A cryptographic audit chain for AI agents — real-time verification, zero-TTL credentials, encrypted transcripts
LockStock maintains a cryptographic hash chain for every AI agent you deploy. Every action the agent takes — a chat completion, a tool call, a file write — extends the chain by one position. This gives you three things no other system provides simultaneously:
Any third party can verify your agent's identity with a single GET request. The response is one word: current (accept) or anything else (reject). Propagation delay: zero.
Every action produces a hash that depends on every previous action. Skip, reorder, or delete a record — the chain breaks. Mathematical proof, not access control.
Every prompt and response is encrypted before leaving your network. The server stores ciphertext it cannot read. Only your Account Key can decrypt — and you hold it, not us.
This is the most important design decision in the protocol: the agent does not know LockStock exists.
The agent sends a normal API request to the gateway. The gateway stamps the request (advancing the chain), forwards it to the upstream provider, and returns the response. The agent never handles a credential, never calls an auth endpoint, never manages a token lifecycle. The gateway handles everything.
This means adoption does not require modifying your agents. No SDK. No code changes. No credential management logic. Point your agent at the gateway instead of directly at the provider. The audit trail, the verification, and the encryption happen transparently.
Validated in production: A real agent authenticated to a real third-party counterparty service. The gateway stamped the request, attached a cryptographic credential, and the counterparty verified it with one GET call. The agent did not know it happened. Try the verify playground →
Every stamp produces a state_hash — a SHA-256 hash that depends on
the agent's entire action history. This hash is the credential. It has never existed
before, it will never be valid again, and it was not issued by anyone. It is a
mathematical consequence of the chain advancing.
Step 1 — Stamp. The gateway stamps an action. The server advances the
chain and returns the new state_hash.
Step 2 — Present. The gateway attaches the credential to the outgoing
request: Authorization: D3cipher {agent_id}:{state_hash}. The agent is oblivious.
Step 3 — Verify. The receiving service makes one GET call:
GET https://api.d3cipher.ai/v1/verify/{agent_id}?hash={state_hash}The response is one word:
| Status | Meaning | Action |
|---|---|---|
current | Credential matches the chain head | Accept |
stale | Agent has advanced past this hash | Reject |
frozen | Operator hit the kill switch | Reject |
revoked | Agent permanently decommissioned | Reject |
unknown | Agent not registered | Reject |
if status == "current" — that is the entire integration.
Everything else is a rejection. The secure behavior is the default behavior.
The instant the agent takes its next action, the previous credential becomes stale. There is no TTL, no expiry window, no grace period. The credential is valid for exactly one chain position.
| Mechanism | Valid For | Compromise Window |
|---|---|---|
| API Key | Until manually rotated | Hours to days |
| OAuth Token | 1 hour (typical) | Up to 1 hour |
| JWT | Minutes to hours | Full TTL window |
| Atomic Credential | Until next action | Zero |
Freeze an agent on the dashboard. The next verification call — from any
counterparty, anywhere — returns frozen. Propagation delay: zero.
LockStock is not a point solution for one auth pattern. The same protocol — one hash in, one bit out — covers every trust relationship in an AI agent deployment.
Gateway holds the API key. Agent sends to localhost. Gateway attaches auth and forwards. Agent never sees sk-ant-*.
MLS sidecar stamps, puts state_hash in BasicCredential. Mutual verification via /v1/verify. No shared secrets between organizations.
SSE connection presents a chain credential. Middleware verifies on connect. Identity stored for the session. Multi-tenant: one server, N agents.
Gateway stamps Authenticate, attaches D3cipher header. Counterparty calls /v1/verify. The agent never knows.
Every broadcast carries sender_chain_hash. Group membership, intent announcements, sync requests — all chain-linked.
The gateway itself is an agent. It authenticates to the server using its own chain state. Infrastructure auth, same protocol.
Org A's agent talks to Org B's agent. Both present chain credentials. Both verify. MLS encrypts the channel. No shared secrets between orgs.
Freeze an agent on the dashboard. Next /v1/verify returns frozen. Not "wait for token expiry" — dead now. Revoke is permanent.
Download the chain, recompute every hash offline. No server access needed. No trust needed. The chain is the proof. Non-repudiation: the math proves it.
Every prompt and response passing through the gateway is encrypted with AES-256-GCM envelope encryption before leaving your network. The d3cipher server stores only ciphertext. Your Account Key — generated in your browser, never sent to the server — is the only way to decrypt.
This is not "encryption at rest" on someone else's server. The server literally cannot read your data. Even if the server is compromised, the attacker gets encrypted blobs and wrapped keys — neither of which is useful without the Account Key that you hold.
To audit: open the Auditor tab in the dashboard, enter your Account Key, and read the full content of every conversation — decrypted entirely in your browser.
Authentication is one layer of a five-layer verification stack. Each layer answers a different question. They share the chain but not each other's inputs.
Did this happen in this sequence? — SHA-256 hash chain, each hash depends on the previous
Were the right types of actions performed? — Mathematical state evolution independent of content
Was this the exact content at this position? — Deterministic canonicalization + cryptographic seal
Can the server read the content? — AES-256-GCM envelope encryption, Account Key held by operator
Can the other organization read it? — MLS (RFC 9420) with per-agent keys
The atomic credential emerges from Layer 1. The state_hash is the
chain head after each stamp. Layers 2–5 provide additional guarantees — but
the credential itself requires only Layer 1. Each layer is independently verifiable.
Because the credential and the audit record are the same atomic operation, the authentication system is the compliance system. There is no separate logging pipeline to keep in sync.
| Framework | Requirement | How LockStock Satisfies It |
|---|---|---|
| SOC 2 CC7.2 | Monitor system components for anomalies | Every agent action is a chain entry. Anomalies break hash linkage. Verified by 6-pass verification kernel. |
| HIPAA §164.312(b) | Audit controls for information systems | Immutable audit trail. Envelope encryption ensures the server cannot read PHI. |
| PCI-DSS 10.5 | Secure audit trails against alteration | SHA-256 chain — altering any row invalidates all subsequent hashes. |
Deploy a gateway, see your first audit trail in minutes.
Get Started