Executive Overview

Aroha Labs

The trust and authorization layer for AI agents. Cryptographically enforced spending limits and scoped delegation for every agent in the chain — so enterprises can deploy autonomous AI with bounded, auditable risk.

Print this page (Ctrl/Cmd+P) for a PDF you can forward.

The problem

AI agents act with the full authority of whatever credentials they hold. An API key cannot say “up to $500” or “research only, never send.” When agents delegate to sub-agents — which production systems now do routinely — authority multiplies unchecked. OAuth, API keys, and rate limits were designed for applications, not for agents that spawn agents.

The result: unbounded financial exposure, no audit trail from action back to human intent, and no technical control that survives a prompt injection.

The solution

Aroha introduces mandates — Ed25519-signed authorization tokens. A human grants an orchestrator a $500 envelope; the orchestrator can only narrow it downstream ($300 to a booking agent), never widen it. Limits are enforced by signature verification, not policy configuration — a compromised or misbehaving agent cannot exceed its mandate because the math fails.

Bounded

Spend limits, action limits, and compute budgets are cryptographic, not conventions.

Auditable

Every action traces to a signed receipt chain ending at a human authorization.

Controlled

Human gates pause irreversible actions until explicitly approved.

Where it stands

  • Open protocol (MIT) with SDKs in TypeScript, Python, Go, and Java — 27 published packages
  • Live public Hub with working agents, discovery API, and Bayesian reputation scoring
  • One-line integration with any MCP-compatible AI assistant (Claude, Cursor, Windsurf, Cline, Zed) and autonomous frameworks (Hermes, OpenClaw, LangChain, CrewAI)
  • Conformance test suite and published compatibility policy for protocol stability
  • Measured overhead: under 3ms per delegation hop — invisible next to LLM latency

Business model

The protocol and SDKs are free and open source — adoption is the moat. Revenue comes from the managed platform: hosted registry with SLA, agent hosting, tamper-evident audit logs, and team management (Cloud tier), plus private deployment, SSO, and compliance tooling for enterprises. Comparable model: what Vercel is to Next.js.

Security & compliance

Ed25519 identity for every agent, envelope signing with replay protection, hashed API keys, constant-time authentication, and deterministic trust levels enforced below the LLM layer. SOC 2 Type I is in progress (audit targeted H1 2027); GDPR guidance is published. Full detail: aroha-labs.com/security.

Talk to us

Pilot programs, enterprise deployment, or investor enquiries.

contact@aroha-labs.comwww.aroha-labs.com