From one line to a named, verified agent. Under a minute.

Install the tools, give your agent its own identity and connect, then confirm its name yourself with nothing but what's already in your terminal. By the end, a stranger confirms your agent is real with one dig. Set policy and watch it live from the console whenever you like.

From one line to an agent at home

1

Install the tools. One line.

Read it first, then run it. It asks before it changes anything on your machine.

shell · installs the Whisper tools on this machine
$ curl -fsSL https://get.whisper.online | sh

Prefer your system package manager? whisper also ships from our own apt, dnf, and apk repositories, self-hosted and signed on AS219419 (the signing key is at get.whisper.online/whisper.gpg).

apt · Debian / Ubuntu
$ curl -fsSL https://get.whisper.online/whisper.gpg | sudo tee /usr/share/keyrings/whisper.asc >/dev/null
$ echo "deb [signed-by=/usr/share/keyrings/whisper.asc] https://get.whisper.online/deb stable main" | sudo tee /etc/apt/sources.list.d/whisper.list
$ sudo apt update && sudo apt install whisper
dnf · Fedora / RHEL
$ sudo tee /etc/yum.repos.d/whisper.repo >/dev/null <<'EOF'
[whisper]
name=Whisper
baseurl=https://get.whisper.online/rpm
enabled=1
gpgcheck=1
gpgkey=https://get.whisper.online/whisper.gpg
EOF
$ sudo dnf install whisper
apk · Alpine
$ wget -qO /etc/apk/keys/whisper-apk.rsa.pub https://get.whisper.online/apk/whisper-apk.rsa.pub
$ echo "https://get.whisper.online/apk" | sudo tee -a /etc/apk/repositories
$ sudo apk add whisper
2

Give your agent its identity, and connect.

shell
$ whisper create --register --label scout
$ whisper connect scout

One command gives your agent a /128 of its own; the next brings it home on that address. The address is the identity: from here on, every call it makes goes out under that address, and that address is its name.

3

Verify it yourself.

verify · stock tools, no Whisper code
$ dig -x 2a04:2a01:b69a:6717:e3b0:51ff:3bf7:f478 +short
ae3b051ff3bf7f478.tdc38e7c55bad3306a92b830f9bb1e4f9.agents.whisper.online
$ curl -s https://rdap.whisper.online/ip/2a04:2a01:b69a:6717:e3b0:51ff:3bf7:f478 | jq -r .name
scout
$ whisper ip scout
2a04:2a01:b69a:6717:e3b0:51ff:3bf7:f478

A stranger confirms your agent is real with one dig, no Whisper code. The eight proofs below show every way to check it, on us, on an independent resolver, and — for the eighth — from the DNSSEC root itself, trusting nothing of ours.

Set resolution policy, watch live activity, and manage your agents from the console → console.whisper.security.

The journey home: from one line to a verified address of your own Five beats. One: one line, curl -fsSL https://get.whisper.online piped to sh. Two: identity minted — a /128 of your own, named in signed DNS. Three: connected — whisper connect brings a local tunnel or proxy up. Four: traffic leaves as the /128 — whisper run, and every packet's source address is your agent's own. Five: anyone verifies — a stranger's dig -x on that address returns your agent's name. The purple line is the packet's source address, from the moment it exists. 1 One line curl -fsSL https://get.whisper.online | sh 2 Identity minted a /128 of your own, in signed DNS 2a04:2a01:… 3 Connected whisper connect · local proxy up 4 Traffic leaves as the /128 whisper run -- python agent.py src = 2a04:2a01:… (your /128) 5 Anyone verifies $ dig -x 2a04:2a01:… +short your-agent.agents.whisper.online
The purple line is the packet's source address, from the moment it exists: minted at beat 2, on the wire from beat 4 — and a stranger's dig -x gets your agent's name back at beat 5.

Your code, unchanged, under its own address

The agent has an address. whisper run puts your code behind it, the same script you already have, not a rewrite of it.

shell · your command, through the agent's egress
$ whisper run -- python agent.py
$ whisper run -- node agent.js
$ whisper run claude   # shorthand: Claude Code, through the agent's egress

It brings the agent's egress up and starts your command with ALL_PROXY (a local SOCKS5) and HTTPS_PROXY (a local HTTP proxy) already set in its environment, so curl, git, Python's requests and httpx, and Node's fetch route through it on their own. Your code does not change.

Proof, live. Ask a third party what address it sees:

proof · a third party reads the source address off the wire
$ whisper run -- curl -s https://api64.ipify.org
Connected as 2a04:2a01:c899:2496:2b9b:ccde:6a8e:2f64 — 2a04:2a01:c899:2496:2b9b:ccde:6a8e:2f64 ✓ verified
2a04:2a01:c899:2496:2b9b:ccde:6a8e:2f64

That last line is ipify, not us, reporting the source address it saw: the agent's own /128. An IPv6-reachable destination sees your agent as itself.

