Treeship gives AI agents a cryptographic identity. Every tool call, decision, and session produces a signed receipt: auditable, verifiable, and portable. Like TLS certificates, but for agents.
Every artifact is cryptographically signed, locally stored, and independently verifiable. No server required.
treeship wrap
treeship session report
treeship attest card
treeship resolve · audit · publish
treeship history <agent>
verify-profile recomputes it locally and flags any mismatch field-by-field.treeship profile · verify-profile
As AI agents take autonomous actions in the real world, the question shifts from "did it work?" to "can I prove what it did, and has it done this before?"
Every action an agent takes leaves a signed, verifiable artifact. No more "the agent did it" without proof. Receipts exist whether or not anything went wrong.
Verification is fully local. No cloud dependency, no API call to verify a receipt. You own your keys. You own your receipts. Works anywhere, ships to anyone.
One command wraps any existing agent workflow. No architecture changes. MCP bridge instruments Claude, Cursor, and friends automatically. Zero code.
A verifiable profile pins an agent's track record to a Merkle checkpoint. Anyone can recompute it locally. Every number either matches or it's a provable lie, named field by field.
When you visit a website, TLS certificates silently prove the server is who it says it is. Nobody reads the certificate. The trust just works. Treeship is the same idea applied to AI agent actions.
Every receipt is a certificate of what happened. Every session report is an auditable chain. The agent doesn't need to explain itself. The cryptography speaks.
Read the protocolOne command. No account required. Your keys stay local.
One curl command sets up the binary, initializes your keypair, and detects installed agents.
treeship wrap -- prefixes any command and produces a signed receipt on exit.
Verify locally with treeship verify last or push to the Hub for a shareable URL.
Treeship captures every significant event in an agent session, not just the final output.
Every tool invocation (file reads, web searches, API calls) is signed with its inputs and output digest.
treeship/action/v1Model reasoning steps and decision points, attested with actor identity and timestamp.
treeship/decision/v1Approval gates with nonce-bound signatures. Cryptographic proof a human authorized an action.
treeship/approval/v1When work moves between agents, a signed handoff records the transfer, the task commitment, and both actors.
treeship/handoff/v1The sealed summary of a complete session: all actions, approvals, and outcomes in one verifiable bundle.
treeship/receipt/v1Declared vs exercised capabilities tracked per session. Catch agents doing more than they claimed.
attest card · v0.20Receipts hash pairwise up a Merkle tree to a single root, signed once as a checkpoint. To prove any one action belongs to that history you only need the sibling hashes along its path, a handful of values, never the whole log. Click a leaf to trace its inclusion proof.
An agent card commits to its full capability set. A holder presents only the capabilities a given verifier needs. The rest stay unguessable salted digests, and the card's signature still verifies. SD-JWT-style disclosure, layered over the DSSE signature.
Click a capability to include or withhold it. Each is committed as sha256(salt ‖ name ‖ value); the signed card carries only the sorted digest list, so it verifies whether or not a value is revealed. A withheld entry is an unguessable digest, and a holder can never present a value that was not committed.
Look up any agent URI on the Hub: get their public key, capability declarations, full session history, and a checkpoint-pinned profile you can verify locally.
Run treeship onboard agent://name --publish to register, attest, and anchor your agent's identity chain to the Hub in a single pass.
Any party runs treeship resolve --hub agent://name to retrieve the agent's identity card, walking the certificate chain to a pinned ship key. No leaf-level trust required.
Run treeship history <agent> for their full session log, or treeship verify-profile to recompute their track record locally, field by field, against the checkpoint pin.
Under "Cryptographic Proofs of Identity". Treeship is one of the tools fighting AI slop and helping ensure agents can be held accountable for their actions.
Treeship is fully open source and local-first. The cryptographic invariants are public. The keys are yours. The receipts are yours. No cloud dependency, no lock-in, no trust required of us.
Your agents are already acting. Treeship makes sure there's a receipt for everything they do: signed, verifiable, and yours.