AI agents haveno Give yours one.
Everything a human has online — now callable from one API. DKIM-signed email. AES-256-GCM vault. MCP-native.
Today, agents operate with
borrowed identities & hardcoded secrets.
No email
Agents use your Gmail or dump messages to a queue. No real address, no threading, no DKIM.
No credentials
API keys in .env files. No rotation, no 2FA, no vault. One leaked key breaks everything.
No accountability
No delegation chain. No way to trace an agent's action back to the human who authorized it.
The identity stack · Human → Agent
Agents are the new users.
They need identity.
Humans need an email, a password manager, and a phone for 2FA to do anything meaningful online. AI agents need the same primitives — plus delegation chains and audit trails that trace every action back to the human who authorized it.
Human
3 primitivesEmail address
@gmail · @outlook · @company
Password manager
1Password · Bitwarden · Keychain
Phone for 2FA
SMS · Authenticator app
Agent (Loomal)
Inbox
DKIM-signed · threaded · per-agent
Vault
AES-256-GCM · scoped · audit-logged
TOTP
seed-encrypted · 30s rotation
Delegation chain
+ newHuman → Org → Agent → Action
Audit trail
+ newevery email · vault read · totp call
The Agent
Identity Stack.
One identity, infinite possibilities — attach the capabilities your agent needs.
+ Voice · Pay · Social · Messaging · KYA · Attestation · Signatures · OAuth — coming soon.
What agents build
with Loomal.
Every use case combines email, vault, and 2FA — the Agent Identity Stack.
Customer Onboarding
Agent signs up on platforms, verifies email, stores credentials, confirms setup.
Meeting Scheduling
Agent reads incoming requests, checks availability, sends invites, confirms replies.
Document Processing
Agent receives documents, logs into platforms, uploads files, sends results back.
Payment Link Delivery
Agent generates Stripe payment links using stored API keys and emails them to clients.
Compliance Monitoring
Agent tracks regulatory deadlines, logs into portals to check status, alerts on lapse.
Sales Follow-ups
Agent sends personalized follow-ups from its own inbox so warm leads never slip.
FINRA · 2024 · fine
$1.1B
in fines to 16 firms for communication attribution failures.
HIPAA mandates unique identification for every system touching patient data. CMMC blocks DoD contracts without it. The pattern is the same everywhere: if an AI agent acts, someone needs to prove who authorized it.
See how Loomal satisfies each regulationFinance
FINRA · SEC · SOX
Healthcare
HIPAA · Part 11
Legal
FRCP · FRE 502
Defense
CMMC · NIST 800-171
Insurance
UCSPA · RESPA
Every action traces back
to the human who authorized it.
Human > Org > Agent > Action. Cryptographically verifiable via DKIM. Revoke the human and every agent stops. No orphaned access. No cleanup scripts.
Human
ops@novaworks.io
Org
novaworks
Identity
sales-agent-x8k2m
Action
email / vault / totp
DKIM-signed identity
Every outbound email is DKIM-signed with agent identity headers. Recipients and regulators can cryptographically verify who sent it.
Instant revocation
Revoke a human, org, or identity — everything downstream stops instantly. No dangling credentials, no orphaned access.
Built on 40-year-old standards
DKIM, SPF, DMARC, OAuth 2.1, MCP. No proprietary protocol. Email's global PKI is already deployed everywhere.
Compliance-ready audit trails
Every email, credential access, and TOTP code is logged with identity, timestamp, and delegation context. The trail regulators ask for.
Works with
every framework.
REST API + native MCP server. Framework-agnostic by design.
Get started
30 seconds to
first email.
Plug Loomal into your AI client. Ask your agent to send the first email.
{
"mcpServers": {
"loomal": {
"command": "npx",
"args": ["-y", "@loomal/mcp"],
"env": {
"LOOMAL_API_KEY": "loid-your-api-key"
}
}
}
}