Cullis
A self-hosted trust broker and MCP proxy that gives your AI agents cryptographic identity, zero-knowledge messaging, and compliance-grade audit — across organizational boundaries.
When agents from different organizations need to collaborate, they rely on mechanisms that were never designed for autonomous, cross-boundary interactions.
Long-lived secrets that grant permanent, unlimited access. A single leak means full impersonation with no way to detect or revoke the compromise in real time.
Agents from different organizations have no way to cryptographically verify each other's identity. There's no chain of trust, no issuer validation, no proof of origin.
When something goes wrong across organizational boundaries, there is no tamper-evident record of who authorized what. Compliance is impossible. Non-repudiation is a myth.
Every security property is enforced at the protocol level. No configuration knobs to get wrong. No secrets to share between organizations.
Org-level gateway that handles all crypto complexity. Agents authenticate with simple API keys. The proxy manages certificates, Vault secrets, and broker communication automatically.
Certificates generated automatically when orgs join and agents register. No openssl commands, no manual CSR flows. RSA-4096 Org CA created on first join, agent certs on demand.
Broker admin generates invite tokens. Org admins open the proxy dashboard, enter broker URL and token, and self-register. Approval-based flow with zero manual certificate exchange.
Three-tier certificate hierarchy with SPIFFE IDs. Each organization brings its own CA. No passwords, no shared secrets — cryptographic identity from day one.
RFC 9449 proof-of-possession. Access tokens are cryptographically bound to the agent's ephemeral key. A stolen token is worthless without the private key.
AES-256-GCM payload encryption with RSA-OAEP key wrapping. Dual RSA-PSS signatures for non-repudiation and transport integrity. The broker never reads your messages.
Each organization controls its own Policy Decision Point via webhook. The broker enforces both orgs' decisions. No centralized power. Sovereignty by design.
SHA-256 hash-chained append-only log. Any tampering — insert, modify, delete, reorder — breaks the chain and is immediately detectable. SIEM-ready export.
Built on WIMSE, SPIFFE, RFC 9449 (DPoP), RFC 7638 (JWK Thumbprint), RFC 7517 (JWKS). No proprietary protocols. No vendor lock-in. Interoperable by design.
Each organization configures its own IdP — Okta, Azure AD, Google. OAuth 2.0 Authorization Code with PKCE. Client secrets encrypted at rest via KMS.
Open Policy Agent as alternative backend. Rego policies included. Switch from webhook to OPA with a single environment variable. No code changes required.
Broadcast RFQs to matching suppliers, collect quotes with timeout. Single-use transaction tokens bound to payload hash authorize specific operations after approval.
Proxy dashboard for org admins. Create agents, view credentials, manage capabilities, and monitor activity. Certificates auto-generated, bindings auto-created on the broker.
Distributed traces and metrics via OTLP/gRPC. Custom spans for auth, x509 verification, policy calls. Counters for auth success/deny, session created/denied, rate limit rejects.
Full-lifecycle SDKs: x509 auth, DPoP key management, E2E encryption, message signing, WebSocket streaming. Secret manager support — private keys never touch disk.
Agents talk to their local MCP Proxy with simple API keys. Proxies handle all cryptography and communicate with the broker over mTLS. Each organization retains full control.
Two dashboards, one-command deployment, invite-based onboarding, auto PKI, and a complete enterprise integration kit. Fully self-hosted.
Deploy on your infrastructure. No SaaS dependency, no cloud lock-in, no data leaving your network. You own the broker, the proxies, and every encryption key.
Broker dashboard for network admins: approve orgs, manage tokens, view audit. Proxy dashboard for org admins: create agents, manage credentials, monitor activity. CSRF protection, dark theme.
Each org deploys its own MCP Proxy. Agents connect with API keys. The proxy handles cert generation, Vault storage, and broker communication. Zero crypto knowledge required from agents.
./deploy.sh for the broker. docker compose -f docker-compose.proxy.yml up for the proxy. Dev, production, and Let's Encrypt modes. Vault production unsealing with Shamir 5/3.
Step-by-step guide for security teams. Docker Compose templates, PDP webhook templates with configurable rules, OPA policy bundle, and interactive quickstart script.
Health probes (/healthz, /readyz), Alembic database migrations, PostgreSQL backup with 30-day rotation, structured JSON logging for SIEM, audit export API.
Deploy the broker and proxy on your own infrastructure. Generate an invite token, register your org, create agents.
Cullis operates at a different layer — it provides the identity and trust primitives that gateways, frameworks, and orchestrators don't.
| Capability | API Keys | OAuth 2.0 | Cullis |
|---|---|---|---|
| Proof of possession | — | — | DPoP (RFC 9449) |
| Mutual authentication | — | — | x509 + SPIFFE |
| E2E encryption | — | — | AES-256-GCM |
| Federated policy | — | — | Per-org PDP webhook |
| Tamper-evident audit | — | — | SHA-256 hash chain |
| Token theft protection | — | — | Ephemeral key binding |
| Multi-org federation | — | — | Bring Your Own CA |
| Agent discovery | — | — | Capability-based |
| Self-service onboarding | — | — | Dashboard + auto PKI |
| Self-hosted deployment | — | Partial | Fully self-hosted |
| SSO / OIDC federation | — | Partial | Per-org IdP + PKCE |
| Policy engine | — | — | Webhook + OPA |
| Certificate rotation | — | — | API + Dashboard |
Cullis is open source, standards-aligned, and ready to deploy on your infrastructure today. Star the repo, open an issue, or run it in your own network.