
EMILIA Protocol
β 2from emiliaprotocol
Require a named human's offline-verifiable approval before an AI agent takes an irreversible action β payment release, record change, deploy. Two-person rule, Ed25519 Trust Receipts, IETF-drafted, Apache-2.0.
EMILIA Protocol
The engine without brakes
For fifty years, software security answered one question: who is allowed in? Firewalls, OAuth, and passwords β all built to verify a human identity at the door.
That era is ending. The dominant users of software are no longer humans; they're autonomous AI agents. Agents don't just log in β they write code, call tools, and change reality on the fly. Every CISO knows a single bad prompt can make an agent wipe a production database or wire money to the wrong account. So they're blocking deployment β sitting on billions in AI budget they can't spend because their compliance teams can't answer one question:
Who approved that action?
The crisis of our generation isn't authentication. It's authorization at the moment of action: how do you prove that what an agent is about to do is exactly what a named human authorized β before it executes?
EMILIA is the seatbelt for the agentic era.
Decision logs are testimony. EMILIA produces receipts.
No receipt, no irreversible action
If an agent tries to move money, delete code, deploy production, change permissions, or mutate regulated state without a valid EMILIA receipt, the tool refuses to run β and if it runs, anyone can verify who authorized exactly what, offline, trusting no one.
That is the whole protocol. The developer wedge is one wrapper around an irreversible MCP tool. See it cold, fully offline, no key, no account β each demo runs the entire loop (refused β named human signs the exact action β tool runs β forged receipt rejected):
node examples/mcp/payment-server.mjs # release_payment β refuses without a receipt
node examples/mcp/github-admin.mjs # delete_repo β refuses without a receipt
node examples/mcp/prod-deploy.mjs # deploy_production β refuses without a receiptWrap your own tool dispatcher in production β see examples/mcp/ and /mcp:
import { withMcpGuard } from '@emilia-protocol/mcp-guard';
const guarded = withMcpGuard(handleTool, {
annotations: { release_payment: { irreversible: true, action: 'payment.release' } },
}); // missing receipt β refused, never a silent passTry it in 30 seconds
# Issue a receipt offline β no API key, no backend needed
npx @emilia-protocol/issue demo# Add EMILIA to Claude / Cursor / Cline
npx -y @emilia-protocol/mcp-serverTry a real Face ID signoff β Approve an $82,000 wire with your own passkey. See what VERIFIED looks like. Forge the receipt. See it fail.
Verify any receipt in your browser β paste it in, nothing is uploaded.
How it works β four acts

Run it yourself:
node examples/crash-test.mjsβ fully offline, no API key.
[ INTENT ] [ DECISION ] [ CEREMONY ] [ RECEIPT ]
Agent calls a Policy-bound, hash- Named human signs Signed, offline-
tool via MCP β pinned: allow / β the EXACT action β verifiable proof.
allow-with-signoff / on their own Tamper it:
deny (+observe device (passkey). fails by design.
mode: zero change What they saw =
to production) what they signed.Act I β Interception (MCP-native). No rewrites. EMILIA hooks the tool call at the Model Context Protocol boundary β the moment an agent tries to delete a file or move capital, the action is caught mid-air.
Act II β Decision (policy-bound, deterministic). The action is checked against a hash-pinned policy: allow, allow-with-signoff, or deny. Plus an observe mode that changes nothing in production and reports what would have been held. Deterministic, auditable β not a black-box risk score.
Act III β The ceremony (device-bound human signoff). When policy requires a human, EMILIA runs a WebAuthn / passkey signoff bound to the exact action β Face ID / Touch ID on the operator's own device. This narrows the "what you saw is what you signed" gap (via the experimental display-attestation profile); it does not eliminate it. No autonomous loop can skip the ceremony.
Act IV β The receipt (the evidence). The result is a signed authorization receipt that anyone can verify offline, with open-source code, no backend, no vendor trust. Tamper it and verification fails by construction. Optionally anchor it for public timestamping β the core needs no blockchain.
Why developers use it
You want agents that actually do things β but you're paralyzed by runaway loops, API over-spend, and accidental data destruction. EMILIA gives you a plug-and-play MCP server + a thin SDK wrapper. Apply a policy hash, and irreversible tool calls gain a cryptographically hardened, NIST-AI-RMF-mapped approval-and-evidence layer β without building approval workflows or audit infrastructure from scratch.
# langchain-emilia β wrap any LangChain tool with an EP gate
from langchain_emilia import EmiliaGateClient
gate = EmiliaGateClient(base_url="https://www.emiliaprotocol.ai", api_key="...")
safe_tool = gate.wrap(your_destructive_tool)pip install langchain-emilia # PyPI
npm install @emilia-protocol/verify # npmYour agent can't outrun its leash.
