> ## Documentation Index
> Fetch the complete documentation index at: https://docs.truthlocks.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Machine Identity (MAIP)

> Register, authorize, and monitor AI agents with cryptographic identity and behavioral constraints.

# Machine Identity & Agent Identity Protocol

The **Machine Agent Identity Protocol (MAIP)** gives every AI agent, bot, and automated service a cryptographic identity — just like TLS certificates for servers, but purpose-built for autonomous software.

## Why Machine Identity?

As AI agents proliferate across enterprise workflows, organizations face a critical challenge: **How do you know which agent did what, and whether it was authorized?**

MAIP solves this with:

* **Cryptographic agent identity** — Every agent gets a unique ID (`maip-agent:<ulid>`) and signing keys
* **Scope-based authorization** — Fine-grained permission scopes control what each agent can do
* **Runtime policy enforcement** — [MAIP policies](/guides/maip-policies) evaluate trust scores, scopes, and delegation depth before every sensitive action
* **Trust scoring** — Continuous behavioral evaluation produces a 0-100 trust score
* **Session management** — Time-bounded execution contexts with automatic expiry
* **Cross-tenant delegation** — Agents can delegate authority across organizational boundaries
* **Kill switch** — Instant emergency revocation of any agent's access

## Architecture

```
┌─────────────────────────────────────────────┐
│              Your Application                │
│  ┌─────────┐  ┌─────────┐  ┌─────────────┐  │
│  │ Agent A │  │ Agent B │  │  Agent C    │  │
│  └────┬────┘  └────┬────┘  └──────┬──────┘  │
│       │            │              │          │
│  ┌────▼────────────▼──────────────▼──────┐  │
│  │         MAIP SDK (JS / Go / Py)       │  │
│  └────────────────┬──────────────────────┘  │
└───────────────────┼─────────────────────────┘
                    │ HTTPS + mTLS
    ┌───────────────▼───────────────┐
    │   Machine Identity Service    │
    │  ┌──────┐ ┌───────┐ ┌──────┐ │
    │  │Agents│ │Scopes │ │Trust │ │
    │  │      │ │       │ │Scores│ │
    │  └──────┘ └───────┘ └──────┘ │
    └───────────────────────────────┘
```

## Try it in the playground

Every MAIP endpoint has an interactive API playground built into the docs. You can build requests, switch between [Sandbox and Production](/environments#try-it-in-the-api-playground) environments, and send them directly — no separate tool needed.

All MAIP endpoints are covered, spanning ten API groups: [Machine Agents](/api-reference/machine-identity/agents/register), [Agent Sessions & Tools](/api-reference/machine-identity/sessions/create), [Trust & Witness](/api-reference/machine-identity/trust-scores/get), [MAIP Policies](/api-reference/machine-identity/policies/list), [Truth Claims & Documents](/api-reference/machine-identity/truth-claims/create), [Compliance & Anomalies](/api-reference/machine-identity/compliance/create-check), [Datasets & Models](/api-reference/machine-identity/datasets/attest), [Orchestrations & Workflows](/api-reference/machine-identity/orchestrations/execute), [Guardrails & Delegation](/api-reference/machine-identity/guardrails/check), and [Observability](/api-reference/machine-identity/observability/events).

The playground supports both `X-API-Key` and Bearer JWT authentication. Use `X-API-Key` for quick testing and Bearer JWT when you need to authenticate with a session token from a running agent.

<Tip>
  Open any endpoint in the [Machine Agents](/api-reference/machine-identity/agents/register) API reference and click **Send** to try it live against the Sandbox.
</Tip>

## Quick start

### 1. Register an agent

<CodeGroup>
  ```bash cURL theme={null}
  curl -X POST https://api.truthlocks.com/v1/agents \
    -H "X-API-Key: $API_KEY" \
    -H "Content-Type: application/json" \
    -d '{
      "name": "order-processor",
      "type": "autonomous",
      "scopes": ["receipts:write", "attestations:read"],
      "metadata": {
        "framework": "langchain",
        "model": "gpt-4o",
        "owner": "platform-team"
      }
    }'
  ```

  ```javascript JavaScript theme={null}
  import { TruthlocksMAIP } from "@truthlocks/sdk";

  const maip = new TruthlocksMAIP({ apiKey: process.env.TL_API_KEY });

  const agent = await maip.agents.register({
    name: "order-processor",
    type: "autonomous",
    scopes: ["receipts:write", "attestations:read"],
    metadata: {
      framework: "langchain",
      model: "gpt-4o",
      owner: "platform-team",
    },
  });
  ```
</CodeGroup>

### 2. Create a Session

```bash theme={null}
curl -X POST https://api.truthlocks.com/v1/agent-sessions \
  -H "X-API-Key: $API_KEY" \
  -d '{
    "agent_id": "maip-agent:01JXXXX",
    "scopes": ["receipts:write"],
    "ttl_seconds": 3600,
    "ip_allowlist": ["10.0.0.0/8"]
  }'
```

### 3. Execute with Trust Scoring

Every action the agent takes is logged and scored. The trust score updates continuously:

```bash theme={null}
# Check current trust score
curl https://api.truthlocks.com/v1/trust-scores/maip-agent:01JXXXX \
  -H "X-API-Key: $API_KEY"
```

