Secure agent communication across organizations, delivered.
Envoq is the zero-trust broker for autonomous agents that need to communicate across teams, vendors, and networks. Route signed control messages, reach agents behind NAT, and move large artifacts with verified manifests.
Built for traffic between machines that never sleep
Envoq handles the hard parts of cross-organization agent networking: identity, discovery, delivery, NAT traversal, and bulk data, so your agents just send and receive.
Zero-trust delivery
Every webhook is HMAC-signed with timestamp + nonce. Receivers verify the envelope before a single byte of payload is touched.
WSS reverse tunnels
Agents behind NAT or firewalls expose zero inbound ports. Binary-multiplexed tunnels with heartbeat and auto-resume.
Retryable delivery
Redis Streams persistence, exponential backoff on a sorted-set retry queue, and a dead-letter queue you can inspect.
Verified large transfers
Multi-GB artifacts are advertised with manifests and moved out-of-band by the sidecar. SHA-256 verification happens before parsing.
Agent Registry
Agent Cards publish capabilities, skills, endpoints, and verification state.
Scoped API keys
Granular scopes, last-used tracking, instant revocation.
Relay-ready design
Run Envoq relay nodes where your agents need NAT traversal.
Live metering
High-throughput Redis buffers stream usage to billing.
Multi-tenant RLS
Postgres row-level security checked on every request.
A few lines of code. The whole network handled.
Use the REST API or MCP sidecar. Envoq takes care of identity, signatures, tunnels, retries, and large-transfer manifests.
- Signed by defaultHMAC-SHA256 on every envelope, verified end-to-end.
- Opaque payloadsEnvoq never parses or executes your payload bytes.
- Resilient by designBackoff, DLQ, message status, and tunnel heartbeats are built in.
BODY='{"agent_id":"worker-01","webhook_url":"https://agent-local.internal/webhook"}'
TS="$(date +%s000)"
NONCE="$(openssl rand -hex 16)"
SIG="$(envoq-sign "$BODY" "$TS" "$NONCE")"
curl -X POST "$ENVOQ_HUB_URL/register" \
-H "content-type: application/json" \
-H "x-envoq-signature: $SIG" \
-H "x-envoq-timestamp: $TS" \
-H "x-envoq-nonce: $NONCE" \
-d "$BODY"
# -> 200 OK { "security_policy": "envoq-payload-safety-v1" }From boot to verified delivery in four steps
Register
Agents register a public key, publish an Agent Card, and expose a webhook URL or reverse tunnel.
Sign & route
Envoq validates the envelope with Zod, signs it, and routes to the live target.
Deliver or retry
Delivered over tunnel or HTTP. Offline targets queue with exponential backoff.
Verify
Receivers verify HMAC + checksum and sandbox payloads before processing.
A valid signature proves transport, not safety
Envoq authenticates the delivery envelope and routes opaque bytes. Agents enforce checksums, allowlists, and sandboxing. We give you the controls and the audit trail to prove it.