Hardware root of trust · for machines

Autonomy with
a hard boundary.

Silroot is an embedded secure-signing module that lets autonomous agents and machines transact on their own — within limits enforced in silicon. The host can ask. Only your policy, and you, can answer.

Request early access → Read the docs
<$12
module BOM
secp256k1
secure element
x402 · AP2
native
The threat is not theoretical In May 2026 an AI agent's wallet was drained by a single tweet. No stolen key. No contract bug. The model was simply talked into signing.
~$200K
drained from an agent-linked wallet
2nd
drain of that wallet in 14 months
How it works

Three verdicts. Decided in silicon, not in software.

Every action an agent proposes is evaluated against your policy inside the secure element — before anything is signed. The host running the agent is never trusted.

Allow

Acts on its own

Within your caps, rate limits and allowlist, the module signs instantly. No human, no latency — the point of autonomy, preserved.

Escalate

Asks the human

Over a threshold, the request is held and pushed to your phone — not through the agent's machine. You approve the exact request, cryptographically bound.

Reject

Refuses outright

Denylisted addresses, disabled skills, or a tripped kill switch die on the device. A prompt-injected transfer never even reaches you.

Architecture

Two keys. The device is disposable — your authority is not.

The signing key lives in the secure element and never leaves it. A separate owner key on your phone holds authority, and it's the only thing you back up.

[ 01 ]

Keys never leave silicon

Generated on-chip, non-extractable. No export path, no seed phrase for the module key. The signing boundary holds even if the host is fully compromised.

[ 02 ]

Policy enforced on-device

Per-transaction caps, daily limits, allowlists, velocity, time windows and per-skill permissions — evaluated in the element. The host cannot override them.

[ 03 ]

Unforgeable approvals

Escalations are signed over the request hash and verified against your registered owner key. A compromised host can't fake an approval or swap the request.

[ 04 ]

Reset-safe by design

The module is a revocable session key on a smart account. Wipe it and funds are untouched — re-enroll a replacement from your phone in seconds.

For developers

Two lines to put your agent on a leash.

Drop in the SDK or expose Silroot as an MCP server and any agent discovers it automatically. Same surface whether you're on Python, TypeScript, or bare firmware.

agent.py
# the agent never touches a key — it asks the module
from silroot import Silroot

sig = Silroot.connect()           # USB / BLE / MCP

result = sig.request_payment(
    to="api.vendor.eth",
    amount=5_000_000,         # 5 USDC
)

if result.status == "escalated":
    # held on-device, pushed to the owner's phone
    result = sig.await_approval(result.id)

# >>> signed  ·  off-allowlist & injections rejected in silicon
Built for the machine economy

Wherever a machine spends without a human watching.

EV & energy controllers Robotics & drones Vending & smart lockers Logistics & fleets Autonomous trading agents IoT data oracles Industrial automation
The old model

Human in the loop

Every action waits for a person to tap a screen. Safe — but it breaks the moment there's no human present, which is the entire premise of autonomous machines.

Silroot

Human on the loop

The machine acts freely inside hardware-enforced bounds and only interrupts you for the exceptions. You supervise the boundary — not every click.

Early access

Give your agents the
hardware they're missing.

We're shipping the first modules to a small group of builders. Tell us what your machines need to do safely.

Request early access → Talk to the team