● Protocol source-available · closed pilots only

Zoza AI Agent — Integration Guide

E2E encrypted channels between users and AI models. Relay sees ciphertext. Plaintext only exists on the user's device and inside the model's attested TEE.

Overview

Zoza AI Agent sits between your users and your inference stack. The user's client performs X3DH with the model's published identity + signed-prekey, establishes a Double Ratchet session, and every prompt/response is encrypted under a fresh key. Your inference code runs inside a TEE; decryption + inference + re-encryption happen there.

Read /about/ai.html first if you haven't — the threat model, attack surface, and honest "what's NOT yet built" list are there. This page is the code-level reference.

Pilot-access only

There is no open signup. The model-registration and session-creation endpoints currently run without an operator-token gate (pilot mode). The apply-flow below provisions your operator token; once the SDK + TEE attestation verifier ship (target Q3 2026), the gate becomes mandatory. Production traffic during the pilot is by invitation.

Agent vs Vault mode

Two ways to integrate. Pick based on your conversational needs.

Agent Mode — full Double Ratchet session

Forward secrecy + break-in recovery, multi-turn conversations, per-message key rotation. Use for therapy bots, legal intake, medical triage — anything where a single session has sensitive continuity.

Vault Mode — one-shot encrypted prompt

Simpler: user encrypts prompt with model's public key via ECDH + ephemeral key; model decrypts and returns a re-encrypted response with a fresh ephemeral key. No session state on the relay. Use for stateless API calls (classification, summarization, single-turn Q&A).

Apply for access

Fill the form below — we review within 24 hours and email your zai_op_... operator token on approval. Operator tokens are shown once at issuance — store yours somewhere safe.

Company / product * Contact email *

Website (optional) Use case *

Tell us how you'll use AI Agent *

Expected volume * Plan *

REST API

Base URL: https://ai-api.zoza.world

All requests and responses are JSON. Every endpoint supports CORS and responds to OPTIONS preflight.

POST/v1/models

Register an AI model. Generates an identity keypair (Curve25519) + signed prekey (for X3DH). Returns the public keys plus a per-model zai_ API key used to publish inference results back to the relay.

Request

{
  "name": "Medical Triage LLM",
  "provider": "Example AI Lab",
  "categories": ["healthcare", "research"]
}

Response — 201

{
  "id": "model_7e3f...",
  "name": "Medical Triage LLM",
  "provider": "Example AI Lab",
  "api_key": "zai_xxxxxxxx...",
  "public_key": "ab12...64 hex chars",
  "spk_pub": "cd34...",
  "created_at": "2026-04-17T10:00:00Z"
}

GET/v1/models

Public list of active models with their public keys. Clients fetch this to learn each model's X3DH material.

POST/v1/sessions

Create a Double Ratchet session with a registered model. In production this is driven client-side; the demo endpoint generates the user keypair server-side so you can smoke-test the handshake.

Request

{ "model_id": "model_7e3f..." }

Response — 201

{
  "session_id": "sess_...",
  "model_id": "model_...",
  "user_id": "ab12cd34...",
  "created_at": "2026-04-17T10:00:00Z",
  "status": "active"
}

POST/v1/applications

Submit a pilot-access application. Public, rate-limited to 3/email/day and 10/IP/day. Returns an aia_ application ID immediately; admin review + operator-token issue follows within 24h.

X3DH + Double Ratchet

Zoza AI Agent uses the same cryptographic primitives as Signal Protocol. If you've integrated Signal before, the model ID replaces the recipient's phone identity.

X3DH handshake (Agent Mode)

// Client side (pseudo-code)
const model = await fetch('https://ai-api.zoza.world/v1/models').then(r => r.json());
const userIdentity = GenerateKeyPair();
const ephemeral   = GenerateKeyPair();

// Three DH operations, concatenated + HKDF
const dh1 = DH(userIdentity.priv, model.spk_pub);
const dh2 = DH(ephemeral.priv,   model.public_key);
const dh3 = DH(ephemeral.priv,   model.spk_pub);
const sharedSecret = HKDF(dh1 || dh2 || dh3, 'zoza-ai-agent-x3dh');

Double Ratchet per-message

// Each message: advance chain key, derive message key, encrypt
const header = { dh: currentDH.pub, n: msgIndex, pn: prevChainLen };
const mk     = KDF_CK(chainKey);
chainKey      = KDF_CK(chainKey);
const ct     = AES-GCM(mk, nonce, plaintext, ad=serialize(header));

The server's Go implementation is in zoza-crypto and tested alongside the Zoza messenger (~158 crypto tests total across products).

TEE attestation

The model's identity keypair is generated inside a hardware-attested TEE (AWS Nitro Enclaves or AMD SEV-SNP on Azure Confidential Containers) and sealed to the TEE's measurement. The attestation quote is served alongside the model's public key; clients verify the quote before performing X3DH.

Client-side verifier not yet shipped

The in-browser / in-SDK attestation verifier (Nitro quote parser + AMD endorsement-chain check) is on the roadmap. Until then, clients trust the relay-published spk_pub without independent attestation. This is a known gap documented at /about/ai.html#gap.

Errors & rate limits

Errors follow a consistent shape:

{ "error": "model_id required" }

400 — malformed body, missing field, validation failure
401 — admin token required (admin endpoints only)
404 — model or application not found
409 — application already approved/rejected
429 — application rate-limit tripped (3/email/24h, 10/IP/24h)
503 — applications subsystem disabled

Support

Security disclosures: security@zoza.world (PGP key pinned on /about/ai.html once the canary publishes).

Integration questions: hello@zoza.world. Reply within 48h.

Threat-model pushback welcome. If you think a claim on /about/ai.html is wrong, tell us — we will read, respond, and publish a correction if you're right.