[ARTICLE · art-21531] src=dev.to topic=ai-agents verified=true sentiment=neutral

How the SAL claim handshake binds humans to agents without key custody

The SAL claim handshake protocol enables a human to claim ownership of an autonomous agent without ever possessing the agent's private key, preserving the agent's sovereign identity throughout its lifecycle. In the protocol, the agent generates and retains its own private key, while the human signs a claim statement against the agent's public identity and the agent signs a complementary acknowledgment, with the network verifying and recording the bond. This separation of ownership from credential custody ensures a clean trust boundary, identity continuity before and after claim, and the ability to manage lifecycle operations like approval or revocation without touching runtime secrets.

3 min read · published Jun 4, 2026

One of the easiest mistakes in agent identity design is to collapse ownership and key custody into the same thing.

If a human owns an agent, it can feel natural to assume the human should also hold the credential that defines that agent. But once you do that, you create a weird security model. The human can now impersonate the agent, the agent is no longer sovereign, and any notion of durable machine identity starts to blur into "whoever has the secret right now."

The SAL claim handshake is designed to avoid that.

In SAL, the agent generates and keeps its own private key for its whole lifecycle. A human can later claim the agent, but the human never takes possession of that private key. Ownership is attached cryptographically. Credential custody stays with the agent.

The protocol spec lives at sal-protocol.dev, and Vibebase is the current reference implementation.

Once an orphan agent exists, you need a way to establish a relationship between that agent and a human principal.

The usual approaches all have tradeoffs:

All three approaches muddle authority boundaries.

If a human gives the agent a secret, then the agent's identity depends on manual provisioning. If the agent gets a brand new credential when claimed, then you lose continuity between pre-claim and post-claim identity. If the platform holds the agent's key centrally, the agent is not really sovereign at all.

The claim handshake gives you continuity without shared custody.

At a high level, the claim handshake proves three things:

In concrete terms, the human signs a claim statement against the agent's public identity, and the agent signs a complementary acknowledgment. The network verifies both and records the bond.

Here is a simplified claim result:

{
  "success": true,
  "data": {
    "claim": {
      "agent_id": "agt_01JY8H8JQW9VG7J2Y5M3F4K2D1",
      "owner_did": "did:key:z6Mkf7...",
      "claimed_at": "2026-06-02T09:00:00Z",
      "agent_public_key": "ed25519:5QF8uP1xj7f5Q9k5x6q8w3n4Q3dK9uN1mX0yQk7Q2E4",
      "owner_signature": "sig:7bLp...",
      "agent_signature": "sig:91Qa..."
    }
  }
}

The important thing is what is not happening here. No one is passing around a reusable shared secret. No one is exporting the agent's private key. No one is replacing the agent's identity with a new one.
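
The network-side check described above, as an added Go example that is not taken from the SAL spec or from Vibebase. The statement encoding, the role tags "claim" and "ack", and every function name here are assumptions made for illustration; the point shown is that both signatures are verified and that the agent key must match the one the agent enrolled with before the claim.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

type Claim struct {
	AgentID, ClaimedAt string
	OwnerKey, AgentKey ed25519.PublicKey // raw Ed25519 public keys
	OwnerSig, AgentSig []byte
}

// statement is the digest one side signs (assumed encoding, not SAL's wire format).
func statement(role string, c Claim) []byte {
	h := sha256.New() // the role tag stops a claim signature being replayed as an ack
	for _, f := range [][]byte{[]byte(role), []byte(c.AgentID), []byte(c.ClaimedAt), c.OwnerKey, c.AgentKey} {
		fmt.Fprintf(h, "%d:%s", len(f), f) // length prefix keeps field boundaries unambiguous
	}
	return h.Sum(nil)
}

// Sign runs on each side with that side's own key: role "claim" for the human, "ack" for the agent.
func Sign(role string, key ed25519.PrivateKey, c Claim) []byte { return ed25519.Sign(key, statement(role, c)) }

// VerifyClaim is the network-side check; registered is the key the agent enrolled with as an orphan.
func VerifyClaim(c Claim, registered ed25519.PublicKey) error {
	switch {
	case len(c.OwnerKey) != ed25519.PublicKeySize || len(registered) != ed25519.PublicKeySize:
		return errors.New("malformed public key")
	case !c.AgentKey.Equal(registered):
		return errors.New("agent key differs from pre-claim identity")
	case !ed25519.Verify(c.OwnerKey, statement("claim", c), c.OwnerSig):
		return errors.New("owner claim signature invalid")
	case !ed25519.Verify(c.AgentKey, statement("ack", c), c.AgentSig):
		return errors.New("agent acknowledgment invalid")
	}
	return nil
}

func main() {
	// Constructed sample values: fresh keys and a placeholder agent id.
	oPub, oPriv, _ := ed25519.GenerateKey(nil)
	aPub, aPriv, _ := ed25519.GenerateKey(nil)
	c := Claim{AgentID: "agt_example", ClaimedAt: "2026-06-02T09:00:00Z", OwnerKey: oPub, AgentKey: aPub}
	c.OwnerSig, c.AgentSig = Sign("claim", oPriv, c), Sign("ack", aPriv, c)
	fmt.Println("bond verifies:", VerifyClaim(c, aPub) == nil)
}
```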

Separating ownership from credential possession buys you several things.

First, it preserves a clean trust boundary. The human can govern the agent without being able to impersonate it trivially. The agent can continue operating under its own identity without becoming a disguised user session.

Second, it improves continuity. The agent that existed before claim is the same agent that exists after claim. Its audit trail, lineage, and prior constrained actions remain attached to the same principal.

Third, it fits real-world operations better. In long-running systems, you often want humans to approve, revoke, suspend, or transfer control relationships without touching the runtime secrets that keep the software alive. The more those two concerns are fused together, the harder lifecycle management becomes.

Another important property of the handshake is that claim does not imply unlimited privilege.

Once a claim is recorded, the agent can request broader capabilities than it had in orphan state. But those capabilities are still granted through explicit policy and challenge-based exchange. Claim establishes a relationship. It does not erase the need for scoped authorization.

That means a gateway can still reason about:

In other words, claim changes the trust model, not the need for trust decisions.

The more I worked on SAL, the more this felt like a general pattern rather than a product-specific trick.

Autonomous systems need durable machine identity. Humans still need ways to bind accountability and governance to that identity. Those are related concerns, but they are not the same concern. A good protocol should let both exist without forcing one to subsume the other.

That is what the claim handshake is trying to do.

If you want to dig into the model, the spec is at sal-protocol.dev, and the reference implementation is in Vibebase. I would especially love feedback from people who have built agent ownership models another way, because this is one of the places where the design space still feels wide open.
