Open protocol · Apache-2.0 · CC-BY-4.0 spec
Ratify Protocol
An open cryptographic standard that proves — to any third party, offline, in under a millisecond — that an AI agent was authorized by a specific principal, is acting within a defined scope, and has not exceeded its expiration.
No central authority consulted at verify time. No vendor lock-in. Every signature is hybrid Ed25519 + ML-DSA-65 (NIST FIPS 204) — quantum-safe today. The same proof format works in a Zoom call, a phone agent, an API request, and a drone.
/ How it works
Three verbs. One proof.
The entire protocol collapses to three operations. Every surface below uses exactly the same primitive.
DELEGATE PRESENT VERIFY
──────── ─────── ──────
Principal signs a Presenter (agent) Any third party
DelegationCert naming carries the cert and runs the verifier.
the subject, scopes, signs a fresh challenge Ed25519 + ML-DSA-65
constraints, and on every interaction. both must verify.
expiration. Proves the key is live
right now — not replayed. Result: YES / NO
Human → Agent OR in < 1ms.
Agent → Agent. No live call to No trust in the
a central server. presenter required./ Surfaces
One protocol. Every surface where agents act.
The same DelegationCert and ProofBundle work wherever an agent meets a human or another agent. The adapter layer is a thin shim — the cryptographic core is identical.
How verification actually works: verification happens at the infrastructure layer — your API gateway, your meeting webhook processor, your embedded firmware — not by the human on the other end of the call or request. Think DKIM on email: the recipient doesn't manually verify the signature, but their mail server does, and that check is what makes the system trustworthy. Ratify is the same pattern for AI agent calls. Integration is required. The SDK handles the cryptography; you wire it to your policy enforcement point.
Conversational AI
Voice agents · Video avatars · SIP / WebRTC / PSTN
AI voice and video agents making calls on behalf of humans. The question regulators, enterprise buyers, and compliance teams are starting to ask is not just "was this an AI?" but "who authorized it, what was it permitted to say, and can you prove that in writing?"
When you integrate Ratify into your voice platform, your system checks a signed DelegationCert before placing each call session. If no valid cert exists — or the requested action is outside the cert's scope — the call doesn't go out. The cert is the pre-call authorization record. Designed for platforms like Bland, Retell, ElevenLabs, Vapi, HeyGen, and Tavus — and any SIP or WebRTC gateway.
┌──────────────────────────────────────────────────────────────────┐
│ DelegationCert on a voice agent call │
│ │
│ issuer: sarah.kim@acme-insurance.com (licensed agent #4567) │
│ subject: VoiceBot-prod-7F2A (Bland platform key) │
│ scope: ["quote:auto", "quote:home"] │
│ NOT scope: ["bind:coverage", "collect:payment"] │
│ expires: 2026-05-19T18:00:00Z (end of business today) │
│ signature: Ed25519 + ML-DSA-65 ✓ │
└──────────────────────────────────────────────────────────────────┘
│
│ Agent presents bundle at session start
▼
┌───────────────────────┐
│ Ratify Verifier │
│ │
│ ✓ signature valid │
│ ✓ not expired │
│ ✓ not replayed │
│ ✓ cert not revoked │
│ ✓ scope: auto+home │
│ │
│ → ALLOW call │
└───────────────────────┘Insurance voice AI
State insurance regulators require that AI acting on behalf of licensed agents stays within the agent's authorized scope. Today, agencies prove this with call logs and attestations — documents that can be questioned after the fact. With Ratify, before your platform places the call, it checks a DelegationCert the licensed agent signed: permitted to discuss auto and home quotes, not permitted to bind coverage or collect payment. If the cert is missing or expired, the call doesn't go out. If a regulator or the agency's E&O insurer (professional liability coverage) later asks 'show me the authorization record for this call,' the cert chain is the answer — signed by the agent's key before the call happened, not written by the same system that placed it.
Financial services — advice vs. information
Regulations like MiFID II draw a hard line between 'providing fund information' and 'giving personalized investment advice.' An AI that crosses that line creates regulatory exposure. Ratify lets you scope a cert to information-only, and your platform checks that boundary before each session. It doesn't make your platform MiFID II compliant by itself — compliance requires much more — but it gives your compliance team a signed, machine-readable record of what scope the AI was authorized to operate within on each call.
Healthcare intake
An AI calling patients before appointments to collect symptoms and insurance information. Your platform issues a DelegationCert scoped to intake questions only — no diagnoses, no clinical guidance. Before each call, your system checks the cert. When your compliance team or a HIPAA auditor reviews a flagged call, the cert is the pre-call authorization record. It doesn't replace your HIPAA compliance program, but it adds a layer of cryptographic evidence that the AI was constrained before it acted.
