Questions
What's free and what's paid?
The SDK (pip install nobulex, npm install @nobulex/core) is free, open source, MIT licensed, forever. You generate and sign receipts locally at no cost. The paid product is the hosted verification API: when a third party needs to independently verify your agent's receipts, check its trust score, or generate a compliance report, that verification goes through our infrastructure.
Why can't I just verify receipts myself?
You can. The whole point of content-derived identifiers is that anyone with the receipt and the public key can verify independently. The hosted API exists for when you need managed key infrastructure, compliance-grade audit reports, trust score aggregation across agents and deployments, or when a regulator needs a neutral third party's verification, not the operator's.
What standards does this implement?
The action_ref formula is normative implementation guidance in OWASP Agentic Skills Top 10 (AST09). Nobulex is cited as a third independent issuer in the x402 payment conformance spec. Sections 8-11 of the OWASP CheatSheetSeries are credited to us. The canonicalization is RFC 8785 (JSON Canonicalization Scheme).
Do I need a paid tier for EU AI Act compliance?
You need the receipts (free SDK) plus a way to produce a verifiable evidence bundle for a regulator (Pro or Scale). The Free tier verifies individual receipts but doesn't generate the compliance reports that Article 12 audits require.