circle-check
zkPassport is now live — verify ePassport authenticity with zero-knowledge proofs, a trust anchor for identity in the age of AI.
Learn morechevron-right
search
GitHubTwitterDiscord

Agent Trust Gateway Stack

As the AI agent economy expands, autonomous agents are increasingly tasked with interacting with high-value, sensitive resources: executing trades, accessing private data APIs, signing smart contracts, and managing financial instruments. This shift from human-to-machine to machine-to-machine interaction creates a massive trust deficit.

How can a resource provider (a Verifier) trust that an AI agent is authorized by a verified human? And how can the human trust that the agent will not misuse their credentials?

The zkMe Agent Trust Gateway is the solution. It acts as a secure, privacy-preserving middleware layer, a “trust gatekeeper”, that mediates all interactions between AI agents and external resources.

hashtag
Core Positioning

The Agent Trust Gateway is not an agent execution environment itself. It is the authorization and policy enforcement layer that sits between the agent and the target resource. Its primary functions are:

  1. Real-Time Policy Evaluation. Checking if an agent’s request complies with the human user’s predefined rules (time windows, value limits, target constraints).

  2. Credential Verification. Validating the Agent-Ready Credentials (and underlying user credentials) presented by the agent against on-chain state.

  3. Secure Context Provisioning. Injecting verified data or authorization tokens into the agent’s context only when all conditions are met, inside a hardware-secured enclave.

hashtag
Architectural Components

The Gateway is designed with a hardware-grade security foundation to ensure that even the gateway operators cannot tamper with the verification process or access sensitive data.

               ┌────────────────────────────────────────────────────────┐
               │                    TEE Enclave                         │
               │  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐  │
               │  │   Policy     │  │  Credential  │  │   Protocol   │  │
               │  │   Engine     │  │  Verifier    │  │   Adapters   │  │
               │  │              │  │              │  │              │  │
               │  │ Time/Freq    │  │ Signature    │  │ MCP Server   │  │
               │  │ Value/Risk   │  │ Revocation   │  │ x402/APF     │  │
               │  │ Target       │  │ Expiration   │  │ OIDC4VP      │  │
               │  │ Constraints  │  │ Merkle Root  │  │ W3C VC/DID   │  │
               │  └──────┬───────┘  └──────┬───────┘  └──────┬───────┘  │
               │         │                 │                  │         │
               │         └────────┬────────┘──────────────────┘         │
               │                  │                                     │
               │         ┌────────▼────────┐                            │
               │         │  PASETO Token   │                            │
               │         │  Signing        │                            │
               │         └────────┬────────┘                            │
               │                  │                                     │
               │         ┌────────▼────────┐                            │
               │         │  Audit Logger   │                            │
               │         │  (append-only)  │                            │
               │         └─────────────────┘                            │
               └────────────────────────────────────────────────────────┘

hashtag
TEE Enclave (Trusted Execution Environment)

The core logic of the Gateway runs inside a hardware-secured Trusted Execution Environment (e.g., Intel SGX or AMD SEV). This provides three critical guarantees:

Guarantee
What It Means

Confidentiality

Data processed inside the enclave (decrypted credentials, user policies, session keys) cannot be read by the host operating system, the infrastructure provider, or even zkMe itself.

Integrity

The code running inside the enclave cannot be modified without detection. Any tampering attempt invalidates the enclave’s attestation.

Remote Attestation

The Gateway can cryptographically prove to external parties (users, agents, and verifiers) that it is running the correct, unmodified zkMe Gateway code inside a genuine TEE. This proof is verifiable by anyone.

The TEE enclave is the reason the Gateway can handle sensitive operations (credential decryption, policy evaluation, token signing) without requiring users to trust the gateway operator. The hardware itself enforces the security guarantees.

hashtag
Policy Engine

The Policy Engine evaluates incoming agent requests against the authorization policies set by the human user (the Agent Principal). Policies are defined at delegation time and stored encrypted in the zkVault.

Policies can be defined across multiple dimensions:

Dimension
Example Rules

Time / Frequency

  • “Agent can only trade between 9 AM and 5 PM UTC.”

  • “Maximum 5 requests per hour.”

  • “Delegation expires after 24 hours.”

Value / Risk

  • “Maximum transaction value of $1,000 per action.”

  • “Maximum cumulative spend of $10,000 per day.”

  • “Block any action flagged as high-risk by KYT.”

Target Constraints

  • “Agent can only interact with Uniswap V3 contracts on Ethereum mainnet.”

  • “Agent can only access the /api/portfolio endpoint.”

  • “Agent cannot interact with any contract not on the whitelist.”

Credential Scope

  • “Agent can prove user is over 18, but cannot prove user’s exact age.”

  • “Agent can prove KYC status, but cannot prove nationality.”

If a request violates any policy constraint, the Gateway rejects the request immediately and logs the rejection. The agent receives a structured error response indicating which constraint was violated, without revealing the policy details.

hashtag
Credential Verifier

This module interfaces with the zkMe Credential System. When an agent presents an Agent-Ready Credential, the Verifier performs the following checks:

  1. Cryptographic signature validation. Verifies the credential was issued by a trusted zkMe Issuer and has not been tampered with.

  2. Non-revocation check. Queries the on-chain State Contract to confirm the credential has not been revoked by the Issuer.

