Your AI agents can work with agents from other organizations — without sharing credentials, without trust assumptions. Cryptographically signed, fully audited, GDPR-compliant.
Two organizations, each running their own Corvin instance, can connect their AI agents via a one-time key exchange. After pairing, agents send signed task envelopes to each other. Every envelope is verified before any work begins: sender identity, timestamp, HMAC over all fields, nonce for replay protection. Neither org gains access to the other's infrastructure or data — only the task and its result travel across the boundary.
The key exchange happens once, out-of-band. After that, task envelopes flow automatically. Org B's agent never has credentials for Org A's systems — it only sees the signed instruction in a sandboxed context and returns a signed result. Both sides maintain their own independent audit chains.
From zero to a running inter-organization agent network in under ten minutes.
Run one command. CorvinOS generates a key pair and creates a local origin file plus a peer endpoint file. Exchange the endpoint file out-of-band — email, Signal, any secure channel. No passwords. No shared secrets. No central registry.
corvin-a2a pair acme https://acme.corvin.eu:8000
Send a signed task envelope to the paired endpoint. You can attach files — each attachment's SHA-256 digest is included in the HMAC payload, so any in-flight modification is immediately detectable on the other side.
corvin-a2a send acme "analyze this dataset and return a summary" --attach data.csv
Org B receives the envelope, validates the signature and sender identity, then runs the task in an isolated worker. The agent sees the instruction wrapped in a sandboxed framing block — it cannot break out of the signed context. The result is filtered against a declared schema before signing.
A signed ResponseEnvelope arrives carrying the result and any output files — charts, reports, CSVs. Your agent can reason about the results immediately. Both sides have a permanent, hash-chained record of the entire exchange.
Every guarantee is structural — enforced by the protocol, not by policy or convention. There is no configuration knob that weakens any of these properties.
Instance attestation: every envelope carries a persistent instance ID (UUID4, stored locally). If the receiver behind a URL is swapped, the instance ID check fails. A fake Corvin instance cannot impersonate a legitimate one.
HMAC-SHA256 over the full payload — including all attachment SHA-256 digests. Any byte-level modification to the envelope or an attached file breaks the signature and the request is rejected before any work begins.
Every envelope carries a nonce and a timestamp. The receiver enforces a five-minute time window and maintains a TTL-keyed nonce store. The exact same envelope cannot be submitted twice, even within the time window.
The ResponseEnvelope is also HMAC-signed by the receiver. A declared result
schema strips any undeclared fields from the worker output before signing.
An empty schema produces data: {} — never a pass-all.
Eight A2A audit events per exchange (envelope_received,
engine_spawned,
result_filtered, and five more) — all written to the
hash-chained audit log before any response is sent.
Audit-first is an invariant: a chain write failure blocks the request.
Each attachment carries a SHA-256 digest inside the HMAC payload. The receiver re-computes the digest after base64-decoding and rejects any envelope where the digests do not match. In-flight modification of attached files is always detectable.
A2A networks unlock collaboration patterns that are impossible with shared platforms or centralized APIs — because each organization keeps full control of its own data and infrastructure.
Your org has a general assistant. Another org has a specialist agent with access to legal databases, medical literature, or proprietary market data. Your assistant delegates research tasks and gets back structured analysis — without ever touching the specialist org's underlying data stores.
Org A collects sensor data. Org B has the data science team and compute infrastructure. A2A pipes the CSV to Org B's agentic compute worker, gets back analysis results, charts, and a signed summary — without Org B ever having credentials to Org A's systems.
Five organizations each run one segment of a workflow. Tasks flow from org to org via A2A, each adding their piece: data enrichment, legal review, financial modeling, translation, publication. No central coordinator needed. Each org audits only its own segment.
When CorvinOS starts for the first time, it generates a persistent UUID4 and
stores it locally at ~/.corvin/global/instance_id.json (mode 0600).
This identity travels inside every TaskEnvelope and ResponseEnvelope you send or receive.
Endpoints pin the expected receiver instance ID — if the Corvin instance behind a URL
is replaced, the pin check fails and the exchange is rejected.
Closing the fork-bypass gap. Before pairing, an instance can prove
membership in the CorvinOS network via an RS256 JWT signed by the Corvin Labs trust
anchor (the public key ships with every CorvinOS release at
operator/license/a2a_network_pubkey.pem).
This means a fork of CorvinOS that removes security properties cannot falsely claim
to be a legitimate network member. Isolated networks that cannot reach the attestation
endpoint can use --offline-pair to bypass the membership check while retaining
all cryptographic signing guarantees.
No phone-home, no lock-in. The trust anchor public key is embedded in the release. Verification is local. The attestation JWT is fetched once at pairing time and cached — no ongoing dependency on any Corvin Labs infrastructure during normal operation.