The federated trust broker that gives your AI agents cryptographic identity, zero-knowledge messaging, and compliance-grade audit — across organizational boundaries.
When agents from different organizations need to collaborate, they rely on mechanisms that were never designed for autonomous, cross-boundary interactions.
Long-lived secrets that grant permanent, unlimited access. A single leak means full impersonation with no way to detect or revoke the compromise in real time.
Agents from different organizations have no way to cryptographically verify each other's identity. There's no chain of trust, no issuer validation, no proof of origin.
When something goes wrong across organizational boundaries, there is no tamper-evident record of who authorized what. Compliance is impossible. Non-repudiation is a myth.
Every security property is enforced at the protocol level. No configuration knobs to get wrong. No secrets to share between organizations.
Three-tier certificate hierarchy with SPIFFE IDs. Each organization brings its own CA. No passwords, no API keys — cryptographic identity from day one.
RFC 9449 proof-of-possession. Access tokens are cryptographically bound to the agent's ephemeral key. A stolen token is worthless without the private key.
AES-256-GCM payload encryption with RSA-OAEP key wrapping. Dual RSA-PSS signatures for non-repudiation and transport integrity. The broker never reads your messages.
Each organization controls its own Policy Decision Point via webhook. The broker enforces both orgs' decisions. No centralized power. Sovereignty by design.
SHA-256 hash-chained append-only log. Any tampering — insert, modify, delete, reorder — breaks the chain and is immediately detectable. SIEM-ready export.
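The hash-chain tamper detection described above, as an added example that is not Cullis's own code: each entry's hash commits to the previous hash, its position and its canonical content, so an in-place edit, a deletion, an insertion or a swap breaks the chain at a specific index. The entry layout, the `GENESIS` anchor and the sample records are assumptions made for this illustration.

```python
# Added example, not Cullis's own code: a SHA-256 hash-chained append-only
# audit log and a verifier that flags insert, modify, delete and reorder.
# Entry layout and the sample records below are assumptions.
import hashlib
import json

GENESIS = "0" * 64  # anchor for the first entry's prev_hash


def entry_hash(prev_hash: str, seq: int, record: dict) -> str:
    # Commit to predecessor, position and canonical (sorted, compact) content.
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    h = hashlib.sha256(prev_hash.encode())
    h.update(seq.to_bytes(8, "big"))
    h.update(body)
    return h.hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, record: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        seq = len(self.entries)
        entry = {"seq": seq, "prev_hash": prev, "record": record,
                 "hash": entry_hash(prev, seq, record)}
        self.entries.append(entry)
        return entry


def verify_chain(entries: list[dict], expected_head: str = "") -> tuple[bool, int]:
    """Return (True, -1) if intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev_hash"] != prev:
            return False, i          # gap, insertion or reordering
        if entry_hash(prev, i, e["record"]) != e["hash"]:
            return False, i          # content or header modified in place
        prev = e["hash"]
    if expected_head and prev != expected_head:
        return False, len(entries)   # tail truncated (needs an anchored head)
    return True, -1


def sample_log() -> AuditLog:
    # Constructed sample events, not real Cullis audit records.
    log = AuditLog()
    for i in range(4):
        log.append({"actor": f"spiffe://org-a/agent-{i}",
                    "action": "session.create", "decision": "allow"})
    return log
```

Truncating the tail is the one change the chain alone cannot reveal, which is why `verify_chain` also accepts an expected head hash: the value a signed checkpoint or SIEM export would carry out of band.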
Built on WIMSE, SPIFFE, RFC 9449 (DPoP), RFC 7638 (JWK Thumbprint), RFC 7517 (JWKS). No proprietary protocols. No vendor lock-in. Interoperable by design.
Each organization configures its own IdP — Okta, Azure AD, Google. OAuth 2.0 Authorization Code with PKCE. Client secrets encrypted at rest via KMS.
Open Policy Agent as an alternative backend. Rego policies included. Switch from webhook to OPA with a single environment variable. No code changes required.
Broadcast RFQs to matching suppliers, collect quotes with timeout. Single-use transaction tokens bound to payload hash authorize specific operations after approval.
Stripe-style developer portal per agent. BYOCA certificate upload, integration guides with Python/TypeScript/cURL snippets, recent activity feed, credential management.
Distributed traces and metrics via OTLP/gRPC. Custom spans for auth, x509 verification, policy calls. Counters for auth success/deny, session created/denied, rate limit rejects.
Full-lifecycle SDKs: x509 auth, DPoP key management, E2E encryption, message signing, WebSocket streaming. Secret manager support — private keys never touch disk.
The broker is a neutral intermediary. Each organization retains full control over its agents, policies, and encryption keys.
Multi-role dashboard, one-command deployment, database migrations, health probes, structured logging, and a complete enterprise integration kit.
Network admin sees everything. Org admin sees only their agents, sessions, and audit. CSRF protection, security headers, HTMX live badges, dark theme. Zero build step.
./deploy.sh generates secrets, configures TLS, starts Docker Compose. Dev, production, and Let's Encrypt modes. Vault production unsealing with Shamir secret sharing (5 key shares, threshold 3).
Step-by-step guide for security teams. Docker Compose templates, PDP webhook templates with configurable rules, OPA policy bundle, and interactive quickstart script.
Health probes (/healthz, /readyz), Alembic database migrations, PostgreSQL backup with 30-day rotation, structured JSON logging for SIEM, audit export API.
One command to deploy the full stack: broker, PostgreSQL, Redis, Vault, nginx, and Jaeger tracing.
Cullis operates at a different layer — it provides the identity and trust primitives that gateways, frameworks, and orchestrators don't.
| Capability | API Keys | OAuth 2.0 | Cullis |
|---|---|---|---|
| Proof of possession | — | — | DPoP (RFC 9449) |
| Mutual authentication | — | — | x509 + SPIFFE |
| E2E encryption | — | — | AES-256-GCM |
| Federated policy | — | — | Per-org PDP webhook |
| Tamper-evident audit | — | — | SHA-256 hash chain |
| Token theft protection | — | — | Ephemeral key binding |
| Multi-org federation | — | — | Bring Your Own CA |
| Agent discovery | — | — | Capability-based |
| SSO / OIDC federation | — | Partial | Per-org IdP + PKCE |
| Policy engine | — | — | Webhook + OPA |
| Certificate rotation | — | — | API + Dashboard |
Cullis is open source, standards-aligned, and ready for your first pilot. Star the repo, open an issue, or deploy it today.