EMILIA Protocol

The engine without brakes

For fifty years, software security answered one question: who is allowed in? Firewalls, OAuth, and passwords — all built to verify a human identity at the door.

That era is ending. The dominant users of software are no longer humans; they're autonomous AI agents. Agents don't just log in — they write code, call tools, and change reality on the fly. Every CISO knows a single bad prompt can make an agent wipe a production database or wire money to the wrong account. So they're blocking deployment — sitting on billions in AI budget they can't spend because their compliance teams can't answer one question:

Who approved that action?

The crisis of our generation isn't authentication. It's authorization at the moment of action: how do you prove that what an agent is about to do is exactly what a named human authorized — before it executes?

EMILIA is the seatbelt for the agentic era.

Decision logs are testimony. EMILIA produces receipts.

Related MCP server: Agent Receipts

Try it in 30 seconds

# Issue a receipt offline — no API key, no backend needed
npx @emilia-protocol/issue demo

# Add EMILIA to Claude / Cursor / Cline
npx -y @emilia-protocol/mcp-server

Try a real Face ID signoff → Approve an $82,000 wire with your own passkey. See what VERIFIED looks like. Forge the receipt. See it fail.

Verify any receipt in your browser — paste it in, nothing is uploaded.

How it works — four acts

Run it yourself: node examples/crash-test.mjs — fully offline, no API key.

  [ INTENT ]          [ DECISION ]           [ CEREMONY ]           [ RECEIPT ]
  Agent calls a     Policy-bound, hash-    Named human signs     Signed, offline-
  tool via MCP   →  pinned: allow /     →  the EXACT action  →  verifiable proof.
                    allow-with-signoff /   on their own          Tamper it:
                    deny  (+observe        device (passkey).      fails by design.
                    mode: zero change      What they saw =
                    to production)         what they signed.

Act I — Interception (MCP-native). No rewrites. EMILIA hooks the tool call at the Model Context Protocol boundary — the moment an agent tries to delete a file or move capital, the action is caught mid-air.

Act II — Decision (policy-bound, deterministic). The action is checked against a hash-pinned policy: allow, allow-with-signoff, or deny. Plus an observe mode that changes nothing in production and reports what would have been held. Deterministic, auditable — not a black-box risk score.

Act III — The ceremony (device-bound human signoff). When policy requires a human, EMILIA runs a WebAuthn / passkey signoff bound to the exact action — Face ID / Touch ID on the operator's own device. What the human saw is what they signed. No script can forge it; no autonomous loop can skip it.

Act IV — The receipt (the evidence). The result is a signed authorization receipt that anyone can verify offline, with open-source code, no backend, no vendor trust. Tamper it and verification fails by construction. Optionally anchor it for public timestamping — the core needs no blockchain.

Why developers use it

You want agents that actually do things — but you're paralyzed by runaway loops, API over-spend, and accidental data destruction. EMILIA gives you a plug-and-play MCP server + a thin SDK wrapper. Apply a policy hash, and irreversible tool calls gain a cryptographically hardened, NIST-AI-RMF-mapped approval-and-evidence layer — without building approval workflows or audit infrastructure from scratch.

# langchain-emilia — wrap any LangChain tool with an EP gate
from langchain_emilia import EmiliaGateClient

gate = EmiliaGateClient(base_url="https://www.emiliaprotocol.ai", api_key="...")
safe_tool = gate.wrap(your_destructive_tool)

pip install langchain-emilia   # PyPI
npm install @emilia-protocol/verify  # npm

Your agent can't outrun its leash.

Why enterprises need it

Every platform shift mints a new security primitive: the web got SSL, the cloud got Okta / IAM, the agent economy needs action-level trust. Enterprises are sitting on AI budgets that compliance won't let them spend — EMILIA is the key that unlocks them, by turning unpredictable agents into audit-ready infrastructure that maps primitive-by-primitive to NIST AI RMF, EU AI Act, and SOC 2 CC6/7 controls.

The managed layer (GovGuard / FinGuard) extends the open standard with sector-specific policy packs, observe-mode pilots, and audit-ready evidence packages — with no procurement required to start.

The standard

EMILIA is an open standard, not a product moat. The core is Apache-2.0 and tracked as an IETF Internet-Draft.

Three independent implementations proven to agree — see CONFORMANCE.md, or verify a receipt yourself at emiliaprotocol.ai/verify.

The EP stack

Eye observes. Handshake verifies. Signoff owns. Commit seals.

Proof points

EP Core objects

EP standardizes three interoperable objects that any conforming implementation can produce and verify:

EP Extensions (Handshake, Signoff, Commit, Delegation) add stronger enforcement where systems must constrain execution. The product layers (GovGuard / FinGuard) are built on top — not the protocol itself.

Quickstart in five calls

1. Create policy

2. Initiate handshake

3. Present evidence

4. Verify

5. Signoff and consume

90-second demo · Quickstart · Agent walkthrough · IETF Draft · Discord

What EP is — and is not

EP is authorization at the moment of action, not an identity system, not a wallet, not a reputation score.

• Is: a trust standard for binding actor identity, authority, policy, and exact action context before execution

• Is not: a replacement for OAuth / OIDC (those answer who are you — EP answers who approved this exact action)

• Is not: a proprietary product (the core is Apache-2.0 and IETF-tracked)

• Is not: a blockchain (the receipt is the hero; optional public timestamping is a footnote)

See CONFORMANCE.md · SECURITY.md · THREAT_MODEL.md · GOVERNANCE.md