Every registry is sovereign. Every agent is discoverable.
No consensus required. No single point of failure.
HTTP/2 + mTLS + Merkle Trees = Unstoppable Federation
New registries announce themselves to known peers via the federation_public endpoint. Each registry maintains a cryptographic identity (SPIFFE ID) that proves its authenticity.
Registries exchange signed certificates and establish mTLS connections. Every communication is cryptographically verified - no trust assumptions.
Registries exchange agent metadata using differential sync. Only changes since last_sync are transmitted, keeping bandwidth usage minimal.
Registry information propagates through the network via gossip protocol. New connections form automatically as the network grows.
```http
# Federation sync endpoint specification
POST /federation/sync/catalog
Content-Type: application/json
X-Registry-Signature: {base64_signature}
X-Registry-ID: {registry_did}

{
  "last_sync": "2025-01-27T10:30:00Z",
  "merkle_root": "0x3a4f9b2c...",
  "requested_changes": {
    "max_batch_size": 1000,
    "include_proofs": true
  }
}

# Response with differential updates
{
  "changes": [
    {
      "operation": "CREATE",
      "agent": {
        "did": "did:cosmos:registry-b:agent-789",
        "humanReadableId": "acme/translator",
        "capabilities": [...],
        "reputation_score": 0.95
      },
      "merkle_proof": [...]
    }
  ],
  "new_merkle_root": "0x5d8a1f3e...",
  "sync_timestamp": "2025-01-27T10:31:15Z"
}
```
Designed to operate safely even when up to 1/3 of registries are malicious
Every registry has a SPIFFE identity with short-lived certificates. Compromised keys automatically expire, limiting attack windows.
All federation requests include cryptographic signatures and timestamps. Replay attacks are impossible due to nonce validation.
100 requests/minute per peer prevents DoS attacks. Adaptive throttling protects against coordinated attacks across multiple registries.
Agent catalogs are Merkle trees. Any tampering is immediately detectable through cryptographic proof verification.
Registry reputation spreads through gossip. Malicious registries are quickly identified and isolated by the network.
Unlike blockchain, we don't need global consensus. Each registry makes sovereign decisions about which peers to trust.
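How a receiving registry could check one entry of the sync response against `new_merkle_root` before applying it, as an added example that is not code from the registry project. The page elides the proof format, so SHA-256, the leaf encoding, the leaf/node prefixes and the `{"side", "hash"}` step shape are assumptions, and the sample catalog is constructed.

```python
import hashlib
import json

# Assumptions, not from the page: SHA-256; leaves are sorted-key compact JSON;
# 0x00/0x01 leaf/node prefixes; odd node promoted; steps are {"side", "hash"}.

def leaf_hash(agent: dict) -> bytes:
    canonical = json.dumps(agent, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(b"\x00" + canonical).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_levels(leaves: list) -> list:
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([node_hash(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels

def make_proof(levels: list, index: int) -> list:
    proof = []
    for level in levels[:-1]:
        sib = index ^ 1
        if sib < len(level):
            proof.append({"side": "left" if sib < index else "right",
                          "hash": level[sib].hex()})
        index //= 2
    return proof

def verify_change(change: dict, new_merkle_root: str) -> bool:
    """Recompute the root from the agent record and proof; False on any mismatch."""
    try:
        acc = leaf_hash(change["agent"])
        for step in change["merkle_proof"]:
            sib = bytes.fromhex(step["hash"])
            if len(sib) != 32 or step["side"] not in ("left", "right"):
                return False
            acc = node_hash(sib, acc) if step["side"] == "left" else node_hash(acc, sib)
        return acc == bytes.fromhex(new_merkle_root.removeprefix("0x"))
    except (KeyError, TypeError, ValueError, AttributeError):
        return False

# Constructed sample: a three-agent catalog and the change entry for agent-789.
AGENTS = [{"did": f"did:cosmos:registry-b:agent-{n}"} for n in (787, 788, 789)]
LEVELS = build_levels([leaf_hash(a) for a in AGENTS])
ROOT = "0x" + LEVELS[-1][0].hex()
CHANGE = {"agent": AGENTS[2], "merkle_proof": make_proof(LEVELS, 2)}
```

Any edit to the agent record, a reordered proof step, or a missing proof makes `verify_change` return `False`, so an entry that fails should not be merged into the local catalog.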
Real benchmarks from our production federation network
Operation | Performance | Scale Tested | Notes |
---|---|---|---|
Registry Discovery | < 100ms | 100 registries | P2P gossip propagation |
Catalog Sync (Full) | < 2s | 10,000 agents | First-time sync |
Catalog Sync (Diff) | < 200ms | 1,000 changes | Incremental updates |
Agent Discovery | < 50ms | 1M agents globally | With proper indexing |
Cross-Registry Call | < 500ms | Any distance | Including auth & routing |
Failover Time | < 30s | Registry failure | Automatic rerouting |
Join the federation in minutes, not months
```bash
# Deploy a sovereign registry and join the federation

# 1. Clone and configure your registry
git clone https://github.com/theprotocol/registry
cd registry
cp .env.example .env

# 2. Set your registry identity
REGISTRY_NAME="silicon-valley"
REGISTRY_DOMAIN="registry.mycompany.com"
FEDERATION_PEERS="https://tokyo.theprotocol.cloud,https://london.theprotocol.cloud"

# 3. Launch with automatic SPIFFE identity provisioning
docker-compose up -d

# Your registry is now:
# ✓ Generating cryptographic identity
# ✓ Connecting to peer registries
# ✓ Syncing global agent catalog
# ✓ Ready for agent deployments!
```
```python
# Programmatic federation management
import asyncio

from theprotocol import Registry, FederationManager


async def main():
    # Initialize your registry with federation
    registry = Registry(
        name="europe-central",
        federation_enabled=True,
    )

    # Add trusted peer registries
    federation = FederationManager(registry)
    await federation.add_peer({
        "url": "https://asia-pacific.example.com",
        "public_key": "-----BEGIN PUBLIC KEY-----...",
        "reputation_threshold": 0.8,
    })

    # Query agents across entire federation
    translators = await registry.discover_global(
        capability="translation",
        min_reputation=0.9,
        max_latency_ms=100,  # Prefer nearby registries
    )
    print(f"Found {len(translators)} translators across {translators.registry_count} registries")


# `await` is only valid inside a coroutine, so run the steps in an event loop
asyncio.run(main())
```
Everything you need for a sovereign, connected registry
Registries find each other through gossip protocol. No hardcoded peer lists or central directory needed.
Choose which agent types to sync. Filter by capability, reputation, or custom policies.
Automatic handling of agent ID conflicts. Last-write-wins with cryptographic proof trails.
Intelligent routing to nearest registry replica. Minimize latency for global deployments.
Registries build reputation through uptime, honest behavior, and peer endorsements.
Deploy your own registry. Set your own rules. Join the federation.