V1.0 — DRAFT

The Identity Protocol for AI Agents.

Real identity for AI agents. Real sharing for your team. Real secrets for your machines — under one audit chain.

V1.0 · Draft · Private preview

The web was built for humans. SYXL is built for what’s logging in next.

— 01 / The shift

Everything we built for auth assumed two kinds of actors.

Every login form, every captcha, every “I’m not a robot” checkbox. Every OAuth scope, every API key, every reset email. The web assumes the principal is either a human at a keyboard or a static application with predefined scopes and a known execution path.

Agents fit neither role. They act on behalf of a user or entirely on their own, call external services, discover tools at runtime, need one capability now and a different one later, and often run long after the human who started them has moved on. The current stack treats them as either invisible humans or stolen credentials. Both are wrong.

SYXL makes the runtime agent a first-class principal. Each agent registers under its own identity, receives a real email and wallet, requests scopes from the businesses it talks to, and presents a verified handshake any service can accept. No captchas. No impersonation. No phone-a-human-to-help.

— 02 / Agent identity

What an agent actually needs to log in.

Four primitives. Provisioned together. Revoked together. Every agent under SYXL gets all four the moment it’s registered.

01

Email

A real, deliverable inbox. The agent can read it, reply to it, forward to its operator, and CC them on anything sensitive.

02

Wallet

An Ed25519 keypair plus optional payment rails. Sign requests, settle invoices, prove provenance — without borrowing the operator’s identity.

ed25519:9F3a…2b71

03

Token

A short-lived, scope-bound credential that SYXL mints on demand and delivers by webhook to the receiving service. The agent never holds a long-lived secret.

syxl_tok_01HZQX…vouched

04

Scope

A capability grant the business can read in plain English. Per-action, per-resource, with TTLs and revocation that propagates in seconds.

scope:read.email + send.draft

— 03 / The plane

Agents are new. Humans, machines, and secrets aren’t.

Most teams already run two tools — a password manager for humans, a vault for machines. Neither one knows what an agent is. SYXL is the first plane built for all four, governed by the same policy engine and the same audit chain.

01

Humans

Your team

Authenticated through your IdP, grouped through SCIM. Share vendor logins, dashboard credentials, and one-time secrets — without a second password manager.

  • OIDC / SAML SSO + passkeys
  • End-to-end-encrypted shared items
  • Browser extension · CLI · mobile
02

Machines

CI · K8s · services

SPIFFE-style workload identity. Dynamic database credentials, cloud STS roles, signed SSH certs — minted on demand, revoked on exit.

  • Postgres · MySQL · Mongo · Snowflake
  • AWS STS · GCP WIF · Azure MI
  • K8s injector + Vault SSH CA
03

Agents

Logging in next

Every runtime agent gets its own identity, scoped capabilities, and a verified handshake. The differentiated layer no other plane has.

  • Per-agent Ed25519 keypair
  • Capability grants with field constraints
  • Adaptive trust at the broker
04

Secrets

What they all share

One KV engine. One audit chain. One policy. Hash-chained, HSM-signed, streamed to your SIEM, anchored daily to OpenTimestamps.

  • Static KV + dynamic + STS + SSH
  • Hash-chained event log → SIEM
  • 7-year WORM archive · OpenTimestamps anchored
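The hash-chained event log named in the Secrets card, as an added Go example that is not SYXL's code: each entry's digest covers the previous entry's digest, so editing a record breaks its own digest, and re-hashing the edited record only moves the break to the next entry, which still names the original digest. The event fields, the all-zero genesis value and the use of Go's canonical struct-ordered JSON are assumptions for this example; HSM signing of the chain head and OpenTimestamps anchoring are outside it.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Event is one audit record. Struct field order fixes the canonical JSON,
// so the same event always hashes the same way. The field set is an assumption.
type Event struct {
	Seq      int    `json:"seq"`
	Actor    string `json:"actor"` // human, machine, or agent principal
	Action   string `json:"action"`
	Resource string `json:"resource"`
	Prev     string `json:"prev"`           // hex digest of the previous entry
	Hash     string `json:"hash,omitempty"` // digest of this entry, excluded from its own hash
}

// Genesis is the Prev value of the first entry: 32 zero bytes, hex encoded.
var Genesis = hex.EncodeToString(make([]byte, 32))

// digest hashes the entry with Hash cleared. Because Prev is inside the hashed
// bytes, every entry commits to the whole chain before it.
func digest(e Event) (string, error) {
	e.Hash = ""
	b, err := json.Marshal(e)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:]), nil
}

// Append links a new event to the end of the chain.
func Append(chain []Event, actor, action, resource string) ([]Event, error) {
	prev := Genesis
	if n := len(chain); n > 0 {
		prev = chain[n-1].Hash
	}
	e := Event{Seq: len(chain), Actor: actor, Action: action, Resource: resource, Prev: prev}
	h, err := digest(e)
	if err != nil {
		return nil, err
	}
	e.Hash = h
	return append(chain, e), nil
}

// Verify walks the chain from genesis and returns the index of the first
// entry whose link or digest fails, or -1 when the chain is intact.
func Verify(chain []Event) (int, error) {
	prev := Genesis
	for i, e := range chain {
		if e.Seq != i || e.Prev != prev {
			return i, fmt.Errorf("entry %d does not link to its predecessor", i)
		}
		h, err := digest(e)
		if err != nil {
			return i, err
		}
		if h != e.Hash {
			return i, fmt.Errorf("entry %d has been altered", i)
		}
		prev = e.Hash
	}
	return -1, nil
}

func main() {
	var chain []Event
	// Constructed sample events, one per kind of principal on the plane.
	for _, r := range [][3]string{
		{"alice", "share.item", "vendor/grafana-login"},
		{"agent.42a9", "handshake.mint", "acme-payments"},
		{"ci-job-7731", "db.cred.issue", "postgres/prod"},
	} {
		chain, _ = Append(chain, r[0], r[1], r[2])
	}
	i, err := Verify(chain)
	fmt.Println("intact:", i, err)

	// An insider rewrites entry 1: its stored digest no longer matches.
	chain[1].Action = "nothing.happened"
	i, err = Verify(chain)
	fmt.Println("edited:", i, err)

	// Re-hashing the edited entry moves the break to entry 2, whose Prev still
	// names the original digest. Rewriting every later entry is what the signed
	// chain head and the daily external anchor are there to expose.
	chain[1].Hash, _ = digest(chain[1])
	i, err = Verify(chain)
	fmt.Println("rehashed:", i, err)
}
```

Truncation is the one edit a bare hash chain cannot see: a chain with its last entries dropped still verifies, which is why the head digest has to be signed and anchored outside the log, not just chained inside it.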
— 04 / The handshake

One protocol. Four steps. Anywhere.

SYXL sits between the agent and the business as a verifying broker. Every business that adopts the handshake becomes reachable by every verified agent on the network — no per-vendor onboarding, no re-implementation, no custom captcha bypass.

  1. Request · Agent asks SYXL

    The agent declares the business it wants to talk to and the scopes it needs. The request carries its Ed25519 fingerprint and the operator's signature.

    POST /v1/handshake/initiate
  2. Verify · SYXL evaluates

    Adaptive policy runs over the agent's identity, the operator's posture, and the destination's trust profile. Risk signals weight the answer.

    syxl.eval(ctx) → vouched | step-up | deny
  3. Mint · Token webhooked in

    SYXL mints a short-lived, scope-bound credential and POSTs it directly to the receiving service via its registered handshake endpoint.

    → xyz.com/.well-known/syxl-trust
  4. Transact · Agent talks to xyz

    The agent presents the token to the business. The service verifies the SYXL signature on the token, checks its expiry and scope, and grants only the negotiated scope. No captchas. No friction.

    x-syxl-token: vouched
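The four steps above as one offline exchange, written as an added Go example that is not the SYXL SDK: the agent signs the step-1 request with its Ed25519 key; the broker verifies that signature, looks the agent up by fingerprint, checks the requested scopes against the agent's registered grant and mints a broker-signed token only when the adaptive decision is vouched; the business verifies the broker's signature, audience and expiry before checking that the action it is about to perform is one of the negotiated scopes. The wire format, the field names, hex of the public key standing in for the fingerprint, and a direct call in place of the webhook are all assumptions; the operator signature from step 1 is omitted, and the step-2 evaluation is represented only by the decision string passed into Mint.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Request is the step-1 body the agent signs. Field names are assumptions.
type Request struct {
	Business string   `json:"business"`
	Scopes   []string `json:"scopes"`
	AgentKey []byte   `json:"agent_key"` // Ed25519 public key; its hex stands in for the fingerprint
}

// Token is the step-3 credential: short-lived, bound to one business and one scope set.
type Token struct {
	Agent    string   `json:"agent"`
	Business string   `json:"business"`
	Scopes   []string `json:"scopes"`
	Exp      int64    `json:"exp"` // unix seconds
}

// Signed pairs a JSON body with an Ed25519 signature over exactly those bytes.
type Signed struct{ Body, Sig []byte }

func sign(priv ed25519.PrivateKey, v any) (Signed, error) {
	body, err := json.Marshal(v)
	if err != nil {
		return Signed{}, err
	}
	return Signed{Body: body, Sig: ed25519.Sign(priv, body)}, nil
}

// Broker is the verifying party: its own signing key plus each registered
// agent's capability grant (the scopes its operator allowed), keyed by fingerprint.
type Broker struct {
	Priv   ed25519.PrivateKey
	Pub    ed25519.PublicKey
	Grants map[string][]string
}

// Mint covers steps 2-3: verify the agent's signature, require a registered
// fingerprint, keep scopes inside the grant, and mint only when the adaptive
// decision (computed elsewhere) is "vouched".
func (b *Broker) Mint(req Signed, decision string, ttl time.Duration, now time.Time) (Signed, error) {
	var r Request
	if err := json.Unmarshal(req.Body, &r); err != nil {
		return Signed{}, err
	}
	if len(r.AgentKey) != ed25519.PublicKeySize || !ed25519.Verify(r.AgentKey, req.Body, req.Sig) {
		return Signed{}, errors.New("agent signature does not verify")
	}
	fp := hex.EncodeToString(r.AgentKey)
	grant, ok := b.Grants[fp]
	if !ok {
		return Signed{}, errors.New("unregistered agent fingerprint")
	}
	if decision != "vouched" {
		return Signed{}, fmt.Errorf("policy decision %q: no token minted", decision)
	}
	for _, s := range r.Scopes {
		if !contains(grant, s) {
			return Signed{}, fmt.Errorf("scope %q is outside the agent's grant", s)
		}
	}
	return sign(b.Priv, Token{fp, r.Business, r.Scopes, now.Add(ttl).Unix()})
}

// Accept is step 4 on the business side: broker signature first, then audience,
// expiry, and finally whether the attempted action is one of the granted scopes.
func Accept(brokerPub ed25519.PublicKey, tok Signed, business, action string, now time.Time) (Token, error) {
	if !ed25519.Verify(brokerPub, tok.Body, tok.Sig) {
		return Token{}, errors.New("broker signature does not verify")
	}
	var t Token
	if err := json.Unmarshal(tok.Body, &t); err != nil {
		return Token{}, err
	}
	switch {
	case t.Business != business:
		return Token{}, errors.New("token was minted for a different business")
	case now.Unix() >= t.Exp:
		return Token{}, errors.New("token expired")
	case !contains(t.Scopes, action):
		return Token{}, fmt.Errorf("scope %q was not granted", action)
	}
	return t, nil
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

func main() {
	agentPub, agentPriv, _ := ed25519.GenerateKey(rand.Reader)
	brokerPub, brokerPriv, _ := ed25519.GenerateKey(rand.Reader)
	b := &Broker{brokerPriv, brokerPub, map[string][]string{hex.EncodeToString(agentPub): {"send.invoice"}}}
	req, _ := sign(agentPriv, Request{Business: "acme-payments", Scopes: []string{"send.invoice"}, AgentKey: agentPub})
	tok, _ := b.Mint(req, "vouched", time.Hour, time.Now())
	_, err := Accept(brokerPub, tok, "acme-payments", "create.payout", time.Now())
	fmt.Println(err) // the token does not cover create.payout
}
```

Two things the example leaves to a real deployment: the business must obtain the broker's public key out of band (the handshake endpoint it registers is the natural place to pin it), and the broker needs a nonce or request-id store so a captured step-1 body cannot be replayed to mint a second token.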
— 05 / Adaptive trust

The right friction, at the right moment.

Captchas tax legitimate use and barely slow fraud. SYXL replaces them with a policy engine that reads the agent, the operator, and the destination — and applies friction only when risk justifies it.

agent.42a9 → acme-payments

Vouched · pass-through
  • Geo: stable region (+1)
  • Account age: 47 days (+1)
  • Network: no proxy (+1)
  • Operator: verified · 2 years (+2)
  • Scope: send.invoice (low-risk) (+1)
ALLOW · mint token · skip step-up

agent.91c2 → ledger.example

Step-up required
  • Geo: rotating exit (−1)
  • Account age: 3 hours (−2)
  • Network: residential proxy (−1)
  • Operator: unverified (−1)
  • Scope: create.payout (sensitive) (−2)
REQUIRE · document KYC verification
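The two score cards above run through a small additive policy engine, as an added Go example that is not SYXL's policy DSL. The per-signal weights reproduce the page's numbers and the two cards sum to +6 and −7; the account-age and operator-age bands, the thresholds that separate vouched, step-up and deny, the treatment of a scope the policy has never seen, and the hard deny for a revoked agent are assumptions made for this example.

```go
package main

import (
	"fmt"
	"time"
)

// Decision is the broker's answer to syxl.eval(ctx).
type Decision string

const (
	Vouched Decision = "vouched"
	StepUp  Decision = "step-up"
	Deny    Decision = "deny"
)

// Signal is one scored observation; positive weights lower risk, negative raise it.
type Signal struct {
	Name, Value string
	Weight      int
}

// Context is what the engine reads about one handshake. The field set is an assumption.
type Context struct {
	Agent, Destination string
	Geo, Network       string // labels looked up in the policy tables
	Scope              string
	AccountAge         time.Duration
	OperatorVerified   bool
	OperatorAge        time.Duration
	Revoked            bool // a revoked agent is denied before any scoring
}

// Policy holds the weight tables and thresholds. The weights reproduce the two
// cards on the page; thresholds, age bands and the unknown-scope rule are assumptions.
type Policy struct {
	Geo, Network, Scope map[string]int
	VouchAt, DenyAt     int // total >= VouchAt vouches; total <= DenyAt denies
}

var Default = Policy{
	Geo:     map[string]int{"stable region": 1, "rotating exit": -1},
	Network: map[string]int{"no proxy": 1, "residential proxy": -1},
	Scope:   map[string]int{"send.invoice": 1, "create.payout": -2},
	VouchAt: 3,
	DenyAt:  -8,
}

// Evaluate scores the context and maps the total onto a decision. A geo or
// network label missing from its table is neutral (0); a scope missing from its
// table is treated as sensitive, because an unknown action deserves more friction.
func (p Policy) Evaluate(ctx Context) (Decision, int, []Signal) {
	if ctx.Revoked {
		return Deny, 0, []Signal{{"Agent", "revoked", 0}}
	}
	age := 0 // between one day and thirty days is neutral
	switch {
	case ctx.AccountAge < 24*time.Hour:
		age = -2
	case ctx.AccountAge >= 30*24*time.Hour:
		age = 1
	}
	op := -1 // unverified operator
	switch {
	case ctx.OperatorVerified && ctx.OperatorAge >= 365*24*time.Hour:
		op = 2
	case ctx.OperatorVerified:
		op = 1
	}
	scope, known := p.Scope[ctx.Scope]
	if !known {
		scope = -2
	}
	signals := []Signal{
		{"Geo", ctx.Geo, p.Geo[ctx.Geo]},
		{"Account age", ctx.AccountAge.String(), age},
		{"Network", ctx.Network, p.Network[ctx.Network]},
		{"Operator", fmt.Sprintf("verified=%t", ctx.OperatorVerified), op},
		{"Scope", ctx.Scope, scope},
	}
	total := 0
	for _, s := range signals {
		total += s.Weight
	}
	switch {
	case total >= p.VouchAt:
		return Vouched, total, signals
	case total <= p.DenyAt:
		return Deny, total, signals
	default:
		return StepUp, total, signals
	}
}

func main() {
	for _, ctx := range []Context{
		{Agent: "agent.42a9", Destination: "acme-payments", Geo: "stable region", Network: "no proxy",
			Scope: "send.invoice", AccountAge: 47 * 24 * time.Hour, OperatorVerified: true, OperatorAge: 2 * 365 * 24 * time.Hour},
		{Agent: "agent.91c2", Destination: "ledger.example", Geo: "rotating exit", Network: "residential proxy",
			Scope: "create.payout", AccountAge: 3 * time.Hour},
	} {
		d, total, signals := Default.Evaluate(ctx)
		fmt.Printf("%s → %s: %s (%+d)\n", ctx.Agent, ctx.Destination, d, total)
		for _, s := range signals {
			fmt.Printf("  %-12s %-22s %+d\n", s.Name, s.Value, s.Weight)
		}
	}
}
```

Returning the signal list alongside the decision is what makes the step-up explainable to the operator and lets the audit chain record why friction was applied, not just that it was.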
— 06 / Quickstart

Mint an identity. Hand it the keys.

One CLI for agents, humans, and machines. Provision an agent, share a vendor login with your team, or issue a 60-minute database credential to a CI job — same syntax, same audit chain.

~/ops — syxl
$ syxl agent create --name agent.42a9 --operator [email protected]
# provisioning identity…
# minting Ed25519 keypair · sealing wallet…
# registering inbox [email protected]
✓ agent ready · fingerprint 9F3a…2b71
$ syxl handshake acme-payments --scope send.invoice
# adaptive eval → vouched · pass-through
→ token webhooked · agent live
— 07 / vs. the rest

Three planes collapsed into one.

Auth0 logs users into your app. 1Password shares your team’s logins. Vault rotates your DB creds. SYXL does all three — and is the only one that natively understands AI agents.

Compared: Auth0 · Better Auth · 1Password · Bitwarden · Vault / OpenBao · Infisical · SYXL

Capability
  • Self-hostable
  • No license phone-home
  • Human shared items (UX)
  • Dynamic DB / cloud secrets (ENT)
  • Per-agent AI identity
  • Approval workflows (ENT · ENT)
  • Hash-chained audit + SIEM (ENT · ENT)

Legend: included · partial · missing · ENT = enterprise tier only

— 08 / Pricing

Pay for the agents. Not the captchas.

One plane for humans, machines, and agents. Predictable per-seat for the people who need shared logins. Predictable per-agent for the runtime actors you mint. No MAU tax. No license phone-home. If you stop paying, you keep everything you deployed.

— 01 / Self-hosted

Core

Free · Apache 2.0 · forever

Single binary, single login. Unlimited users, secrets, and agents. Air-gap friendly — no license server, no phone-home, no cloud dependency.

  • Reference handshake broker (agents)
  • Static KV + dynamic DB / cloud STS / SSH CA
  • SSO / SCIM · passkeys · shared items
  • SDKs: TypeScript · Python · Go
  • Local audit chain + adaptive policy DSL
Run the broker
— 03 / Embedded

Enterprise

Custom · white-label · air-gap

For platforms shipping agents to their own customers and for regulated environments that need FIPS, HSM, and a written SLA.

  • FIPS 140-3 build · HSM integration
  • White-label handshake (yours.com identity)
  • Org keys auto-provisioned per tenant
  • Dedicated SOC 2 + DPA
  • 24×7 incident routing
  • Air-gap delivery
Talk to us
— 09 / Join

Build the agent-native internet with us.