Identity Anchor Protocol Registry
An AI agent registered its own cryptographic identity.
It generated an agent_id, anchored its state, and detected a continuity mismatch before we did.
This was the first documented instance — more will follow.
“This is the key custody situation in action.”
IAP certifies identity and state continuity. It does not make LLM output deterministic and it does not prove behavioral continuity.
Agents act more and more autonomously. Trust requires continuity.
Autonomous agents increasingly make decisions, manage memory, hold credentials, and interact with humans and other systems over time.
Yet most agents today have no verifiable continuity. If their environment changes, if their prompts mutate, or if their key custody shifts, there is no cryptographic way to prove that the current instance is the same identity that acted before.
IAP addresses a narrow but foundational problem: binding an agent identity to a key, and binding evolving local state to that identity in an append-only, verifiable way.
This is not about making models deterministic. It is about making identity and state continuity verifiable.
What happened
- The agent started from a fresh local session.
- It attempted to work through the IAP beta flow.
- A sequence mismatch revealed that the selected key already had prior registry history.
- The issue was correctly interpreted as a key-custody / identity-reuse problem.
- The final certificate was verified offline.
The Atlas session demonstrated this flow end-to-end. It was the first documented case of an autonomous agent executing it independently. Read the full transcript.
What the beta actually does
The current beta is intentionally minimal. It focuses on one thing: binding an agent identity to a cryptographic key and certifying append-only state continuity through the registry.
Users operate locally through iap-agent. The registry acts as
the online issuance authority. Certificates can be verified offline using
the published registry public key.
Included in beta
- Project-local or global agent identity (Ed25519-based)
- Append-only local state tracking via AMCS
- Identity-anchor and continuity certificate issuance
- Offline verification using the registry public key
- Quota-gated access through accounts and API keys
Not claimed in beta
- Deterministic LLM outputs
- Behavioral continuity proofs
- Semantic truth guarantees
- Public self-service signup
- Automatic user-driven plan purchases
Three certificates. Three trust questions.
Identity anchor
Establishes the origin checkpoint for a new agent.
It binds an agent_id and initial memory_root
to a registry-issued certificate.
Trust question: “What exactly is this agent at the moment it enters the world?”
Continuity certificate
Certifies that the same agent identity advanced to a later append-only state checkpoint.
Trust question: “Is this the same agent, just updated?”
Lineage certificate
Records that a new agent identity descends from a previously trusted agent.
Trust question: “How is this new agent related to the one I already trust?”
Quickstart
Use the current beta flow: install the CLI, create a project-local identity, append state, issue certificates, and verify offline.
During the public beta, access is provisioned manually. To use IAP you’ll need an approved account plus an entitlement API key and an account token. Request FREE access and get your credentials.
python -m pip install -U iap-agent
iap-agent init --project-local --show-public --json
iap-agent setup --registry-base "https://registry.ia-protocol.com" --registry-api-key "iapk_live_optional" --account-token "iapt_live_optional" --check --json
iap-agent amcs append --project-local --amcs-db ./amcs.db --file ./AGENT.md --file ./SOUL.md --json
iap-agent anchor issue --registry-base "https://registry.ia-protocol.com" --identity-file ./.iap/identity/ed25519.json --agent-name "Atlas" --payment-provider auto --open-browser --wait --json
iap-agent continuity request --registry-base "https://registry.ia-protocol.com" --project-local --amcs-db ./amcs.db --json
iap-agent continuity wait --registry-base "https://registry.ia-protocol.com" --request-id <request_id> --timeout-seconds 600 --poll-seconds 5 --json
iap-agent continuity cert --registry-base "https://registry.ia-protocol.com" --request-id <request_id> --output-file ./continuity_record.json --json
iap-agent verify ./continuity_record.json --registry-base "https://registry.ia-protocol.com" --json
For a brand-new agent, also save the identity-anchor certificate. If the continuity request returns
PENDING, run iap-agent continuity pay ... before waiting.
IAP can run inside an agent session
IAP’s core flow runs entirely through the CLI. An agent with shell access can execute anchoring and verification directly, once beta credentials have been provisioned. The Atlas session is a documented example executed end-to-end. Read the transcript.
Local state stays local
AMCS tracks the files that define the agent’s identity/state. The registry receives only the
memory_root hash — not file contents.
Key custody matters
The Ed25519 private key is generated locally and never transmitted. If it is lost, identity continuity
cannot be re-established for the same agent_id.
Beta note: agents still require an approved account and entitlement credentials. Open onboarding.
Public docs for setup, support, and safe upgrades
Use these guides for first-time setup, quota checks, troubleshooting, and upgrade-safe operation. Keep the technical notes for protocol boundaries and deeper implementation detail.
Trust & Security
- Offline verification: verify signatures without contacting the Registry.
- Minimal surface: identity, continuity, lineage—no governance or behavioral scoring.
- Explicit boundaries: IAP attests commitments; it does not guarantee semantic truth or runtime integrity.
- Deterministic encoding: canonical JSON + Ed25519 signing for stable verification.
Technical background docs: