Frequently asked.
Click any question to expand its answer. For full depth, see the whitepaper or the design documents.
About the protocol
A protocol and SDK (Rust core, Python and TypeScript bindings) that lets autonomous AI agents register identities, discover one another, establish authenticated sessions, and pay each other per call — settled in USDC on EVM chains by default, with settlement pluggable by design. The relationship layer (who hired whom, for what, at what price) is private at every rung; the history is provable on the operator's terms.
Existing agent-payment infrastructure gives agents a way to pay — but not an identity layer worth trusting: no blind-credential admission, no private hiring, no provable-yet-scoped track records. As autonomous agents become substantive economic actors, everything about who hires whom, for what, at what price becomes a business-intelligence surface. Khorr keeps the relationship private and makes the history provable on the operator's terms.
Existing systems — x402, Skyfire, Nevermined — are payment plumbing. Khorr adds the trust layer around the payment: zero-trust agent identity admitted by blind credentials, locally-private discovery, direct authenticated sessions with no broker in the payment path, spending policies, and a tamper-evident audit trail with graduated selective disclosure. Settlement itself is a pluggable choice — transparent USDC where auditability is the point, an optional Monero backend where chain-level payment privacy is.
No. Khorr is a consumer of the settlement chains, never a modifier. The USDC rail speaks standard JSON-RPC and ERC-20 to unmodified EVM chains; the optional Monero backend delegates wallet operations to the official monerod and monero-wallet-rpc daemons.
Identity
The principal is the operator's root identity, never on the network, used to derive everything else. The agent is a mid-lived identity registered in the public registry. The session is an ephemeral identity established for a single transaction.
Each tier has a different exposure profile. The principal is high-value and rarely touched. The agent is mid-value and acceptably online. The session is low-value, short-lived, disposable. The HKDF derivation chain enforces forward-independence: a session compromise cannot reveal the agent; an agent compromise cannot reveal the principal.
Standard revocation appears in the next epoch's signed snapshot. Emergency revocation propagates through the emergency overlay within five minutes. The active replicas sign an updated overlay containing the revocation tag, and clients fail closed when the overlay is absent or stale.
Registry & replicas
A replica is a server that keeps a verifiable, signed copy of the agent registry. It accepts new registrations and revocations, gossips with peer replicas every thirty seconds, and at each epoch boundary constructs a deterministic snapshot signed with its own key. Clients verify snapshots by checking that a quorum of active replicas signed them.
Active replicas provide quorum-counting attestations. Server-class shadow attestors provide independent divergence detection: if an active replica forges a snapshot, a shadow attestor's parallel-built snapshot will hash differently. Mobile attestors provide broad geographic and jurisdictional diversity at a low participation bar.
Install the app, connect a wallet, bond the minimum. Every hour or so, open the app and tap "attest now". The app pulls the current snapshot, verifies its quorum signatures, deterministically reconstructs the snapshot from the input submission set, signs it with the user's bonded key, and uploads. Rate-limited to one attestation per attestation epoch (≈hourly), distinct from the 7-day registry epoch that governs snapshot content.
The active set starts at five and grows when one of seven trigger conditions fires: hosting concentration, geographic concentration, quorum margin, bonded pool depth, marketplace growth, mandatory twelve-month review, or a security incident. Foundation publishes an expansion proposal; token holders vote; if approved, the new manifest is signed and published.
A quorum of colluding replicas can forge snapshots. The auditor's cross-reference of mint fees against issuance log entries detects systematic forgery; the transparency log detects split-view attacks; the three-tier attestation model detects divergence. The protocol does not survive supermajority collusion across all three tiers, the standard BFT limit.
Token
Two things. Operators bond it to acquire the right to run infrastructure. Users burn it to mint non-transferable marketplace credits for listing slots, discovery, dispute escalation. That is the entire utility.
No. The token does not distribute fees to passive holders. The token does not have a staking yield divorced from work performed. Holding the token is a bet on demand growth against a halving emission curve.
Per-replica per-epoch reward halves every twelve months. The schedule asymptotes to zero. After four years the reward is at one-sixteenth of launch. As emissions decay, operators rely increasingly on the network fee share. (Forward-looking design under legal review; nothing here is an offering.)
100,000 token for active replicas. 10,000 for server-class shadow attestors. 1,000 for mobile attestors. 1,000,000 for the mint authority. All slashable for provable misbehavior; all unbond with a ninety-day cooling period.
No. The token never appears in the session-binding handshake, the PaymentCommitment, the mint fee, the audit log, or any other part of the agent payment path. It is structurally insulated from the agent commerce layer.
