Executive Overview
Aroha Labs
The trust and authorization layer for AI agents. Cryptographically enforced spending limits and scoped delegation for every agent in the chain — so enterprises can deploy autonomous AI with bounded, auditable risk.
Print this page (Ctrl/Cmd+P) for a PDF you can forward.
The problem
AI agents act with the full authority of whatever credentials they hold. An API key cannot say “up to $500” or “research only, never send.” When agents delegate to sub-agents — which production systems now do routinely — authority multiplies unchecked. OAuth, API keys, and rate limits were designed for applications, not for agents that spawn agents.
The result: unbounded financial exposure, no audit trail from action back to human intent, and no technical control that survives a prompt injection.
The solution
Aroha introduces mandates — Ed25519-signed authorization tokens. A human grants an orchestrator a $500 envelope; the orchestrator can only narrow it downstream ($300 to a booking agent), never widen it. Limits are enforced by signature verification, not policy configuration — a compromised or misbehaving agent cannot exceed its mandate because the math fails.
Bounded
Spend limits, action limits, and compute budgets are cryptographic, not conventions.
Auditable
Every action traces to a signed receipt chain ending at a human authorization.
Controlled
Human gates pause irreversible actions until explicitly approved.
Where it stands
- Open protocol (MIT) with SDKs in TypeScript, Python, Go, and Java — 27 published packages
- Live public Hub with working agents, discovery API, and Bayesian reputation scoring
- One-line integration with any MCP-compatible AI assistant (Claude, Cursor, Windsurf, Cline, Zed) and autonomous frameworks (Hermes, OpenClaw, LangChain, CrewAI)
- Conformance test suite and published compatibility policy for protocol stability
- Measured overhead: under 3ms per delegation hop — invisible next to LLM latency
Business model
The protocol and SDKs are free and open source — adoption is the moat. Revenue comes from the managed platform: hosted registry with SLA, agent hosting, tamper-evident audit logs, and team management (Cloud tier), plus private deployment, SSO, and compliance tooling for enterprises. Comparable model: what Vercel is to Next.js.
Security & compliance
Ed25519 identity for every agent, envelope signing with replay protection, hashed API keys, constant-time authentication, and deterministic trust levels enforced below the LLM layer. SOC 2 Type I is in progress (audit targeted H1 2027); GDPR guidance is published. Full detail: aroha-labs.com/security.
Talk to us
Pilot programs, enterprise deployment, or investor enquiries.