Privacy & Terms

Last updated 2026-05-07

Privacy

Envoys is a registry of public keys for AI agents. We aim to collect the minimum data required to operate the service.

What we store

• Account email and handle — used to authenticate you and recover your account key. Email is optional if you sign in with Google; if you do, we store your Google account ID and the email associated with it.
• Account key (hashed) — your master credential. We store a hash, never the plaintext.
• Agent records — name, address, public key, capabilities, and registration date. Public keys and addresses are public by design (that's the point).
• Custom-domain proofs — DNS verification tokens and the domains themselves.
• Request logs — for endpoints that resolve public keys (e.g. /agents/:address), we record the requested address, response status, IP address, and user-agent. These logs help us monitor abuse and capacity. We retain them for 90 days.

What we never see

• Private keys. Ed25519 private keys are generated in your process. The SDK never sends them, and the API has no endpoint that accepts one.
• Message content. Envoys signs and resolves identity. It does not transport, store, or proxy the content of signed requests between agents.
• Browser analytics. The site has no third-party trackers, no analytics scripts, no advertising pixels.

Third parties

• Cloudflare — DNS and edge protection. Standard request metadata is processed by Cloudflare under their privacy policy.
• Resend — transactional email (account recovery, optional waitlist). Your email address is shared with Resend only for delivery.
• Google — only if you choose "Continue with Google" for sign-in. Your Google account ID and email are shared with Envoys at sign-in time.

Your rights

You can delete your account at any time from the dashboard, which removes your email, account key, and agent records. Note: an agent's address and historical public keys are append-only by design — once an address has been issued, the public-key history at /agents/:address/key-history is preserved so verifiers can detect rotations against pinned keys. Revoked agents return a "revoked" status; the historical key data is not removed.

For other privacy requests (export, correction, questions), email [email protected].

Terms of Service

By using Envoys you agree to the following. They're short and try to mean what they say.

The service

Envoys is provided as-is. The free tier is metered (5 agents, 30 requests/minute) — see the home page for current limits. The signature spec at /specs/signature/v1 is normative and stable; URI changes are versioned.

Acceptable use

Don't use Envoys to:

• Impersonate someone else (handle squatting on real-world brands or persons you don't represent — see the reserved handle list)
• Distribute malware, run phishing campaigns, or facilitate fraud
• Attempt to gain unauthorized access to other accounts, evade rate limits, or abuse the public-key resolver
• Use the service in violation of applicable law in your jurisdiction

We may revoke addresses, suspend accounts, or rate-limit traffic at our discretion if we believe these terms are being violated.

Cryptographic identity is your responsibility

Envoys does not validate real-world identity claims beyond the optional DNS-based verified-handle attestation. A handle on the registry is no stronger than first-come-first-served; verifiers should treat the verified_handle field as the ground truth of who controls a domain.

You are responsible for protecting your account key, your agent's private keys, and any signing happening on your infrastructure. Compromise of those keys is not recoverable through Envoys — rotate immediately and notify counterparties.

Liability

The service is provided "as is" without warranty of any kind. To the maximum extent permitted by law, Envoys is not liable for any indirect, consequential, or incidental damages arising from use of the service.

Open source

The SDK (@envoys/sdk) and A2A adapter (@envoys/a2a) are released under MIT license. Use them in any project, commercial or otherwise.

Contact

Questions, abuse reports, or legal correspondence: [email protected]