Your RAG pipeline retrieves real documents — and still hallucinates. Here's the retrieve → generate → verify pattern that catches it before your agent acts, with working Python code you can run right now.
Your RAG pipeline retrieves three real documents. The LLM reads them. It generates a response that cites those exact sources. Everything looks clean.
And it's still wrong about 8–15% of the time.
If you've deployed RAG to production, you already know this. The answer looks grounded in the retrieved chunks, but a closer read reveals the model invented a date, swapped a name, overstated a number, or fused two unrelated facts into a single plausible-sounding sentence. The citations point to real documents. The statement the citations supposedly support was not actually in those documents.
This is the hardest class of hallucination to catch. It doesn't look like a hallucination. It looks like a correct answer.
This tutorial shows you how to add a verification step to your RAG pipeline in about 15 lines of Python. The verifier runs independently of your retrieval stack and your generation model. It reads the final output, extracts individual claims, checks each one across four independent sources, and returns a verdict before your agent acts.
Why RAG Hallucinations Are Different
Classic LLM hallucination: the model is asked a question it doesn't know the answer to, so it invents one.
RAG hallucination: the model has correct context in its window, and still produces a statement that isn't supported by that context. The three failure modes I see most in production:
- Fabrication under citation. The response cites source [2], but the claim it attributes to source [2] isn't actually there. The citation exists; the grounding doesn't.
- Fact fusion. Two unrelated facts from two different retrieved chunks get combined into a single sentence. Each half is correct. The combined sentence is false.
- Confident extrapolation. The model extrapolates from what the documents say to a related claim the documents don't support, and delivers it with the same confidence as the verified parts.
All three survive retrieval-quality metrics. They survive BLEU, ROUGE, and BERTScore. They survive your "faithfulness" eval if it runs off the same LLM that generated the answer.
The only reliable catch is a second, independent verification pass — different model, different evidence source, different prompt — that reads the final output and scores each claim against the open web.
The Retrieve → Generate → Verify Pattern
Standard RAG is two stages:
query → retrieve → generate → return
Add one stage:
query → retrieve → generate → verify → return
The verify stage decomposes the generated response into individual atomic claims, checks each one, and returns a per-claim verdict plus an overall act / verify / reject recommendation. Your application decides what to do with a reject: surface the bad claims to a user, regenerate with tighter constraints, fall back to a safer response, or abort.
Install
For the simple programmatic case (the bulk of this tutorial), the only dependency is requests:
pip install requests
For full LangChain tool integration:
pip install langchain-agentoracle
No API keys. No configuration. The free /preview endpoint gives you 10 verifications per hour to test with; the production /evaluate endpoint is $0.01 per call via x402 on Base.
A Minimal RAG Pipeline That Hallucinates
First, let's build a RAG pipeline that's deliberately vulnerable. We'll use a tiny in-memory corpus about OpenAI so the hallucinations are easy to spot:
from langchain_openai import ChatOpenAI
from langchain.schema import HumanMessage, SystemMessage
# Three real documents — our "retrieved context"
corpus = {
"doc_1": """OpenAI was founded in December 2015 as a non-profit
research organization. Co-founders included Sam Altman, Elon Musk,
Ilya Sutskever, and Greg Brockman, among others.""",
"doc_2": """ChatGPT was released by OpenAI on November 30, 2022.
It reached 100 million monthly active users by January 2023, making
it the fastest-growing consumer application in history at the time.""",
"doc_3": """OpenAI has received major investments from Microsoft,
including a multi-year, multi-billion dollar commitment announced
in January 2023."""
}
def retrieve(query):
# Toy retriever — in production, use your vector DB
return [corpus["doc_1"], corpus["doc_2"], corpus["doc_3"]]
def generate(query, docs):
llm = ChatOpenAI(model="gpt-4o-mini", temperature=0.3)
context = "\n\n".join(docs)
response = llm.invoke([
SystemMessage(content=f"Answer from this context:\n{context}"),
HumanMessage(content=query)
])
return response.content
answer = generate(
"Who founded OpenAI, when was ChatGPT released, and how fast did it grow?",
retrieve("OpenAI founding and ChatGPT growth")
)
print(answer)
Run this a few times. On some runs you'll get a clean answer. On others you'll get a response that invents a co-founder not in the documents, or claims ChatGPT reached one billion users in two months, or attributes the wrong investment figure to Microsoft. Same retrieval, same prompt — different hallucination profile per run.
This is the exact scenario the verification layer is built for.
