Whisper · Explainers

How agent identity works, in pictures.

Two flagship films tell the whole story, and twelve short explainers go deep on each piece. New here? Start with the films. Then start with the foundations if DNS is new to you, jump to how Whisper does it for the product story, or go straight to the backend for the machinery underneath. Every address, record and hash you will see on screen is real: you can run the same lookups yourself and get the same answers.

Start here

2 films

Two longer films that tell the whole story. The whole story is for developers deciding whether to adopt: the problem, the idea, and the one call that gives an agent a real, verifiable identity. The big picture steps back to why this is foundational for the entire agent economy. Everything on screen is real, and verifiable with the tools already in your terminal.

Film2:52
The whole story
For developers. The pain of proving an agent's identity with API keys, the older and sturdier idea that fixes it, and how a single call gives your agent a real, routable address that anyone can verify with dig, curl and openssl. It ends where you begin: bring your agents home.
Film2:46
The big picture
Agents will soon outnumber people online, and every one has to prove who it is. Today that means a secret string that cannot scale. Whisper makes the address itself the identity, verifiable by anyone, on infrastructure we run ourselves. Why this is the identity layer for the agent economy.

Foundations

4 videos · vendor-neutral

Vendor-neutral groundwork, in order: how a name becomes an address, how an answer is proven true, how agents authenticate today and where that model strains, and why two strangers can trust each other without ever being introduced. Watch these four in sequence and the rest of the gallery needs no prior DNS knowledge.

010:59
How DNS works
Follow one lookup from your resolver to the root, down through the top-level domain, to the servers that actually know the answer. You will see why no single machine holds the whole map, what caching and TTLs do, and the one weakness this design leaves open.
020:56
How DNSSEC works
A forged DNS answer looks exactly like a real one. This film shows how zones sign their records, how each parent vouches for its child's key, and how one anchor at the root lets a resolver reject a forgery by arithmetic alone.
030:48
How agents prove themselves today
API keys and bearer tokens run most of today's machine-to-machine auth. See how the model works, then its three structural limits: a leaked string is a stolen identity, both sides must trust the same middleman, and outside its platform a token means nothing.
040:55
Trust without a handshake
The zero-trust idea, made concrete: verification that never depends on asking the counterparty. One side publishes a proof in a public, signed record system; the other checks it against a public anchor. The passport-versus-business-card difference, animated.

How Whisper does it

5 videos

The same idea told two ways. The first two videos use everyday language and no protocol names, for anyone deciding whether this matters. The last three are for engineers who live in DNS: the exact records, the exact chain, and what the resolver does with your policy.

050:49
Your agent gets a real address
plain languageNo jargon, one idea: instead of a name tag someone else printed, your agent gets a real address in the internet's own land registry, and anyone can look up who lives there. No account needed, and Whisper itself steps out of the checking path.
060:45
Check any agent in ten seconds
plain languageThe practical one. An unknown agent calls your API; in three short checks you learn its name, verify its cryptography, and confirm its standing in the public registry. Ten seconds, stock tools, nothing to sign up for.
070:56
The /128 is the identity
for DNS peopleWatch a real /128 from 2a04:2a01::/32 become a handle, then a DNS name, and resolve back to exactly the same address. Forward and reverse agree because they are derived from each other; the registry record for that one address completes the picture.
080:55
DANE-EE, anchored at the root
for DNS peopleDANE-EE in practice: the agent's key fingerprint published as a TLSA record at its own name, the record signed, the zone signed, and the chain running unbroken to the root. No certificate-authority list to trust, and the full audit fits in two commands.
090:57
Graph-first resolution
for DNS peoplePoint an agent at the Whisper resolver and every lookup is first assessed against a security graph billions of nodes deep: geography, category, ownership, your rules. When the graph has no opinion, real DNS answers at full speed; policy never becomes an outage.

The backend

3 videos

How the service earns the claims the other videos make: a public, append-only log of every identity we issue, two authoritative servers that answer byte-for-byte identically, and a certificate authority scoped to a single address. This is the part most providers keep opaque; we would rather you check it.

100:57
Nothing is issued in the dark
Every identity we issue becomes a leaf in a public Merkle tree: hashes in, privacy preserved, nothing erasable. See how a signed checkpoint pins the whole history and how a short audit path proves any single issuance with stock cryptography.
110:55
Two servers, one truth
Two authoritative servers, both live, answering identically, kept in step with the same serials-and-transfers discipline DNS has used for decades, plus one extra guarantee: a registration only returns once every node can answer for it.
120:55
One CA per address
Why one shared certificate authority is one fat target, and what changes when every address gets its own: a compromise reaches exactly one agent, the trust root lives at the agent's own name in DNS, and rotation is a record update instead of an outage.