and unknown order flow downgrade the verdict instead. The agent should still relay the caveats and check score_state for partial before weighing it.

How should an agent handle caution or unsupported?

Relay the reasons and caveats verbatim and let the user or a declared policy decide. Gate programmatically on the stable reason codes — for example, block on token_unverified or require confirmation on sequencer_ordering_uncalibrated. For unsupported: do not guess, do not substitute another chain’s model, and tell the user "not evaluated by Routescore" — that is the answer.

How does the agent show later what it verified?

Through the persisted evidence record. Every keyed check returns record_id, evidence_bundle_id, and record_output_hash; the full record — the response verbatim plus integrity hash — is retrievable by id (owner-scoped) over REST or the get_preflight_record MCP tool, and the hash re-derives offline so a third party can confirm the evidence was not edited after the fact.

Does a passing check mean the swap will turn out fine?

No. Every figure is modeled and point-in-time, and a check at time T cannot observe what happens at T+1. The check narrows uncertainty with observable facts and records what was known; realized outcomes are tracked separately through outcome labels, never promised in advance.

Do agents need an API key for this?

Yes — the keyed REST API and the @routescore/mcp server are bundled with the Power tier, and evidence records are created on keyed calls only. The browser route check at /route-check stays free and keyless for the modeled route-quality half, without a composite verdict or a persisted record.

Run it yourself — no signup, no wallet.

Routescore is read-only, non-custodial decision support. Run a check, keep the record, review the outcome — modeled and point-in-time, not investment advice.

Add a pre-sign check to your agent