DEVELOPER SDK
Add cryptographic human provenance to any application
OAuth lets users delegate authority to apps without sharing passwords. VAC lets humans delegate authority to AI agents without losing accountability. Every agent action traces through a cryptographic chain back to a verified human. The chain is signed (Ed25519), the constraints are mathematical (scope can only narrow, never expand), and the audit trail is permanent.
The provenance_ref is a single identifier that follows a workflow from root human through every agent and sub-agent. One query reconstructs everything — who authorised the chain, what each agent did, and what happened. Over time, these records form an execution graph: the infrastructure for agent reputation, anomaly detection, and trust-aware routing.
THREE ENGINES, ONE API
Verification Engine
Multi-modal biometric verification. Pluggable — use our built-in engine or integrate iProov, Veriff, Sumsub, or your own provider. VAC handles the delegation chain regardless of who does the verification.
VAT Engine
Mint Verifiable Authority Tokens with scope, budget, and time constraints. Create delegation chains from human to agent to sub-agent. Monotonic narrowing enforced at every level.
Trust Graph
Build vouch networks where verification gets cheaper over time. Query trust scores, check vouch relationships, and let the graph drive your verification economics.
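The signed, narrowing-only delegation chain described above can be checked by any relying party. The following is an added example, not VAC SDK code: the token layout (`parent`, `issuer`, `subject`, `expires_at`, `sig`) and the helper names are assumptions, while `resources`, `actions` and `max_spend_usd` mirror the issue/l1 request on this page.

```javascript
// Added example, not VAC SDK code. parent, issuer, subject, expires_at and sig
// are assumed field names; resources/actions/max_spend_usd mirror issue/l1.
const { generateKeyPairSync, sign, verify } = require('node:crypto');

// Bytes covered by the signature: every field except sig, in a fixed order.
const payload = (t) => Buffer.from(JSON.stringify([t.jti, t.parent, t.issuer,
  t.subject, t.resources, t.actions, t.max_spend_usd, t.expires_at]));
const mint = (fields, issuerKey) => ({ ...fields,
  sig: sign(null, payload(fields), issuerKey).toString('base64') });
const subset = (child, parent) => child.every((x) => parent.includes(x));

// chain[0] is the human-issued root; keys maps principal id -> public key.
// Returns null when valid, otherwise a string naming the first failed check.
function verifyChain(chain, keys, rootIssuer) {
  for (let i = 0; i < chain.length; i++) {
    const t = chain[i], p = chain[i - 1], pub = keys[t.issuer];
    if (!pub || !verify(null, payload(t), pub, Buffer.from(t.sig, 'base64')))
      return `${t.jti}: bad signature`;
    if (i === 0) {
      if (t.issuer !== rootIssuer || t.parent !== null) return `${t.jti}: bad root`;
      continue;
    }
    // Each link must be issued by the holder of the token directly above it.
    if (t.parent !== p.jti || t.issuer !== p.subject) return `${t.jti}: broken link`;
    if (!subset(t.resources, p.resources)) return `${t.jti}: resources widened`;
    if (!subset(t.actions, p.actions)) return `${t.jti}: actions widened`;
    // Negated <= so a missing or NaN limit is rejected rather than accepted.
    if (!(t.max_spend_usd <= p.max_spend_usd)) return `${t.jti}: budget widened`;
    if (!(t.expires_at <= p.expires_at)) return `${t.jti}: expiry extended`;
  }
  return null;
}

// Constructed sample chain: human -> agent -> sub-agent.
function demo() {
  const human = generateKeyPairSync('ed25519'), agent = generateKeyPairSync('ed25519');
  const keys = { human: human.publicKey, agent: agent.publicKey };
  const root = mint({ jti: 'vat_root', parent: null, issuer: 'human', subject: 'agent',
    resources: ['email:read', 'calendar:read'], actions: ['read', 'summarise'],
    max_spend_usd: 10, expires_at: 2000 }, human.privateKey);
  const child = (over) => mint({ jti: 'vat_child', parent: 'vat_root', issuer: 'agent',
    subject: 'sub-agent', resources: ['calendar:read'], actions: ['read'],
    max_spend_usd: 5, expires_at: 1500, ...over }, agent.privateKey);
  const check = (c) => verifyChain([root, c], keys, 'human');
  return { ok: check(child({})), widened: check(child({ resources: ['email:send'] })),
    overBudget: check(child({ max_spend_usd: 50 })),
    forged: check({ ...child({}), max_spend_usd: 9 }) }; // field edited after signing
}
```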
THE SIMPLE PATH — ONE LINE OF CODE
Already have an agent? Add a recordAction call (a POST to /v1/vat/record/action) after each action. That's it. Your agent is now in the execution graph with a complete audit trail back to the human who authorised it.
// Your existing agent code — unchanged
const result = await agent.readCalendar();

// Add one line — action is now in the execution graph
await fetch('https://vac-system-production.up.railway.app/v1/vat/record/action', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    vat_jti: token.jti,        // from issue/l1
    action: 'read',          // what the agent did
    resource: 'calendar:events', // what it accessed
    result: 'success'         // what happened
  })
}); // → { recorded: true, aar_id: "aar_...", provenance_ref: "prov_..." }
FULL CONTROL — AUTHORIZE → ACT → COMPLETE → FEEDBACK
For production: check permission before acting, record the outcome after, and let the human rate the result. This is the complete trust loop.
// Hosted API base URL (the same host as in the one-line example above) and shared JSON headers
const VAC = 'https://vac-system-production.up.railway.app';
const headers = { 'Content-Type': 'application/json' };

// 1. Issue an authority token (L1 = API key level, instant)
const root = await fetch(`${VAC}/v1/vat/issue/l1`, {
  method: 'POST',
  headers,
  body: JSON.stringify({
    agent_id: 'my-agent',
    developer_email: 'you@company.com',
    resources: ['email:read', 'calendar:read'],
    actions: ['read', 'summarise'],
    constraints: { max_spend_usd: 10 }
  })
}).then((r) => r.json()); // parse the response body so root.jti is available

// 2. Check permission BEFORE the agent acts
const auth = await fetch(`${VAC}/v1/vat/authorize`, {
  method: 'POST',
  headers,
  body: JSON.stringify({ vat_jti: root.jti, action: 'read', resource: 'email:read' })
}).then((r) => r.json()); // → { authorized: true, aar_id: "aar_...", trust_score: 0.4 }

// Stop here unless the action was explicitly authorized
if (auth.authorized !== true) throw new Error('VAC authorization denied');

// 3. Agent does the thing, then records the outcome
await fetch(`${VAC}/v1/vat/aar/${auth.aar_id}/complete`, {
  method: 'POST',
  headers,
  body: JSON.stringify({ result: 'success', result_hash: 'sha256:...' })
});

// 4. Human reviews the result (closes the trust loop)
await fetch(`${VAC}/v1/vat/aar/${auth.aar_id}/feedback`, {
  method: 'POST',
  headers,
  body: JSON.stringify({ rating: 'approved', note: 'Result was exactly right' })
}); // → reputation improves → routing gets smarter

// 5. Query the reputation (what's this agent's track record?)
const rep = await fetch(`${VAC}/v1/vat/reputation/my-agent`).then((r) => r.json());
// → { execution_score: 1.0, feedback_score: 1.0, combined_reputation: 1.0 }
MULTI-LEVEL ASSURANCE
L1 — API Key
Instant onboarding. POST /v1/vat/issue/l1. Base trust 0.4. For development, testing, low-risk automation. Zero friction — get a token in one API call.
L2 — OIDC / SSO
Enterprise integration. POST /v1/vat/issue/l2. Base trust 0.7. Binds to your existing SSO provider (Okta, Azure AD, Auth0). No biometrics required.
L3 — Biometric
Highest trust. POST /v1/vat/auth/capture. Base trust 0.95. Six-modality biometric verification: face liveness, deepfake detection, voice, gesture, geolocation, behavioural.
FRAMEWORK INTEGRATION
Node.js / Express
const { vacMiddleware } = require('./vac-middleware');

app.post('/api/calendar',
  vacMiddleware('calendar.write'),
  handler
);
Python / FastAPI
from vac_decorator import vac_protected

@app.post("/api/calendar")
@vac_protected(action="calendar.write")
async def create_event(request): ...
DROP-IN WIDGET
<!-- Add to any page — biometric verification in 3 lines -->
<script src="https://vacprotocol.org/vac-verify.js"></script>
<script>
  VACVerify.init({ apiKey: 'vac_...', onVerified: (r) => console.log(r) });
  VACVerify.open(); // opens modal with camera + challenge
</script>
KEY API ENDPOINTS
View full API documentation (68+ endpoints) →
PLUGGABLE VERIFICATION
VAC Protocol is the authority layer — not a verification provider. Use our built-in biometric engine for demos, or plug in your existing identity provider for production. The delegation chain and trust graph work regardless of who does the verification.
iProov
Veriff
Sumsub
FaceTec
Incode
Custom Provider
INTELLECTUAL PROPERTY
558 patent claims filed across 12 filings covering biometric identity binding, adaptive verification modalities, delegation chains, multi-agent authority, trust graph networks, governance protocols, feedback acceleration, and bidirectional trust systems. The protocol is open for integration — the claims protect the architecture.
vacprotocol.org/api · Full OpenAPI documentation