The trust layer for the agent economy

Verifiable trust
for AI agents.

Membrane binds an agent's intent, policy, payment, response, and memory into a single tamper-evident proof — anchored on-chain, verifiable offline, and open across every rail: x402, AP2, ACP, MCP, A2A.

Start building For compliance teams
Open sourceMulti-chainAvalanche by home
membrane.attestation — bundle.json verified offline
Intent
ap2:intent-mandate · 0x9f3c…a17
Policy
spend ≤ $20/day · category C
Identity
erc-8004 · kite passport · did:agent
Payment receipt
x402 · USDC · 0x4e1d…b02
Response hash
keccak256 · 0xc7a9…3f1
Memory entry
commitment · 0xe520…9ac
Chain anchor
avalanche · merkle root · block #
Bundle commitment
one signed, portable proof
Why now

The agent economy is being built
faster than it can be trusted.

Payments, identity, and memory for AI agents are all shipping at once. The connective tissue that proves an action actually happened — under whose authority, against what budget, producing what result — is the layer no one owns yet.

$1.5–8T
Projected agentic commerce volume by 2030 across major analyst forecasts.
JUNIPER · MCKINSEY · ARK
Aug 2.
EU AI Act high-risk obligations bind in 2026 — traceability, event logging, retention.
EU AI ACT · ART. 12 & 26
+32%
Rise in malicious prompt-injection payloads in web content, Nov 2025–Feb 2026.
GOOGLE THREAT RESEARCH
Zero
Major agent memory frameworks that emit a tamper-evident, verifiable audit trail today.
MEM0 · ZEP · LETTA
The primitive

One proof bundle.
Every layer of an agent action.

Membrane isn't a chain, a wallet, or a memory store — it's the attestation that binds them. Each consequential agent action produces one signed, portable bundle, and any party can verify it offline, with no trust in Membrane required.

01 Intent
02 Policy
03 Identity
04 Payment receipt
05 Response hash
06 Memory entry
07 Chain anchor

Mem0, Zep and Letta give your agent a memory.
Membrane gives that memory a receipt.

How it works

From agent action to anchored
proof — in one call.

Membrane sits in the path of the agent's existing tools. It doesn't replace your stack — it observes, captures, commits, and anchors.

01

Agent acts

The agent signs an intent mandate; a spending policy is active. The authorization is captured before anything moves.

02

Membrane captures

Tool-call envelope, payment receipt, response hash, and the memory entry written — each hashed with its provenance.

03

Bundle is committed

The layers are bound into one attestation and folded into a Merkle root with other actions in the batch.

04

Anchored & verifiable

The root is anchored on-chain. Anyone runs kwi-verify offline and gets a clean yes / no.

Multi-chain by design

Avalanche by home.
Portable across the EVM.

A canonical registry lives on Avalanche. A byte-identical anchor contract deploys to the same address on every EVM chain. Proofs anchor where the agent actually works — and verification never depends on a bridge.

Hub-and-spoke topology

The canonical index is on Avalanche C-Chain. Every spoke anchor back-references it — one place to look up any Membrane proof, on any chain.

  • Avalanche C-Chain holds the canonical registry — the single source of truth across all chains.
  • One address everywhere. 0xMembrane… is the same on Base, Ethereum, Optimism, Arbitrum — via CREATE2.
  • Bridges are never in the trust path. The verifier reads each anchor on its own home chain, directly.
  • Avalanche ICM is the native cross-chain glue for Membrane's own multi-L1 future.
Explore the full architecture
Basespoke Ethereumspoke Optimismspoke Arbitrumspoke AVALANCHE C-Chain canonical registry
For builders

Drop in the verifier.
Get proofs out.

An SDK in TypeScript and Python, a local verifier, and an MCP server — so any MCP-aware agent gets Membrane attestation by adding one server. Receipt-format pluralist: x402, AP2, ACP, Stripe and Circle receipts all flow into the same bundle.

kwi-verify — bundle verification
# install — TypeScript or Python
$ npm install @kwi/membrane
$ pip install kwi-membrane
# verify a proof bundle — offline, no trust in Membrane
$ kwi-verify bundle.json
✓ intent mandate signature
✓ spending policy — not violated
✓ payment receipt — matches policy
✓ response hash — matches output
✓ memory entry — commitment matches
✓ anchor — avalanche-fuji · block 41,208,917
bundle verified — 6/6 checks passed

SDK — TypeScript & Python

Wrap a tool call, emit an attestation. One import, sane defaults.

Local verifier

Chain-config-driven. Reads the anchor on its own home chain, checks the Merkle proof, done.

Membrane MCP server

Exposes attest_call, verify_bundle, query_memory_proof — to every MCP-aware agent.

Receipt-format pluralist

x402, AP2 mandates, ACP SPTs, Stripe & Circle webhooks — equivalent inputs into one attestation.

Apache-2.0 solc 0.8.24 38/38 contract tests passing
Read the developer docs
For compliance & risk

An audit trail your regulator
can actually verify.

When an agent touches money, data, or a consequential decision, "we logged it" isn't enough. Membrane turns every agent action into a signed, tamper-evident record — readable by an auditor, verifiable by anyone.

The deadline is on the calendar
Aug 2, 2026
EU AI Act high-risk obligations become binding — traceability, event logging, six-month retention, human oversight.
Non-compliance penalties run to €15M or 3% of global revenue, whichever is higher.
  • Verifiable per-action logs
    Every tool call, payment, and memory write — captured with its authorizing intent and policy.
  • Tamper-evident by construction
    Merkle-committed and chain-anchored. A log entry cannot be altered after the fact without detection.
  • Offline, independent verification
    Your auditor doesn't have to trust Membrane — or you. They run the verifier themselves.
  • Cross-rail, cross-chain
    One audit standard whether the agent paid via x402, AP2, ACP, or a card network — on any chain.
See it work

An agent buys an API key.
Membrane proves all of it.

The wedge demo: a real agent, real USDC, a real x402 endpoint on Avalanche Fuji — and one composite proof at the end that a user, or a compliance officer, can verify.

STEP 01

Intent, signed

"Buy a 30-day API key from Provider X if it's under $20." Signed as an intent mandate.

STEP 02

x402 call

The agent hits the provider's x402 endpoint and receives a payment-required challenge.

STEP 03

USDC on Fuji

The agent signs and broadcasts a USDC payment — within the active spending policy.

STEP 04

Receipt + key

An x402 receipt and the API key come back. The response is content-hashed.

STEP 05

Memory written

"Purchased API key for Provider X, expires <date>" — written with full provenance.

STEP 06

Bundle emitted

Intent, policy, receipt, response hash, memory entry — bound and anchored to Fuji.

kwi-verify bundle.json  →  six green checks. The product just became real.
Roadmap

Staged, in public, shipping now.

0–2 WKS
CI, SDK hardening, local verifier, known-vector tests
2–6 WKS
Verifiable memory MVP, Fuji anchor, encrypted payload mode
6–12 WKS
x402 / AP2 receipt binding, mandates, spending policies
3–5 MO
Membrane MCP server, SDK integrations
5–9 MO
Agent identity, scoped capabilities, A2A proof bundles
9–15 MO
Hosted Membrane network, dashboard, pilots
12–24 MO
KWI privacy, mainnet anchors, shielded commitments, formal audit
The window is open

The trust layer gets
chosen this year.

Membrane is open source and being built in public. Integrate the SDK, run the verifier, or talk to us about a pilot before the August deadline.

Start building Explore the architecture