Token Holder The Ecosystem

A data-sovereignty layer
for AI agents.

Every agent today gets access the same way: you hand it your API key and hope. Token Holder replaces that with a protocol — grant-gated, per-agent-signed, and cryptographically audited end-to-end.

Little Snitch for AI file access. See every file your AI just touched. Revoke an individual agent in one command. Prove what happened to a compliance auditor — or to yourself, next month.

See the protocol Private alpha

The gap

Agents need data access.
You need a policy, a signature, and a ledger.

There's no good way today to say "this agent may read my vault under Projects/BTO, but not Projects/MLC." No record of what it actually did. No way to revoke a single agent session without revoking the whole app it runs inside.

Token Holder sits between agents and the things they want to touch — API keys, vault files, usage data — and enforces three things: who is asking, are they allowed, and did it happen.

Who it's for

Three kinds of people show up here.

Same wallet. Different surface. Tap a card for the full pitch.

The three-level identity model

Consumer · Agent · Request.

Stripe's analog: merchant account, API key, signed HTTP request. Each layer verifiable and revocable independently.

Level 1 · outermost

Consumer

Which app is talking? A per-app bearer token, scope-bounded.

bearer token · scope ceiling
Level 2 · per-instance

Agent

Which instance of that app? Ed25519-keyed. Revoke one without revoking the app.

Option A claim · Option B signed ✓
Level 3 · per-call

Request

Is this exact request authentic? Signed over canonical form, within replay window.

SHA-256 chained · ±60s window

The differentiator

Every access lands in a tamper-evident chain.

Most RBAC layers stop at allow/deny. Token Holder's usage log is a SHA-256 hash chain. Each row's hash depends on the previous row's. Tampering breaks the chain and /usage/verify reports exactly where.

Row 1 grants.check.allow a3b1c097…
Row 2 vault.read 5f8e2d44…
Row 3 grants.check.deny 087ec617…
Row 4 vault.write …pending

row_hash = SHA-256( prev_hash || canonical(row) ) · GENESIS-rooted · ordered by insert

Each consumer can pull their own audit trail through /my/usage/* without admin scope — the customer sees what the vendor's agents actually did against their data.

Where we fit in the AI stack

Hardware all the way up to your files.
We're the pinch point just before your data.

Eight layers make modern AI work — physical silicon at the bottom, you at the top. Every layer below the dotted line is someone else's problem: NVIDIA, OpenAI, Anthropic, Meta, Claude Code, Cursor. The moment that stack reaches for your data, it talks to us.

You · your apps · your files Obsidian · source trees · API keys · databases · local model weights · everything an AI might want to touch
The part of the stack that actually matters to you. Everything below this exists to produce something useful here — and everything below this also wants to reach into it.
↑ every request up · every outcome logged down ↑
Token Holder policy · identity · audit · this is us
The security / identity / data-access layer. Who's asking? (consumer + signed agent id.) Are they allowed? (grants + path globs.) Did it happen? (SHA-256 chained audit log.) Every layer above has to pass through here to touch a file, a key, or a row.
↓ agents & apps reach down · TH gates the way back up ↓
Agent harness & application layer Claude Code · Cursor · Windsurf · Claude Desktop · ChatGPT app · Clawnoly · your ChatGPT tab
The UI you actually touch and the harness that drives the agent loop. Sends tool calls down, receives text and diffs back up.
Agent framework & tool protocol MCP · LangChain · OpenAI tool-use · LlamaIndex · custom orchestrators
How the agent declares what it can do and calls out to the world. MCP is the current winner for tool-calling standardization; this is where our mcp-filesystem server plugs in.
Inference runtime & serving Anthropic API · OpenAI API · vLLM · llama.cpp · Ollama · LM Studio · TensorRT-LLM
Turns "here's a prompt" into "here's a token stream." Hosted in someone else's datacenter (Anthropic, OpenAI) or local on your machine (Ollama, llama.cpp).
Foundation & fine-tuned models Claude · GPT-4 · Gemini · Llama · Mistral · DeepSeek · your LoRA-tuned variant
The weights. The actual learned representation of language, vision, code. Trained by labs with nine-figure GPU budgets; rented or downloaded by everyone else.
ML systems software PyTorch · JAX · ONNX · Triton · MLIR · quantization + kernel libraries
The frameworks and compilers that turn a model architecture into something that can actually run on the hardware below.
GPU software stack CUDA · cuDNN · NCCL · ROCm · Metal Performance Shaders · driver ABIs
The thin but immovable layer NVIDIA (and Apple, and AMD) owns that makes matrix multiplies actually fast.
Hardware NVIDIA H100 / B200 · Apple Silicon Neural Engine · TPU · consumer GPUs · your laptop
The silicon. Everything else is software running on one of these.

The entire AI stack exists to help an agent do something useful. The minute that agent wants to touch your stuff, there's a narrow band where access has to be authorized, attributed, and recorded. That narrow band is everyone's blind spot — and it's the only layer we work on.

Hover any layer for detail.

How you plug in

Five minutes. One dependency.

The SDK is headless. Works in Node, Bun, Deno, edge runtimes, and browsers (with a provided token). Signs requests automatically when given an Ed25519 key or the TH_AGENT_PRIVATE_KEY env var. 

import { createClient } from "@token-holder/client-sdk";

const th = createClient({
  consumerId: "my-app",
  agentId: crypto.randomUUID(),
  agentName: "research-bot-v1",
});

// every call gated, signed, audited, agent-attributed
const check = await th.checkGrant({
  dataType:   "obsidian_vault",
  permission: "read",
  path:       "Projects/BTO/readme.md",
});
if (check.allowed) {
  const file = await th.vault.read("Projects/BTO/readme.md");
}

// caller's OWN audit trail, no admin needed
const mine = await th.my.usage.summary();

Private alpha today — distribution via signed tarball. Reach out for access.

