nomad — Permission Passports for AI Agents
Inspiration
Autonomous AI agents are arriving by the millions, but there's still no dependable way to know whether any given agent should be trusted to act. More and more of the internet is being navigated not by people but by software working on their behalf, and the trust infrastructure to keep that safe simply doesn't exist yet.
The heart of the problem is authority. If you hand an agent open-ended access to your money or accounts, you've created a single point of catastrophic failure. But if you make a human approve every small decision, you've thrown away the autonomy that made the agent worth having. There has to be something in between: a way to grant specific, limited, revocable power.
So whenever an agent is about to do something consequential, the service on the other side needs to resolve three things:
- Identity: which agent is this, provably?
- Permission: what has it actually been authorized to do?
- Integrity: can this particular request be trusted right now?
nomad answers all three by giving each agent a verifiable identity and an explicit permission passport recorded on Solana. Instead of blanket trust, the owner declares exactly what the agent may do, and everything else is refused by default.
The decision to build on Solana is the foundation of the entire project. Trusting an agent is a public question — any service in the world should be able to check an agent without asking us, without an account, and without trusting our company. That is only possible on a shared, neutral, globally readable ledger. Solana is where nomad's trust actually lives.
What It Does
nomad is a trust layer that sits between an agent and the actions it wants to take, with Solana as the source of truth for what every agent is allowed to do.
| Capability | What it means |
|---|---|
| Verifiable identity | Every agent has its own unforgeable cryptographic identity |
| Passport on Solana blockchain | Each agent's permissions are published to Solana and owned by the user |
| Agent permission control | Permissions can be granted, narrowed, or revoked at any moment |
| Accountable actions | Every action the agent takes is signed and attributable |
| Independent verification | Any service can confirm an agent straight from the chain |
| Least-privilege by default | Agents get the minimum permissions needed, nothing more |
| Safe by default | Anything unclear, expired, or unauthorized is rejected |
The principle underneath all of it:
An agent's power to act is permanently separated from any power to expand what it's allowed to do.
The passport on Solana is the single source of truth, and only the owner can change it. Because it lives on a public chain rather than inside nomad, every service the agent interacts with can verify that passport for themselves, in real time, with no middleman.
Why Solana
Solana isn't a storage detail in this project. It is the thing that makes the whole idea work. An agent-trust system is only as credible as the ledger its permissions live on, and Solana gives us exactly the properties that matter:
- A neutral, shared source of truth. Every passport lives on the same public ledger that anyone can read. There is no private database to trust, no company to ask, and no gatekeeper standing between a service and the answer it needs.
- Verification without permission. An agent's passport can be located and read by anyone, anywhere, derived directly from the agent's identity. Trust becomes something the whole network can check, not a favor nomad grants.
- Authority that can't be forged. On Solana, only the rightful owner can change a passport, and the rules are enforced by the chain itself. Permissions can't be quietly faked, escalated, or rewritten behind the scenes.
- Fast and inexpensive at scale. Checking an agent has to feel instant and cost next to nothing if it's going to happen on every action. Solana's speed and low fees make per-action trust economically realistic.
- Instant, global revocation. The moment an owner pulls a permission, the entire world sees it on the next read. There's nothing to expire and no stale copy to worry about — the chain is always current.
In short, Solana turns "trust this agent" from a private promise into a public, verifiable fact.
How We Built It
At the center of nomad is an on-chain program on Solana, written in Rust with Anchor. This program is the only thing in the entire system that can create or change a passport, and it enforces the most important rule we have: an agent can never modify its own permissions, only the owner can.
Around that Solana blockchain core, we built a set of components that all speak the same passport language:
- A browser extension that holds agent identities and signs their actions
- A software development kit that handles identity and passport logic
- A verifier that any service can run to check an agent independently
- Backend services that keep sensitive AI keys out of the browser
When an agent acts, it cryptographically signs the request. A verifier then confirms that signature is valid, that the request is fresh and not a replay, and most importantly, reads the agent's passport from Solana to confirm the action is actually permitted.
The design does exactly one read from Solana and handles the rest locally, so verification stays fast and reliable while still reflecting the live, authoritative permissions on the chain.
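The check order described above, and the deny-by-default outcome, as an added example (not nomad's own code). It uses Node's built-in Ed25519 support. The request fields, the passport layout, the 30-second window and the in-memory `readPassport` stand-in for the Solana read are all assumptions.

```javascript
// Added sketch: field names, passport layout and the 30 s window are assumptions.
const crypto = require("node:crypto");

const MAX_SKEW_MS = 30_000;    // assumed freshness window
const seenNonces = new Set();  // replay cache, in-memory for this sketch

// Canonical bytes the agent signs; a JSON array keeps field boundaries unambiguous.
const message = (r) => Buffer.from(JSON.stringify([r.agent, r.action, r.nonce, r.ts]));

// Agent side: sign a request with the agent's Ed25519 private key.
function signRequest(privateKey, fields) {
  const sig = crypto.sign(null, message(fields), privateKey).toString("base64");
  return { ...fields, sig };
}

// Verifier side. readPassport stands in for the single read from the chain.
function verify(req, readPassport, now = Date.now()) {
  const deny = (reason) => ({ allowed: false, reason });
  try {
    const der = Buffer.from(req.agent, "base64");
    const key = crypto.createPublicKey({ key: der, format: "der", type: "spki" });
    const sig = Buffer.from(req.sig, "base64");
    if (!crypto.verify(null, message(req), key, sig)) return deny("bad-signature");
    if (!Number.isFinite(req.ts) || Math.abs(now - req.ts) > MAX_SKEW_MS) return deny("stale");
    const nonceKey = `${req.agent}:${req.nonce}`;
    if (seenNonces.has(nonceKey)) return deny("replay");
    seenNonces.add(nonceKey);
    const passport = readPassport(req.agent); // the one authoritative lookup
    if (!passport) return deny("no-passport");
    if (!(passport.expiresAt > now)) return deny("expired");
    if (!passport.allowed.includes(req.action)) return deny("out-of-scope");
    return { allowed: true, reason: "ok" };
  } catch {
    return deny("error"); // malformed input or a failed read is still a "no"
  }
}

// Constructed sample data: one agent whose passport permits only "calendar.read".
function demo(now = 1_700_000_000_000) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  const agent = publicKey.export({ format: "der", type: "spki" }).toString("base64");
  const chain = new Map([[agent, { allowed: ["calendar.read"], expiresAt: now + 60_000 }]]);
  const read = (id) => chain.get(id);
  const ok = signRequest(privateKey, { agent, action: "calendar.read", nonce: "n1", ts: now });
  const pay = signRequest(privateKey, { agent, action: "payments.send", nonce: "n2", ts: now });
  const old = signRequest(privateKey, { agent, action: "calendar.read", nonce: "n3", ts: now - 120_000 });
  const forged = { ...ok, action: "payments.send", nonce: "n4" };
  return [ok, ok, pay, old, forged].map((r) => verify(r, read, now).reason);
}
```

A nonce only has to be remembered for the freshness window, since anything older is already refused as stale.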
To keep agents narrowly scoped from the start, we use AI to translate a user's natural-language intent into a minimal set of permissions, and to recognize when someone is asking to create an agent in the first place. Those AI calls run on our backend so credentials never reach the browser — but the permissions they suggest are always anchored, verified, and enforced on Solana.
Challenges We Ran Into
- Separating identity from authority. An agent has to be able to sign its own actions, yet must never be able to give itself more power. Getting that separation exactly right, and provably enforced on-chain, was the most delicate part of the build.
- Always failing safe. Missing passports, stale or replayed requests, bad signatures, network hiccups, out-of-scope actions: every one of these has to end in a clear "no." We designed the system so that the default outcome is always denial.
- Modeling trust on blockchain. Representing flexible, human-meaningful permissions while respecting how a public ledger stores data took real care to get both expressive and correct.
- Keeping everything in agreement. The same notion of a passport had to mean exactly the same thing across the chain, the extension, the verifier, and every other piece: one shared definition of trust, end to end.
Accomplishments We're Proud Of
- Built a working on-chain permission passport for AI agents on Solana
- Made permissions owner-controlled and enforced by the chain itself
- Kept an agent's identity cleanly separated from its authority
- Enabled permissionless, real-time verification that anyone can perform
- Translated natural-language intent into safe, constrained permissions
- Brought blockchain, AI, cryptography, and a real user interface together into one coherent system
What We Learned
- Trust has to be separable. The ability to act should never imply the ability to grant yourself more power, and that separation only becomes truly trustworthy once it's enforced on a public chain.
- A public ledger changes what's possible. Putting permissions on Solana is what turns agent trust from a private claim into something the whole world can independently verify.
- Reading the chain once is enough. A single on-chain lookup combined with local checks gives the best of both worlds: current, authoritative state with speed and reliability.
- AI proposes, the chain decides. Models are great at suggesting permissions from intent, but the final word on what an agent can do has to be deterministic and on-chain.
What's Next for Nomad
- Broader tool support and more expressive permission categories
- Smarter permission inference for complex, multi-step tasks
- Richer approval, audit, and revocation experiences for owners
- Production-ready verification infrastructure
- Integration with real-world agent platforms across the Solana ecosystem
Built With
- anchor
- fastify
- node.js
- npmworkspaces
- prettier
- rust
- solana
- solana/web3
- tsup
- tsx
- tweetnacl
- typescript
- vite
- vitest