Launching today
AI agents are making real decisions — executing trades, accessing patient data, filing documents. But there's no way to prove what an agent is, what it's allowed to do, or what it actually did. Kakunin fixes that. It issues X.509 certificates to AI agents, monitors their behavior in real time, and auto-revokes access when risk crosses a threshold. Regulator-ready audit reports in one click. Works with LangChain, CrewAI, AutoGen, CAMEL, Mastra, Vercel AI SDK. Python and TypeScript SDKs.
Which specific MiCA articles does Kakunin satisfy? Will a regulator actually accept this?
@kushwaha_8521 Specific articles Kakunin addresses evidence for:
MiCA (Regulation EU 2023/1114)
Art. 70 — Operational resilience: cryptographic agent identity + kill switch + incident audit trail
Art. 72 — Record keeping: immutable append-only audit log (WORM-backed), revocation reasons structured per spec, 5-year retention
Art. 75 — Outsourcing/third-party AI: provable chain of who authorised each agent and when
EU AI Act
Art. 9 — Risk management system: continuous behavioral risk scoring with documented thresholds
Art. 12 — Record keeping for high-risk AI: tamper-evident decision chain logs
Art. 14 — Human oversight: revocation API + kill switch with signed halt receipt
Will a regulator accept it?
Honest answer: Kakunin produces the evidence — signed certs, immutable logs, structured compliance reports. Whether a specific regulator accepts that evidence depends on their interpretation and your overall compliance posture. We don't claim to be a certification body.
What we do claim: if a regulator asks 'prove this AI agent was authorised to operate, what it did, and that you could stop it' — Kakunin answers all three with cryptographic proof.
How is the X.509 cert different from just using an API key or JWT?
@manish_mehta6 1. Cryptographic identity, not shared secret 2. Regulator-recognisable format 3. Lifecycle with legal weight. Answered in more detail in another comment with a similar query.
@palash_bagchi How do you handle high-frequency agents? (trading bots firing 1000s of events/min)
@maurya_abhiranjan Built for it. Event ingestion is async/non-blocking — fire and forget, queued via QStash, processed in background. No per-event latency. Risk scoring runs on sliding windows, not triggered per-event. Rate limits configurable per tenant — reach out for high-volume trading workloads.
@palash_bagchi Can I self-host this, or is it cloud-only?
@suyash_kr Self-hosting may be possible, but only in the Enterprise plan.
How is the X.509 cert different from just using an API key or JWT?
@vishalmehta8340 Great question — three key differences:
1. Cryptographic identity, not shared secret
API keys and JWTs are strings you pass around — if leaked, anyone can impersonate your agent. An X.509 cert is bound to a private key that never leaves AWS KMS. The agent proves identity by signing a challenge. No key = no impersonation, even if the cert is stolen.
2. Regulator-recognisable format
MiCA and EU AI Act compliance officers know what an X.509 cert is — it's the same format used in TLS, banking (PSD2), and eIDAS. Showing a regulator an API key and saying "this proves our AI agent's identity" won't fly. A signed X.509 cert with a verifiable chain of trust will.
3. Lifecycle with legal weight
Certs have explicit validity windows, revocation (CRL/OCSP-style), and an audit trail. An API key has no concept of expiry enforcement, no revocation record, no compliance audit log. When a regulator asks 'prove this agent was authorised to operate between these dates' — the cert + audit log answers that. An API key can't.
What happens if an agent's cert is compromised — how fast is revocation?
@kumar_ritesh21 Revocation is instant. One API call to POST /v1/certificates/{id}/revoke and:
Cert status → revoked in DB immediately
Agent → suspended in the same DB transaction
certificate.revoked webhook fires to your systems within seconds
CRL (Certificate Revocation List, RFC 5280) regenerated immediately via background job — not on a 24h schedule
For auto-revocation: if an agent's risk score hits 0.85+ (our high-risk threshold), revocation triggers automatically — no human needed.
Verifiers checking the CRL see the revoked cert within seconds of the job completing. The CRL is KMS-signed so it can't be tampered with in transit.
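
The challenge-signing and revocation checks described in the replies above, sketched from the verifier's side as an added Node.js example (not part of the original thread and not Kakunin's code or API). Assumptions: a plain object stands in for the X.509 cert, a locally generated Ed25519 key stands in for the KMS-held key, an in-memory Set stands in for the signed CRL, and all function names are hypothetical.

```javascript
// Added illustration, not Kakunin code; every name below is hypothetical.
const crypto = require("node:crypto");

// Stand-in for an issued cert: public data only. Assumption: production uses
// a real X.509 cert and the private key stays inside a KMS/HSM.
function issueAgent(serial, notBefore, notAfter) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  return { cert: { serial, publicKey, notBefore, notAfter }, privateKey };
}

// Verifier: a fresh random challenge per attempt defeats signature replay.
const newChallenge = () => crypto.randomBytes(32);

// Agent: prove possession of the private key by signing the challenge.
const signChallenge = (privateKey, challenge) => crypto.sign(null, challenge, privateKey);

// Verifier: revocation list first, then validity window, then signature.
function verifyAgent(cert, challenge, signature, revokedSerials, now) {
  if (revokedSerials.has(cert.serial)) return "revoked";
  if (now < cert.notBefore || now > cert.notAfter) return "outside-validity";
  return crypto.verify(null, challenge, cert.publicKey, signature) ? "ok" : "bad-signature";
}

// Constructed scenario covering the cases discussed in the thread.
function demo() {
  const now = Date.UTC(2025, 0, 15);
  const agent = issueAgent("01", Date.UTC(2025, 0, 1), Date.UTC(2025, 1, 1));
  const revoked = new Set(); // stand-in for a signed CRL
  const check = (key, signedOver, presented) =>
    verifyAgent(agent.cert, presented, signChallenge(key, signedOver), revoked, now);

  const c1 = newChallenge(), c2 = newChallenge();
  const legit = check(agent.privateKey, c1, c1);
  // Party holding only the cert (no private key) must sign with some other key.
  const other = crypto.generateKeyPairSync("ed25519").privateKey;
  const certOnly = check(other, c1, c1);
  // Old signature presented against a new challenge.
  const replay = check(agent.privateKey, c1, c2);
  revoked.add("01"); // revocation takes effect on the next check
  const afterRevoke = check(agent.privateKey, c2, c2);
  return { legit, certOnly, replay, afterRevoke };
}

console.log(demo());
```

The order of checks in `verifyAgent` matters for audit purposes: a revoked agent is reported as revoked even when its signature is still valid.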