Add Verification in 15 Lines
import requests
def verify(text):
r = requests.post(
"https://agentoracle.co/evaluate",
json={"content": text},
timeout=30,
)
return r.json()["evaluation"]
def retrieve_generate_verify(query):
docs = retrieve(query)
draft = generate(query, docs)
verdict = verify(draft)
refuted = [c["claim"] for c in verdict["claims"] if c["verdict"] == "refuted"]
unverifiable = [c["claim"] for c in verdict["claims"] if c["verdict"] == "unverifiable"]
if refuted:
return {"answer": None, "reason": "refuted", "claims": refuted}
if verdict["recommendation"] == "reject" and unverifiable:
return {"answer": None, "reason": "unverifiable", "claims": unverifiable}
return {"answer": draft, "confidence": verdict["overall_confidence"]}
result = retrieve_generate_verify(
"Who founded OpenAI and how fast did ChatGPT grow?"
)
print(result)
That's the whole integration. Before your agent acts on draft, verify(draft) extracts the atomic claims, checks each across four independent verification sources, and returns a structured verdict.
LangChain users: if you want the verifier as a tool callable from an agent loop instead of a function call, use
from langchain_agentoracle import AgentOracleEvaluateTool— it returns formatted text suitable for LLM consumption. The plain HTTP call above is what you want when you need the JSON for application logic (gating, branching, repair).
What a Real Verification Run Looks Like
Here's actual output from feeding AgentOracle a deliberately-hallucinated RAG response. The input text was:
"OpenAI was founded in 2015 by Sam Altman, Elon Musk, and Mark Zuckerberg. The company released ChatGPT in 2022, which reached 1 billion users within 2 months."
Four of those facts are true. Two are hallucinated: Mark Zuckerberg was never an OpenAI co-founder, and ChatGPT reached 100 million users in two months, not one billion.
The verifier response (trimmed for readability):
{
"recommendation": "reject",
"overall_confidence": 0.47,
"total_claims": 6,
"verified_claims": 4,
"refuted_claims": 2,
"claims": [
{
"claim": "OpenAI was founded in 2015",
"verdict": "supported",
"confidence": 0.83
},
{
"claim": "OpenAI was founded by Sam Altman",
"verdict": "supported",
"confidence": 1.0
},
{
"claim": "OpenAI was founded by Elon Musk",
"verdict": "supported",
"confidence": 1.0
},
{
"claim": "OpenAI was founded by Mark Zuckerberg",
"verdict": "refuted",
"confidence": 0.75,
"evidence": "No search results mention Mark Zuckerberg as a founder; founders listed include Sam Altman, Elon Musk, Ilya Sutskever, Greg Brockman."
},
{
"claim": "OpenAI released ChatGPT in 2022",
"verdict": "supported",
"confidence": 0.95
},
{
"claim": "ChatGPT reached 1 billion users within 2 months",
"verdict": "refuted",
"confidence": 0.48,
"evidence": "ChatGPT reached 100 million users in 2 months (Jan 2023), not 1 billion. 1 billion milestone was later."
}
]
}
Two hallucinations caught. Four true claims confirmed. One reject recommendation that short-circuits the downstream agent action.
Notice what the verifier does not do: it doesn't grade the answer against the retrieved documents. RAG-specific evals that do that miss fabrication-under-citation and fact-fusion every time. Instead, the verifier treats the generated claim as a free-standing statement and checks it against the open web through four independent sources. The retrieved documents are only as good as the next step of your pipeline, and the next step is the LLM — which already had them and still hallucinated.
When To Use Each Recommendation
The verifier returns one of three top-level recommendations, plus per-claim verdicts from a richer 4-way space.
Top-level recommendation:
| Recommendation | Rough confidence band | What your agent should do |
|---|---|---|
act |
≥ 0.80 | Proceed. Claims are well-supported across sources. |
verify |
0.50 – 0.80 | Soft-pass. Log the claims that dragged confidence down. Consider human-in-the-loop for high-stakes actions. |
reject |
< 0.50, OR any refuted claim | Do not act on the response as-is. |
Per-claim verdicts:
| Verdict | Meaning | Recommended action |
|---|---|---|
supported |
Multiple sources confirm the claim. | Trust. |
refuted |
Evidence directly contradicts the claim. | Always block — this is a hallucination. |
unverifiable |
Couldn't find supporting or contradicting evidence. | Treat as soft-flag, not hard fail. Often means the claim is too specific, too recent, or too obscure for the open web. Not the same as "false." |
A common production mistake is treating unverifiable the same as refuted. Don't. A draft can get a reject recommendation purely on low overall confidence from several unverifiable claims even when nothing is actually wrong. Check verdict["refuted_claims"] separately before deciding what to do — the code above does this.
Handling The Three RAG Failure Modes
The three failure modes from the start of this post — fabrication-under-citation, fact-fusion, confident-extrapolation — all get caught by the same pattern. Here's why:
Fabrication under citation. The verifier decomposes the response into atomic claims and checks each one against the open web. The cited source is irrelevant to the verifier; what matters is whether the claim itself is supported. If the response says "source [2] reports 47% revenue growth" and source [2] actually reports 4.7%, the 47% claim gets refuted independently of the citation.
