Open source · v0.20

Every agent action,
signed and verified.

Treeship gives AI agents a cryptographic identity. Every tool call, decision, and session produces a signed receipt: auditable, verifiable, and portable. Like TLS certificates, but for agents.

Six primitives. One trust layer.

Every artifact is cryptographically signed, locally stored, and independently verifiable. No server required.

01
Signed Receipt
A tamper-evident record of a single agent action: tool call, decision, or handoff. Ed25519-signed, DSSE-wrapped, offline-verifiable.
treeship wrap
02
Session Report
A sealed summary of an entire agent session: what ran, what was approved, what was produced. Shareable as a permanent URL via the Hub.
treeship session report
03
Agent Identity
A cryptographic identity card for an agent: keypair, capabilities declared vs exercised, and a verifiable provenance trail across sessions.
treeship attest card
04
Transparency Log
An append-only Merkle log of all signed artifacts. Push to the Hub, publish publicly, or audit locally. Tamper detection built in.
treeship resolve · audit · publish
05
Work History
An agent's full signed session log, filtered, Merkle-verified, and sortable. Every entry re-verified locally against your own trust roots, never trusting the Hub's interpretation.
treeship history <agent>
06
Verifiable Profile
A checkpoint-pinned track record: N sessions, N actions, these tools, this time span. Every number is a deterministic aggregation over the log. verify-profile recomputes it locally and flags any mismatch field-by-field.
treeship profile · verify-profile

Trust isn't optional anymore.

As AI agents take autonomous actions in the real world, the question shifts from "did it work?" to "can I prove what it did, and has it done this before?"

Accountability by default

Every action an agent takes leaves a signed, verifiable artifact. No more "the agent did it" without proof. Receipts exist whether or not anything went wrong.

Offline & independent

Verification is fully local. No cloud dependency, no API call to verify a receipt. You own your keys. You own your receipts. Works anywhere, ships to anyone.

Drop-in, not redesign

One command wraps any existing agent workflow. No architecture changes. MCP bridge instruments Claude, Cursor, and friends automatically. Zero code.

Falsifiable reputation

A verifiable profile pins an agent's track record to a Merkle checkpoint. Anyone can recompute it locally. Every number either matches or it's a provable lie, named field by field.

TLS made the web trustworthy.
Treeship does the same for agents.

When you visit a website, TLS certificates silently prove the server is who it says it is. Nobody reads the certificate. The trust just works. Treeship is the same idea applied to AI agent actions.

Every receipt is a certificate of what happened. Every session report is an auditable chain. The agent doesn't need to explain itself. The cryptography speaks.

Read the protocol
Concept TLS / Web PKI Treeship
identity proof X.509 certificate Agent identity card
action record HTTPS request log Signed receipt
session summary TLS session ticket Session report
audit trail Certificate Transparency log Transparency log
signature algo RSA / ECDSA Ed25519 (DSSE)
human approval EV cert manual review Approval attestation
track record Certificate history logs Verifiable profile

Up in under a minute.

One command. No account required. Your keys stay local.

01

Install the CLI

One curl command sets up the binary, initializes your keypair, and detects installed agents.

02

Wrap any command

treeship wrap -- prefixes any command and produces a signed receipt on exit.

03

Verify & share

Verify locally with treeship verify last or push to the Hub for a shareable URL.

Terminal
# install & initialize
$curl -fsSL treeship.dev/setup | sh
✓ installed treeship v0.20.0
✓ generated Ed25519 keypair
✓ detected: claude-code, cursor
# onboard an agent: register, attest, anchor (v0.20)
$treeship onboard agent://deployer --publish
✓ registered · attested · anchored
trust add agent_cert:ed25519:4f3a…9c2e
# wrap any command
$treeship wrap -- npm run deploy
✓ signed · art_4f3a9c2e1b8d
Ed25519 · DSSE · Merkle-linked
# verify track record locally (v0.20)
$treeship history agent://deployer --limit 5
47 sessions · 312 actions · newest first
$treeship verify-profile
✓ checked · all fields match · pin: b7f2a1…

The full surface of agent work.

