WAB v1.3 · Trust Layer

Cryptographic Trust for Agent Discovery

WAB v1.3 binds every domain's discovery manifest to an Ed25519 signature, with the public key published in DNS and protected by DNSSEC. No CA. No central registry. Trust is rooted exactly where it should be — in domain ownership.

Verify any domain

Runs the full 5-check trust report: DNS · DNSSEC · public key · HTTPS manifest · signature.

Generate Ed25519 keypair

Stateless. The server never stores your private key — save it offline and use it to sign your wab.json.


          
          

          
          

          
⚠ This is the only time the private key is shown. Copy it now.

        

      

    


    
    

    
    

      
How WAB v1.3 trust works

      
    
        
  1. Generate keypair (Ed25519, 32 bytes each) — offline or via the button above.
    2. 
        
  2. Publish public key in DNS: _wab IN TXT "v=wab1; endpoint=https://example.com/.well-known/wab.json; pk=ed25519:<BASE64>".
    3. 
        
  3. Enable DNSSEC on your zone (most registrars: 1-click). DNSSEC chain protects the key from spoofing.
    4. 
        
  4. Sign your manifest with the private key: node wab-sign.js sign wab.json key.privwab.signed.json.
    5. 
        
  5. Upload signed manifest to https://example.com/.well-known/wab.json.
    6. 
        
  6. Agents fetch the TXT (verify DNSSEC) → fetch the manifest (verify signature with DNS-published key) → trust established.
    7. 
      

      
Compare to ANS, sitemap.xml, llms.txt, ai.txt:
        WAB vs other protocols →

      
Offline tools: wab-sign.js · wab-verify.js