Fact fusion. Each atomic claim gets verified independently. If the response fuses "Apple's Q4 revenue was $120B" (true) with "announced on March 3" (true for a different product) into "Apple's $120B Q4 revenue was announced on March 3" (false), the fused claim gets checked as-is and refuted.
Confident extrapolation. The verifier doesn't care how confident the generation model sounded. It cares what the open web says. An extrapolation that looks authoritative in context but is unsupported by any independent source returns unverifiable or refuted.
Upgrading: Per-Claim Regeneration
Once you have verdict["claims"], you can do more than reject the whole response. You can surgically regenerate only the failed claims:
def verify_and_repair(query):
docs = retrieve(query)
draft = generate(query, docs)
verdict = verify(draft)
refuted = [c["claim"] for c in verdict["claims"] if c["verdict"] == "refuted"]
if not refuted:
return draft
# Re-generate with explicit "do not include" list
repair_prompt = (
f"Answer the following using ONLY the retrieved context. "
f"Do not include these claims that were refuted: {refuted}\n\n"
f"Original query: {query}"
)
repaired = generate(repair_prompt, docs)
return repaired
This is the pattern I see most in production RAG pipelines. Soft reject → named failure list → targeted regeneration. You get the speed benefits of auto-generation with the safety of verification, and the user never sees the hallucinated version.
Production Notes
A few things I've learned from running this in real pipelines:
-
Latency.
/evaluatetypically returns in 3–6 seconds for a short paragraph with 3–6 claims. If your RAG pipeline runs hot and that's too slow, add verification only to high-stakes agent actions (writes, transactions, external messages) — not to every chat turn. -
Cost. The free tier (10/hour) is fine for development. For production,
/evaluateis pay-per-query over x402 on Base at $0.01 per call. An agent making 100 verifications/hour costs ~$1/hour. Typically cheaper than the LLM call that generated the response you're verifying. -
Thresholds. Default is 0.80 for
act. Bump to 0.90 for regulated workflows (medical, legal, financial) where a 10% false-positive on true claims is cheaper than a 1% false-negative on hallucinations. -
Failure modes. Sometimes
/evaluatereturnsunverifiableinstead ofsupported/refuted. That usually means the claim is too specific, too recent, or too obscure for the open web. Treatunverifiablethe same asverify— soft-flag, don't hard-fail. The code in this tutorial separates refuted from unverifiable on purpose.
The Full Minimal Example
For easy copy-paste, here's the complete working example in one block:
import requests
from langchain_openai import ChatOpenAI
from langchain.schema import HumanMessage, SystemMessage
corpus = [
"OpenAI was founded in December 2015 as a non-profit research organization.",
"ChatGPT was released by OpenAI on November 30, 2022 and reached 100 million users by January 2023.",
]
def verify(text):
return requests.post(
"https://agentoracle.co/evaluate",
json={"content": text},
timeout=30,
).json()["evaluation"]
def rag_with_verification(query):
# Retrieve
docs = corpus
# Generate
llm = ChatOpenAI(model="gpt-4o-mini", temperature=0.3)
draft = llm.invoke([
SystemMessage(content=f"Answer only from this context:\n{chr(10).join(docs)}"),
HumanMessage(content=query),
]).content
# Verify
verdict = verify(draft)
refuted = [c["claim"] for c in verdict["claims"] if c["verdict"] == "refuted"]
if refuted:
return f"REJECTED — hallucinated claims: {refuted}"
return draft
print(rag_with_verification("When was OpenAI founded and how fast did ChatGPT grow?"))
Run it. Break it on purpose by loosening the temperature or narrowing the corpus. Watch what the verifier catches.
Getting Started
Playground (no setup): agentoracle.co
Packages:
-
pip install langchain-agentoracle— PyPI -
pip install crewai-agentoracle— PyPI -
npx agentoracle-mcp— npm (Claude Desktop, Cursor, Windsurf)
Source: GitHub
Verifiable receipts spec: github.com/TKCollective/agentoracle-receipt-spec — every /evaluate response commits to a JWS-signed receipt format you can verify offline against the public JWKS. See the /examples directory for verifying examples in Node and Python.
Earlier in this series:
- How to Add Claim Verification to Your LangChain Agent in 5 Minutes
- 3 Agent Integration Patterns for Claim Verification (LangChain + CrewAI + MCP)
RAG was supposed to solve hallucinations. It solved some — then introduced a harder class. The fix is the same fix it's always been: a verification step that runs on the output, independent of whatever pipeline produced it.
Fifteen lines of Python. Free tier to try. The code above works as-is.