The Trust Layer
for AI.

Four cryptographic capabilities — origin, AI decisions, agent authority, regulatory attributes — bound into one trust layer. Decisions you can prove. Data you never hold.

See use cases → Try Seal →
Compatible standards
MCP
Model Context Protocol
A2A
Agent2Agent · Google
x402
HTTP 402 · Coinbase
C2PA
Content Provenance
W3C VC
Verifiable Credentials

Products

One foundation,
three doors in.

Seal
For developers

Send proofs, not keys.

A ZK sign-in SDK that drops into any app or AI agent stack.

/seal →
Trust402
For agent developers

Run AI without holding keys.

Keyless auth. Per-call authority delegation. Works with x402 / MCP.

/trust402 →
Industries
For enterprises

Civic · Critical · Compliance.

Three product lines tuned for public infrastructure, manufacturing, and regulated finance.

/pricing →

How it works

Data stays in place.
Only proofs travel.

The source mints a proof, only the necessary parts are selectively disclosed, and a verifier checks them with a public key. Through all three phases, raw data never moves.

Phase 01 · Issue

Mint the proof at the source

Embed the Lemma SDK at the source. Issue attribute proofs for data, models, and authority. Raw data never leaves.

BBS+ Signature
Poseidon Hash
DID / VC (W3C)
Phase 02 · Prove

Reveal just enough

Selectively disclose only the facts a verifier needs — authority, attribute, integrity. Raw data is never touched.

Groth16 / BN254
Circom 2.x Circuit
Selective Disclosure
Phase 03 · Verify

Anyone can confirm

Anyone, anytime, verifies authenticity with a public key. Optionally anchor as on-chain audit attestations.

Public verify (no trust)
EIP-712 attestation
on-chain optional
ZK Groth16 / BN254
Signing BBS+ / EdDSA
Hash Poseidon / Keccak
Identifier W3C DID/VC
On-chain EIP-712 / x402
Read the technical spec →

The 4 trust layers

4 trust layers,
your schema.

Trust infrastructure has four axes — verifiable origin, verifiable AI, agent authority proof, regulatory attribute proof. Schemas aren't dictated by Lemma; define them to fit your domain and issue/verify them via the SDK. The examples below are framed as your.*.v1.

{
  "schema": "your.provenance.v1",
  "subject": "did:lemma:utility-meter-001",
  "issuer": "did:lemma:org-acme-utility",
  "sourceHash": "0x9f3a...c4e8",
  "lineageChain": ["sensor", "scada", "oracle"],
  "recordedAt": "2026-06-02T14:30:00Z",
  "integrity": "poseidon-merkle",
  "proof": {
    "type": "BBS+Signature2020",
    "value": "0x4a2b...e1d3"
  }
}

P1 · Verifiable Origin

Provenance schema

Record the multi-tier provenance of data as it propagates sensor → SCADA → Oracle, in tamper-evident form. The body never leaks; a hash chain + BBS+ signature proves "this is the same thing."

SigningBBS+
HashPoseidon-Merkle
IdentifierW3C DID
{
  "schema": "your.model.v1",
  "agent": "did:lemma:agent-fin-bot-007",
  "modelId": "claude-3.7-sonnet",
  "policyHash": "0x71c5...8b9a",
  "inputCommitment": "0xb4e2...3f10",
  "outputCommitment": "0xc8f1...a2d5",
  "satisfiesPolicy": true,
  "proof": {
    "type": "Groth16",
    "circuit": "lemma/model-attest@1.0",
    "value": "0x9d7e...c4f2"
  }
}

P2 · Verifiable AI

Model schema

Record the model ID, applied-policy hash, and commitments over inputs and outputs. The actual I/O is never revealed; only policy satisfaction is proven via Groth16. Closes the LLM audit blind spot.

ProofGroth16 / BN254
CircuitCircom 2.x
CommitPedersen / Poseidon
BridgesMCP / Anthropic
{
  "schema": "your.agent.v1",
  "agent": "did:lemma:agent-treasury-042",
  "delegatedBy": "did:lemma:org-acme-fin",
  "role": "treasury_agent",
  "spendLimitUSDC": 500,
  "scope": "x402://api.partner.jp/*",
  "validUntil": "2026-06-30T23:59:59Z",
  "proof": {
    "type": "Groth16+EIP3009",
    "x402PaymentId": "0xa1f3...7d8e",
    "value": "0x6b2c...e4a9"
  }
}

P3 · Agent Authority

Agent schema

delegatedBy says who delegated; role / spendLimit / scope say what and how far. Attached per x402 payment via Trust402, proving an autonomous agent's actions with authority bound.

ProofGroth16 + EIP-3009
PaymentUSDC / x402
DelegationDID-based VC
ProductTrust402
{
  "schema": "your.attribute.v1",
  "holder": "did:lemma:org-fsa-licensed",
  "issuer": "did:lemma:authority-jp-fsa",
  "jurisdiction": "JP-FSA",
  "licenseType": "type-1-financial",
  "disclosed": ["isLicensed", "validUntilYear"],
  "hidden": ["licenseNo", "address", "executives"],
  "proof": {
    "type": "BBS+SelectiveDisclosure",
    "value": "0x3c8d...f7a2"
  }
}

P4 · Regulatory Attribute

Attribute schema

Attribute credentials issued by authorities. disclosed / hidden control what is shown and what stays hidden, via BBS+ selective disclosure. Eliminates the need to centralize KYC / license raw data.

ProofBBS+ Selective
IdentifierW3C DID / VC
StandardeIDAS / DID-Auth
ProductLemma Compliance

Adopting the trust layer

In operation.
In incidents.

Two lenses on Lemma's trust infrastructure — how it lands in real work, and where it was needed when things went wrong.

See use cases of the trust layer P4 · Regulatory Attribute Proof

Counterparty Screening — Pass the Result, Not the Reasons

Pass only the credit/sanctions decision — reasons and scores stay private.

Read →
Read the Critical Brief

Featured Brief · 2026-05-31

McKinsey Lilli's Writable System Prompts — The Layer Governing the AI's Behavior Had No Integrity or Provenance

2026 年 2 月、レッドチーム企業 CodeWall の自律オフェンシブ AI エージェントが、McKinsey の社内向け生成 AI プラットフォーム「Lilli」を、認証情報も内部知識もない状態から 2 時間足らずで本番データベースへの完全な read/write アクセスに到達させた。露呈した最も重大な gap は、Lilli の挙動を統治する 9…

Read →
Want to go deeper? Download the whitepaper.

Trust infrastructure
for the agent era.

Talk to us → Whitepaper →