Store your API keys via a sandboxed iframe. Your key streams directly into an encrypted vault — neither your agent nor our servers can read it.
Every API call flows through our secure proxy. The agent is verified against its public EAS record to assure it is still authorized to operate and not killed. The proxy worker injects the key. The upstream service responds directly.
AgentID + Token + Proxy URL
verify token · check EAS · enforce scope
key injected, never exposed
50+ providers — LLMs, actions, tools
# .env — that's your entire integration AGENTROOT_AGENT_ID=eas:0x8a1f…c3d7 # on-chain attestation (Base) AGENTROOT_TOKEN=eyJhbGci… # live until you revoke the attestation AGENTROOT_PROXY=https://proxy.agentroot.app # your provider keys live in AgentRoot, never on the agent box XAI_API_KEY=vault:xai/grok-prod X_BEARER_TOKEN=vault:x/agent_x_001 # the proxy checks the EAS attestation on every request. tap kill # in 3AM and every subsequent call returns 403 within one block. # no rotation, no expiry — the kill IS the rotation.
A Surrogate acts as you. A Principal acts as itself. Pick the right shape for each job — the class is set when you mint and is fixed for the agent's life.
Acts on your behalf — proxies your identity and your keys.
True autonomous identity — acting as itself — but controlled by only you.
All agents are registered onchain at EAS — public reputation and authorization. Spend is the visible dimension — but not the only one. Six categories, one root attestation. Every external action is classified, gated, attested, and revocable.
LLM tokens, API fees, x402 micropayments, gas.
Messages sent, emails fired, posts published.
Database mutations, CRM changes, file writes.
Onchain signings, multisig votes, bridges.
New agents, sub-agents, keys, resources.
DELETE, purge, drop, unsubscribe-all.
Model-agnostic. Framework-neutral. Control-first architecture.
Start with one free Surrogate Agent, ten API slots, and the full kill switch.
AgentRoot is sovereign, action-level agentic control. Onchain EAS attestations anchor your agent's identity. A proxy gateway custodies, injects, and revokes API credentials. Every external action is classified, gated, attested, and revocable — one call at a time.
A Surrogate acts as you — it proxies your identity and your keys, with isolation, governance, and the kill switch over your assets. It's the recommended default and needs no identity of its own.
A Principal acts as itself — its own keys, onchain authority, and wallet, for an agent that holds, pays, and is accountable under its own name. You choose the class when you mint the agent, and it's fixed for the agent's life. Either way, ownership and the kill switch stay with you.
A Principal Agent can. It transacts from its own wallet (x402) and earns reputation on ERC-8004 — like a seller rating on eBay or a track record on social, but portable and onchain. Because ReMint preserves the agent's keys and agent_id, that reputation carries across the Kill/ReMint cycle rather than resetting. (Surrogate agents act under your identity and don't accrue their own onchain reputation.)
AgentRoot is anchored to Ethereum via EAS. During beta, identities and revocations are attested on Base Sepolia testnet — free, instant, no gas. At V1 launch we flip to Base mainnet (Ethereum L2). Your agent_id stays the same across the switch; only the underlying attestation chain changes.
Your agent sends each request to the proxy with one bearer credential — its AGENTROOT_TOKEN. The proxy verifies the token, the secure worker checks the agent's EAS attestation and freeze status on every call, then the upstream key is pulled from HashiCorp Vault, injected, and the response forwarded. No private key ever leaves Vault. The token is long-lived, not time-limited — you stop an agent by Freezing or Killing it (enforced on every request), not by waiting for a token to expire.
API keys and the P-256 signing key live exclusively in HashiCorp Vault. Your agent never holds a private key — it carries only a long-lived bearer token, checked against the agent's live status on every call, so access is cut the instant you Freeze or Kill it. AES-256-GCM at rest via Vault Transit. Dashboard never sees plaintext. Full audit log on every operation.
At V1, connecting Google gives you sign-in and file-scoped Drive through one OAuth grant, plus agent email over an app password (IMAP/SMTP) — no Cloud Console project of your own. Broader Gmail send/read, Calendar, and Sheets come online as we complete Google's scope verification. You connect Google once; AgentRoot custodies the grant in Vault and the agent never holds it.
Mint · Freeze · Kill · ReMint. Mint creates the onchain EAS attestation. Freeze pauses every API the agent reaches (reversible, one-click). Kill is two-phase — an immediate freeze (the proxy denies the agent's very next call, sub-second, no wait on the chain), then an onchain revocation that confirms in the next few blocks as the permanent, anyone-can-verify proof its onchain authority is gone. ReMint brings the agent back under the same agent_id with a new attestation — keys, bindings, and lineage preserved.
Activate · Freeze · Delete. Plus Rename and Rotate on the Keys page. Freeze returns 403 on every call until you re-enable — cascades to every agent bound to that key. Delete purges the Vault ciphertext permanently.
Agents have a half-life. When one fails, you Kill it onchain and ReMint — new EAS attestation, same agent_id, same keys, same lineage. For a Principal Agent, the ERC-8004 reputation it has earned — its agentic karma — carries forward too: the agent's track record survives the Kill/ReMint cycle instead of resetting. The uid_lineage chain records every incarnation onchain.
You, in real time, on the dashboard. Or a reviewer agent you authorize — every proxy call is structured and queryable via a read-only endpoint. Third-party audit is one API call away.
No — you can start managed. Sign up with email, Google, or GitHub, and AgentRoot's ops wallet handles onchain attestation on your behalf. You can Mint, Freeze, Kill, and ReMint entirely from the dashboard.
When you want the full sovereign kill switch — where your wallet holds the revocation authority, completely outside AgentRoot — connect a wallet and claim sovereignty in one click. Your agent_id stays the same. Keys, bindings, and uid_lineage carry forward. From that moment on, no one (including us) can revoke your agent without your signature.
No — not by default. AgentRoot runs most agents in managed mode: we handle every onchain gas fee for Mint, ReMint, and Kill on your behalf. You pay zero ETH to register an agent, zero to revoke one. Off-chain actions — Freeze, Activate, Rename, Rotate — never touch the chain at all.
If you claim sovereignty (an optional upgrade that moves your agent's identity to your own wallet), your wallet signs attestations directly and you pay a few cents of Base gas for Mint, ReMint, and Kill. That's the price of the full sovereign kill switch — AgentRoot is no longer in the critical path.
AgentRoot is framework-neutral. Anything that makes HTTP requests works — LangChain, CrewAI, AutoGPT, OpenClaw, your own runtime. Point OpenAI-compatible clients at the proxy URL and use Bearer auth.
Free covers one agent, ten API slots, and 10K proxy calls per month — the full kill switch included. Pro and Team land at Base mainnet launch with higher limits, team seats, and audit logs. Enterprise is custom with SLA and on-prem Vault options.
Three environment variables. Onchain guardrails. A kill switch they can't touch.
Get Started