Three ways an agent gets a Whisper IP

From a fully-routed kernel WireGuard tunnel down to plain DoH, pick the integration depth you want.

Tier 1 · best

Routed Whisper IPv6 via WireGuard

A routed Whisper /128 over a WireGuard tunnel: kernel, userspace (boringtun), or wireproxy (a userspace WireGuard client) to a local SOCKS5 (no root). The server-side peer is live; you bring it up with a wg-quick config today, and one-line whisper connect ergonomics for this tier are on the way. Packets source from the agent's /128; reverse DNS resolves to the identity.

Tier 1.5

Whisper SOCKS5 / HTTP egress

Source-bound to the agent's /128 via AnyIP and IP_FREEBIND over 2a04:2a01::/32. Point ALL_PROXY at it and every connection leaves as the identity.

Tier 2 · DoH or :53

Use our resolver

Keep your own address; use our resolver for control via DoH on :443 (API key), or point an agent at a dedicated per-tenant IPv6 /128 resolver on standard :53 the way it would at 1.1.1.1. Each tenant applies its own policy.

DoH · query with stock curl
$ curl -H "X-API-Key: whisper_live_xxx" \
      -H "content-type: application/dns-message" \
      --data-binary @query.bin \
      https://doh.whisper.online/dns-query

# or plain :53 against your dedicated resolver /128
$ dig @2a04:2a01:0:53::53 example.com AAAA +dnssec

The IPv4 question, answered in ink. An IPv6-reachable destination sees your agent's own /128 on the wire; the address is the identity, end to end. An IPv4-only destination is reached through the egress gateway, and what it sees on the wire is the gateway's shared IPv4 — attribution on the wire there is the gateway, and per-connection attribution lives in your Whisper logs. The internet's agent infrastructure is v6-first, and that is the honest boundary today: identity on the wire wherever IPv6 reaches, identity in the log where only IPv4 does.

Already home somewhere else? We come to you.

whisper init

One command wires an identity into the place your agent already lives: whisper init claude, python, k8s, compose, and more — zero config, standard ports.

SDKs

whisper-id on npm and PyPI, and whisper-edge for serverless runtimes — verify and connect from code, the same proofs as the terminal.

One MCP server

whisper mcp gives any MCP-speaking agent the same two tiers: verify an identity with no key at all; register, govern, and revoke with yours.

Every channel — brew, scoop, go, mise, the signed apt/dnf/apk repos, GitHub Actions, GHCR, n8n — on one page: see all the ways in →

Verify it yourself. Eight proofs, and none of them trust us.

Seven with stock tools and no Whisper code at all; the eighth with one open-source command that re-proves everything from the IANA DNSSEC root — with the Whisper API explicitly not trusted.

verify · stock tools, no Whisper code
$ dig -x 2a04:2a01:b69a:6717:e3b0:51ff:3bf7:f478 +short
ae3b051ff3bf7f478.tdc38e7c55bad3306a92b830f9bb1e4f9.agents.whisper.online

$ dig +short AAAA ae3b051ff3bf7f478.tdc38e7c55bad3306a92b830f9bb1e4f9.agents.whisper.online
2a04:2a01:b69a:6717:e3b0:51ff:3bf7:f478

$ dig +short CNAME scout.tdc38e7c55bad3306a92b830f9bb1e4f9.agents.whisper.online
ae3b051ff3bf7f478.tdc38e7c55bad3306a92b830f9bb1e4f9.agents.whisper.online

$ dig +short TLSA _443._tcp.ae3b051ff3bf7f478.tdc38e7c55bad3306a92b830f9bb1e4f9.agents.whisper.online
3 1 1 9EC1EF18A1F15E5480A0FC3C8D6E9690B2CCF1A7FA7146201940F28C 422BB47D

$ curl -s https://rdap.whisper.online/ip/2a04:2a01:b69a:6717:e3b0:51ff:3bf7:f478 | jq -r .name
scout

$ whois -h whois.whisper.online 2a04:2a01:b69a:6717:e3b0:51ff:3bf7:f478
netname     scout
descr       Whisper agent identity
status      active
country     NL

$ curl -s https://rdap.whisper.online/verify-identity/2a04:2a01:b69a:6717:e3b0:51ff:3bf7:f478 | jq '{is_whisper_agent,dane_ok,jws_ok}'
{
  "is_whisper_agent": true,
  "dane_ok": true,
  "jws_ok": true
}

No terminal handy? Run each check in your browser. The DNS ones go to an independent public resolver, so you are verifying it anywhere, not just on us: reverse PTR, forward AAAA, friendly CNAME, DANE TLSA; and on us, the RDAP record and the keyless full-chain check. (The WHOIS port-43 check is terminal-only.)

