Your agents are authorized, scoped, and every action is in an auditable hash-chained log. Flip agents from liability to asset — built to withstand the EU AI Act.
One API. Every control your autonomous agents need — from registration to retirement.
Every agent gets an Ed25519 keypair and a cryptographic ID. Full provenance — every action traceable back to a human sponsor, always.
Short-lived JWTs with embedded scopes. payments:write can't call data:delete. Credentials expire. Stolen keys go stale before they can be used.
Every action runs a policy check before it executes. Allow, deny, or challenge. Configurable per tenant — JSON rules today, OPA tomorrow.
Append-only, tamper-evident audit trail. SHA-256 chained from the first event. Regulators ask — you produce.
Human → agent → sub-agent. Scopes only flow down, never up. Suspend one node and the whole chain is denied.
3 consecutive denies within 60 minutes trigger automatic suspension. Configurable per tenant. Hard lock at 5+.
Even a leaked API key is useless from an unauthorized IP. Lock your integration to specific CIDRs — tenant self-serve, CIDR-aware, no support ticket needed.
Your agents can't go rogue without you knowing immediately. Instant notification on every deny, challenge, suspend, or retire event — 3 retries, exponential backoff.
Every action records who triggered it — a user, a script, or another agent. Full attribution across your entire integration, immutably hash-chained. Enforce it tenant-wide.
Risk tier classification built in at registration — not bolted on. High-risk domains flagged, prohibited uses blocked at the gate. Compliance evidence on demand.
You can. That's credential lifecycle management.
An agent initiates a $2,400 transfer at 3am. Your ops team investigates.
Same scenario. Pull the audit trail. Answers in seconds.
An agent queries patient records for 847 individuals during a routine workflow run.
Same query. Pull the audit trail. HIPAA evidence ready in seconds.
An agent sends 3,200 promotional emails on behalf of your sales team.
Same send. Pull the audit trail. GDPR evidence exportable on demand.
Works like Stripe. One API key, REST endpoints, a 5-minute integration.
# 1. Register an agent
curl -X POST https://ironweft.io/agents \
-H "Authorization: Bearer iw_live_xxx" \
-H "Content-Type: application/json" \
-d '{
"agent_name": "Grace",
"sponsor_id": "user_margaret_chen",
"initial_roles": ["call_agent"]
}'
# Response
{
"agent_id": "agt_4ae283ac96dd4b40",
"public_key": "ed25519:272741c6...",
"status": "active"
}
# 2. Before your agent acts — authorize it
curl -X POST https://ironweft.io/authorize \
-H "Authorization: Bearer iw_live_xxx" \
-d '{
"credential": "<short-lived JWT>",
"action": "call_initiate",
"resource": "+1-555-0100"
}'
# Response
{
"decision": "allow",
"audit_event_id": "evt_a1b2c3d4"
}
Provenance on demand. Each event is SHA-256 chained to the previous one — delete or alter any row and the chain breaks. Regulators ask, you produce.
Raw HTTP or SDK — your choice. All three are open source, zero external dependencies, and wrap the same REST API.
pip install ironweft
Decorator pattern, typed exceptions, httpx-based. One dependency.
github.com/ironweft/ironweft-python →npm install ironweft
Zero runtime dependencies, native fetch, full TypeScript types. Node 18+.
github.com/ironweft/ironweft-node →go get github.com/ironweft/ironweft-go
Standard library only, context-aware, idiomatic error types. Zero external deps.
github.com/ironweft/ironweft-go →Pay per authorization. Nothing more. Scale from prototype to production without repricing.
First 10 teams lock in founding rates forever — no rate hikes, no plan changes. Growth at $49/mo + $0.003/auth, or Pro at $199/mo + $0.002/auth. Standard pricing takes over when slots fill.
10 of 10 founding slots remaining Standard: Growth → $99/mo · Pro → $299/mo.EverHomeCall delivers scheduled AI-powered calls to people who benefit from regular check-ins — seniors, independent living, injury recovery, and remote caregivers. Every call is authorized through IronWeft before it reaches a recipient's phone. Zero unauthorized calls by design. Full audit trail on every decision.
Read the integration story →Controls and audit evidence your legal, security, and compliance teams can act on — without asking engineering to build it from scratch.
Every agent action is SHA-256 chained to the previous event. Modify or delete any record and the chain breaks — cryptographic proof of what happened and when.
Agents receive JWT credentials scoped to specific permissions with configurable TTLs. No agent can act outside its granted scope, even if compromised.
Declare what agents are allowed to do in code. Every action is evaluated at runtime — no policy match, no action. Policies are versioned and auditable.
IP allowlisting, API key rotation, and webhook alerts on every security event — deny, suspend, retire. No custom access-control code required.
Pull your full audit trail via API at any time. Every event includes agent ID, action, outcome, timestamp, and chain hash in JSON or CSV.
IronWeft never uses your agent data, actions, or audit events to train models. Your operational data stays operational.
Compliance review? forged@ironweft.io — we respond within 1 business day.
The EU AI Act requires provable audit trails for high-risk AI systems. IronWeft is that infrastructure — integrate now, prove compliance on demand.