UNIKEY PROTOCOL

The Missing Authority Layer of the Internet

The internet was built to move information.
It was never built to prove authority.

They verify the agent. UniKey verifies the action.

THE PROBLEM

Identity Is Not Authorization

Every credential, password, token, and session ever created is a patch on the internet’s original omission. A stolen credential can pass identity checks, because those checks are designed to verify who is acting, not whether the action is authorized.

“Was this action explicitly authorized — before it executed?”

$28B

Card-not-present fraud
projected 2026

$23B

Account takeover fraud,
US 2023

97%

of orgs saw AI-facilitated
attacks rise in 2025

THE SOLUTION

The Authorization Layer.
Positioned Between Identity and Execution.

LAYER 1

Identity & Agent Trust

Is this a known, trusted agent?

  • Visa Trusted Agent Protocol
  • Cloudflare Web Bot Auth
  • Google Agent Payments Protocol
  • Agentic Commerce Protocol

LAYER 2

UniKey Authorization

Was this specific action explicitly authorized before it executed?

  • Trust Packets
  • Authorization Certificates
  • Authority Anchors
  • Authorization Ledgers

LAYER 3

Payment Execution

How do payments move securely?

  • Stripe Shared Payment Tokens
  • Visa Network
  • Mastercard
  • Network Tokenization

CORE ARCHITECTURE

Four Cryptographic Primitives.
One Authority Layer.

01

Authority Anchors

Who holds the authority to act?

Any person, device, or enterprise system that establishes cryptographic authority through domain-based keys, leveraging globally deployed DNS-based key distribution. That authority is independently verifiable by counterparties.

02

Trust Packets

Was this action authorized before execution?

Per-action authorization proofs — self-contained, cryptographically signed, non-replayable, and verified in milliseconds via DNS-based key lookup. Every digital action carries one before execution. Verification is deterministic — any ambiguity or failure results in rejection.

03

Authorization Certificates

What is the tamper-evident record?

Hash-chained records of complete multi-party transaction sequences. Each Trust Packet incorporates a cryptographic hash of all preceding packets. Modify any step and the entire chain breaks. All public keys embedded, enabling self-contained verification.
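The hash chaining described above, as an added sketch that is not taken from the UniKey specifications or reference libraries. The packet fields, the JSON canonical form, the genesis value and all function names are assumptions, and per-packet signatures are not modelled.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash value for the first packet

def digest(seq, action, prev_hash):
    # Assumed canonical form: compact JSON with sorted keys. The real
    # canonicalization is defined by the UniKey spec, not reproduced here.
    body = {"seq": seq, "action": action, "prev_hash": prev_hash}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def append_packet(chain, action):
    """Append a packet whose hash covers the previous packet's hash,
    so it transitively commits to every earlier packet."""
    prev = chain[-1]["hash"] if chain else GENESIS
    seq = len(chain)
    chain.append({"seq": seq, "action": action, "prev_hash": prev,
                  "hash": digest(seq, action, prev)})

def first_break(chain):
    """Return the index of the first packet that fails, or None if intact."""
    prev = GENESIS
    for i, pkt in enumerate(chain):
        if pkt.get("seq") != i or pkt.get("prev_hash") != prev:
            return i  # reordered, dropped, or re-linked packet
        if digest(i, pkt.get("action"), prev) != pkt.get("hash"):
            return i  # packet contents changed after hashing
        prev = pkt["hash"]
    return None

def sample_chain():
    # Constructed three-party sequence, for illustration only.
    chain = []
    append_packet(chain, {"by": "buyer.example", "do": "order", "amount": 120})
    append_packet(chain, {"by": "shop.example", "do": "accept"})
    append_packet(chain, {"by": "bank.example", "do": "settle"})
    return chain

if __name__ == "__main__":
    chain = sample_chain()
    print("intact:", first_break(chain))
    chain[0]["action"]["amount"] = 9000  # edit step 0 in place
    print("edited step 0:", first_break(chain))
    # Recomputing step 0's hash only moves the break to step 1. Hiding the
    # edit means rewriting every later packet, which the per-packet
    # signatures described on the page (not modelled here) would expose.
    chain[0]["hash"] = digest(0, chain[0]["action"], GENESIS)
    print("rehash step 0:", first_break(chain))
```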

04

Authorization Ledgers

Where is the permanent record?

Distributed, append-only records of Authorization Certificates. Each party can maintain an independently verifiable record without relying on UniKey-operated central infrastructure or shared consensus infrastructure. Permanent audit infrastructure by default.

FULL DEPLOYMENT OUTCOMES

What Changes

When the Authorization Layer Exists

Fraud

Scalable credential-based fraud structurally eliminated

Attackers require a valid Trust Packet signed by a key that never leaves the device. Stolen credentials cannot produce one. Fraud cannot scale.

$442B

Global fraud losses 2025
(INTERPOL)

AI Economy

The agentic internet bottleneck resolved

AI agents cannot currently act freely across the internet, because no authorization infrastructure exists for them. UniKey is that infrastructure. The constraint is removed.

$15.7T

AI economic impact projected by 2030 (PwC)

Data Breaches

Credential theft removed as a breach vector

No credential in transit means no credential to intercept, store, or steal. The attack surface that accounts for 80%+ of breaches no longer exists.

$9.4M

Average cost of a data breach, US 2024 (IBM)

THE CASE

The Most Significant Cybersecurity Advance
Since the Advent of SSL

80%+

OF ALL DATA BREACHES ORIGINATE FROM STOLEN CREDENTIALS

UniKey removes credentials from the transaction entirely.

Not better credential protection.

Not stronger encryption of credentials in transit.

No credential. No theft. No breach vector.

Source: Verizon Data Breach Investigations Report 2024

FOUNDING PARTNERS

Sending is Free.
Verification is Where Value is Exchanged.

Sending

Free for all participants

Any entity can send Trust Packets at no cost. Founding partners receive preferential terms on the commercial layer.

Verification

Infrastructure operators

Payment networks, carriers, SASE platforms, and enterprise gateways operate verification endpoints.

Licensing

ARM-style open standard

The protocol is open. Licensing fees apply to the ecosystem — payment rails, device manufacturers, global telecoms.

Active conversations with:

AI Agent Platforms
Payment Networks
Telecommunications Carriers
Device Manufacturers
Enterprise Security Platforms

OPEN STANDARD

Explore the Specifications

UniKey is a fully specified open standard. All RFC specifications are publicly available for evaluation on GitHub.
Submitted to NIST NCCoE AI Agent Identity and Authorization framework as a recommended solution.

LAYER 1   •  CORE

RFC-1000

Master Index

LAYER 2   •  PROTOCOL

RFC-2001

Trust Packet Format & Canonicalization

LAYER 3   •  DISCOVERY

RFC-3001

Verifier DNS Hardening Algorithm

LAYER 4   •  DEVICE AUTHORITY

RFC-1300

Device & OS Integration Model

LAYER 5   •  AUTHORIZATION

RFC-5003

Authorization Flow & Verification Architecture

LAYER 6   •  DELEGATION

RFC-1200

Delegation Profile

Intellectual Property & Patents

UniKey is protected by an international portfolio of issued and pending patents covering:

• Distributed cryptographic authorization
• Replay resistance mechanisms
• DNS-based key validation
• Trust Packet architecture
• Cross-domain authority verification

The portfolio includes over 100 granted and pending patents across multiple jurisdictions.

BUSINESS MODEL

Global Verification Services

The Visa Parallel

Visa does not move money. Visa verifies transactions and licenses the network.
UniKey does not authorize actions. UniKey licenses the protocol to those who do.

Verification Fees

Per-Action Revenue

Every Trust Packet verified by a network operator generates a micro-fee. At agentic commerce scale — billions of agent actions daily — this is a metered infrastructure revenue model with no natural ceiling.

Licensing Fees

Protocol Royalties

Payment networks, telecoms, device manufacturers, and enterprise platforms license the UniKey protocol to operate verification endpoints. ARM-style: open standard, licensed ecosystem.

Ledger Services

Data Intelligence

Authorization Ledgers generate real-time authorization intelligence as a byproduct of every transaction. Fraud detection, compliance reporting, and audit services built on the ledger.

Sending Trust Packets is free. Verification is where value is exchanged.
Every agentic transaction. Every device provisioning. Every enterprise API call.

CYBERSECURITY PRODUCTS

Authorization Intelligence

From Ledger Data

Every UniKey transaction produces an Authorization Certificate. Aggregated across billions of transactions, the Authorization Ledger becomes a real-time map of what was authorized, by whom, through which authority chain — generated as a byproduct of normal operation, not as a separate data collection exercise.

Fraud Detection

Real-time anomaly detection

Ledger patterns reveal authorization anomalies – agents acting outside delegated scope, unusual authority chains, replay attempts – before damage occurs.

Compliance Reporting

Automated audit trails

Every regulated transaction has a tamper-evident Authorization Certificate. Compliance reports generated automatically from ledger data. No manual reconstruction.

Threat Intelligence

Cross-network pattern analysis

Authorization patterns across the global network reveal coordinated attack signatures invisible to any single operator. Network-level threat intelligence sold as a service.

Risk Scoring

Authority chain risk models

ML models trained on authorization ledger data produce real-time risk scores for agent actions, provisioning events, and enterprise API calls before execution.

The ledger is not a product that must be built. It is a byproduct of every transaction –
intelligence that accumulates automatically as the network grows.

DISTRIBUTED AUTHORITY

Authority is Not Granted from a Center

THE OLD MODEL

Central authority
grants permission.

  • One server decides what is authorized
  • Compromise the center – compromise everything
  • Every action waits for permission from above
  • Single point of failure. Single point of control.

UNIKEY MODEL

Authority lives
at the edges.

  • Every domain, every device, every agent holds its own authority anchor
  • Verification is peer-to-peer against DNS – no center required
  • No UniKey server grants permission. UniKey coordinates the proof.
  • 5 billion authority anchors. No single point of failure

“The internet was built to move information. It was never built to prove authority.
UniKey is the distributed authority layer the internet was always missing.”

FOR BUYERS, PARTNERS, AND ACQUIRERS RESEARCHING UNIKEY

FAQ

UniKey — Frequently Asked Questions

UniKey is the distributed authorization layer the internet was always missing. It is a device-bound cryptographic network that verifies authority before a digital action is executed — across payments, APIs, autonomous agents, and any system that today relies on credentials, tokens, or sessions to decide whether something should happen.

The framing that travels: “They verify the agent. UniKey verifies the action.”

Identity systems prove who is acting. UniKey proves the specific action was authorized. That distinction is the entire category.

The internet was built to move information. It was never built to prove authority.

Every credential, password, token, and session ever issued is a patch on that original omission. Possession of a credential is treated as equivalent to permission — but in remote environments, that assumption breaks down. Credentials are stolen. Sessions are hijacked. Tokens are replayed. Once compromised, they can be reused at scale.

This is why fraud scales. It is also why the agentic internet has stalled: AI agents cannot be trusted to act autonomously across domains, because no infrastructure exists to verify that any specific action was actually authorized.

UniKey closes the gap by requiring cryptographically verifiable authority before execution. A stolen credential cannot produce a Trust Packet. A replayed token cannot produce a Trust Packet. The compromise boundary shifts from remote credential theft — which scales — to physical device or key compromise, which does not.

UniKey is not a competitor to identity systems, fraud detection products, or settlement networks. It operates at a layer those products do not address.

  • Identity systems (Visa Trusted Agent Protocol, Cloudflare Web Bot Auth, OAuth, PKI) verify who is acting. UniKey composes with them — it asks the next question: was this specific action authorized?
  • Fraud detection systems analyze transactions after they execute and assign risk scores. UniKey prevents unauthorized actions from executing in the first place. Fraud is not detected; it ceases to be possible at scale.
  • Settlement systems (Visa, Stripe, blockchain, real-time payment rails) move value once an action is approved. UniKey strengthens the authorization signal those systems receive. It does not replace them. It is rail-neutral and execution-agnostic.

The most useful analogy: blockchain decentralized settlement by distributing ledger state. UniKey decentralizes authority. Same structural ambition, different layer of the trust stack.

Yes. The foundation is in place:

  • Six published RFC-style specifications defining the protocol — RFC-1000 (Master Index), RFC-2001 (Trust Packet Format), RFC-3001 (DNS Hardening Algorithm), RFC-1300 (Device & OS Integration), RFC-5003 (Authorization Flow & Verification Architecture), RFC-1200 (Delegation Profile). All publicly available on GitHub.
  • 100+ patents granted and pending across multiple jurisdictions, covering distributed cryptographic authorization, replay-resistance mechanisms, DNS-based key validation, the Trust Packet architecture, and cross-domain authority verification.
  • Reference libraries that construct, sign, verify, and chain Trust Packets — running over the global DKIM and DNS infrastructure that has been deployed and operationally hardened for over fifteen years.
  • NIST NCCoE submission in progress, positioning UniKey as a recommended solution within the AI Agent Identity and Authorization framework.
  • Independent threat-model review completed by Black Duck Software, with findings incorporated into the architecture.

The HTTPS-native implementation of the protocol — for high-throughput synchronous use cases — is the next major engineering milestone, and is the natural focus of the partner or acquirer who scales the architecture.

UniKey is structured as an open standard with a licensed verification ecosystem — the ARM model applied to authorization infrastructure. Sending Trust Packets is free. Verification is where value is exchanged.

Active conversations span five categories:

  • AI agent platforms — the infrastructure that lets agents act autonomously across domains
  • Payment networks (Visa, Mastercard, Amex, Discover) — where network-level adoption propagates the fraud-elimination benefit to ~80M merchants without merchant-side integration
  • Telecommunications carriers — natural verification operators given existing trust relationships with billions of devices
  • Device manufacturers (Apple, Samsung, Google) — where every device becomes a magic wand: the cryptographic origin point for authorized actions across every connected service. The biggest leap in what a phone can do for the user since the App Store.
  • Enterprise security platforms — Cisco, Cloudflare, and others operating verification at scale across global edge or cloud infrastructure

Each category is a different commercial path with a different business model. The asset is structured to license to all of them.

UniKey inherits its security from the most widely deployed cryptographic infrastructure on the internet: DKIM signing and DNS-distributed public keys — the same primitives that secure legitimate email at scale. The protocol does not introduce new cryptography. It applies battle-tested primitives to a new architectural problem.

Three failure surfaces, each with bounded blast radius:

  • DNS attacks (poisoning, spoofing, path-based interception). UniKey RFC-3001 defines a hardened DNS validation algorithm that treats DNS as probabilistic, not authoritative. Verifiers must query at least three independent DNS resolvers across different network paths and require bitwise-identical key payloads from all of them. Any inconsistency triggers immediate rejection. TTL anomalies (sudden drops from 3600 to 60, for example) are treated as poisoning indicators. DNSSEC validation is additive but not substitutive. The system fails closed on every ambiguity. A single compromised resolver cannot produce a trusted key.
  • Cached-key divergence. Verifiers maintain a cache of validated keys bound to specific (domain, selector) pairs. When a freshly fetched key differs from the cached key for the same pair, the verifier triggers a divergence-handling routine — re-validating across multiple resolver paths, evaluating TTL anomalies, and flushing the cache when signature failures cluster within a short window. The cached key is never trusted in preference to fresh verification; divergence triggers heightened scrutiny rather than silent acceptance.
  • Verifier compromise. Verifiers do not hold any signing keys. A compromised verifier can lie about validation results but cannot forge Trust Packets that other verifiers would accept. Recovery is to revoke the compromised verifier from the trust hierarchy.
  • Device-resident credential extraction. The cryptographic credential lives in the device’s Secure Enclave (Apple, Samsung, Qualcomm hardware roots of trust). Extraction is prohibitively expensive even with physical possession. If a Secure Enclave is compromised, the issuer revokes the device’s authority anchor — bounded blast radius of one user, not the network.
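The resolver-consensus rules in the DNS item above, as an added sketch. It is not the RFC-3001 algorithm or UniKey reference code: the `Answer` type, the reason strings, the `baseline_ttl` input and the 10% TTL threshold are assumptions, the key records are constructed, and resolver answers are passed in rather than fetched.

```python
from dataclasses import dataclass
from typing import Optional

MIN_RESOLVERS = 3      # "at least three independent DNS resolvers" (from the page)
TTL_DROP_RATIO = 0.1   # assumed threshold; the page only cites 3600 -> 60

@dataclass(frozen=True)
class Answer:
    resolver: str              # resolver identity (constructed)
    payload: Optional[bytes]   # raw key record, None if the lookup failed
    ttl: int                   # TTL returned with the record, in seconds

def validate_key(answers, baseline_ttl):
    """Return (payload, reason). payload is None unless every check passes.

    baseline_ttl is the TTL the verifier normally sees for this
    (domain, selector) pair; how it is learned is an assumption here.
    """
    if len({a.resolver for a in answers}) < MIN_RESOLVERS:
        return None, "too-few-resolvers"
    if any(not a.payload for a in answers):
        return None, "lookup-failure"      # fail closed, no partial quorum
    if len({a.payload for a in answers}) != 1:
        return None, "payload-mismatch"    # must be bitwise identical
    if min(a.ttl for a in answers) < baseline_ttl * TTL_DROP_RATIO:
        return None, "ttl-anomaly"         # sudden drop is a poisoning indicator
    return answers[0].payload, "ok"

# Constructed sample records (not real keys).
KEY = b"v=DKIM1; k=ed25519; p=CONSTRUCTED-KEY-A"
FORGED = b"v=DKIM1; k=ed25519; p=CONSTRUCTED-KEY-B"

def make_answers(payloads, ttl=3600):
    """Build one Answer per payload from distinct constructed resolvers."""
    return [Answer(f"resolver-{i}", p, ttl) for i, p in enumerate(payloads)]

if __name__ == "__main__":
    cases = {
        "all agree": make_answers([KEY, KEY, KEY]),
        "one poisoned resolver": make_answers([KEY, KEY, FORGED]),
        "only two resolvers": make_answers([KEY, KEY]),
        "ttl dropped to 60": make_answers([KEY, KEY, KEY], ttl=60),
        "one lookup failed": make_answers([KEY, None, KEY]),
    }
    for name, ans in cases.items():
        print(f"{name:24s} -> {validate_key(ans, baseline_ttl=3600)[1]}")
```

Every path other than unanimous agreement returns no key, which is what gives a single poisoned resolver no way to get its record accepted.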

Keys carry explicit validity periods (90 days maximum for high-assurance deployments) with no-gap rotation. Successor keys must be published in DNS before predecessors expire.

The residual risk is the same risk every cryptographic system on the internet carries: the underlying primitives are believed secure but not provably so. That risk is shared by TLS, SSH, certificate transparency, and every modern trust system. UniKey operates inside that broader ecosystem, not separately from it.

The business model is patterned directly on Visa.

Visa does not move money. Visa verifies transactions and licenses the network. UniKey does not authorize actions. UniKey licenses the protocol to those who do.

Three revenue streams:

  • Verification fees. Every Trust Packet verified by a network operator generates a micro-fee. At agentic-commerce scale — billions of agent actions daily — this is metered infrastructure revenue with no natural ceiling.
  • Licensing fees. Payment networks, telecoms, device manufacturers, and enterprise platforms license the protocol to operate their own verification endpoints. ARM-style: open standard, licensed ecosystem.
  • Authorization intelligence. Every transaction produces an Authorization Certificate. Aggregated across billions of transactions, the resulting Authorization Ledger becomes a real-time map of what was authorized and by whom — sold as fraud detection, compliance reporting, threat intelligence, and risk-scoring services. Generated as a byproduct of normal operation, not as a separate data collection exercise.

Sending is free. Verification is where value is exchanged.

UniKey is structured as an ARM-style asset — specification, patent foundation, and reference libraries — that an acquirer or licensee operationalizes against their existing infrastructure.

For an acquirer, the natural path is to acquire the IP foundation, the protocol specifications, and the reference libraries, then operate verification at scale using existing infrastructure (CA systems, edge networks, payment rails). The acquirer becomes both the operator of the verification network and the licensor of the protocol to other parties.

For a payment network licensee, the network adopts UniKey at the network layer. Adoption propagates through existing PSP relationships to the merchant base without merchant-side integration. License terms are flat-fee annual at scale, comparable to architectural licensing in other infrastructure categories.

For a device manufacturer licensee, the model is per-device royalty, comparable to ARM’s IP licensing rates ($0.30–$1.00 per device historically), with credential provisioning integrated into existing Secure Enclave workflows.

For a founding partner in any category, preferential terms are available on the commercial layer in exchange for early commitment to the standard.

For acquisition, licensing, founding-partner discussions, or partnership inquiries: [email protected]

For technical specifications and the full RFC series: github.com/Swoop-Now/unikey-spec

For the white paper, patent portfolio, and additional resources: unikeyid.com

UniKey is operated by Swoop In Technologies LLC.