  3. Expiration check. Confirms the credential and the delegation have not expired.

  4. Merkle root verification. Validates the credential’s claims against the current on-chain Merkle root to ensure state consistency.

  5. Delegation chain validation. Verifies the cryptographic binding between the agent’s credential and the human user’s underlying identity credential.

hashtag
Protocol Adapters

To ensure seamless integration into the existing AI and Web3 ecosystem, the Gateway includes native adapters for standard protocols. Each adapter translates protocol-specific requests into the Gateway’s internal evaluation format and returns protocol-compliant responses.

For detailed documentation on each supported protocol, see Supported Protocols.

Protocol
Use Case

MCP (Model Context Protocol)

AI agent communication. Agents connect as MCP Clients; the Gateway acts as an MCP Server exposing tools via JSON-RPC.

APF / x402

Agent payment facilitation. Handles HTTP 402 payment challenges by verifying agent payment credentials and facilitating transactions.

W3C VC / DID

Foundational data models. The Gateway natively parses and validates W3C Verifiable Credentials and resolves DIDs.

ERC-8004

On-chain agent reputation. Indexes agent reputation tokens and includes them in policy evaluation.

OIDC4VP

Web2 bridge. Handles OpenID Connect flows for Verifiable Presentations, enabling integration with traditional OAuth/OIDC services.

PASETO

Token issuance. Issues short-lived, scoped authorization tokens using PASETO v4 (stronger security guarantees than JWT).

hashtag
The Trust Flow

When an agent attempts to access a protected resource via the Gateway, the high-level flow is as follows:

1

hashtag
Request

The agent sends an action request (e.g., “Buy 1 ETH on Uniswap”) to the Gateway, attaching its Agent-Ready Credential. The request arrives via one of the supported protocol adapters (e.g., as an MCP tool call).

2

hashtag
TEE Ingress

The request enters the TEE enclave. From this point forward, all processing occurs inside the hardware-secured environment.

3

hashtag
Credential Verification

The Credential Verifier validates the agent’s credential (signature, revocation, expiration, Merkle root, delegation chain).

4

hashtag
Policy Evaluation

The Policy Engine evaluates the request against the user’s stored policies (time, value, target, scope constraints).

5

hashtag
Human-in-the-Loop (Optional)

If the policy dictates that the action is high-risk (e.g., exceeds a value threshold), the Gateway pauses execution and sends a push notification to the user’s SSI Wallet for explicit approval. The user can approve, reject, or modify the request.

6

hashtag
Context Provisioning / Token Issuance

If approved, the Gateway either:

  • Proxies the request directly to the target resource with the necessary authorization, or

  • Issues a short-lived, scoped PASETO token to the agent, which the agent presents to the target resource independently.

7

hashtag
Audit Logging

The Gateway records a cryptographic hash of the transaction (action type, timestamp, result, policy evaluation outcome) to an append-only audit ledger. The log does not contain the payload itself, preserving privacy while enabling accountability.

For the complete 8-step technical specification, see Agent Session Flow.

hashtag
Why the Gateway is Essential

hashtag
For Users (Agent Principals)

The Gateway provides a single control panel to monitor, authorize, and instantly revoke access for all AI agents. Users define granular policies that constrain agent behavior, and they can require human approval for high-risk actions. Their digital identity and assets are never exposed to the agents directly; the agent only ever receives scoped, time-limited authorization tokens.

hashtag
For Agent Developers

The Gateway removes the liability of handling user PII. Agent developers do not need to implement complex cryptography, credential verification, or compliance checks. They integrate with the Gateway via standard protocols (MCP, OIDC4VP) and receive structured authorization responses. This enables the creation of more powerful, autonomous workflows without the security burden.

hashtag
For Verifiers (dApps, APIs, Smart Contracts)

The Gateway offloads the complex burden of verifying agent identity, user authorization, and credential validity. The Verifier only needs to trust the Gateway’s output (a PASETO token or a verified proof). This is backed by the TEE’s remote attestation, which cryptographically proves the Gateway is running unmodified code in a genuine hardware enclave.

hashtag
Available as Independent Services

The Agent Trust Gateway technology stack is available for licensing and deployment by external organizations. Customers can acquire any capability independently or license the full stack to build and operate their own agent authorization infrastructure using zkMe's TEE execution environment, policy engine, and protocol adapter suite.

Capability
Acquisition Model

TEE-Enclaved Execution

License the enclave runtime (Intel SGX / AMD SEV integration, remote attestation, secure key management)

Policy Engine

License the policy evaluation engine (multi-dimensional rule sets, encrypted policy storage, per-session evaluation)

Credential Verifier

License the real-time credential validation module (signature, revocation, expiration, Merkle root, delegation chain checks)

Protocol Adapters

License individual adapters (MCP, x402/APF, ERC-8004, OIDC4VP, W3C VC/DID, PASETO v4) or the full adapter suite

Session Management

License the 8-step session lifecycle pipeline (OAuth2/PKCE authentication through audit logging)

Audit Logging

License the append-only cryptographic logging system with decentralized ledger anchoring

Human-in-the-Loop

License the configurable approval workflow engine with push notification integration

circle-check

All modules support flexible engagement models including technology licensing for self-hosted deployment, managed service with pay-as-you-go or committed-use pricing, and full white-label solutions. Contact the zkMe team at [email protected]envelope.

PreviousAgent-Ready CredentialsNextAgent Session Flow

Last updated