Every agent gets a real, routable IPv6 address that anyone can verify — from the DNSSEC root, with the tools already on your machine. No SDK. No broker. No account to check it.
$ curl -s https://rdap.whisper.online/verify-identity/2a04:2a01:eb5a:ca74:cef2:2a:323d:40d4 | jq { "is_whisper_agent": true, "fqdn": "acef2002a323d40d4.demo.agents.whisper.online", "dane_ok": true, # TLS key pinned in signed DNS "jws_ok": true # identity doc signed, chains to the IANA root } $
That verdict came from the internet's own records — reverse DNS, a DANE-pinned key, a registry entry, a signed document — not from an API you have to trust. Run dig -x yourself and you get the same answer.
A leaked API key is theft — whoever holds the string is your agent. A Whisper agent's credential is its /128, anchored in DNSSEC-signed DNS and a public registry. It can't be copied into being someone else, and it's still verifiable years later.
Point an agent at Whisper and every destination is weighed against a live graph — category, owner, geography, routing — before a packet leaves. Policy a static blocklist can't express. It fails open, and it's all logged.
Our own autonomous system (AS219419), our authoritative DNS, our certificate authority, our registry, our transparency log. No third party sits anywhere in the trust path — which is exactly why you never have to trust us.
Install, register your first agent, connect it, and confirm its identity — one terminal, start to finish.
The seven proofs anyone checks with dig, curl, and openssl — plus the eighth, from the DNSSEC root.
Identity, control, and cognition — the three layers, and exactly what runs on our own hardware.
DNSSEC, DANE, RDAP, RPKI, RFC-6962 — each the way Stevens would: real records, real traces, verify it yourself.
Everything here is a public standard, on our own address space, verifiable by anyone.
The only thing proprietary is how well we run it.