Cryptographic notary for automated work · Notarize · Gate · Notify
A self-hosted cryptographic notary for automated work.
Your systems and agents record what they intend, what they did, what happened, and on whose authority — each entry Ed25519-signed and hash-chained. So when someone asks who authorized an automated action and what it actually did, you have an answer they can verify offline, without taking your word for it.
An agent-optimized API, CLI, and MCP server adapt it to almost any automated system — from a single agent to delegation chains spanning departments and companies. Run one per project; federate them when work crosses between them.
Enforcement
In the path of the action, not beside it
A notary only matters if the work actually stops to use it. AGLedger is built to sit in front of consequential automated actions — buying hardware, provisioning a user, moving funds — not beside them as a log you hope got written. A gate you run requires the agent to clear AGLedger before the action runs. The decision to allow or block stays yours — your principal or rules engine renders the verdict, and AGLedger holds the signed record of both. Fail-closed is a policy you set. No record, no action.
This is the part after-the-fact logging cannot fix. A log captures what happened, not what the agent meant to do or whose authority it claimed — by the time you ask, it has lost the context and will reconstruct a plausible story that may never have been true. Intent and authority are only honest when they are signed at the moment they are real: before the action.
Notarize
Capture what an automated process intended and what it did — signed and hash-chained as the work happens, whether it's one record or a delegation tree across many systems. The one thing it does not capture is a verdict on the result. That is the Gate.
Gate
Everything Notarize captures, plus a verdict on the result. When work crosses a delegation boundary, the principal — a human, an automated agent, or a rules engine — renders accept or reject, and AGLedger holds the signed record of the verdict. The signed interface, not the judge.
Notify
Keep every other system — and every human — in the loop. A durable, signed subscription pushes each business-meaningful moment to the endpoints you already run: an approval queue, a dashboard, an ERP, a payment platform. Human-in-the-loop by delivery, not by polling. Settlement Signals ride this same channel.
What else is in the box
Trace IDs from OpenTelemetry, Langfuse, Arize, Datadog and others ride inside the signed envelope. Webhooks signed with HMAC or Ed25519 (RFC 9421). OCSF SIEM export. Five API surfaces.
Customer-defined contract types. JSON Schema for criteria and completion. Content-addressed manifests so peers can share vocabulary without a central catalog.
Full cryptographic architecture. COSE_Sign1 over in-toto v1 Statement, deterministic CBOR, append-only enforcement at the database layer.
194 routes over OpenAPI 3.0, plus a CLI and an MCP server. Responses carry nextSteps and hint fields, so agents drive it without scaffolding. RFC 9457 errors.
AGLedger is not an agent platform. It runs underneath what you have — or alone, if you do not. LangSmith, Galileo, Helicone — complement, not replace.
On your infrastructure
AGLedger runs on your systems — Docker Compose or Kubernetes, air-gap capable. You hold the database, the keys, and the records. No phone-home, no kill switch. If the license lapses, the software keeps running, and security patches stay free regardless of support status.
Data sovereignty by architecture. Residency is wherever you put the database. Nothing transits a vendor, no subprocessor touches a record, and federation is peer-to-peer between servers you and your counterparties run. Requirements that take a SaaS vendor a contract addendum to address, AGLedger meets by not being in the data path at all.
Verifiable without us. Anyone holding the public keys can confirm the chain offline. The proof outlives the vendor.
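The properties described on this page (Ed25519-signed, hash-chained entries; offline verification with only the public key; a fail-closed gate), shown in miniature as an added Go example that is not AGLedger's code. The `Entry` layout and the `Append`, `Verify` and `Gate` functions are hypothetical, and the raw `Prev || Payload` signing input stands in for the COSE_Sign1 envelope the product uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Entry is a constructed record shape for this example, not AGLedger's envelope.
type Entry struct {
	Prev    [32]byte // SHA-256 of the previous entry; zero for the first
	Payload []byte   // stated intent, claimed authority, or outcome
	Sig     []byte   // Ed25519 signature over Prev || Payload
}
func (e Entry) signed() []byte { return append(e.Prev[:], e.Payload...) }
func (e Entry) hash() [32]byte { return sha256.Sum256(append(e.signed(), e.Sig...)) }

var demoPub, demoKey, _ = ed25519.GenerateKey(nil) // throwaway demo key pair

// Append signs payload and links it to the current tail of the chain.
func Append(chain []Entry, key ed25519.PrivateKey, payload string) []Entry {
	e := Entry{Payload: []byte(payload)}
	if n := len(chain); n > 0 {
		e.Prev = chain[n-1].hash()
	}
	e.Sig = ed25519.Sign(key, e.signed())
	return append(chain, e)
}

// Verify needs only the public key: it checks every hash link and signature.
func Verify(chain []Entry, pub ed25519.PublicKey) error {
	var prev [32]byte
	for i, e := range chain {
		if e.Prev != prev || !ed25519.Verify(pub, e.signed(), e.Sig) {
			return fmt.Errorf("entry %d: broken link or bad signature", i)
		}
		prev = e.hash()
	}
	return nil
}

// Gate fails closed: true only if the chain verifies and ends in this intent.
func Gate(chain []Entry, pub ed25519.PublicKey, intent string) bool {
	return len(chain) > 0 && Verify(chain, pub) == nil && string(chain[len(chain)-1].Payload) == intent
}

func main() {
	chain := Append(nil, demoKey, "intent: provision user") // constructed sample
	fmt.Println(Verify(chain, demoPub), Gate(chain, demoPub, "intent: provision user"))
}
```

Because each entry's `Prev` covers the previous entry's signature as well as its payload, editing, dropping or reordering any entry breaks verification for everything after it.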
Try it
Developer Edition. Free to use. Production-capable.