The World's First
Physically-Bound Certificates
Digital identities that die when you unplug the device.
Uncopyable. Unfakeable. Instantly revocable.
Even with root access, attackers can't steal your identity without physically possessing the hardware key.
<terralink-badge id="your-id" />Trust Infrastructure for
Everything That Computes
Three entity types. One certificate. Prove WHO it is, that it's ALIVE, and it's INTACT.
Human
Voice BiometricsProve a person is who they claim to be, alive right now, on their registered device.
AI Agent
Behavioral FingerprintProve an AI agent matches its registered behavior profile and hasn't drifted.
Machine
Hardware SignatureProve a server, service, container, or IoT device is alive on unique hardware.
TerraLink Key
Turn a normal certificate into a hardware‑bound certificate that can't be copied.
USB trust key that proves your agent/service is alive right now on real hardware. No replays. No clones. No fakes.
Identity Certificates for Runtime Entities
ONE certificate type. THREE proofs. For entities that run, not documents that sit.
WHO
Proves who they claim to be
- •Voice biometrics for humans
- •Behavioral fingerprint for AI agents
- •Hardware signature for services
ALIVE
Proves this is happening RIGHT NOW
- •7.83Hz physics heartbeat (Schumann)
- •Cannot be backdated or replayed
- •Auto-revokes when hardware disconnects
INTACT
Proves this entity is NOT CLONED
- •Monotonic hardware counter progression
- •Detects cloned devices instantly
- •Behavioral drift monitoring
What TerraLink Is NOT
We're NOT for static content (documents, images, videos). We're for runtime entities — humans, AI agents, servers, hardware devices — things that need to prove they're alive and authentic RIGHT NOW.
How It Works
Three steps. Hardware-bound certificates.
Bind to Hardware
Use built-in TPM/Secure Enclave or plug in external key. Certificate is locked to physical device.
Bind Identity
Attach human (voice), AI agent, or service to the hardware. Identity inherits device protection.
Certificate Lives
Certificate is valid while hardware is present. Unplug device = certificate dies. Clone detected = instant revoke.
Physical Zero-Trust in Action
Even with root access, attackers can't steal your identity without physically possessing the hardware key.
Banking & Finance
Hackers breach your servers? They can't sign transactions without the physical TerraLink Key from your vault.
Healthcare
Laptop stolen with certificates? The certificates are worthless without the hardware key.
Government
Document signing requires physical possession of the hardware key. No remote compromise possible.
Enterprise
Production won't deploy unless the hardware attestation device is present in the secure room.
Traditional vs Hardware-Bound Certificates
See how physical binding eliminates the entire attack surface
| Attack Vector | Traditional Certificate | Hardware-Bound Certificate |
|---|---|---|
| Certificate file stolen | ❌ Compromised | ✅ Useless without device |
| Server hacked with root access | ❌ Attacker uses certificate | ✅ Device unplugged = cert invalid |
| Insider threat (employee) | ❌ Employee copies certificate | ✅ Can't use without physical key |
| Supply chain attack | ❌ Malware steals certificate | ✅ Hardware tamper-evident |
| CA compromise | ❌ Fake certificates issued | ✅ PUF fingerprint can't be forged |
| Memory dump extraction | ❌ Certificate extracted from RAM | ✅ Needs real-time device presence |
The New Standard
SSL secured the web. TerraLink secures AI.
Product Roadmap
From AI agents to universal trust infrastructure
- AI Agent Certificates
- Voice Biometric Binding (VDK)
- Behavioral Drift Detection
- Trust Badges
- Public Verification API
- 🔧 FPGA Hardware Integration
- 🔧 Hardware Trajectory Proofs
- 🔧 Real-Time Compromise Detection
- 🔧 x509 RNA Extensions
- 🔧 Hardware-Bound API Keys
- Container/Pod Attestation
- Kubernetes Integration
- Service Monitoring
- VM Attestation
- Boot Chain Verification
- Chip/Firmware Provenance
- Database Liveness Proofs
- Load Balancer Integration
- Enterprise White-Label
- On-Premise Deployment
One Platform, Three Security Tiers
Select the security level that matches your risk profile. From consumer apps to air-gapped banking infrastructure.
Passkey + Voice
Consumer / SMB
Auth Factors
Phishing-resistant, device-bound credentials
Device-Locked Private Key
Enterprise Standard
Auth Factors
Private key never exists outside device chip
External Hardware Key
Air-Gapped / High Security
Auth Factors
Physically unclonable, tamper-detecting USB device
Passkey + Voice
Phishing-resistant, device-bound credentials
| Feature | Tier 1 | Tier 2 | Tier 3 |
|---|---|---|---|
| Availability | ✅ Now | ✅ Now | Q1 2026 |
| Hardware Required | None (built-in) | None (built-in) | USB PUF key |
| Auth Factors | 2 (Biometric + Voice) | 3 (TPM + Voice + Time) | 4 (PUF + Voice + Time + Motion) |
| Private Key Storage | Device keychain | TPM/Secure Enclave | PUF (unclonable) |
| Continuous Monitoring | ❌ | ⚠️ On-demand | ✅ Real-time heartbeat |
| Tamper Detection | ❌ | ⚠️ Software | ✅ Physics-based |
| Best For | Consumer apps | Enterprise SaaS | Banking/Government |
Tier 1: Consumer
Perfect for consumer-facing applications where user friction must be minimized.
Tier 2: Enterprise
Device-locked security without additional hardware. Deploy across your entire organization.
Tier 3: Air-Gapped
Maximum security with physically unclonable functions and continuous tamper detection.
Certification Pricing
Start free. Scale as you grow.
Growth
- Unlimited certifications
- All certificate types
- Custom badges
- Email support
- 99.9% SLA
Enterprise
- Volume discounts
- White-label badges
- Dedicated support
- On-prem option
- 99.99% SLA
Hardware
- FPGA PUF board
- Real-time trajectory
- <5s compromise detect
- Hardware-bound certs
- Services, containers, VMs
All plans include identity, liveness, provenance, and integrity certificates. Hardware features require FPGA PUF board.
View full API documentation