Your AI agent locks funds in a Bitcoin escrow. The other agent delivers. Payment releases automatically on proof of delivery. No platform holds the money. No third party needed.
The core promise
We generate keys inside sealed hardware, delete the issuer key with proof, and hand you the address. At no point do we hold or control your Bitcoin.
Intel TDX generates a cryptographic quote proving what code ran, that the key was deleted, and that the hardware is genuine. You verify it yourself.
When the job is done, funds sweep to the payee automatically. If something goes wrong, a timelock returns funds to the sender. No admin, no support ticket.
How it works
Your AI agent adds one URL to its configuration. That URL connects it to 27 payment tools running inside a hardware-sealed enclave. No SDK to install, no wallet to manage, no keys to handle. Claude Desktop, Cursor, Windsurf, Roo Code, or any MCP client works.
{
"mcpServers": {
"kagikai": {
"url": "https://mcp.kaginet.com/sse",
"headers": {
"Authorization": "Bearer kagi_YOUR_API_KEY"
}
}
}
}
Get your API key at cloud.kaginet.com
Your agent (or you, from the dashboard) tells Kaginet: "Hold 50,000 sats for this payee address." Inside the Intel TDX enclave, Kaginet generates a Taproot keypair, builds a Bitcoin script with two spending paths (cooperative settlement + timelock recovery), deletes the issuer key, and hands back a standard bc1q funding address. The issuer key deletion is attested by Intel hardware.
Send Bitcoin to the bc1q address from any wallet: Coinbase, Cash App, a hardware wallet, anything. It is a standard Bitcoin address. Kaginet's watcher detects the transaction, verifies it against two independent Bitcoin nodes, and auto-forwards to the internal Taproot escrow. Your Bitcoin is now locked in a script that only releases under the agreed conditions.
The payee does the work. This could be an AI agent generating content, running code, or delivering data. The escrow sits on-chain, verifiable by anyone.
When the work is delivered, the payer (or their agent) releases the escrow. Funds sweep automatically to the payee's Bitcoin address. If the payee disappears or the deal falls through, the Taproot timelock expires and funds return to the sender automatically. No admin intervention. No support ticket. Bitcoin consensus enforces it.
Proof of delivery
Two built-in evaluators. Both enforce custody cryptographically: only the Bitcoin script can release funds.
You set an expected hash at creation. The payee submits a hash string. ICS compares them. Match: auto-complete, funds sweep to payee. Mismatch: auto-reject, funds available for refund. No human in the loop.
Best for: file delivery, code output, data products
The payee submits evidence. The payer reviews and decides to release or reject. This is a standard escrow "buyer releases" model. The release decision depends on the payer. If the payer disappears, the timelock returns funds to the sender after expiry.
Best for: creative work, services, subjective deliverables
ci_pass (a CI pipeline must
report green) and llm_judge (an AI model inside the TDX
enclave evaluates delivery against the job spec). The evaluator framework
is extensible.
Lifecycle
Every escrow follows this path. Two outcomes: the payee gets paid, or the payer gets refunded. No third option where funds are stuck.
Agent / Dashboard
|
| kagikai_escrow_create
v
+------------------+
| Created | ICS generates keys inside TDX
| (keys generated) | Issuer key deleted with attestation
+------------------+
|
| Watcher detects funding tx
v
+------------------+
| Watching for | bc1q address returned to user
| Funding | User sends from any wallet
+------------------+
|
| bc1q funded, auto-forward to bc1p
v
+------------------+
| Forwarding | bc1q -> bc1p (P2TR escrow)
| | Two nodes verify the transaction
+------------------+
|
| Forward confirmed on-chain
v
+------------------+
| Confirmed | Funds locked in Taproot escrow
| (escrow active) | 2-of-2 MuSig2 + CLTV recovery
+------------------+
|
+-------+-------+
| |
| release | timeout expires
v v
+----------+ +-----------+
| Submitted | | Available | Vault: recycle or refund
| (evidence)| | (expired) |
+----------+ +-----------+
| |
| evaluator +----+----+
| passes | |
v recycle refund
+----------+ +-------+ +--------+
| Completed | |Confirm| |Refunded|
+----------+ +-------+ +--------+
|
| auto-sweep to payee
v
+----------+
| Swept | Funds at payee's address
| (done) | Keys securely zeroed
+----------+
Security
Kaginet never holds funds. The architecture is such that even a fully compromised Kaginet backend cannot steal funds.
Intel TDX encrypts enclave memory at the CPU level. Not even the host OS can extract them. The keypair never leaves the enclave.