Sales AI — what it can and can't commit to
An AI SDR makes outbound calls on behalf of sales reps. The rep's signed cert says: can qualify leads and book demo calls, cannot discuss pricing or make commitments. Your platform checks this before dialing. If a prospect later disputes what the AI promised, your cert shows what the AI was authorized to say — before the call started, not after the incident.
Physical AI
Drones · Robots · Autonomous vehicles · Infrastructure actuators
Embodied AI systems operating in the physical world have stakes that software agents don't. A software agent that exceeds its scope corrupts data. A drone that exceeds its scope crosses a flight restriction, drops cargo in the wrong location, or injures someone. The authorization record needs to exist before the action, be independently verifiable, and survive a post-incident investigation.
Ratify DelegationCerts carry first-class geo, altitude, speed, time, and payload constraints. When you integrate the C/C++ SDK into your firmware, your command processing loop calls verify()before executing each action — checking the cert's constraints against the requested operation. The verifier is stateless, under 1ms, and requires no network call. Certs can be bound to Secure Elements, TPMs, or TEEs on the device so authorization is tied to the physical hardware, not software that can be copied.
┌─────────────────────────────────────────────────────────────────┐
│ DelegationCert — delivery drone │
│ │
│ issuer: AcmeCourier warehouse operator │
│ subject: Drone-7 (SE hardware key: 4A:F2:91:C3...) │
│ scope: ["delivery:carry", "delivery:fly"] │
│ geo: 37.4219°N 122.0840°W ± 2.0 km │
│ altitude: < 120 m AGL │
│ speed: < 35 km/h │
│ payload: < 2.5 kg │
│ expires: 2026-05-19T18:00:00Z │
│ signature: Ed25519 + ML-DSA-65 ✓ │
└─────────────────────────────────────────────────────────────────┘
│
┌─────────────────┼──────────────────┐
▼ ▼ ▼
At takeoff Mid-flight Near delivery
────────── ────────── ─────────────
verify cert geo check altitude check
✓ ALLOW ✗ BLOCK ✓ ALLOW
(out of zone)
→ RTBDelivery drones
Before each flight, the warehouse operator issues a DelegationCert to the drone: authorized delivery zone (geo-circle), altitude ceiling, speed limit, maximum payload. Your flight control software calls verify() before processing each waypoint command. If the requested waypoint is outside the cert's geo-circle — wind drift, GPS error, rerouting — verify() returns false. What your software does with that is your decision: hover, return-to-base, alert the operator. The cert is the record that the constraint existed before the flight, not a log written by the same system that flew the drone.
Factory robots and assembly lines
A robotic arm carries a cert: authorized for zone A3, part weight under 15kg, shift hours only. Before executing each movement command, your control software checks the cert's zone and time constraints against the target coordinates and current time. If a command would move the arm into zone B4 — which isn't in the cert — verify() returns false and the command is rejected before it reaches the actuator. After a workplace incident, your insurer and safety regulator can see the cert that defined the robot's authorized operating envelope — signed by the plant operator, predating the incident.
Autonomous vehicles — delegated access
A vehicle owner signs a DelegationCert for a specific use: authorized within a geo-boundary, speed ceiling, time window. The vehicle's onboard verifier checks the cert before executing navigation commands. This doesn't require cloud connectivity — the cert travels with the vehicle. No automaker is shipping Ratify today, but as shared fleets and AI chauffeur services arrive, 'who authorized this vehicle to be here, doing this, right now' will need a better answer than a booking record.
Industrial control systems
A grid operator opens a maintenance window: certs issued to specific actuators, authorized to switch specific breakers, during the 02:00–04:00 window only. At 04:01, the certs are expired and verify() returns false for any switching command. The cert chain is the authorization record for the maintenance window — signed by the operator before the window opened, not reconstructed from system logs after the fact. Industrial control vendors building on Ratify get a standardized authorization layer that their enterprise customers' security teams can audit.
Why C/C++ matters here
Physical AI devices — drones, robots, embedded controllers — run firmware on bare metal or RTOS, not a Node or Python runtime. The Ratify C SDK (libratify_c) is a static library with a C-ABI interface, built from the same Rust core that powers the other SDKs and validated against the same 59 conformance fixtures. No standard library dependency. no_std + alloc compatible. Same byte-for-byte wire format as Go, TypeScript, Python, and Rust.
Meetings
Zoom · Microsoft Teams · Google Meet
AI meeting bots — note-takers, transcribers, AI sales assistants, AI board observers — join video calls on behalf of humans. Zoom, Teams, and Google Meet have already started restricting unknown bots. The question enterprises are now asking is: not just “is this bot allowed in the meeting?” but “who authorized it, what is it permitted to observe or do, and is that in writing?” When you integrate Ratify, your meeting webhook processor answers that question machine-to-machine — before the bot can see or hear anything.
