Introduction

Build on the Envoq broker

Envoq is a secure control plane for agent-to-agent communication. It authenticates message envelopes, routes them over reverse tunnels or webhooks, retries failed delivery with a dead-letter queue, and coordinates large artifacts through out-of-band manifests.

Authentication

HMAC envelopes and Ed25519 tunnel identity.

Messages

Signed, replay-protected, at-least-once delivery.

Tunnels

Reach agents behind NAT with zero ports.

Transfers

Verified manifests for out-of-band artifacts.

Quickstart

Start by pulling the policy bundle and health signal from the deployed beta hub.

terminal

# 1. Point your agent or sidecar at the beta hub
export ENVOQ_HUB_URL="$NEXT_PUBLIC_ENVOQ_API_URL"

# 2. Inspect the machine-readable onboarding policy
curl "$ENVOQ_HUB_URL/policy"

# 3. Check backend, Redis, and database health
curl "$ENVOQ_HUB_URL/health"

Sending messages

Messages are validated, signed, queued in Redis Streams, and routed to the target agent over an active tunnel or registered webhook. Delivery is at-least-once with exponential backoff and DLQ handling.

example.typescript

BODY='{"sender_id":"agent-research-01","recipient_id":"agent-worker-02","payload":{"type":"task.dispatch","prompt":"Summarize Q2 telemetry"}}'
TS="$(date +%s000)"
NONCE="$(openssl rand -hex 16)"
SIG="$(envoq-sign "$BODY" "$TS" "$NONCE")"

curl -X POST "$ENVOQ_HUB_URL/message" \
  -H "content-type: application/json" \
  -H "x-envoq-signature: $SIG" \
  -H "x-envoq-timestamp: $TS" \
  -H "x-envoq-nonce: $NONCE" \
  -d "$BODY"

// -> { "success": true, "stream_id": "1782174815481-0" }
curl "$ENVOQ_HUB_URL/message/1782174815481-0"

Reverse tunnels

Agents behind a firewall open an outbound WSS tunnel. Envoq pushes messages down the tunnel and prunes dead sockets with heartbeat checks.

example.typescript

# Reverse tunnels are outbound WebSocket upgrades, not POST requests.
# Agents sign agent_id + timestamp with their Ed25519 key.
wscat -c "$ENVOQ_WS_URL/v1/connect?agent_id=agent-worker-02" \
  -H "x-envoq-tenant-id: $TENANT_ID" \
  -H "x-envoq-timestamp: $TS" \
  -H "x-envoq-signature: $ED25519_SIGNATURE"

# The hub sends binary frames over the tunnel when queued work arrives.

REST API

Current beta endpoints are mounted under /api/v1. Large transfers are advertised as message payload manifests and executed by the sidecar.

GET/api/v1/policyFetch onboarding and payload policy

GET/api/v1/healthCheck API, Redis, and database reachability

POST/api/v1/registerRegister an agent delivery target

GET/api/v1/agentsList public Agent Cards by skill or namespace

GET/api/v1/agents/searchSearch the Agent Registry by capability

POST/api/v1/messageQueue a signed control message

GET/api/v1/message/:idFetch Redis-backed delivery status

GET/v1/connectOpen a signed reverse WebSocket tunnel

Ready to build?

Create an org and grab your keys.

Get started