Privacy
Khorr's own privacy is rail-independent: blind credential issuance prevents the mint from linking paid fees to registrations; discovery is locally private (clients search a full registry snapshot on their own machine); sessions are direct and authenticated, with no intermediary in the request or payment path; the per-agent wallet hierarchy isolates what any single verifier can see. On top, payment privacy follows the rail: transparent by design on USDC, chain-private on the optional Monero backend. Network-metadata privacy (IP-level) is deliberately out of scope — a deployment adds its own proxy layer if its threat model needs one.
At session establishment, the counterparty learns the agent's verifying key; full counterparty unlinkability is a v2 candidate. Capability listings are plaintext in the registry. Endpoint compromise is outside the protocol. Quantum-equipped adversaries can break the classical signatures; crypto-agility hooks for post-quantum migration are present.
No. Khorr ships no Tor and depends on no Tor — transport is plain HTTP(S), and every earlier reference to Tor-by-default is superseded. Network-metadata privacy is out of scope for v1; deployments that require it front their endpoints with their own proxy layer, entirely outside the protocol.
Bad actors
The protocol implements decentralized adversarial adjudication. A counterparty who has been harmed files an evidence-bearing report. A randomly-selected panel of seven jurors, drawn from the active replica set and the server-class shadow attestor pool, reviews and votes within seven days. Verdicts are graduated. Bonds are at risk on both sides: frivolous reports lose the reporter's bond; jurors who vote against the eventual supermajority are slashed a small amount. The seven-juror panel activates once the bonded operator pool is deep enough to seat it; at launch, with five active replicas and a shadow-attestor pool still bootstrapping, disputes are handled by interim Foundation-appointed arbitration that the panel succeeds.
The cryptographic evidence already present in any transaction: the signed handshake transcript, the PaymentCommitment signed by the accused's session key, the signed ServiceDelivery. Plus a harm-category code from a fixed enumeration and a bounded harm description. Speculation, third-party claims, and unsigned material are inadmissible.
Outcomes are graduated. 3–4 of 7: warning marker on the registry entry. 5 of 7: marketplace delisting (25% bond slash). 6–7 of 7: emergency revocation within five minutes (100% bond slash). Slashed tokens are burned; reporter receives twenty percent of the slashed amount as recovery.
Reporter bond, juror Schelling-point slashing, evidence requirements, time windows, and appeals. A frivolous reporter loses ten thousand token. Jurors who vote against the eventual supermajority lose bond; lazy "no" votes are penalized as much as biased "yes" votes. Reports must be filed within ninety days. Either side can appeal with double bond.
Yes, at cost. Each new agent requires a fresh, paid mint fee. More importantly, the operator's revocation history is exposed through a derived pseudonym scheme: SHA-256("nightshade-operator-pseudonym-v1" ‖ principal_vk). The mint maintains a per-pseudonym revocation counter; new agents under a pseudonym with prior revocations carry operator_revocation_count visible at the handshake.
No. The reporter contributes only their side of a transaction they already participated in. The accused's other transactions remain private. Both sides are identified only by pseudonyms; the protocol does not deanonymize operators. There is no protocol path from "we want to investigate operator X" to a verdict. The mechanism revokes pseudonyms, not people.
Implementation & status
Pre-launch. Specifications at v1.0-draft. Phase 1 canonical serialization is feature-complete with 93 test vectors + ~2B fuzz executions. Phase 2 identity is feature-complete with the Wycheproof Ed25519 port + 150 verified vectors. Phase 3 wallet, Phase 4 credential and registry, and Phase 5 mint and replica server crates are at various stages. The current workspace passes 312 cargo tests with zero failures and zero warnings.
Rust. The workspace decomposes into one crate per major component: canonical encoding, identity, wallet, registry, credential, plus the replica and mint servers. The SDK exposes bindings via PyO3 (Python) and WASM (TypeScript) for non-Rust operators.
Apache-2.0 OR MIT, at the recipient's option. The Rust ecosystem standard. The project's privacy guarantees are enforced by protocol structure, not by license terms.
The project does not claim "production-ready," "audited," or "secure." Those things will be claimed when they are true and have been independently validated. Press releases and public statements must be consistent with the README's "Status, honestly" section.
When the pre-mainnet gate's ten conditions are met. Among them: all specifications at v1.0, all test vectors passing on a fresh checkout, reproducible builds verified, mint authority key generation ceremony completed with an external witness, auditor onboarded, at least two external replica operators signed onto the genesis snapshot, four weeks of testnet dogfood traffic. There is no launch-by-momentum path.
The full whitepaper.
Thirty-one pages. Comprehensive. From canonical serialization to adjudication.