Quickstart
Set up IAP beta and create your first verified certificate
This path is for a fresh beta install. You will install iap-agent, create a project-local
identity, connect to the registry, append local state into AMCS, issue certificates, and verify the
result offline.
Need beta access?
If you are ready to test IAP with a real agent, request onboarding and include a short description of your expected volume (number of agents and continuity frequency).
1. Install the package
python3 -m venv .venv
source .venv/bin/activate
python -m pip install -U pip
python -m pip install -U iap-agent
2. Create a project-local identity
This creates a fresh local Ed25519 identity for the current project and avoids accidentally reusing a global identity from another workspace.
iap-agent init --project-local --show-public --json
3. Connect to the registry
If the operator sent you a handoff command, run that exact command. A typical setup command looks like this:
iap-agent setup --registry-base "https://registry.ia-protocol.com" --registry-api-key "iapk_live_optional" --account-token "iapt_live_optional" --check --json
4. Append local state into AMCS
AMCS is the local append-only state store. Append the files you want reflected in certifiable state.
iap-agent amcs append --project-local --amcs-db ./amcs.db --file ./AGENT.md --file ./SOUL.md --json
iap-agent amcs root --project-local --amcs-db ./amcs.db --json
5. Issue the identity anchor for a new agent
The identity anchor binds your agent_id to your local key. For a brand-new agent, issue this
first.
iap-agent anchor issue --registry-base "https://registry.ia-protocol.com" --identity-file ./.iap/identity/ed25519.json --agent-name "Atlas" --payment-provider auto --open-browser --wait --json
iap-agent anchor cert --registry-base "https://registry.ia-protocol.com" --request-id <request_id> --output-file ./identity_anchor.json --json
6. Issue a continuity certificate
After local state is in AMCS, request continuity certification for the latest
memory_root/sequence.
iap-agent continuity request --registry-base "https://registry.ia-protocol.com" --project-local --amcs-db ./amcs.db --json
iap-agent continuity pay --registry-base "https://registry.ia-protocol.com" --request-id <request_id> --payment-provider auto --open-browser --json
iap-agent continuity wait --registry-base "https://registry.ia-protocol.com" --request-id <request_id> --timeout-seconds 600 --poll-seconds 5 --json
iap-agent continuity cert --registry-base "https://registry.ia-protocol.com" --request-id <request_id> --output-file ./continuity_record.json --json
7. Verify the certificate offline
In basic mode, the CLI can fetch the registry public key from the configured registry. For strict continuity verification, provide a pinned registry key and the saved identity anchor.
iap-agent verify ./continuity_record.json --registry-base "https://registry.ia-protocol.com" --json
iap-agent verify ./continuity_record.json --profile strict --registry-public-key-b64 <REGISTRY_PUBLIC_KEY_B64> --identity-anchor ./identity_anchor.json --json
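One way to gate a pipeline on the strict verification above, as an added example that is not part of the iap-agent project: it builds the step 7 strict command and accepts only the `{"ok": true, "reason": "ok"}` result. It assumes the CLI exits 0 on success and prints a single JSON document on stdout with --json; the function names and gate.py are hypothetical.

```python
import base64
import binascii
import json
import subprocess
import sys


def strict_verify_argv(cert_path, pinned_key_b64, anchor_path):
    """Build the strict-profile command from step 7, refusing an unusable pin."""
    try:
        key = base64.b64decode(pinned_key_b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("pinned registry key is not valid base64") from exc
    if not key:
        raise ValueError("pinned registry key is empty")
    return ["iap-agent", "verify", cert_path, "--profile", "strict",
            "--registry-public-key-b64", pinned_key_b64,
            "--identity-anchor", anchor_path, "--json"]


def verdict(returncode, stdout):
    """Fail closed: accept only exit 0 plus exactly ok == true and reason == "ok"."""
    # Assumption (not stated on the page): a successful verify exits 0.
    if returncode != 0:
        return False, f"verifier exited with {returncode}"
    try:
        result = json.loads(stdout)
    except json.JSONDecodeError:
        return False, "verifier output is not JSON"
    if not isinstance(result, dict):
        return False, "verifier output is not a JSON object"
    # `is True` rejects truthy stand-ins such as the strings "true" or "false".
    if result.get("ok") is not True or result.get("reason") != "ok":
        return False, f"verification failed: {result.get('reason')!r}"
    return True, "ok"


def main(argv):
    if len(argv) != 4:
        sys.exit("usage: gate.py CERT PINNED_KEY_B64 ANCHOR")
    cmd = strict_verify_argv(argv[1], argv[2], argv[3])
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    accepted, why = verdict(proc.returncode, proc.stdout)
    print(why)
    return 0 if accepted else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Keep the pinned key in the pipeline's own configuration rather than fetching it at verification time, so the check does not depend on the registry being reachable or unmodified.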
What success looks like
- A project-local identity exists under ./.iap/identity/....
- iap-agent registry check --json reports registry_reachable: true.
- iap-agent continuity cert writes a certificate bundle to disk.
- iap-agent verify returns {"ok": true, "reason": "ok"}.
Next steps
Need the full flow?
Use the full user manual for setup, quota checks, identity anchors, continuity, and troubleshooting.
Need help?
Use the troubleshooting page for setup failures, invalid credentials, and sequence mismatches.
Want the action-provenance demo?
Use the offline Isnad walkthrough to see local action logging, receipts, and tamper detection.