Every proof resolves back to the same agent, and every DNS answer carries a DNSSEC signature you can validate on 1.1.1.1 or 8.8.8.8 (AD=YES). No third party sits anywhere in the trust path. (The full inet6num record, verbatim, is on the nest page.)

And the eighth proof is the deepest one. One command walks every check above — and the transparency log behind them — anchored at the IANA DNSSEC root, with the Whisper API explicitly not trusted. The CLI is open source (MIT), so you can read exactly what it checks before you believe it. This is a real run against the resident, verbatim:

proof #8 · whisper verify --trustless, verbatim
$ whisper verify --trustless 2a04:2a01:b69a:6717:e3b0:51ff:3bf7:f478
FIELD        VALUE
address      2a04:2a01:b69a:6717:e3b0:51ff:3bf7:f478
fqdn         ae3b051ff3bf7f478.tdc38e7c55bad3306a92b830f9bb1e4f9.agents.whisper.online
agent        ae3b051ff3bf7f478
tenant       tdc38e7c55bad3306a92b830f9bb1e4f9
tlsa_sha256  9ec1ef18a1f15e5480a0fc3c8d6e9690b2ccf1a7fa7146201940f28c422bb47d
served_spki  9ec1ef18a1f15e5480a0fc3c8d6e9690b2ccf1a7fa7146201940f28c422bb47d

CHECK         RESULT  TRUST        DETAIL
dnssec        pass    DNSSEC-root  AAAA, PTR and TLSA(3 1 1) all DNSSEC-validated to the IANA root; address <-> fqdn consistent
dane          pass    DNSSEC-root  served leaf SPKI-SHA256 == TLSA pin; DNS-SAN=ae3b051ff3bf7f478...agents.whisper.online, IP-SAN=2a04:2a01:b69a:6717:e3b0:51ff:3bf7:f478; issuer "Whisper Agent Identity Issuing CA"
transparency  pass    DNSSEC-root  root signature verified; 1 event(s), root_hash bound; 1 ledger leaf/leaves included (RFC-6962)
identity_doc  pass    DNSSEC-root  JWS verified against the DNSSEC-anchored key; address/fqdn/tlsa claims match the DNSSEC-validated facts

whisper: ae3b051ff3bf7f478.tdc38e7c55bad3306a92b830f9bb1e4f9.agents.whisper.online is CRYPTOGRAPHICALLY PROVEN — trust anchor: DNSSEC root (IANA anchor) + DANE-EE + DNSSEC-anchored transparency/ledger keys -- Whisper API NOT trusted

tlsa_sha256 and served_spki are the same digest: the key the agent's TLS socket actually serves is the key pinned in signed DNS. That is the whole point, in two matching lines.

The transparency log it checks is public. Read the signed head of the ledger yourself, with nothing but curl:

the ledger checkpoint · origin, tree size, root hash, signature
$ curl -s https://whisper.online/checkpoint
whisper.online/ledger
64
B66DTSD3Eq5OYm29c8oVMuDuVjbTgsokKEk4sdyRiKU=

— whisper.online/ledger ijpd8I14cmGnMp9HajPjCRadLGL8Bs+E8weqY/EiPQd3lvnxC7hT6eMyGVJFImQfCIPc1O6jyDid9cEjABz1II+7aw4=

Captured live; the tree only grows. The ledger's Ed25519 key is published in DNSSEC-signed DNS at _whisper-ledger.whisper.online, so the log verifies from the same root the DNS does. It is tamper-evident and signed today; independent witnesses are being recruited. How the log is built — and why you shouldn't have to trust us — is on the platform page.

Public archives. An anonymous, read-only FTP archive at ftp.whisper.online (port 21, RFC 959) mirrors the NIC / registry documents you can verify over RDAP and WHOIS — the calm, ancient protocol a stock ftp / lftp / curl ftp:// client already speaks. The same identity also answers FINGER at finger.whisper.online (port 79, RFC 1288).

Want to know why every one of these answers can be trusted? See how the nest is built →

That's it.

A real agent, with a name of its own, at home on land we own. Welcome in.

Free to start: sign up with your email and a 6-digit code, and you hold a live key in under a minute. No card, no call.

Your first agents are included, up to 1,000 per account; trial keys carry 10 graph requests a minute, 500 a day.

$curl -fsSL https://get.whisper.online | sh