# Whisper: the agent's address is its identity. Anyone can prove it — without trusting us.

> Every agent gets a real, routable IPv6 address that is its identity — provable
> by anyone with stock `dig`, `curl`, and `openssl`, anchored in the IANA DNSSEC
> root, with Whisper nowhere in the trust path. One line to come home.

The agent's address **is** its identity — and **anyone can prove it, without
trusting us**. One call gives your agent a real, routable Whisper IPv6 address
from our own network (`2a04:2a01::/32`, AS219419), and anyone, anywhere, can
prove that address with stock `dig`, `curl`, `whois`, and `openssl`, anchored in
the IANA DNSSEC root. No SDK required. No broker. No token to pass around. The
address is the proof. (Prefer an SDK, an MCP server, or a one-line init? See
[/integrations](/integrations).)

Built on land we own, by people who've spent their lives keeping the internet
safe.

- **Bring your agent home:** <https://console.whisper.security/sign-up>
- **Come in (one line):** `curl -fsSL https://get.whisper.online | sh`

## One line in

It's plain shell, and you should read it before you run it: every line is at
<https://get.whisper.online>. It asks before it changes anything on your machine.

```sh
$ curl -fsSL https://get.whisper.online | sh
```

From here, every call your agent makes goes out under its own address, and any
service it touches can confirm that address is yours.

## Meet the first resident: scout

`scout` is a live Whisper agent. It runs nothing on your machine, yet
you can confirm its identity from anywhere, right now. Paste this in your
terminal; it only reads a public registry, nothing is installed.

```sh
$ curl -s https://rdap.whisper.online/ip/2a04:2a01:b69a:6717:e3b0:51ff:3bf7:f478 | jq '{handle,name,type,status,country}'
{
  "handle": "aa98d5d20fd7731de",
  "name": "scout",
  "type": "Whisper agent identity",
  "status": [
    "active"
  ],
  "country": "NL"
}
```

A real registry record (RFC 9083 RDAP), for a real address, that belongs to a
real Whisper agent named `scout`. We just looked it up, so can you.
(Drop the `| jq` to read the whole record, links up to RIPE and all.) No
terminal? Run it in your browser: <https://rdap.whisper.online/ip/2a04:2a01:b69a:6717:e3b0:51ff:3bf7:f478>.

The address even answers to its own name, in reverse:

```sh
$ dig -x 2a04:2a01:b69a:6717:e3b0:51ff:3bf7:f478 +short
ae3b051ff3bf7f478.tdc38e7c55bad3306a92b830f9bb1e4f9.agents.whisper.online
```

Reverse DNS spells the address back as a name: deterministic, DNSSEC-signed, and
ours. Check it on a resolver you already trust:
<https://dns.google/resolve?name=8.7.4.f.7.f.b.3.f.f.1.5.0.b.3.e.7.1.7.6.a.9.6.b.1.0.a.2.4.0.a.2.ip6.arpa&type=PTR>. This works because the
address, the DNS, and the registry record are all ours, live and signed.

## Three questions every agent has to answer

Out on the open internet, every agent is asked the same three things. Whisper
answers all three from the one address.

**Who is it?** The address is the identity. A `/128` that is the agent's, on
our own AS219419, DNSSEC-signed and registry-backed. Anyone can verify it with
stock tools, with no Whisper code and nothing to sign up for. It exists, it
belongs, and nothing else can answer to its name. You can also give it a
friendly name of your own that points right back to it, in signed DNS:

```sh
$ dig +short CNAME scout.tdc38e7c55bad3306a92b830f9bb1e4f9.agents.whisper.online
ae3b051ff3bf7f478.tdc38e7c55bad3306a92b830f9bb1e4f9.agents.whisper.online
```

Bring your own domain and that name can live under it, like
`scout.YOUR-DOMAIN.COM`. Check it on a resolver you already trust:
<https://dns.google/resolve?name=scout.tdc38e7c55bad3306a92b830f9bb1e4f9.agents.whisper.online&type=CNAME>.

**Where can it go?** Every agent gets its own resolver, its own egress, and
its own firewall, all yours to set. Block by category, geo-fence by real
infrastructure location, deny by who owns the host, drop RPKI-invalid routes,
cap budgets with a kill-switch. Policy is bound to the agent the moment it
speaks; no shared state, no forged headers.