Why enterprises need it
Every platform shift mints a new security primitive: the web got SSL, the cloud got Okta / IAM, the agent economy needs action-level trust. Enterprises are sitting on AI budgets that compliance won't let them spend β EMILIA is the key that unlocks them, by turning unpredictable agents into audit-ready infrastructure that maps primitive-by-primitive to NIST AI RMF, EU AI Act, and SOC 2 CC6/7 controls.
The managed layer (GovGuard / FinGuard) extends the open standard with sector-specific policy packs, observe-mode pilots, and audit-ready evidence packages β with no procurement required to start.
The standard
EMILIA is an open standard, not a product moat. The core is Apache-2.0 and tracked as an IETF Internet-Draft.
| IETF Internet-Drafts | Posted: authorization-receipts Β· quorum. Staged in standards/: authorization-evidence-chain (EP-AEC, composition) Β· evidence-record (EP-EVIDENCE-RECORD, long-term retention). |
| Cross-language verifiers | JavaScript Β· Python Β· Go β all three proven to agree on adversarial conformance vectors, every push (npm run conformance). That is the IETF bar for a real standard: multiple independent interoperable implementations. |
| Formal verification | 26 TLA+ safety properties (0 errors) Β· 35 Alloy facts, 22 assertions β both run in CI |
| MCP registries | Official MCP registry Β· Glama (Grade A, Official badge) Β· Smithery |
| License | Apache-2.0 |
Three independent implementations proven to agree β see CONFORMANCE.md, or verify a receipt yourself at emiliaprotocol.ai/verify.
The EP stack
Eye observes. Handshake verifies. Signoff owns. Commit seals.| Layer | What it does |
|---|---|
| EP Eye | Observes and classifies agent behavior (OBSERVE β SHADOW β ENFORCE) |
| EP Handshake | Cryptographic consent ceremony with 7-property binding |
| EP Signoff | Named human ownership β WebAuthn / passkey Class A, device-bound; multi-party quorum (M-of-N / ordered β the two-person rule) for the highest-stakes actions |
| EP Commit | Atomic, immutable action close with Merkle-chained receipts |
Proof points
| Metric | Value |
|---|---|
| Automated tests | 4,821 across 234 files |
| TLA+ safety properties | 26 verified (T1βT26), 0 errors β see PROOF_STATUS.md |
| Alloy relational assertions | 35 facts + 22 assertions across two models β verified in CI |
| Red-team cases cataloged | 85 β RED_TEAM_CASES.md |
| Security findings remediated | 31 |
| Conformance (7/7) | node conformance/ep-conformance-test.js https://www.emiliaprotocol.ai |
| Cross-language conformance | 8 suites β receipts Β· device signoffs Β· multi-party quorum Β· revocation Β· time-attestation Β· trust-receipt Β· provenance Β· evidence-record β JS / Python / Go verifiers agree (node conformance/run.mjs) |
| Handshake create p95 | 575ms at 50 VUs β PERFORMANCE_PROOF.md |
EP Core objects
EP standardizes three interoperable objects that any conforming implementation can produce and verify:
| Object | What it is |
|---|---|
| Trust Receipt | A portable, signed record of an authorization event β what happened |
| Trust Profile | A standardized summary of observable trust state β what is known |
| Trust Decision | A policy-evaluated result with reasons and appeal path β what to do now |
EP Extensions (Handshake, Signoff, Commit, Delegation) add stronger enforcement where systems must constrain execution. The product layers (GovGuard / FinGuard) are built on top β not the protocol itself.
What EP is β and is not
EP is authorization at the moment of action, not an identity system, not a wallet, not a reputation score.
- Is: a trust standard for binding actor identity, authority, policy, and exact action context before execution
- Is not: a replacement for OAuth / OIDC (those answer who are you β EP answers who approved this exact action)
- Is not: a proprietary product (the core is Apache-2.0 and IETF-tracked)
- Is not: a blockchain (the receipt is the hero; optional public timestamping is a footnote)
See CONFORMANCE.md Β· SECURITY.md Β· THREAT_MODEL.md Β· GOVERNANCE.md Β· Neutrality Covenant
# Issue a receipt offline β no API key, no backend needed
npx @emilia-protocol/issue demoQuickstart in five calls
- Create policy
- Initiate handshake
- Present evidence
- Verify
- Signoff and consume
90-second demo Β· Quickstart Β· Agent walkthrough Β· IETF Draft Β· Discord
No common issues documented yet. If you hit a problem, the repository's GitHub Issues page is the best place to look.