AI bot joins call
│
│ presents ProofBundle via webhook
▼
┌──────────────────────┐ ┌─────────────────────────────────────┐
│ Zoom / Teams / Meet │──────▶│ Ratify Meetings verifier │
│ webhook fires │ │ │
└──────────────────────┘ │ cert: authorized by [CFO name] │
│ scope: observe, transcribe │
│ NOT scope: respond, vote │
│ expires: when meeting ends │
│ │
│ → ALLOW or BLOCK │
└─────────────────────────────────────┘AI notetakers
Companies like Otter.ai, Fathom, and Fireflies send bots to meetings. Enterprise IT teams are increasingly blocking these because there's no standard way to verify who authorized the bot or what it's allowed to do. When you integrate Ratify into your notetaker platform, each bot joins with a DelegationCert: signed by the meeting host, scoped to observe and transcribe only, expires when the meeting ends. Your Ratify Meetings integration checks the cert via webhook before the bot gains access. Enterprises that manage their own Ratify deployment can set policy: only bots with valid certs from authorized staff get in.
AI in client-facing sales calls
A sales AI joins calls to assist reps. The account executive signs a cert: observe and take notes, don't speak or make commitments. When the call recording is later reviewed — by the client, by a compliance team, by legal — the cert shows what the AI was authorized to do, pre-call, in a form that can't be edited after the fact. This isn't widely required today. It will be.
Regulated industry calls
Legal depositions, medical consultations, and financial advisory sessions increasingly involve AI tools. In many jurisdictions, AI participation must be disclosed. A Ratify cert is a stronger disclosure than a consent banner: it's signed, timestamped, scoped, and attached to the session record. Your platform builds the compliance story once; every session inherits it.
Agentic API
MCP · A2A · REST · gRPC · Custom protocols
AI agents making programmatic calls — to databases, payment APIs, code execution environments, or other agents. OAuth tokens prove that an account is authenticated. They don't prove that the specific human who owns the account knowingly authorized this specific agent to make this specific call with these specific permissions. Ratify fills that gap: a DelegationCert is a signed statement from the human to the agent, specifying exactly what it's permitted to do. Your API gateway checks it before executing.
AI agent (LangChain, AutoGen, OpenAI Agents, Cursor...)
│
│ attaches ProofBundle to each request
▼
┌──────────────────────────────┐
│ API gateway / MCP server │
│ │
│ runs Ratify verifier: │
│ ✓ authorized by [user] │
│ ✓ scope covers this tool │──▶ ALLOW: execute
│ ✓ not expired │
│ ✓ cert not revoked │──▶ BLOCK: 403 + reason
│ │
└──────────────────────────────┘Production data access
An AI coding assistant or automation agent needs read access to production analytics. The developer signs a cert: read-only, specific table prefix, 1-hour expiry. Your API gateway — with the Ratify verifier integrated — checks the cert before passing the query through. Writes and out-of-scope table access return 403. The gate is at the API layer, not inside the agent's code where it can be bypassed or manipulated.
Financial operations
An AI agent handles invoicing: authorized to query balances and create draft invoices, not authorized to initiate transfers. Your payment API gateway checks the cert scope. If the agent is compromised — through a prompt injection attack or a bad model output — and attempts a transfer, the cert scope rejects it before it touches the payment rail. The human never authorized transfers; the cert proves it.
Agent-to-agent delegation
An orchestrator agent decomposes a task and delegates subtasks to specialized sub-agents. Each delegation is a cert: the sub-agent is authorized for exactly the tools its subtask needs, nothing more. When the sub-agent makes an API call, your gateway checks the cert chain — orchestrator authorized by the human, sub-agent authorized by the orchestrator, scope constrained at each level. Prompt injection that tricks the sub-agent into requesting out-of-scope access hits the cert boundary at the API layer.
/ SDKs
Five implementations. One spec. Byte-for-byte identical.
59 canonical conformance fixtures. A Go-issued cert verifies in TypeScript. A Python-issued cert verifies in Rust and in C on embedded hardware. Every SDK is validated against the same test vectors.
/ Attribution
Display the verification badge
When your product shows a verification result to an end user, display one of these badges. It makes the trust claim inspectable — users can follow it to the open spec rather than taking your marketing copy at face value.
A request, not a license condition. Apache 2.0 governs the code. Full usage guidelines →
HTML embed
<a href="https://identities.ai/protocol">
<img
src="https://identities.ai/badges/badge-verified-dark.svg"
alt="Verified by Ratify Protocol"
width="260" height="48"
/>
</a>