Response:

```json theme={null}
{
  "agent_id": "maip-agent:01JXXXX",
  "score": 87,
  "factors": {
    "behavioral_compliance": 92,
    "scope_adherence": 95,
    "anomaly_score": 12,
    "peer_attestations": 78
  },
  "trend": "stable",
  "computed_at": "2026-04-06T12:00:00Z"
}
```

### 4. Emergency Kill Switch

Instantly revoke all agent access:

```bash theme={null}
curl -X POST https://api.truthlocks.com/v1/agents/maip-agent:01JXXXX/kill \
  -H "X-API-Key: $API_KEY" \
  -d '{ "reason": "Anomalous behavior detected", "revoke_sessions": true }'
```

## Core Concepts

### Agent Types

| Type         | Description                                  | Use Case                       |
| ------------ | -------------------------------------------- | ------------------------------ |
| `autonomous` | Fully autonomous decision-making             | Trading bots, workflow engines |
| `supervised` | Requires human approval for critical actions | Content moderation, compliance |
| `delegated`  | Acts on behalf of another agent or user      | Service accounts, proxies      |
| `system`     | Infrastructure-level agent                   | Monitoring, health checks      |

### Scopes

Scopes follow a `resource:action` pattern:

* `agents:read` / `agents:write` — Agent management
* `receipts:write` — Issue action receipts
* `attestations:read` — Read attestation data
* `trust-scores:read` — Access trust scores
* `delegations:offer` / `delegations:accept` — Cross-tenant delegation
* `compliance:write` — Run compliance checks
* `orchestrations:execute` — Execute multi-agent workflows

### Trust Score Components

| Factor                | Weight | Description                         |
| --------------------- | ------ | ----------------------------------- |
| Behavioral compliance | 35%    | Actions within declared scope       |
| Scope adherence       | 25%    | No out-of-scope access attempts     |
| Anomaly score         | 20%    | Deviation from historical patterns  |
| Peer attestations     | 10%    | Other agents vouching for behavior  |
| Session hygiene       | 10%    | Proper session creation/termination |

## Billing & Quotas

Machine identity features are metered per your plan. Four MAIP usage counters are tracked each billing cycle:

| Metric                   | What it counts                     | Developer | Business | Enterprise |
| :----------------------- | :--------------------------------- | :-------- | :------- | :--------- |
| `maip.agents`            | Registered machine agents          | 2         | 50       | Unlimited  |
| `maip.sessions`          | Agent sessions created per month   | 100       | 10,000   | Unlimited  |
| `maip.trust_computes`    | On-demand trust score calculations | 50        | 5,000    | Unlimited  |
| `maip.compliance_checks` | Compliance verification requests   | 10        | 500      | Unlimited  |

Monitor your consumption with the [usage API](/api-reference/billing/usage) or in the console at **Settings > Billing > Usage** under the **MAIP** section.

<Info>
  See the [billing overview](/billing/overview#metered-products) for the full list of 16 metered products. Upgrade your plan at [console.truthlocks.com/billing](https://console.truthlocks.com/billing) to increase limits.
</Info>

## Editor and pipeline integrations

MAIP integrates with the tools your team already uses. Each integration generates cryptographic receipts automatically.

| Category           | Integrations                                                                                                                                                                                                     |
| :----------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Editor plugins** | [VS Code](/guides/maip-integrations#vs-code-extension), [JetBrains](/guides/maip-integrations#jetbrains-plugin), [Neovim](/guides/maip-integrations#neovim-plugin) (Telescope, statusline, auto-receipt on save) |
| **AI assistants**  | [MCP Server](/guides/maip-integrations#mcp-server) — 20 tools for AI coding assistants to query agents, receipts, and trust scores                                                                               |
| **Data pipelines** | [Event streaming gateway](/guides/maip-integrations#event-streaming) — Kafka, EventBridge, Kinesis, NATS, Redis Streams with deduplication and retry                                                             |
| **CI/CD**          | [GitHub Action](/guides/maip-integrations#github-action) — receipts for commits, PRs, releases, and build artifacts                                                                                              |
| **AI frameworks**  | LangChain, LlamaIndex, CrewAI, AutoGen, OpenAI, Anthropic, AWS Bedrock                                                                                                                                           |
| **Team tools**     | Slack, Linear, Notion                                                                                                                                                                                            |

See the [MAIP integrations guide](/guides/maip-integrations) for setup instructions and code examples.

## Next steps

<CardGroup cols={2}>
  <Card title="Agent authorization" href="/guides/agent-authorization" icon="key">
    Deep dive into scope-based authorization and session management.
  </Card>

  <Card title="MAIP policies" href="/guides/maip-policies" icon="shield-halved">
    Runtime enforcement rules based on trust scores, scopes, and delegation depth.
  </Card>

  <Card title="Trust scores" href="/guides/trust-scores" icon="chart-line">
    Understanding and configuring continuous trust evaluation.
  </Card>

  <Card title="Cross-tenant delegation" href="/guides/cross-tenant-delegation" icon="arrow-right-arrow-left">
    Enable agents to operate across organizational boundaries.
  </Card>

  <Card title="AI orchestration" href="/guides/ai-orchestration" icon="diagram-project">
    Multi-agent workflow execution with safety guardrails.
  </Card>

  <Card title="MAIP integrations" href="/guides/maip-integrations" icon="plug">
    Connect agents to Slack, GitHub, VS Code, Neovim, LangChain, and more.
  </Card>
</CardGroup>
