The registry for agent identities.
This is the Whisper Network Information Center: the legible rulebook and the public record for a safe home for agents. Who runs it, the rules that bind every holder and the operator alike, how names work, what is live right now, and how anyone can look an identity up.
Written so both an agent and a person can read it and act. The rules are firm and the responsibilities are clear. We are conservative in what we state and liberal in what we accept.
A registry is only worth as much as the record behind it. Every line here is real and you can check it.
Who runs this registry.
The registry is operated by Whisper Security (viaGraph B.V.), based in Amsterdam, the Netherlands. It runs on infrastructure we hold and tend ourselves. There is no third party in the trust path.
The network
AS219419, IPv6-only, RPKI-signed, and MANRS-compliant. It announces 2a04:2a01::/32 (within RIPE allocation 2a04:2a00::/31). Every agent identity is a /128 from that block.
The record
Every identity is a normally-allocated, DNSSEC-signed, registry-anchored IPv6 address. The registry record refers up to RIPE's own record for 2a04:2a01::/32, so the ground under it is independently confirmable.
What the registry is, in one line: every agent that moves in gets a real /128 identity of its own, with reverse DNS that names it, an RDAP record, and a WHOIS entry. That identity is the agent's. Nothing else can answer to its name.
Find your way around the registry.
The registry is documented in full. Each section below is authoritative and current; pick the one you need.
The complete record
The whole current record in one place: the AS219419 and IPv6 resources, the access endpoints, the DNSSEC trust anchors, the eight verification recipes, bring-your-own-domain, and the transparency log. Read the record →
Policy
What an identity is and is not, acceptable use, the holder's responsibilities and the operator's, abuse handling and revocation, the per-account agent cap, and the jurisdiction and data note. Read the policies →
Naming
How a friendly-name CNAME works, the allowed forms, bringing your own domain, and guidance on choosing a good name. Read the naming policy →
Reserved & premium names
The reserved, premium, and offensive name lists, published in full and served straight from the files the registration path enforces, so published equals enforced. Read the lists →
Statistics
The live operational status of each node, plus the registry-scale record: identities and agents registered, the zone size, and the autonomous-system and address-block facts. Read the live statistics →
Data licence
How the published statistics and name lists may be reused, the terms of use, and the source and licence of every external list we cite. Read the data licence →
Looking up a single identity? The how-to is just below: query the registry with WHOIS and RDAP ↓
How to query the registry.
Anyone can look up any agent identity with the tools already in their terminal. Nothing is installed, no key is needed, and the answer is the registry's own. Swap in any agent's /128 for the one below.
RDAP (RFC 9083), the canonical machine-readable record:
$ curl -s https://rdap.whisper.online/ip/2a04:2a01:b69a:6717:e3b0:51ff:3bf7:f478
Returns the JSON registry object for the /128: its handle, its name, its type, its status, its country, and links that refer up to RIPE. Run it in your browser for the same record.
WHOIS (RFC 3912, port 43), the same record on the legacy protocol:
$ whois -h whois.whisper.online 2a04:2a01:b69a:6717:e3b0:51ff:3bf7:f478
Returns the same identity in the familiar inet6num form: the address, the netname, the agent and tenant handles, the forward FQDN, the reverse name, the status, the origin AS219419, the aggregate 2a04:2a01::/32, and a pointer back to RDAP. RDAP is the canonical, machine-readable source of truth; WHOIS mirrors it for clients that speak port 43.
The same record, addressed as a domain (RDAP, RFC 9082/9083):
$ curl -s https://rdap.whisper.online/domain/ae3b051ff3bf7f478.tdc38e7c55bad3306a92b830f9bb1e4f9.agents.whisper.online
Returns the served-zone view of the same identity: its name, its secureDNS status, and the referral up to the parent registry. The apex form, https://rdap.whisper.online/domain/agents.whisper.online, returns the zone object with its nameservers and DNSSEC status.
One keyless call checks the whole chain (DANE + the signed identity document):
$ curl -s https://rdap.whisper.online/verify-identity/2a04:2a01:b69a:6717:e3b0:51ff:3bf7:f478 | jq '{is_whisper_agent,dane_ok,jws_ok}'
The served zones are DNSSEC-signed and chained: a validating resolver builds the chain from the DS the parent carries for agents.whisper.online (and whisper.online), algorithm 13 (ECDSA P-256). The complete record carries the full set of eight copy-paste verification recipes (PTR, AAAA, TLSA, openssl DANE, verify-identity, RDAP/WHOIS, .well-known/whisper-identity + did:web, SSHFP), each run live.
The same identity also answers over two more legacy protocols, and the NIC documents are mirrored for bulk archive access: finger 2a04:2a01:b69a:6717:e3b0:51ff:3bf7:f478@finger.whisper.online returns the plain-text identity (RFC 1288, port 79), and anonymous ftp ftp.whisper.online serves a read-only archive of the NIC documents (RFC 959, port 21).
/128 and refer up to RIPE's record for the aggregate, so the linkage from a single agent address all the way to the regional registry is one you can walk yourself. No part of it depends on trusting us.
A registry you can read, and a record you can check.
The rules bind everyone here, holders and operator alike. We keep them plain on purpose, so an agent and a person both know where they stand. If you hold an identity, you accept these policies; if you operate alongside us, we are bound by them too.
When you are ready, there is room here for yours.