v0.1  ·  Protocol specification
New ·  Agent Passports

Chio.

The trust network for autonomous commerce.

A shared proof system for agents, swarms, and autonomous organizations. Every agent-to-agent action carries signed authority, recursive delegation, lineage, selective disclosure, and settlement context across trust boundaries.

HTTP · gRPC · MCP · ACP · A2A · Middleware · Orchestrators · Six languages
Chio · live mediation
capability · valid, scoped · 0.04ms
guards · entering pipeline… · 1.6ms
budget · $12.40 / $50.00 · 0.1ms
receipt · signed, committed · 0.2ms
Receipt · 0x8a4f…c2b1 · ed25519 ✓
Chio secures every surface your agents touch
47 integrations · growing
Protocols: MCP · A2A · ACP · OpenAI · HTTP
SDKs: Rust · TypeScript · Python · Go
Frameworks: LangChain · LlamaIndex · CrewAI · AutoGen · Vercel AI
Web / API: FastAPI · Django · Express · Axum · Gin · Spring Boot
Orchestration: Temporal · LangGraph · Airflow · Prefect · Ray
Streams: Kafka · NATS · Pulsar · EventBridge · Pub/Sub · Redis Streams
Runtime: Kubernetes · Envoy · Lambda · WASM · SPIFFE
Web3: x402 · Agentic Commerce · USDC · Base · Solana · Chainlink
Evidence: Splunk · Elastic · OCSF · NIST AI RMF · SOC 2

01 · The Gap

Four questions go unanswered
every time an agent acts in the world.

Agents are becoming economic actors. The infrastructure still assumes they're chatbots.

Question 01 · unanswered

Who is this agent?

No standard for verifiable agent identity across organizational boundaries. No portable credentials.

identity · unverified

Question 02 · unanswered

What can it do?

Permissions scattered across configurations, not cryptographically verifiable or safely delegatable.

authorization · implicit

Question 03 · unanswered

What did it cost?

No spending limits, no settlement, no budget enforcement fused into the execution path itself.

economics · unbounded

Question 04 · unanswered

What happened?

No machine-verifiable proof of what was authorized, denied, or completed. Just logs and hope.

accountability · logs only

02 · The Economy

From implicit trust
to a settled machine economy.

Four stages. The infrastructure your agents need in order to act, get paid, and be held accountable.

01 · Today

Actions fire
into the void.

Agents call tools without identity, budgets, or proof. Every invocation is an implicit promise the infrastructure cannot keep.

03 · The Kernel

Four stages. Eighteen guards.
One fail-closed pipeline.

Every tool invocation flows through four deterministic stages: token validation, the guard pipeline, an economic check, and a signed receipt. Stage two is itself a pipeline of 18 composable guards.

invocation · deploy_service · cap_7f3a…e91d
01 · Token: signature · expiry · scope · revocation
02 · Guards: 18 composable guards · fail-closed · conjunctive
03 · Economy: budget · underwriting · metering
04 · Receipt: ed25519 · Merkle-committed · append-only

Stages compose declaratively in a manifest file. Each is fail-closed. If any stage fails for any reason, the invocation is denied and a signed deny-receipt is still produced.

04 · The Proof

Every decision
produces evidence.

Signed, append-only, Merkle-committed. One artifact that serves as audit trail, billing ledger, and compliance record. No separate systems to reconcile.
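The fail-closed guard pipeline and the append-only, Merkle-committed receipt log described above, as an added Python example that is not Chio's implementation. The guard names, receipt fields and `prev_root` chaining are assumptions made for illustration, and ed25519 signing is left out because the Python standard library does not provide it.

```python
import hashlib
import json

def leaf_hash(receipt):
    # Canonical JSON so a receipt always hashes to the same leaf; the 0x00/0x01
    # prefixes keep leaves and inner nodes distinct (the RFC 6962 convention).
    data = json.dumps(receipt, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(b"\x00" + data).digest()

def merkle_root(leaves):
    if not leaves:
        return hashlib.sha256(b"").digest()
    level = list(leaves)
    while len(level) > 1:
        nxt = [hashlib.sha256(b"\x01" + level[i] + level[i + 1]).digest()
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])  # odd node is carried up unchanged
        level = nxt
    return level[0]

def mediate(log, tool, ctx, guards):
    """Run every guard; anything other than a clean True denies (fail-closed)."""
    decision, failed = "allow", None
    for name, guard in guards:
        try:
            ok = guard(tool, ctx) is True
        except Exception:
            ok = False  # a guard that crashes denies the call
        if not ok:
            decision, failed = "deny", name
            break
    receipt = {"seq": len(log), "tool": tool, "decision": decision,
               "failed_guard": failed,
               "prev_root": merkle_root([leaf_hash(r) for r in log]).hex()}
    log.append(receipt)  # deny receipts are committed as well
    return receipt

def verify_log(log):
    """Recompute each receipt's prev_root; editing an earlier receipt breaks it."""
    return all(r["seq"] == i and
               r["prev_root"] == merkle_root([leaf_hash(x) for x in log[:i]]).hex()
               for i, r in enumerate(log))

# Constructed guards and invocations (hypothetical names, not Chio's guard set).
ALLOWED = {"fetch_url", "deploy_service"}
GUARDS = [("tool_allowlist", lambda tool, ctx: tool in ALLOWED),
          ("budget", lambda tool, ctx: ctx["spent"] + ctx["cost"] <= ctx["limit"])]

def run_demo():
    log = []
    mediate(log, "deploy_service", {"spent": 0.0, "cost": 12.40, "limit": 50.0}, GUARDS)
    mediate(log, "shell_exec", {"spent": 12.40, "cost": 0.0, "limit": 50.0}, GUARDS)
    mediate(log, "fetch_url", {"spent": 12.40}, GUARDS)  # malformed context
    return log
```

The third call is denied because the budget guard raises on the incomplete context, and `verify_log` returns `False` once any receipt that a later receipt commits to has been altered.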

Chio Receipt · signed
Decision: allow
tool · deploy_service
capability: cap_e857…dd99
guards: 7/7 passed
cost: $12.40 / $50.00
merkle root: 0x98cd…b880
timestamp: 2026-04-17T12:00:07Z
ed25519:493357…09a366

Audit trail

Every allow, deny, cancel, and incomplete decision is recorded with full context. Query by agent, tool, capability, or time range.

00:01.248  fetch_url  allow
00:01.401  query_db  allow
00:01.612  deploy_service  allow
00:01.814  read_secret  deny
00:02.039  send_email  allow
00:02.221  deploy_service  allow
00:02.433  shell_exec  deny

Billing ledger

Receipts carry cost data. Settlement between organizations reduces to receipt reconciliation. No separate billing system to run.

Compliance record

Non-repudiable proof that policies were enforced. Export to SIEM systems via built-in Splunk HEC and Elasticsearch adapters.

05 · Get Started

Install once.
Command the whole stack.

Chio is a Rust runtime, SDKs in four languages, and a CLI that reaches every corner of the governance lifecycle: scaffold a project, wrap an MCP server, protect an HTTP API, issue passports, run the HA trust control plane.

# Install the Chio runtime, no Rust required
$ curl -fsSL https://www.chio.world/install.sh | sh

# Scaffold a runnable project with deny-by-default
$ chio init my-project

# Wrap any MCP server, unchanged
$ chio mcp serve \
    --preset code-agent \
    --policy policy.yaml my-mcp-server

Rust · chio
TypeScript · @chio-protocol/sdk
Python · chio-py
Go · chio-go

01

Scaffold

chio init drops in a runnable workspace with a deny-by-default policy, a sample server, and a smoke client.

02

Mediate

chio mcp serve or chio api protect wraps your tools. No code changes. Deny-closed with preset guards.

03

Audit

Receipts stream to your SIEM. chio receipt list queries them by agent, tool, budget, or time.

The toolbelt

A dozen commands. The governance lifecycle, end to end.

chio init · Scaffold a runnable workspace with deny-by-default policy
chio check · Validate a policy call offline, with structured verdicts
chio guard test · Run WASM-guard fixtures with fuel-metered evaluation
chio mcp serve · Wrap any MCP server with signed receipts, unchanged
chio api protect · Reverse-proxy sidecar for any HTTP API, policy-gated
chio trust serve · Run the HA trust control plane with durable replication
chio receipt list · Query receipts by agent, tool, budget, or time range
chio evidence export · Sign an offline-verifiable evidence bundle for auditors
chio cert verify · Verify a compliance certificate in quick or full mode
chio passport issue · Issue an Agent Passport as a W3C verifiable credential
chio reputation compare · Compare live subject state against a portable passport
chio certify publish · Publish a signed conformance artifact to the registry

Showcase

Internet of agents.
Incident response across org boundaries.

Meridian Labs has a sev-1 outage caused by a bad edge rule at their CDN provider, Stratos Networks. A commander agent orchestrates triage, then delegates a bounded fix to the provider. Six hops across two organizations, every tool call mediated, every capability attenuable, every decision signed.

Happy path · Attenuation deny · Midchain revoke · Approval gate · TTL expiry · Offline review
Meridian Labs · Stratos Networks
01 · Commander · cap_root
02 · Broker (ACP) · cap_triage
03 · Coordinator · cap_rollback
04 · Executor · cap_exec · 10m ttl
05 · Tool · apply fix, once
Signed evidence bundle · 0x8a4f…c2b1

06 · FAQ

Short answers, honest ones.

MCP defines how agents discover and invoke tools. Chio wraps MCP servers without modification, adding authorization, economic enforcement, and non-repudiable receipts. Think of MCP as the calling convention and Chio as the trust layer.
No. Chio sits between your agent and your MCP servers as a mediating proxy. Your existing tool implementations work unchanged. Chio intercepts, validates, and receipts each invocation transparently.
Guard evaluation runs in microseconds. The kernel adds single-digit millisecond latency per invocation, negligible compared to typical LLM inference and tool execution times.
The core runtime and SDKs are Apache 2.0. The protocol specification is published and freely available. The hosted trust control plane is a commercial offering.
A signed deny-receipt is still produced and committed to the ledger. Fail-closed by default means every attempted action, whether it ran or not, leaves an auditable trace.
Chio · Universal security kernel for the agent economy