# Agents

Register, connect, and observe your Whisper agents. Each agent is a routable IPv6 `/128` that is at once its name, its credential, and its audit trail.

## 1. The agent list

Each agent with its `/128` address, status, and recent egress, plus an account summary.

![The Agents list, shown with demo data: a table of agents, each with a /128 address, a status, and a 24-hour egress figure, plus a summary bar.](/docs/shots/agents-list.png)

*Every agent, its /128 address, status, and recent egress. Demo data, illustrative figures.*

## 2. Register an agent

A label (and an optional contact for the public RDAP or WHOIS record) mints a fresh API key and allocates the agent its own `/128`.

![The Register agent dialog: a label field and an optional contact email, with a note that it mints a fresh API key and the agent's own /128 identity, shown once.](/docs/shots/agents-create-modal-filled.png)

*A label (and an optional contact for the public RDAP or WHOIS record) mints a fresh key and the agent's own /128.*

The API key is shown once. Copy it then; it is never displayed again. Keys are redacted in every screenshot here.

![The Agent registered dialog, shown with the API key redacted: the new /128 address, a shown-once notice, an API key field, and a next-step command to connect the agent.](/docs/shots/agents-secret-reveal.png)

*The key is shown once, so copy it then. The API key is redacted here. Next: connect the agent.*

## 3. Overview and trust posture

A health score and the checks behind it (verified identity, signed identity, DANE-TLSA, RPKI routing, threat-clean), plus 24-hour traffic and public registration details.

![An agent overview, shown with demo data: a health score and the checks that build it (verified identity, signed identity, DANE-TLSA, RPKI routing, threat-clean), 24-hour traffic totals, and a registration detail table.](/docs/shots/agent-detail-overview.png)

*Overview: a health score, the checks behind it, and 24-hour traffic. Demo figures are illustrative.*

## 4. Identity and egress

Allocate the `/128`, provision an egress proxy bound to it, bring up a dedicated resolver, or mint a read-only monitor token.

![The Identity and Egress tab for an agent, shown with connection strings redacted: cards to allocate a /128, provision an egress proxy bound to it, bring up a dedicated resolver, and mint a read-only monitor token.](/docs/shots/agent-detail-identity.png)

*Allocate the /128, provision an egress proxy bound to it, bring up a dedicated resolver, or mint a read-only monitor token. Strings and tokens are redacted.*

## 5. Resolver policy

A block and allow list plus graph-evaluated postures (Tor exits, bulletproof hosting, RPKI-invalid, sanctions and threat, new domains, geo-deny). Postures only tighten policy and fail open when the graph has no opinion.

![The Policy tab for an agent: a block list and an allow list, graph-evaluated escalation postures (Tor exits, bulletproof hosting, RPKI-invalid routes, sanctions and threat lists, newly-registered domains), a geo-deny field, and a default action.](/docs/shots/agent-detail-policy.png)

*Resolver policy: a block/allow list plus graph-evaluated postures. Postures can only tighten policy, and fail open when the graph has no opinion.*

## 6. Firewall and budgets

Per-agent egress rules keyed to the `/128`, hard caps that refuse over-cap traffic with 429, and a kill switch.

![The Firewall and budgets tab for an agent, shown with demo data: per-agent egress rules, hard caps on bytes, connections, requests, and cost, and a kill switch.](/docs/shots/agent-detail-firewall.png)

*Per-agent egress rules keyed to the /128, hard caps that refuse over-cap traffic with 429, and a kill switch.*

## 7. Activity

The agent audit trail: DNS and connection history with allow and block verdicts.

![The Activity tab for an agent, shown with demo data: a history of DNS and connection events with timestamps, destinations, allow or block verdicts, and byte counts.](/docs/shots/agent-detail-activity.png)

*Per-agent DNS and connection history with allow and block verdicts. Demo addresses are documentation-range.*

## 8. Verify it, keyless

Anyone can check the address with no key: reverse DNS, RDAP, WHOIS, and a one-call verdict.

![The Verify tab for an agent: a keyless-identity note and a set of copy-paste proofs anyone can run (reverse DNS, RDAP, WHOIS, and a one-call verdict), with the demo record reading as not yet verified.](/docs/shots/agent-detail-verify.png)

*The keyless proofs anyone can run: dig -x, RDAP, WHOIS, and the one-call verdict. The demo record has no live /128, so it reads unverified; it turns verified once an identity is anchored.*