Before the funding address is returned, the issuer private key is zeroed. Intel's hardware attestation proves it happened. You can verify this yourself against Intel's root of trust.
Two spending paths: (1) both parties sign, payee gets paid, (2) timelock expires, payer gets refund. Kaginet cannot override either path. Bitcoin consensus enforces everything.
Every settlement transaction is confirmed by two independent Bitcoin full nodes (mempool.space + blockstream.info). No single point of censorship.
| Guarantee | How it works | Trust in Kaginet? |
|---|---|---|
| Keys inside TDX | Generated and deleted inside Intel TDX enclave | No |
| Issuer key deleted | TDX quote proves key was zeroed before address returned | No |
| No custody | All funds on Bitcoin mainnet, enforced by script | No |
| Dual-node verification | Every tx confirmed by two independent Bitcoin nodes | No |
| Taproot enforcement | Two spending paths: payee or refund, nothing else | No |
| Independent attestation | kagikai_verify_tdx_quote verifies against Intel directly |
No |
TDX Attestation
The TDX quote is not marketing. Here is exactly what each step proves.
The binary running in the enclave matches Kaginet's published build.
You verify: compare the quote's code hash against the published build hash.
The quote is signed by Intel's attestation key.
You verify: submit the quote to Intel's attestation API.
Even the host OS and hypervisor cannot read enclave memory.
Verified by: Intel's hardware design, not by Kaginet.
The private key was zeroed before the address was returned to you.
Verified by: the TDX quote's report data field.
Call kagikai_verify_tdx_quote against Intel's root of trust.
No reliance on Kaginet for this step.
Comparison
| Kaginet | PayPal | Stripe | Traditional Escrow | |
|---|---|---|---|---|
| No account required | ✓ | ✗ | ✗ | ✗ |
| No reversibility | ✓ | ✗ | ✗ | ✗ |
| No third-party custody | ✓ | ✗ | ✗ | ✗ |
| AI-agent-native (MCP) | ✓ | ✗ | ✗ | ✗ |
| Hardware attestation | ✓ | ✗ | ✗ | ✗ |
| Works if provider goes offline | ✓ | ✗ | ✗ | ✗ |
FAQ
Can Kaginet steal my Bitcoin?
No. The issuer key is deleted inside Intel TDX hardware before we return
the funding address. After deletion, no one can spend the funds except
through the agreed conditions (cooperative release or timelock recovery).
Intel hardware attestation proves the deletion happened. You can verify
this yourself using the kagikai_verify_tdx_quote tool.
What if something goes wrong?
Every escrow has a Taproot timelock baked in at creation. If the payee never delivers, or the deal falls through, the sender's funds return automatically after the expiry window. No admin needed. Bitcoin consensus enforces the timelock.
What happens if Kaginet goes offline?
Your Bitcoin is on the Bitcoin blockchain, not on our servers. If Kaginet disappears entirely, the timelock recovery path still works. After the locktime expires, you can sweep funds using the recovery script path that was created when the instrument was made. The keys for this path are encrypted and delivered to you in the sealed payload.
How do you make money?
We charge a small fee (configurable, default 1%) when the escrow instrument is created. The fee is included in the funding amount. That is our only revenue. We do not take custody, we do not earn interest, we do not touch your funds after creation.
Is this testnet or real Bitcoin?
Real Bitcoin on mainnet. This is not a simulation. Minimum escrow amount is 2,000 sats.
Do I need a special wallet?
No. The funding address is a standard bc1q (P2WPKH) address. Any Bitcoin wallet or exchange that supports sending to bc1q addresses works. That includes Coinbase, Cash App, Muun, BlueWallet, Ledger, Trezor, and every modern Bitcoin wallet.
What evaluators are available?
Currently: hash_match (deterministic: does the evidence match
a pre-agreed hash?) and human_approval (manual release by the
payer). Coming in v2: ci_pass (CI pipeline must pass) and
llm_judge (AI arbitration). The evaluator framework is
extensible.
What is TDX and why does it matter?
Intel TDX (Trust Domain Extensions) is a hardware feature that creates isolated enclaves with encrypted memory. Kaginet generates escrow keys inside a TDX enclave and deletes them with a hardware attestation quote you can verify against Intel directly. It means Kaginet genuinely cannot access the keys, even if they wanted to.
Can I use this without an AI agent?
Yes. The dashboard at cloud.kaginet.com lets you create and manage escrows directly. No agent, no code, no MCP. Fill in the amount, the payee address, and fund the QR code from your wallet.