Escrow for AI agent payments.

Your AI agent locks funds in a Bitcoin escrow. The other agent delivers. Payment releases automatically on proof of delivery. No platform holds the money. No third party needed.

Mainnet
TDX Hardware Attestation
No Custody
27 MCP Tools
Zero SDK

Three things, and only three things.

No Custody

We generate keys inside sealed hardware, delete the issuer key with proof, and hand you the address. At no point do we hold or control your Bitcoin.

Hardware Proof

Intel TDX generates a cryptographic quote proving what code ran, that the key was deleted, and that the hardware is genuine. You verify it yourself.

Automatic Settlement

When the job is done, funds sweep to the payee automatically. If something goes wrong, a timelock returns funds to the sender. No admin, no support ticket.

Five steps. No SDK.

1. Your agent connects

Your AI agent adds one URL to its configuration. That URL connects it to 27 payment tools running inside a hardware-sealed enclave. No SDK to install, no wallet to manage, no keys to handle. Claude Desktop, Cursor, Windsurf, Roo Code, or any MCP client works.

MCP Config
{
  "mcpServers": {
    "kagikai": {
      "url": "https://mcp.kaginet.com/sse",
      "headers": {
        "Authorization": "Bearer kagi_YOUR_API_KEY"
      }
    }
  }
}

Get your API key at cloud.kaginet.com

2. An escrow is created

Your agent (or you, from the dashboard) tells Kaginet: "Hold 50,000 sats for this payee address." Inside the Intel TDX enclave, Kaginet generates a Taproot keypair, builds a Bitcoin script with two spending paths (cooperative settlement + timelock recovery), deletes the issuer key, and hands back a standard bc1q funding address. The issuer key deletion is attested by Intel hardware.

3. You fund from any wallet

Send Bitcoin to the bc1q address from any wallet: Coinbase, Cash App, a hardware wallet, anything. It is a standard Bitcoin address. Kaginet's watcher detects the transaction, verifies it against two independent Bitcoin nodes, and auto-forwards to the internal Taproot escrow. Your Bitcoin is now locked in a script that only releases under the agreed conditions.

4. The job happens

The payee does the work. This could be an AI agent generating content, running code, or delivering data. The escrow sits on-chain, verifiable by anyone.

5. Settlement or recovery

When the work is delivered, the payer (or their agent) releases the escrow. Funds sweep automatically to the payee's Bitcoin address. If the payee disappears or the deal falls through, the Taproot timelock expires and funds return to the sender automatically. No admin intervention. No support ticket. Bitcoin consensus enforces it.

How does the agent know the work was done?

Two built-in evaluators. Both enforce custody cryptographically: only the Bitcoin script can release funds.

automatic

hash_match

You set an expected hash at creation. The payee submits a hash string. ICS compares them. Match: auto-complete, funds sweep to payee. Mismatch: auto-reject, funds available for refund. No human in the loop.

Best for: file delivery, code output, data products

manual

human_approval

The payee submits evidence. The payer reviews and decides to release or reject. This is a standard escrow "buyer releases" model. The release decision depends on the payer. If the payer disappears, the timelock returns funds to the sender after expiry.

Best for: creative work, services, subjective deliverables

hash_match is fully trustless. No human in the loop, no payer discretion, no reversal. human_approval is soft discretion, hard custody. The payer decides release, but funds can only go to payee or back to payer. No other outcome exists.
Coming in v2: ci_pass (a CI pipeline must report green) and llm_judge (an AI model inside the TDX enclave evaluates delivery against the job spec). The evaluator framework is extensible.
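
The hash_match comparison described above, as an added example (not Kaginet's code): it derives one expected hash for a multi-file deliverable, which goes beyond the single hash string the page describes, and evaluates a submission against it. SHA-256, the manifest layout and the "completed"/"rejected" labels are assumptions; the page names none of them.

```python
import hashlib
import hmac
import re
from typing import Dict, Optional

# Assumption: SHA-256 hex digests; the page does not name the hash function.
_HEX_SHA256 = re.compile(r"[0-9a-f]{64}")


def manifest_hash(files: Dict[str, bytes]) -> str:
    """One digest for a multi-file deliverable, independent of file order."""
    outer = hashlib.sha256()
    for path in sorted(files):
        name = path.encode("utf-8")
        inner = hashlib.sha256(files[path]).digest()
        # Length-prefix the path so record boundaries are unambiguous.
        outer.update(len(name).to_bytes(4, "big") + name + inner)
    return outer.hexdigest()


def normalize(value: str) -> Optional[str]:
    """Trim and lower-case; return None unless it is exactly 64 hex chars."""
    candidate = value.strip().lower()
    return candidate if _HEX_SHA256.fullmatch(candidate) else None


def evaluate_hash_match(expected: str, submitted: str) -> str:
    """Return 'completed' on match, 'rejected' on mismatch or malformed input."""
    want, got = normalize(expected), normalize(submitted)
    if want is None:
        raise ValueError("expected hash must be a 64-character hex SHA-256")
    if got is None:
        return "rejected"
    # compare_digest does not reveal how many leading characters matched.
    return "completed" if hmac.compare_digest(want, got) else "rejected"


# Constructed sample deliverable, for illustration only.
SAMPLE = {"report.csv": b"id,score\n1,0.93\n", "model/card.md": b"# card\n"}
```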

The complete instrument round trip.

Every escrow follows this path. Two outcomes: the payee gets paid, or the payer gets refunded. No third option where funds are stuck.

instrument-lifecycle
  Agent / Dashboard
       |
       | kagikai_escrow_create
       v
  +------------------+
  | Created          |  ICS generates keys inside TDX
  | (keys generated) |  Issuer key deleted with attestation
  +------------------+
       |
       | Watcher detects funding tx
       v
  +------------------+
  | Watching for     |  bc1q address returned to user
  | Funding          |  User sends from any wallet
  +------------------+
       |
       | bc1q funded, auto-forward to bc1p
       v
  +------------------+
  | Forwarding       |  bc1q -> bc1p (P2TR escrow)
  |                  |  Two nodes verify the transaction
  +------------------+
       |
       | Forward confirmed on-chain
       v
  +------------------+
  | Confirmed        |  Funds locked in Taproot escrow
  | (escrow active)  |  2-of-2 MuSig2 + CLTV recovery
  +------------------+
       |
       +-------+-------+
       |               |
       | release       | timeout expires
       v               v
  +-----------+   +-----------+
  | Submitted |   | Available |  Vault: recycle or refund
  | (evidence)|   | (expired) |
  +-----------+   +-----------+
       |               |
       | evaluator      +----+----+
       | passes         |         |
       v           recycle    refund
  +-----------+   +-------+ +--------+
  | Completed |   |Confirm| |Refunded|
  +-----------+   +-------+ +--------+
       |
       | auto-sweep to payee
       v
  +----------+
  | Swept    |  Funds at payee's address
  | (done)   |  Keys securely zeroed
  +----------+

The Bitcoin script is the only authority.

Kaginet never holds funds. The architecture is such that even a fully compromised Kaginet backend cannot steal funds.

Keys generated inside TDX

Intel TDX encrypts enclave memory at the CPU level. Not even the host OS can extract the keys. The keypair never leaves the enclave.

Issuer key deleted with attestation

Before the funding address is returned, the issuer private key is zeroed. Intel's hardware attestation proves it happened. You can verify this yourself against Intel's root of trust.

Funds locked in Taproot

Two spending paths: (1) both parties sign, payee gets paid, (2) timelock expires, payer gets refund. Kaginet cannot override either path. Bitcoin consensus enforces everything.

Dual-node verification

Every settlement transaction is confirmed by two independent Bitcoin full nodes (mempool.space + blockstream.info). No single point of censorship.

| Guarantee | How it works | Trust in Kaginet? |
|---|---|---|
| Keys inside TDX | Generated and deleted inside Intel TDX enclave | No |
| Issuer key deleted | TDX quote proves key was zeroed before address returned | No |
| No custody | All funds on Bitcoin mainnet, enforced by script | No |
| Dual-node verification | Every tx confirmed by two independent Bitcoin nodes | No |
| Taproot enforcement | Two spending paths: payee or refund, nothing else | No |
| Independent attestation | kagikai_verify_tdx_quote verifies against Intel directly | No |

What the hardware actually proves.

The TDX quote is not marketing. Here is exactly what each step proves.

1. Code hash

The binary running in the enclave matches Kaginet's published build.

You verify: compare the quote's code hash against the published build hash.

2. Genuine TDX hardware

The quote is signed by Intel's attestation key.

You verify: submit the quote to Intel's attestation API.

3. Memory encrypted at CPU level

Even the host OS and hypervisor cannot read enclave memory.

Verified by: Intel's hardware design, not by Kaginet.

4. Issuer key deleted before funding

The private key was zeroed before the address was returned to you.

Verified by: the TDX quote's report data field.

5. You verify independently

Call kagikai_verify_tdx_quote against Intel's root of trust.

No reliance on Kaginet for this step.

The chain is trustless. You don't need to trust Kaginet. You verify against Intel.
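
The field comparisons in steps 1 and 4, as an added example (not Kaginet's code) that reads a TDX v4 quote and checks the measurement, the report data and the debug attribute. It does not verify Intel's signature (step 2), so these checks only mean something on a quote whose signature chain has already been verified. Assumptions: the "code hash" is the MRTD register, the expected report data is supplied by the caller because the page does not describe its encoding, and the sample quote is constructed and unsigned.

```python
import hashlib
import hmac
import struct

HEADER_LEN, BODY_LEN = 48, 584   # TDX quote v4: header, then TD report body
TEE_TYPE_TDX = 0x81
TD_ATTR_OFF, MRTD_OFF, REPORT_DATA_OFF = 120, 136, 520   # offsets in the body


def parse_quote_v4(quote: bytes) -> dict:
    """Extract the fields a verifier compares; raises on a non-TDX/v4 blob."""
    if len(quote) < HEADER_LEN + BODY_LEN:
        raise ValueError("quote too short")
    version, _key_type, tee_type = struct.unpack_from("<HHI", quote, 0)
    if version != 4 or tee_type != TEE_TYPE_TDX:
        raise ValueError("not a TDX v4 quote")
    body = quote[HEADER_LEN:HEADER_LEN + BODY_LEN]
    return {
        "debug": bool(body[TD_ATTR_OFF] & 0x01),   # TD attributes bit 0
        "mrtd": body[MRTD_OFF:MRTD_OFF + 48],
        "report_data": body[REPORT_DATA_OFF:REPORT_DATA_OFF + 64],
    }


def check_fields(quote: bytes, published_mrtd: bytes, expected_report_data: bytes) -> list:
    """Return the list of failed checks; an empty list means all fields match."""
    fields = parse_quote_v4(quote)
    failures = []
    if fields["debug"]:
        failures.append("debug TD: confidentiality is not guaranteed")
    if not hmac.compare_digest(fields["mrtd"], published_mrtd):
        failures.append("measurement differs from published build")
    if not hmac.compare_digest(fields["report_data"], expected_report_data):
        failures.append("report data does not match expected claim")
    return failures


def build_sample_quote(mrtd: bytes, report_data: bytes, debug: bool = False) -> bytes:
    """Constructed, unsigned quote for illustration; not a real attestation."""
    body = bytearray(BODY_LEN)
    body[TD_ATTR_OFF] = 0x01 if debug else 0x00
    body[MRTD_OFF:MRTD_OFF + 48] = mrtd
    body[REPORT_DATA_OFF:REPORT_DATA_OFF + 64] = report_data
    return struct.pack("<HHI", 4, 2, TEE_TYPE_TDX) + bytes(40) + bytes(body)


# Placeholder values standing in for the published build hash and the claim.
PUBLISHED = hashlib.sha384(b"constructed build").digest()
CLAIM = hashlib.sha512(b"constructed deletion claim").digest()
```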

How Kaginet compares.

Kaginet PayPal Stripe Traditional Escrow
No account required
No reversibility
No third-party custody
AI-agent-native (MCP)
Hardware attestation
Works if provider goes offline

Common questions.

Can Kaginet steal my Bitcoin?

No. The issuer key is deleted inside Intel TDX hardware before we return the funding address. After deletion, no one can spend the funds except through the agreed conditions (cooperative release or timelock recovery). Intel hardware attestation proves the deletion happened. You can verify this yourself using the kagikai_verify_tdx_quote tool.

What if something goes wrong?

Every escrow has a Taproot timelock baked in at creation. If the payee never delivers, or the deal falls through, the sender's funds return automatically after the expiry window. No admin needed. Bitcoin consensus enforces the timelock.

What happens if Kaginet goes offline?

Your Bitcoin is on the Bitcoin blockchain, not on our servers. If Kaginet disappears entirely, the timelock recovery path still works. After the locktime expires, you can sweep funds using the recovery script path that was created when the instrument was made. The keys for this path are encrypted and delivered to you in the sealed payload.

How do you make money?

We charge a small fee (configurable, default 1%) when the escrow instrument is created. The fee is included in the funding amount. That is our only revenue. We do not take custody, we do not earn interest, we do not touch your funds after creation.

Is this testnet or real Bitcoin?

Real Bitcoin on mainnet. This is not a simulation. Minimum escrow amount is 2,000 sats.

Do I need a special wallet?

No. The funding address is a standard bc1q (P2WPKH) address. Any Bitcoin wallet or exchange that supports sending to bc1q addresses works. That includes Coinbase, Cash App, Muun, BlueWallet, Ledger, Trezor, and every modern Bitcoin wallet.

What evaluators are available?

Currently: hash_match (deterministic: does the evidence match a pre-agreed hash?) and human_approval (manual release by the payer). Coming in v2: ci_pass (CI pipeline must pass) and llm_judge (AI arbitration). The evaluator framework is extensible.

What is TDX and why does it matter?

Intel TDX (Trust Domain Extensions) is a hardware feature that creates isolated enclaves with encrypted memory. Kaginet generates escrow keys inside a TDX enclave and deletes them with a hardware attestation quote you can verify against Intel directly. It means Kaginet genuinely cannot access the keys, even if it wanted to.

Can I use this without an AI agent?

Yes. The dashboard at cloud.kaginet.com lets you create and manage escrows directly. No agent, no code, no MCP. Fill in the amount, the payee address, and fund the QR code from your wallet.

Your Bitcoin. Your control. Always.

1. Add MCP config (30 seconds)
2. Create escrow (1 API call)
3. Fund and settle (any Bitcoin wallet)