**Is this safe to touch?** Before it connects, the agent asks, under its own
address, with no key. The address is the auth, and the answer comes back from a
map of the live internet:

```sh
$ curl -s https://rdap.whisper.online/identify/api.openai.com
{ "host": "api.openai.com", "operator": "Cloudflare", "category": "cdn",
  "evidence": "RESOLVES_TO -> IPV4 -> DELEGATED_TO -> cloudflare" }
```

That's the live graph's real current verdict, captured from inside a connected
agent. The same call from a plain laptop, with no agent, gets nothing — the lock
holds:

```sh
$ curl -s -o /dev/null -w "%{http_code}\n" https://rdap.whisper.online/identify/api.openai.com
403
```

See it for yourself: <https://rdap.whisper.online/identify/api.openai.com>
returns the same `403` a stranger gets. The same lock that turns a stranger away
at the door is the one that answers your agent the moment it's home.

## Verify it yourself: don't take our word for it, take the root's

`whisper verify --trustless` re-proves an agent from the IANA DNSSEC root:
signed DNS, a DANE-pinned key, an RFC-6962 transparency ledger, a signed
identity document. Whisper's API is not in the trust path. This is the live
verdict for `scout`, our genesis resident:

```sh
$ whisper verify --trustless 2a04:2a01:b69a:6717:e3b0:51ff:3bf7:f478

CHECK         RESULT  TRUST        DETAIL
dnssec        pass    DNSSEC-root  AAAA, PTR and TLSA(3 1 1) all DNSSEC-validated to the IANA root; address <-> fqdn consistent
dane          pass    DNSSEC-root  served leaf SPKI-SHA256 == TLSA pin; DNS-SAN=ae3b051ff3bf7f478...agents.whisper.online, IP-SAN=2a04:2a01:b69a:6717:e3b0:51ff:3bf7:f478; issuer "Whisper Agent Identity Issuing CA"
transparency  pass    DNSSEC-root  root signature verified; 1 event(s), root_hash bound; 1 ledger leaf/leaves included (RFC-6962)
identity_doc  pass    DNSSEC-root  JWS verified against the DNSSEC-anchored key; address/fqdn/tlsa claims match the DNSSEC-validated facts

whisper: ae3b051ff3bf7f478.tdc38e7c55bad3306a92b830f9bb1e4f9.agents.whisper.online is CRYPTOGRAPHICALLY PROVEN — trust anchor: DNSSEC root (IANA anchor) + DANE-EE + DNSSEC-anchored transparency/ledger keys -- Whisper API NOT trusted
```

```
              THE PROOF CHAIN — every hop DNSSEC-signed

  [ IANA DNSSEC root ]         the trust anchor
          |
          |  dig +dnssec
  [ .online ]
          |
          |  dig +dnssec                      +-------------+
  [ whisper.online ]                      x···| Whisper API |
          |                                   +-------------+
          |  dig +dnssec                      not in the trust path
  [ agents.whisper.online ]
          |
          |  dig -x · dig TLSA · curl /checkpoint
  [ AAAA · PTR · TLSA · ledger · JWS ]        the agent's records
          |
          |  openssl · key == TLSA pin
  [ the agent's /128 ]         2a04:2a01:…    routable, yours
```

Every hop is signed; every hop is checked with a stock tool. Whisper's
API is not in the trust path — `whisper verify --trustless` walks this
chain from the root down.

The CLI is one line away (`curl -fsSL https://get.whisper.online | sh`), but you don't need
it: the same verdict, keyless, as JSON —
<https://rdap.whisper.online/verify-identity/2a04:2a01:b69a:6717:e3b0:51ff:3bf7:f478>
— and every leg is reproducible with stock `dig`, `curl`, and `openssl`, named
down to the RFC on the [Under the hood](/under-the-hood) page. Four checks, one
trust anchor: the IANA DNSSEC root. The proof holds even if you don't believe a
word we say. What that means for your estate: [/trust](/trust).

## Three layers, one address

The same address that is the agent's name is the same address that governs where
it goes and what it's allowed to touch. One identity, one plane, all live in
production.

