/ Peer-verifiable agent authorization
Authorize your AI. Verify anyone else’s.
Peer-verifiable cryptographic delegation: anyone can verify the bond between an AI agent and the human who authorized it — in under a millisecond, offline, with no vendor in the path. Voice, video, API, and Physical AI.
/ The problem
Every AI agent claims authorization. None can prove it.
What's happening
Agents act, constantly
AI agents are already making phone calls, joining meetings, sending emails, and executing transactions on your behalf — and on behalf of people you do business with. Every agent claims authorization. None can prove it.
What the industry tries
Ask the vendor
The current answer is to bolt a vendor's policy server onto each integration and trust whatever the API returns. That moves the trust from the agent to the vendor — convenient, but the receiving party hasn't verified anything cryptographically. The vendor is now the load-bearing trust anchor.
What you actually need
Math, not a phone call
A signed, peer-verifiable proof that travels with the agent. Anyone can check it in under a millisecond, offline, with the principal's public key. No live API call, no vendor in the loop, no trust delegated to a third party that has to be online and honest.
/ How it works
One protocol. Three verbs.
Ratify is a single primitive applied consistently. Every integration is some subset of Delegate, Present, Verify.
Delegate
A principal signs a certificate naming the authorized agent, granted scopes, and expiry. Private key never leaves the principal's device.
    cert := ratify.Delegate(
        alice.Key,
        scheduler.ID,
        []string{"meeting:attend"},
        7*24*time.Hour,
    )
Present
The agent attaches a proof bundle — the cert plus a fresh signature over a server-issued challenge. Proves the key is live right now.
    bundle := ratify.Present(
        cert,
        agent.Sign(nonce),
    )
Verify
The receiving party runs five deterministic checks: signature, freshness, expiry, revocation, scope. Under a millisecond. Yes or no.
    ok, scope := ratify.Verify(bundle)
    if ok {
        allow(scope)
    }
/ The flow
One signed bundle crosses the room.
A principal signs once. The agent presents on demand. Any third party can verify in under a millisecond — with no shared infrastructure, no live token call, and no trust relationship with the agent ahead of time.
Principal · Alice
Alice signs a DelegationCert binding her agent's public key to a scope, optional geo/time/speed constraints, and an expiry. Private key never leaves Alice's device.
Agent
Agent collects its delegation chain and signs a fresh verifier-issued challenge. Proves the agent's key is live right now — not a replay of an earlier exchange.
Anyone · Verifier
Five deterministic checks: signature (Ed25519 AND ML-DSA-65), freshness, expiry, revocation, scope. Under a millisecond. Offline. No live call to a central authority.
The same primitive works for humans authorizing agents and for agents sub-authorizing other agents — same wire format, same verifier algorithm.
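The five checks from "How it works" and "The flow", as an added sketch that is not Ratify's SDK or wire format. Assumptions: the `Cert`, `Bundle`, `Delegate` and `Verify` names and fields are constructed here, JSON stands in for the canonical encoding, only the Ed25519 half of the hybrid signature is checked, and a nil revocation list models an unavailable one.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
	"slices"
	"time"
)

// Constructed types, not Ratify's wire format: the principal signs Cert, the agent signs the nonce.
type Cert struct {
	ID               string
	Principal, Agent ed25519.PublicKey
	Scopes           []string
	Expiry           time.Time
}
type Bundle struct{ Cert Cert; CertSig, NonceSig []byte }

func Delegate(priv ed25519.PrivateKey, c Cert) []byte {
	msg, _ := json.Marshal(c) // struct field order is fixed, so the bytes are reproducible
	return ed25519.Sign(priv, msg)
}

// Verify returns "" to allow or the first failed check; trusted is the pinned principal key.
func (b Bundle) Verify(trusted ed25519.PublicKey, revoked map[string]bool, nonce []byte, scope string, now time.Time) string {
	msg, _ := json.Marshal(b.Cert)
	switch {
	case !trusted.Equal(b.Cert.Principal) || !ed25519.Verify(trusted, msg, b.CertSig):
		return "signature"
	case len(b.Cert.Agent) != ed25519.PublicKeySize || !ed25519.Verify(b.Cert.Agent, nonce, b.NonceSig):
		return "freshness"
	case !now.Before(b.Cert.Expiry):
		return "expiry"
	case revoked == nil || revoked[b.Cert.ID]:
		return "revocation" // nil means no list is available: fail closed
	case !slices.Contains(b.Cert.Scopes, scope):
		return "scope"
	}
	return ""
}

func main() { // constructed keys, cert ID and nonce
	pub, priv, _ := ed25519.GenerateKey(nil)
	apub, apriv, _ := ed25519.GenerateKey(nil)
	c, nonce := Cert{"cert-1", pub, apub, []string{"meeting:attend"}, time.Now().Add(time.Hour)}, []byte("nonce-1")
	b := Bundle{c, Delegate(priv, c), ed25519.Sign(apriv, nonce)}
	fmt.Printf("%q\n", b.Verify(pub, map[string]bool{}, nonce, "meeting:attend", time.Now()))
}
```

A verifier should issue a random nonce per session; the fixed string here only keeps the sketch short.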
/ Where it runs
Authorization everywhere your agents act.
Ratify is channel-agnostic. The same bundle format works wherever an agent meets a human — or another agent. Software agents today, embodied agents as they arrive.
Ratify Meetings — live
Meetings
An AI agent joining a Zoom meeting presents a Ratify bundle. Our Ratify Meetings verifier checks it at the edge and reports who authorized the agent, what it may do, and how long it has. No detection, no guessing.
v1 spec — shipping
Conversational AI
Voice agents, video avatars, and real-time AI personas present a bundle at session setup. Your gateway verifies and scopes what the agent may transact. Works with SIP, WebRTC, PSTN, and platforms like Bland, Retell, HeyGen, and Tavus.
v1 spec — shipping
Agentic API
An MCP client or A2A agent attaches a bundle to every request. Your API gateway verifies before the agent touches any tool — giving you the same authorization story you already use for humans, now for agents.
v1 spec — shipping
Physical AI
Drones, robots, and infrastructure actuators verify bundles before performing physical actions. On-device verification with geo/time/speed constraints ensures safety and authorization in the real world.
/ Why peer verification
A network call isn’t a proof. Math doesn’t go offline.
The standard model for agent authorization sends every check across the wire: the receiving party asks a vendor’s policy API, and trusts the reply. Convenient — but no one verified anything cryptographically. The receiver has just delegated their trust to a third party they hope is online, honest, and reachable.
Ratify replaces that handshake with a signed, portable proof. Any party — your gateway, an embedded device, a regulator auditing six months later, an agent talking to another agent offline — can verify the bond between the agent and the human who authorized it in under a millisecond, with the principal’s public key, with no vendor in the path.
Cryptographic proof works offline. Policy servers don’t.
Policy server model
- Receiver calls a vendor’s API per check
- Trust anchor = the vendor
- Verification requires connectivity
- Vendor outage = your outage
- Audit = the vendor’s log
- Replay defense = bearer-token expiry
Ratify (peer-verifiable)
- Receiver verifies with the principal’s public key
- Trust anchor = the principal’s signature
- Verification works offline
- No vendor in the path; no SaaS outage exposure
- Audit = hybrid-signed receipts chained by prev_hash
- Replay defense = fresh challenge-response
/ Why not detection
Detection is a losing bet. We should know — we tried it first.
The consumer-facing “is this a real human” market is being commoditized by biometric partnerships like Zoom+World. We built deepfake detection before pivoting to Ratify, so we know the arms race firsthand: synthesis gets cheaper every quarter; detection always ends up chasing.
Ratify takes the opposite position. Stop trying to detect what’s fake. Require every legitimate agent to carry a signed, portable authorization. Everything that lacks one is unauthenticated by definition — not because a model guessed, but because cryptography said so.
Cryptographic authorization works forever, regardless of AI quality.
/ Who it’s for
Built for enterprises deploying agents.
Financial Services
SOX, FINRA, NYDFS demand authorization trails. Voice agents already transact.
Healthcare
HIPAA requires auditable access. AI scribes are in clinical calls today.
Legal
Privilege depends on identity. Counterparties bring AI note-takers.
Enterprise Agent Buyers
Agentforce, Copilot Studio, custom voice agents — compliance won't sign off without an identity story.

/ The protocol
Open protocol. Enterprise infrastructure.
The Ratify Protocol is open and free, forever. Five SDKs under Apache-2.0, the spec under CC-BY-4.0, cross-language byte-identical conformance fixtures, quantum-safe hybrid crypto (Ed25519 + ML-DSA-65). The verifier algorithm lives in the protocol, not on our servers — you can run a verifier in production today with no commercial relationship and no live call back to Identities AI.
On top of the protocol we sell Ratify Verify in four motions: a managed verifier with hosted Policy Studio and push revocation, a compliance-grade signed-receipt audit chain, and a licensed self-hosted control plane for sovereign deployments. You never pay to use the protocol — you pay for the infrastructure that makes it defensible at scale. Verify is in private alpha; the waitlist is open.
/ Enterprise-ready
Answers to the questions procurement will ask.
Boring but essential. Deployment shape, revocation, audit retention, key custody, compliance mapping — sourced from the protocol spec and the Verify product docs, not marketing.
Deployment
Sold in four motions. Open Protocol (Apache-2.0 SDKs + CC-BY-4.0 spec, free forever). Verify Operational (managed verifier, hosted Policy Studio, push revocation — $0.002/verification; personal workspaces start with $50 in alpha credits, no monthly minimum). Verify Trust (compliance-grade audit chain, annual contract, from $30K/yr). Verify Sovereign (licensed self-hosted control plane, no phone-home, customer-owned root keys — from $50K/yr). Pre-built adapters for Meetings, Conversational AI (voice + video), Agentic API (MCP / A2A), and Physical AI.
Revocation
Signed revocation lists issued by the principal — only the principal's private key can mint them. Verifiers fail-closed on sustained unavailability (`revocation_unavailable`). Recommended TTLs: 30–60s for Meetings / Conversational AI / Agentic API, 5 min for Physical AI. Verify Operational adds push-based propagation to connected verifiers (designed for <100ms; architecture per SPEC §17.1). Always per-cert; no `revoke everything from Alice` button.
Audit
Verify Operational: 30-day searchable audit retention with webhook outputs into your SIEM. Verify Trust: 90-day standard, optional 365-day for regulated workloads. Every verify decision can produce a hybrid-signed `VerificationReceipt` chained by `prev_hash` — tamper-evident by construction, downloadable as a SOC2/ISO evidence bundle. Open SDK also exposes the receipt primitive if you want to roll your own archive.
Crypto posture
Every signature is hybrid Ed25519 + ML-DSA-65 (NIST FIPS 204). Both components must verify. Bundles signed today remain unforgeable when a cryptographically-relevant quantum computer exists — that's the harvest-now-decrypt-later defense. JSON wire format. Open spec under CC-BY-4.0. 59 canonical conformance fixtures regenerate byte-identical across Go, TypeScript, Python, and Rust on every CI run.
Key custody
Three modes, documented and supported. Self-custody — the user's private key never leaves the device; strongest threat model. Custodial — Verify generates and stores the key under envelope encryption (AES-256-GCM data key wrapped by Cloud KMS); convenient default for enterprise SaaS. Self-custody upgrade — migrate from custodial to device-held without losing identity, via a `KeyRotationStatement` double-signed by both old and new keys.
Compliance
Designed for SOC 2 / ISO 27001 (in progress). Verify Trust adds contractual data-residency commitments (US / EU / Switzerland), a custom DPA, sub-processor list, and SAML/SSO for the Studio. Audit fields pre-mapped for SOX, FINRA, NYDFS 500.11, HIPAA 164.312(a)(2), and EU AI Act Art. 14. Verify Sovereign for FedRAMP-style isolation and air-gapped deployments.
Every claim above traces to either the open protocol spec or the Verify product documentation. For the audit-control mappings, the threat model, and the hybrid-signature security argument, email security@identities.ai.
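The `prev_hash` chaining described under Audit, as an added sketch that is not the `VerificationReceipt` format from the spec. Assumptions: the `Receipt` fields, SHA-256 over JSON, and a `head` hash recorded out of band are constructed here, and the per-receipt hybrid signature is left out.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Receipt is constructed for this sketch; the real receipt fields and signature are not shown.
type Receipt struct {
	CertID   string `json:"cert_id"`
	Decision string `json:"decision"`
	PrevHash string `json:"prev_hash"` // hash of the previous receipt, "" for the first
}

func Hash(r Receipt) string {
	b, _ := json.Marshal(r)
	return fmt.Sprintf("%x", sha256.Sum256(b))
}

func Append(log []Receipt, certID, decision string) []Receipt {
	prev := ""
	if len(log) > 0 {
		prev = Hash(log[len(log)-1])
	}
	return append(log, Receipt{certID, decision, prev})
}

// FirstBreak returns the index where the chain stops matching (len(log) if only head differs), or -1.
func FirstBreak(log []Receipt, head string) int {
	prev := ""
	for i, r := range log {
		if r.PrevHash != prev {
			return i
		}
		prev = Hash(r)
	}
	if prev != head {
		return len(log) // last receipt edited, or the log was truncated
	}
	return -1
}

func main() {
	log := Append(Append(nil, "cert-1", "allow"), "cert-2", "deny") // constructed receipts
	head := Hash(log[1])
	log[0].Decision = "deny" // edit an archived receipt
	fmt.Println(FirstBreak(log, head))
}
```

An edit to receipt i surfaces at receipt i+1, so the newest receipt is only protected by the separately stored head hash (or, in a signed chain, by its signature).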
/ Get started
Ready to stop trusting AI and start verifying it?
We are currently in private alpha, working with select design partners to establish the delegated-authority proof layer for AI-agent workflows.
Enterprises
Secure your agent interactions across voice, video, and API.
Platforms
Provide verifiable identity to every agent on your platform.

