# gentik

> Infrastructure platform for autonomous AI agents. Domain registration, event delivery, authentication, and email — all API-first with Ed25519 auth.

gentik provides the core services that autonomous AI agents need to operate on the internet. All services share Ed25519-based authentication and are designed for programmatic access — no dashboards, no OAuth, no CAPTCHA.

## Services

### Domains (live)
- **URL**: https://agentdomains.dev
- **What**: Domain registrar for AI agents
- **API docs**: https://agentdomains.dev/api/docs
- **OpenAPI spec**: https://agentdomains.dev/api/openapi.json
- **Service llms.txt**: https://agentdomains.dev/llms.txt
- **Agent discovery**: https://agentdomains.dev/.well-known/agent.json
- Capabilities: domain registration, DNS management, domain renewal, contact management, nameserver management, audit logging, real-time registration updates via Relay

### Relay (closed beta)
- **What**: Event delivery channels for agent-to-agent and service-to-agent communication
- Capabilities: event ingestion via POST, event polling via GET, WebSocket push, per-channel Durable Object isolation
- Tiers: free tier (100 events/day, 1 channel) and paid tier (unlimited events, unlimited channels)
- Events are JSON payloads with a type field, delivered in order per channel
- Integrated with Domains: when Relay is enabled, domain registration responses include a pre-provisioned relay channel for real-time payment and registration updates
- Note: Invoice channels provisioned by Domains are restricted to the purchasing agent via ACL, regardless of relay beta status

### Auth (live)
- **What**: Standalone Ed25519 challenge-response authentication service
- Capabilities: challenge issuance, signature verification, API key generation, API key validation (service-to-service)
- Supports SSH keys (`ssh-ed25519 AAAA...`), raw Ed25519 hex (64 chars), and base58/Solana wallets
- Used by all gentik services; other services can integrate via HTTP or Cloudflare Service Binding

### Email (closed beta)
- **What**: Email hosting for agents — mailbox provisioning, IMAP/SMTP credentials, and webmail access on registered domains
- Status: closed beta — apply via POST https://agentdomains.dev/api/beta/apply with { "feature": "email" }
- Pricing: $5/mo base (1 mailbox, 5 GB storage), additional storage at $2/mo per 5 GB block
- Capabilities: mailbox provisioning, IMAP/SMTP app passwords, webmail, auto-provisioned MX records, scalable storage up to 100 GB

## Authentication Flow

All gentik services use the same Ed25519 challenge-response flow:

1. **Generate keypair**: Create an Ed25519 keypair (SSH, raw, or Solana wallet)
2. **Request challenge**: POST /api/auth/challenge with your public key
3. **Sign challenge**: Sign the challenge string with your private key
4. **Verify signature**: POST /api/auth/verify with challengeId + signature
5. **Receive API key**: Get back a `gtk_`-prefixed API key for all subsequent requests

API keys are passed via `Authorization: Bearer gtk_...` or `X-API-Key: gtk_...` header.

### Supported Key Formats
- **SSH**: `ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA...` (standard OpenSSH format)
- **Raw hex**: 64-character hexadecimal Ed25519 public key
- **Base58**: 32-44 character base58-encoded key (Solana wallet format)

### Signature Formats
- **SSH SSHSIG**: `-----BEGIN SSH SIGNATURE-----...` (RFC 8709, namespace: "gentik")
- **Raw Ed25519**: 128-char hex or base64-encoded signature

## Quick Start

```bash
# 1. Generate an Ed25519 keypair
ssh-keygen -t ed25519 -f agent_key -N ""

# 2. Request a challenge
curl -X POST https://auth.gentik.io/challenge \
  -H "Content-Type: application/json" \
  -d '{"publicKey": "'"$(cat agent_key.pub)"'"}'

# 3. Sign the challenge (save the challenge string from step 2)
echo -n "gentik:1234567890:abc..." | ssh-keygen -Y sign -f agent_key -n gentik

# 4. Verify and get API key
curl -X POST https://auth.gentik.io/verify \
  -H "Content-Type: application/json" \
  -d '{"challengeId": "...", "signature": "-----BEGIN SSH SIGNATURE-----..."}'

# 5. Use your API key
curl https://agentdomains.dev/api/domains/check?domain=myagent.dev \
  -H "Authorization: Bearer gtk_..."
```

## API References

| Service | API Docs | OpenAPI Spec | llms.txt |
|---------|----------|-------------|----------|
| Domains | https://agentdomains.dev/api/docs | https://agentdomains.dev/api/openapi.json | https://agentdomains.dev/llms.txt |
| Relay | (internal) | — | — |
| Auth | (internal) | — | — |

## Key Concepts

- **Agent identity**: Agents are identified by their Ed25519 public key fingerprint (SHA256 hash)
- **API key format**: `gtk_` prefix + base64url random bytes, SHA-256 hashed in database
- **Soft delete**: Agents are never hard-deleted; a `deletedAt` timestamp marks them inactive
- **Idempotency**: Domain registration supports `Idempotency-Key` header (24-hour TTL)
- **Rate limiting**: 100 requests/minute per API key or IP address
- **Error shape**: `{ error: "message", details?: object, hint?: "guidance" }`

## Pricing (Domains)

- Wholesale cost + tiered markup based on TLD wholesale price
- Multi-year discount: 50% off markup for years 2+
- Markup scales with wholesale cost — budget TLDs ($3), standard TLDs ($8), premium TLDs ($10–$19)
- Payments via Stripe (human-in-the-loop approval)

## Contact

- Support: support@gentik.io
- Website: https://gentik.io
- Documentation: https://gentik.io/docs
- GitHub: https://github.com/verslabs