The human identity protocol for the agentic age.

The internet's identity assumptions have collapsed.

For thirty years, every major identity primitive — from DNS to OAuth to W3C Verifiable Credentials — assumed that the entity behind a session was, in the overwhelming majority of cases, a single accountable human. That assumption is now false in the strict numerical sense, and the systems built on top of it are failing in ways that will not be patched by another version bump.

The shift happened in the span of eighteen months. In late 2024, OpenAI shipped the first practical autonomous agent loops; by mid-2025, the major frameworks (LangChain, AutoGen, CrewAI, Claude SDK) had all consolidated around a model in which an agent acts on behalf of a human across hundreds or thousands of independent sessions per day. By Q1 2026, internal traffic studies at major SaaS vendors and cloud providers suggested that machine-driven sessions outnumbered human-driven sessions by ratios approaching 100:1. The agents are real, they take consequential actions, and there is no protocol that reliably answers the most basic question their existence raises: which human, if any, is accountable for what this agent just did?

The four immediate failure modes

The absence of a human-anchored identity layer manifests as four concrete, well-documented crises, each of which the Manav Protocol is designed to address directly.

1. Hiring fraud. Deepfake video interviews, AI-written résumés, and synthetic credentials have already produced enough confirmed incidents in 2025–2026 that several Fortune 500 companies now require live in-person verification for senior roles. The cost is friction; the deeper cost is that the labour market's primary trust signal — the résumé — has been functionally compromised.
2. Agent authorisation gaps. When an autonomous agent executes a $50,000 vendor contract, regulators (and counterparties) increasingly want to know not just which API key signed the transaction, but which human delegated that authority, under what scope, and can the human revoke it. No widely-deployed protocol answers all three.
3. Regulatory non-compliance. Article 14 of the EU AI Act mandates "effective human oversight" of high-risk AI systems. eIDAS 2.0, NIST AI-RMF, and several national digital identity frameworks impose similar requirements. Compliance today is largely performative — affidavits, screenshots, written attestations — because no machine-verifiable primitive exists.
4. Uninsurable agent liability. The insurance industry cannot price what it cannot audit. Several major carriers have already declined to underwrite autonomous-agent-driven workflows in 2026 specifically because the chain of human accountability is not cryptographically reconstructable.

Why a new protocol, not a new product

It is tempting to address each failure mode with a point solution: a better KYC vendor for hiring, a better OAuth profile for agents, a better audit log for compliance. The history of internet protocols suggests this approach loses. DNS won not because it was the best of several name resolution services but because it was the only protocol in a market full of services. The same dynamic applies here. A point solution can patch one failure mode at a time; only a protocol can give every party in the system — humans, agents, applications, regulators, insurers, marketplaces — a single primitive to build against.

Manav is therefore specified as a protocol, not as a product. The reference implementation lives at manav.id, but the specification is intended to be implemented by anyone, governed in the open, and submitted for standardisation to the IETF and W3C in Year 2 of the roadmap (§10).

A five-layer stack, each layer composable on the one below.

The Manav Protocol is structured as five composable layers. Each layer has a well-defined input, a well-defined output, and a single responsibility. Layers may be implemented independently and composed in arbitrary configurations; in practice, most deployments will use Layers 1–3 from day one and add Layers 4–5 as the protocol matures.

2.1 Layer 1 — Core identity

Layer 1 binds a persistent cryptographic identity to a specific human via three orthogonal signals: biometric (face + voice + behavioural patterns under liveness conditions), device (hardware-backed key in a TPM or Secure Enclave), and behavioural (long-tail signals — typing cadence, gait, location pattern — collected with explicit consent). No single signal is sufficient for issuance; a quorum of two-of-three is required, and the system continuously re-verifies through ambient signals to detect compromise.

The output of Layer 1 is a manav.id handle — a globally unique identifier of the form {username}.manav.id — and a corresponding cryptographic key pair. The handle is human-readable, the key pair is machine-verifiable, and the binding between them is anchored on chain.

2.2 Layer 2 — Agent chain

Layer 2 establishes the cryptographic delegation chain from a human to one or more AI agents. Each agent is registered, gets its own certificate signed by the human's manav.id key, and operates under a delegation token that specifies scope (which actions are permitted), limits (spending caps, rate limits, time windows), and a revocation hook (the human can kill any agent's authority in real time, propagated through the chain in seconds).

// Manav delegation token v1 — RFC-style sketch
{
  "iss": "vishal.manav.id",        // issuer (human)
  "sub": "agent-7f3a.manav.id",     // subject (agent)
  "scope": ["procurement:vendor-contracts", "finance:read"],
  "limits": { "spend_usd_max": 10000, "rate_per_hour": 5 },
  "exp": 1748736000,             // expiry, unix
  "rev_url": "https://manav.id/.revoke/v1",
  "sig": "ed25519:0x9a7c..."          // human's manav.id key
}

2.3 Layer 3 — Work proof

Layer 3 provides cryptographic attestation of human involvement in a specific piece of digital work. Three attestation types are defined in v1 of the spec: authored (the work was created by a human), supervised (the work was reviewed and approved by a human), and delegated (the work was delegated by a named human to a named agent under a named scope). Each attestation is a signed object that can be embedded in source files, document metadata, git commits, or any payload format that supports key-value sidecars.

