Your agent can reason.
But can it prove who it is?
Humans need an email address, a password manager, and a phone for 2FA to function on the internet. Remove any one and they're locked out. AI agents need the same primitives — purpose-built for autonomous operation. Loomal is that stack.
Agents run on borrowed identities
and hardcoded secrets.
No accountability
When an agent sends an email or calls an API — who authorized it? Without identity, there's no delegation chain, no audit trail, no accountability.
No trust boundaries
In multi-agent systems, agents can't verify each other. Without identity, any process can impersonate any agent. Inter-agent trust is impossible.
No credentials management
API keys in .env files. 2FA skipped because agents can't handle it. One leaked credential compromises every service the agent touches. No rotation, no scoping, no encryption.
No communication channel
Agents use your personal Gmail or dump to a queue. No dedicated address, no DKIM signing, no threading. Emails land in spam.
No compliance path
FINRA, HIPAA, SOX, CMMC — every framework assumes actions trace to people. Agent actions don't. You're shipping into a regulatory gap with no infrastructure to close it.
No revocation
When an employee leaves, their agents keep running. When a credential leaks, there's no kill switch. No way to revoke access across all services at once.
The fix
The Agent Identity Stack.
Borrowed identities break accountability. Hardcoded secrets break security. Loomal replaces both by giving every agent a complete identity — infinite possibilities, one API. Each capability scoped, auditable, and instantly revocable.
Coming soon
Voice
Phone and WhatsApp calls your agent can make.
Agents that can call, not just type. Make and receive calls over WhatsApp and phone — with the same identity, delegation chain, and audit trail as every other capability in the stack.
await mg.voice.call({
to: "+1-555-0142",
message: followUpScript,
channel: "whatsapp",
})Social
Publish to X, LinkedIn, and Instagram.
Your agent posts under its own verified identity — not yours. Schedule, publish, and engage across social platforms with full attribution and delegation chains on every action.
await mg.social.post({
platform: "linkedin",
content: generatedPost,
identity: "marketing-agent",
})Payments
Collect payments with Stripe integration.
Agents that can invoice, collect, and reconcile. Generate payment links, send them from the agent's own inbox, and track the full lifecycle — every transaction tied to a delegation chain.
const link = await mg.payments.createLink({
amount: 4999,
currency: "usd",
description: "Monthly retainer",
})Messaging
WhatsApp and Telegram for your agents.
Meet customers where they are. Send and receive messages on WhatsApp and Telegram with the same identity guarantees — scoped access, encrypted credentials, and every message traceable.
await mg.messaging.send({
channel: "telegram",
to: chatId,
text: supportResponse,
})KYA Profile
Know Your Agent — the agent's passport.
A machine-readable identity card that tells the world who built this agent, what it can do, and why it should be trusted. Trust scores, attestation counts, compliance badges — earned over time, not declared.
const profile = await mg.kya.resolve(
"did:web:api.loomal.ai:identities:id-abc"
)
// => { trust: { score: 94, attestations: 847 } }Attestation
Verifiable receipts for every agent action.
Cryptographically signed, timestamped, chained records of every action your agent takes. Not logging — tamper-proof, externally verifiable evidence. Auto-attests on email sends, vault reads, and delegation changes.
const receipt = await mg.attestation.create({
action: "claim.submitted",
subject: "CLM-001",
payload: { insurer: "blue-cross" },
})Signatures
Delegated e-signatures with proof of authority.
Your agent signs documents, contracts, and agreements — with the full delegation chain proving who authorized it. Optional human counter-signatures for high-value transactions.
const sig = await mg.signature.create({
documentHash: "sha256:abc123...",
purpose: "contract_execution",
metadata: { value: 25000 },
})OAuth
First-class OAuth identity for your agent.
Your agent gets its own OAuth client — not a borrowed human token. Automatic token refresh, consent-scoped access, and instant revocation. The delegation chain proves who authorized the grant.
const token = await mg.oauth.authorize({
provider: "salesforce",
scopes: ["api", "refresh_token"],
identity: "sales-agent",
})Every capability traces back
to the human who authorized it.
Every agent action — every email, every API call, every credential read — traces through a delegation chain back to the human who authorized it. Revocation cascades instantly: pull one node and everything downstream stops. No orphaned access. No cleanup scripts. One chain. Instant, total revocation. This is how you answer FINRA, HIPAA, and CMMC.
// The delegation chain on every action:
//
// Human (ops@novaworks.io)
// └─ Org (novaworks)
// └─ Identity (sales-agent-x8k2m)
// └─ Action (email sent)
//
// Revoke the human? → Org loses authorization.
// Revoke the org? → All identities shut off.
// Revoke the identity? → All capabilities stop.
//
// One revocation. Complete shutdown. Zero orphaned access.Give your agent an identity.
See it work in two minutes.
Create an identity. Send your agent an email. Watch it reply from its own DKIM-signed address, pull credentials from the vault, and complete 2FA — every step traceable back to you.
Email, vault, and 2FA today. More channels shipping soon.