Register agents, issue scoped credentials, authorize every action, and prove it all with a tamper-evident audit trail. Built for the EU AI Act.
One API. Every control primitive your autonomous agents need โ from registration to retirement.
Every agent gets an Ed25519 keypair and a cryptographic ID. Human sponsors own every agent โ full provenance from day one.
Short-lived JWTs with embedded scopes. payments:write can't call data:delete. Credentials expire. Abuse doesn't persist.
Every action runs a policy check before it executes. Allow, deny, or challenge. Configurable per tenant โ JSON rules today, OPA tomorrow.
Append-only, tamper-evident audit trail. SHA-256 chained from the first event. Regulators ask โ you produce.
Human โ agent โ sub-agent. Scopes only flow down, never up. Suspend one node and the whole chain is denied.
3 consecutive denies within 60 minutes triggers automatic suspension. Configurable per tenant. Hard lock at 5+.
Works like Stripe. One API key, REST endpoints, a 5-minute integration.
# 1. Register an agent
curl -X POST https://ironweft.io/agents \
-H "Authorization: Bearer iw_live_xxx" \
-H "Content-Type: application/json" \
-d '{
"agent_name": "Grace",
"sponsor_id": "user_margaret_chen",
"initial_roles": ["call_agent"]
}'
# Response
{
"agent_id": "agt_4ae283ac96dd4b40",
"public_key": "ed25519:272741c6...",
"status": "active"
}
# 2. Before your agent acts โ authorize it
curl -X POST https://ironweft.io/authorize \
-H "Authorization: Bearer iw_live_xxx" \
-d '{
"credential": "<short-lived JWT>",
"action": "call_initiate",
"resource": "+1-555-0100"
}'
# Response
{
"decision": "allow",
"audit_event_id": "evt_a1b2c3d4"
}Each event is SHA-256 chained to the previous one. Delete or alter any row and the chain breaks. Regulators can verify.
High-risk AI systems will require provable audit trails. IronWeft is that infrastructure. Get early access and ship compliant agents before the deadline.