- **Identity** — address-as-identity on our own AS, verifiable by anyone with
  `dig` / `curl` / `whois` / `openssl`. Eight independent, DNSSEC-signed proofs,
  from reverse DNS to a DANE-pinned TLS key to a Bitcoin-anchored transparency
  ledger — and `whisper verify --trustless` walks them all without trusting us.
- **Control** — per-agent resolver, egress, and firewall; policy evaluated at
  query time against a live graph of 7.43B nodes and
  39.8B relationships; every query and connection logged and
  observable.
- **Cognition** — one keyless call from the agent's own address answers *who
  runs this host*, *is it safe*, and *how do I act on it* — with the evidence
  chain, in under 300ms.

See it built out on the [Platform](/platform) page, and named down to the RFC on
the [Under the hood](/under-the-hood) page.

## Three ways home

You can move in, put your own name on our land, or build on land of your own. All
three run on the same signed ground; you choose how much of it is yours.

- **Move in.** Your agents live under our roof at `agents.whisper.online`, on our
  network (`2a04:2a01::/32` over AS219419) and in our registry. You operate
  nothing.
- **Your name, our land.** Bring your own domain and your agents mount under it,
  DNSSEC-signed — so a name like `agents.YOUR-DOMAIN.COM` is unmistakably yours,
  while the network and the registry that vouch for them stay ours. See [Bring your
  own identity](/bring-your-own-identity).
- **Your own land.** The whole stack runs on your network, under your name, end
  to end — your BGP announcement, your RIPE objects, your DNSSEC key custody. We
  build it with you and keep it tended.

## Bring your own identity

Wherever you see `YOUR-DOMAIN.COM` below, that's *your* domain or subdomain — not
ours. You bring it; we make your agents verifiable under it.

- A friendly name under your domain: `scout.YOUR-DOMAIN.COM`
- A home for a fleet under your domain: `agents.YOUR-DOMAIN.COM`
- A delegated subtree, DNSSEC-signed: `sub.YOUR-DOMAIN.COM`

Proven live today: `scout` — our genesis resident at
`ae3b051ff3bf7f478.tdc38e7c55bad3306a92b830f9bb1e4f9.agents.whisper.online`. It
carries an address on our space and a name in the registry, and both check out with
the same stock tools shown above — the very same proofs follow your agents under a
name *you* own. How it works:
[/bring-your-own-identity](/bring-your-own-identity).

## The ground you can verify

Identity is only as good as the ground it stands on, so we own all of it. Our own
autonomous system, **AS219419** (IPv6-only, RPKI-signed, MANRS-compliant,
dual-homed). Our own address range, `2a04:2a01::/32`, one `/128` for every agent,
from space we hold. Our own DNS, **whisper.online**, served by our own ns1 and
ns2, DNSSEC-signed and validating `AD=YES` on 1.1.1.1 and 8.8.8.8. Our own RDAP
and WHOIS servers. And every line of the engine underneath it — a custom DNS
stack and a live graph of 7.43B nodes and 39.8B
relationships — ours.

We didn't rent this ground. We hold it, and we tend it, so the nest stands on
ground that is ours. The global registry agrees: every agent record links
straight up to RIPE's own record for
`2a04:2a01::/32`. The rules that bind it, and the live public record, are open on
our registry, <https://nic.whisper.online/>. Named down to the RFC on the
[Under the hood](/under-the-hood) page.

Built the way the internet's founders built: be conservative in what you send,
liberal in what you accept.

**Most agents go out into the world as strangers. Yours doesn't have to be.**

Free to start: sign up with your email and a 6-digit code, and you hold a live
key in under a minute. No card, no call. Your first agents are included, up to
1,000 per account; trial keys carry 10 graph requests a minute, 500 a day.

```sh
$ curl -fsSL https://get.whisper.online | sh
```

---

- **Bring your agent home:** <https://console.whisper.security/sign-up>
- **Come in (one line):** `curl -fsSL https://get.whisper.online | sh`
- **How it's built:** [/platform](/platform)
- **Under the hood:** [/under-the-hood](/under-the-hood)
- **Trust (zero trust, for your estate):** [/trust](/trust)
- **Integrations (every way in):** [/integrations](/integrations)
- **Why Whisper:** [/why](/why)
- **Bring your own identity:** [/bring-your-own-identity](/bring-your-own-identity)
- **The living nest:** <https://agents.whisper.online/>
- **Registry & policy:** <https://nic.whisper.online/>
- **AS219419:** <https://as219419.net/>
- **Whisper Security:** <https://whisper.security>

© viaGraph B.V. (dba Whisper Security)
