Every way in.
One CLI on eight signed channels, twelve whisper init targets, one MCP server, SDKs on npm and PyPI, a container image, a CI action, an edge SDK, workflow nodes. Every surface is the same product, two tiers deep: verify any agent with no key at all; provision, govern, and egress with one.
Every surface has two tiers
Be liberal in what you accept: auth is optional. Without a key, every integration still verifies any Whisper agent against the DNSSEC root — real value, zero friction. With your key, the full control plane and egress unlock.
/128.
$ whisper verify --trustless 2a04:2a01:b69a:6717:e3b0:51ff:3bf7:f478
… (dnssec pass · dane pass · transparency pass · identity_doc pass, all anchored at the DNSSEC root)
whisper: ae3b051ff3bf7f478.tdc38e7c55bad3306a92b830f9bb1e4f9.agents.whisper.online is CRYPTOGRAPHICALLY PROVEN — trust anchor: DNSSEC root (IANA anchor) + DANE-EE + DNSSEC-anchored transparency/ledger keys -- Whisper API NOT trusted
In plain terms: a surface that only verifies would be half a product, and a surface that demands a key before doing anything would be a wall. So every integration below does both — and the badge tells you exactly how much of it is live today.
One CLI, eight signed channels
Every channel delivers the same signed binary. Keyless, it verifies any agent (whisper verify --trustless). With your key, it creates, connects, sets policy, reads logs, revokes. The apt, dnf, and apk repositories are self-hosted on our own network and signed with our own key — no third party in the supply chain.
curl · the one line
LiveRead it first, then run it. It asks before it changes anything.
$ curl -fsSL https://get.whisper.online | sh
Homebrew · macOS / Linux
LiveOur own tap; the formula pins per-arch SHA-256 of the signed release.
$ brew install whisper-sec/tap/whisper
Scoop · Windows
LiveOur own bucket, hash-pinned per release.
$ scoop bucket add whisper https://github.com/whisper-sec/scoop-bucket
$ scoop install whisper
go install / mise
LiveStraight from source through the Go module proxy, or the mise GitHub-release backend.
$ go install github.com/whisper-sec/whisper-cli/cmd/whisper@latest
$ mise use -g "github:whisper-sec/whisper-cli[exe=whisper]"
apt · Debian / Ubuntu
LiveSigned, self-hosted on AS219419.
$ curl -fsSL https://get.whisper.online/whisper.gpg | sudo tee /usr/share/keyrings/whisper.asc >/dev/null
$ echo "deb [signed-by=/usr/share/keyrings/whisper.asc] https://get.whisper.online/deb stable main" | sudo tee /etc/apt/sources.list.d/whisper.list
$ sudo apt update && sudo apt install whisper
dnf · Fedora / RHEL
LiveSame repo host, per-package RPM signatures.
$ sudo tee /etc/yum.repos.d/whisper.repo >/dev/null <<'EOF'
[whisper]
name=Whisper
baseurl=https://get.whisper.online/rpm
enabled=1
gpgcheck=1
gpgkey=https://get.whisper.online/whisper.gpg
EOF
$ sudo dnf install whisper
apk · Alpine
LiveSigned index, container-friendly.
$ wget -qO /etc/apk/keys/whisper-apk.rsa.pub https://get.whisper.online/apk/whisper-apk.rsa.pub
$ echo "https://get.whisper.online/apk" | sudo tee -a /etc/apk/repositories
$ sudo apk add whisper
Check the signing key yourself
LiveDon't take the repos on faith either. The key that signs them, verified with stock gpg:
$ curl -fsSL https://get.whisper.online/whisper.gpg | gpg --show-keys --with-fingerprint --dry-run
pub rsa4096 2026-06-30 [SC]
FCE3 EE8D 3F98 48ED E746 96C6 7570 D759 316F 7C1F
uid Whisper Security (Package Repositories) <security@whisper.security>
Wire it into what you build
One command per tool, one MCP server for every MCP host, one SDK name on both registries.
whisper init · 12 targets
LiveOne command wires a tool, framework, or runtime for Whisper identity and egress — zero config in the common case.
- keyless —
whisper verifyworks out of the box - with key — the tool's traffic egresses from its own
/128
$ whisper init claude
whisper mcp · one MCP server
LiveOne server for Claude, Zed, and every MCP host — explicitly two-tier by tool.
- keyless tools —
verify,rdap - key-gated tools —
register,list,policy,logs,revoke,egress-config
$ whisper mcp
# registry entry: io.github.whisper-sec/whisper
whisper-id · npm + PyPI
LiveThe SDK, same name on both registries. Verify with no key or CLI at all; govern with one.
- keyless — verify / RDAP / reverse-DNS checks, serverless-ready
- with key — register, policy, logs, revoke, egress config
$ npm i whisper-id
$ pip install whisper-id
Containers, edge, and CI
The same identity wherever the agent actually runs.
Container image · GHCR
LiveMulti-arch (amd64/arm64), entrypoint whisper. Modes: mcp, run, egress sidecar — pair it with whisper init compose / init k8s.
- keyless —
verify,mcpverify/rdap tools - with key —
runyour workload egressing from its/128
$ docker run --rm ghcr.io/whisper-sec/whisper --version
whisper-edge · npm
LiveDependency-free TypeScript SDK for edge runtimes — Workers, Vercel, Deno, Netlify, Lambda, Supabase. Fetch-only; nothing to compile.
- keyless —
verify/verifyDetails/resolve/rdap - with key —
control(apiKey): the full verb, plus egress where the runtime allows
$ npm i whisper-edge
setup-whisper · GitHub Action
LiveInstalls the signed CLI on any runner OS/arch; optionally connects the job so CI itself runs as a named agent.
- keyless — install + verify in any workflow
- with key —
api-key:input +whisper connectfor the job
- uses: whisper-sec/setup-whisper@v1
Workflows and serverless
n8n · community node
Liven8n-nodes-whisper: ten operations across both tiers, proven by executing the published node in a real n8n — a real /128 minted, confirmed externally, revoked.
- keyless — verify / RDAP nodes in any workflow
- with key — register, policy, logs, revoke from your flows
# n8n → Settings → Community nodes → Install
n8n-nodes-whisper
Serverless connectors · 6 platforms
Hosted demo comingCloudflare Workers, Vercel, Deno Deploy, Netlify, AWS Lambda, Supabase Edge — ready-to-deploy functions on whisper-edge, two-tier like everything else. The code ships today; the public hosted demos go live in a later phase, and this badge flips when they do.
- keyless — a verify endpoint you deploy in minutes
- with key — control plane from your function; egress where the platform allows
Nine doors, one house. Whichever you walk through, the same address answers — and anyone can check it.
Pick a door.
The keyless tier works right now, from this page. The rest takes one key.
curl -fsSL https://get.whisper.online | sh