Treeship captures every significant event in an agent session, not just the final output.

01
Tool calls

Every tool invocation (file reads, web searches, API calls) is signed with its inputs and output digest.

treeship/action/v1
02
LLM decisions

Model reasoning steps and decision points, attested with actor identity and timestamp.

treeship/decision/v1
03
Human approvals

Approval gates with nonce-bound signatures. Cryptographic proof a human authorized an action.

treeship/approval/v1
04
Agent handoffs

When work moves between agents, a signed handoff records the transfer, the task commitment, and both actors.

treeship/handoff/v1
05
Session receipts

The sealed summary of a complete session: all actions, approvals, and outcomes in one verifiable bundle.

treeship/receipt/v1
06
Capability provenance

Declared vs exercised capabilities tracked per session. Catch agents doing more than they claimed.

attest card · v0.20

Every receipt folds into one signed root.

Receipts hash pairwise up a Merkle tree to a single root, signed once as a checkpoint. To prove any one action belongs to that history you only need the sibling hashes along its path, a handful of values, never the whole log. Click a leaf to trace its inclusion proof.

inclusion_proof leaf 03
proof path sibling hash

Prove a subset. Reveal nothing else.

An agent card commits to its full capability set. A holder presents only the capabilities a given verifier needs. The rest stay unguessable salted digests, and the card's signature still verifies. SD-JWT-style disclosure, layered over the DSSE signature.

agent_card.v1 · commitmentholder
what the verifier seesrevealed 3 of 6
signature valid over the committed digest set

Click a capability to include or withhold it. Each is committed as sha256(salt ‖ name ‖ value); the signed card carries only the sorted digest list, so it verifies whether or not a value is revealed. A withheld entry is an unguessable digest, and a holder can never present a value that was not committed.

Resolve any agent's identity, history, and track record.

Look up any agent URI on the Hub: get their public key, capability declarations, full session history, and a checkpoint-pinned profile you can verify locally.

1

Onboard in one command

Run treeship onboard agent://name --publish to register, attest, and anchor your agent's identity chain to the Hub in a single pass.

2

Resolve any agent URI

Any party runs treeship resolve --hub agent://name to retrieve the agent's identity card, walking the certificate chain to a pinned ship key. No leaf-level trust required.

3

Verify history and profile

Run treeship history <agent> for their full session log, or treeship verify-profile to recompute their track record locally, field by field, against the checkpoint pin.

treeship history agent://my-assistant --format json
agent_uri agent://my-assistant
sessions_total 47 verified sessions
actions_total 312 signed actions
tools_exercised read_file, web_search
profile.checkpoint b7f2a1…e8c3d4
profile.verdict ✓ checked · all fields match
last_active 2026-07-07T12:22Z
chain_verdict ✓ PASS · all inclusions verified
v0.20 Latest release
8MB Single static binary
100% Offline-verifiable
Apache 2.0 Open source license
"

Under "Cryptographic Proofs of Identity". Treeship is one of the tools fighting AI slop and helping ensure agents can be held accountable for their actions.

Published in The New Stack
Built in the open.

Treeship is fully open source and local-first. The cryptographic invariants are public. The keys are yours. The receipts are yours. No cloud dependency, no lock-in, no trust required of us.

Apache 2.0 Rust core Ed25519 DSSE Sigstore-compatible RFC 8785
View on GitHub Read the article →

Start signing.
In under a minute.

Your agents are already acting. Treeship makes sure there's a receipt for everything they do: signed, verifiable, and yours.

curl
npm
python
$curl -fsSL treeship.dev/setup | sh
# installs CLI, initializes keypair, detects agents
$treeship session start --name "my task"
$treeship wrap -- npm run build
$treeship verify last
$npm install -g treeship
# or add the MCP bridge (zero-code instrumentation)
$npm install @treeship/sdk @treeship/mcp
$treeship init && treeship add --all
$pip install treeship-sdk
# Python SDK
from treeship_sdk import Treeship
ts = Treeship()
receipt = ts.attest_action(actor="agent://me", action="tool.call")