SOON A full docs site is in flight — MCP configs, CLI wrappers, framework integrations, compliance export formats. Alpha participants get direct access to the reference integrator (Clawnoly) while it's still private.

The verticals we're shipping

One protocol. Many surfaces.

Each piece is a separate package or product, but they all speak the same underlying Token Holder protocol. Pick the ones that match your integration — or run the whole stack and watch every agent on your machine at once.

Same engine. Different cockpits.

One protocol, four bands of surfaces. Pick the one that matches how the agent touches your data — the rest share the same signed chain underneath.

01

Core protocol

Wallet + signed chain + identity. The engine.

Foundation — everyone runs this.
02

Integrations

SDKs, CLIs, MCP servers. Speak the protocol.

Developers shipping an AI feature.
03

Filesystem monitor

Wrap tools that don't know TH exists.

Power users watching local agents.
04

Roadmap

Kernel-class monitor, interactive approval.

Where this is going.

Not sure where to start? Developer → SDK. Local AI user → MCP filesystem or th-wrap. Security ops → wallet + audit chain.

shipped
Desktop app

THE Wallet

Owner UI + protocol engine. Unlock, configure vault paths, manage consumers + grants, see the signed audit chain visually. Tauri app, Rust + axum backend on 127.0.0.1:9473.

macOS · Windows · Linux — localhost-only today
shipped
Audit chain

Signed tamper-evident log

Every access — allow, deny, signature invalid — becomes a SHA-256-chained row. /usage/verify walks and proves integrity; /usage/export emits a compliance-grade bundle.

rowid-ordered · GENESIS-rooted · exportable
shipped
Agent identity

Three-level ID protocol

Consumer token · per-instance agent id · per-request Ed25519 signature. Option A (claim) and Option B (signed) both shipped. Revoke a single agent without revoking the app it runs inside.

canonical form · ±60s replay window · middleware-verified
shipped
Integration SDK

@token-holder/client-sdk

Headless TypeScript. Zero native deps. Signs every request when a key is present. Works in Node, Bun, Deno, browsers, edge runtimes. Five minutes from pnpm add to audited access.

@noble/ed25519 · private registry · ~14 KB
shipped
CLI

th

Every wallet op from a shell. th consumers register · grants create · agents register --generate · audit verify · my usage history. Scripts hit the same surface as humans.

zero-config auth via token files · --json for machines
shipped
MCP — admin

@token-holder/mcp-server

Stdio adapter exposing admin + grant + audit operations to Claude Code, Cursor, Windsurf. Agents manage the wallet itself via MCP tool calls — the conversational configuration story.

drops into any MCP config in one line
shipped · new
MCP — filesystem

@token-holder/mcp-filesystem

Drop-in replacement for the reference MCP filesystem server. Every read / write / list / edit through your AI tool lands in the audit chain, scoped by grants. Same tool names, zero code changes on the agent side.

Phase 1 of the filesystem monitor
shipped · new
Universal wrapper

th-wrap

CLI shim for anything that's not MCP-aware. th-wrap -- codex add-retry-logic launches the tool under a libc interposer; every open / write / unlink gets logged. Works for Codex, aider, Python scripts, local LLM agents — anything.

Phase 2 · macOS + Linux · observation mode
shipped
Reference integrator

Clawnoly

Terminal harness. Every spawn auto-provisions a fresh Ed25519 identity registered with TH; tools inside the terminal sign transparently via the SDK. Option B by default, Option A fallback if the wallet is down.

the "zero-config signed identity" pattern
roadmap
Kernel-class monitor

Raven

macOS Endpoint Security agent. Watches filesystem events system-wide, attributes them to processes, routes into TH. Separate signed binary from the wallet — a UI vulnerability can't escalate into system omniscience. Apple entitlement review; gated on pilot revenue.

Phase 4 — months out
roadmap
Interactive approval

Per-request prompt

"Claude wants to write ~/.ssh/known_hosts — allow once / allow session / deny / deny + revoke." The moat: turns the audit layer into a real-time access broker. Needs Phase 4's kernel interception to intervene in-flight.

Phase 5 · post-Phase-4
roadmap
Behavioral layer

Predictive scoping

Once identity + monitor are both in place, per-agent access baselines become possible. "Claude historically reads ./src/**; it's about to open ~/.aws/credentials — legit?" Trust graduates; anomalies flag themselves.

layers on top of everything above

Agent identity roadmap

From claim, to signature, to handshake.

✓ Shipped · Option A

Stateless passthrough

X-Agent-ID / X-Agent-Name headers. Claim-only; populates agent_id on every chain row.

✓ Shipped · Option B

Ed25519 signed requests

Every request signed over canonical form. Middleware verifies, stamps agent_verified=true. Compromising a token no longer rewrites history.

Later · Option C

Authenticated handshake

PAKE-style (Dragonfly / OPAQUE) session key per agent. Deferred until Token Holder is exposed over the network.

The mascot

Why a Raven.

Ravens are pattern-watchers. They remember faces. They hold grudges against specific bad actors without painting the whole flock with one brush. That's exactly the job of the security layer — distinguish the agent that behaved from the one that didn't, keep receipts, and do it without getting in the way of the ones doing honest work.

The Raven is also the name of Token Holder's reference monitoring agent — an optional preset that watches the audit chain and flags anomalies. Mascot and implementation carry the same motif.