2.4 Layer 4 — Trust score

Layer 4 derives a domain-specific reputation score from the volume and quality of Layer 3 attestations, weighted by peer attestations and the trust scores of attesting parties. Crucially, the trust score is privacy-preserving: a holder can prove a score is above a threshold to a counterparty without revealing the underlying work history. Implementation uses zero-knowledge range proofs over a Merkle accumulator of the holder's attestation set.

2.5 Layer 5 — Marketplace

Layer 5 is a marketplace where verified humans (with proven work histories and well-managed agent fleets) can be hired, contracted, or partnered with. Smart contracts settle in $MANAV and release payment only upon Layer 3 attestation of the deliverable. Layer 5 is intentionally specified last because it is the layer most likely to face competition from incumbents; its existence depends on the prior four layers being widely adopted, and is therefore Phase 3 of the roadmap.

Selective disclosure by default. Liveness anchored on chain.

Manav uses a deliberately conservative cryptographic stack. Every primitive in v1 of the protocol is either a published standard (W3C, IETF, NIST) or a peer-reviewed construction with at least three independent implementations. We avoid novel cryptography wherever possible; the novelty in Manav is in the composition, not the primitives.

3.1 Identifier format

Manav handles are W3C DIDs of the form did:manav:{handle}, resolvable via the public manav.id resolver. The DID document binds the handle to one or more public keys (Ed25519 + secp256k1 supported in v1) and a list of revocation endpoints. Handle squatting is prevented by a one-shot reservation gated by Layer 1 issuance, and handle uniqueness is anchored on a public-permissioned chain operated by a quorum of independent foundation members.

3.2 Verifiable credentials

Layer 3 attestations are W3C Verifiable Credentials (VC Data Model 2.0) with a Manav-defined credential type. Selective disclosure is implemented via BBS+ signatures, allowing a holder to disclose any subset of claims in a credential without revealing the others. This is critical for the trust score use case: a recruiter learns that a candidate's "engineering trust score" exceeds 80 without learning their employer, salary, or specific project history.

3.3 Liveness binding

The binding between a biometric template and a manav.id key is established at issuance and re-verified continuously through ambient signals. The biometric template itself never leaves the user's device; only a homomorphic commitment to it is published. Re-verification under attack conditions (e.g. an apparent device theft) requires a fresh liveness check and produces a new attestation that other parties can use to invalidate cached assumptions.

3.4 Zero-knowledge proofs

Three ZK constructions are used in v1:

• BBS+ selective disclosure for VC subset reveals (Layer 3 → Layer 4).
• Bulletproofs for trust score range proofs (Layer 4 → external verifier).
• Plonk-based circuits for batch attestation aggregation (Layer 5 marketplace settlement).

All three are implementation-mature in 2026 and have multiple audit-grade libraries available. The protocol does not depend on any post-quantum primitive in v1, but a clean migration path to Dilithium + Falcon is specified in Annex C (forthcoming).

Consensus by verified human contribution.

Proof of Human Work (PoHW) is the consensus mechanism that mints $MANAV. It is not a Sybil-resistance mechanism in the traditional sense — Manav inherits Sybil-resistance directly from Layer 1 — but rather an emission mechanism: a function that determines how many tokens a given human earns in a given period, weighted by the volume and provenance of their work attestations.

4.1 Emission function

Token emission for a human h over an epoch is defined as:

where B(t) is a global base rate adjusted to maintain the emission schedule, W(h, t) is the weighted sum of the human's verified work attestations in epoch t, T(h) is the trust multiplier (a function of the human's Layer 4 score, bounded to [1.0, 3.0]), and S(t) is the global scarcity curve (a halving every two years, modelled on Bitcoin but indexed to attestation volume rather than block height).

4.2 Work weighting

Not all work is weighted equally. The protocol defines four weight tiers, calibrated to economic value-add and difficulty of fraud:

4.3 Anti-Sybil and anti-fraud

Three independent mechanisms harden PoHW against gaming:

1. Layer 1 unicity — one human, one handle, enforced by biometric template uniqueness with a small statistical false-rejection rate. Sybils require physical impersonation, which we model as cost-prohibitive.
2. Bilateral attestation — high-weight work types require a counterparty signature. Self-signed claims contribute zero weight. Collusion rings are detectable via graph anomaly analysis on the attestation graph.
3. Slashing — fraudulent attestations (proven post-hoc) result in slashing of the attestor's staked $MANAV and a permanent penalty on the trust multiplier T(h).

10B fixed. 40% to humans who work.

$MANAV is the native utility token of the Manav Protocol. It serves four economic functions: gas for protocol operations, stake for trust amplification, governance over protocol parameters, and settlement for the Layer 5 marketplace. Its supply schedule and allocation are designed to put the largest share of the float in the hands of the humans actually doing the work that backs its value.

5.1 Allocation

Two design choices distinguish this allocation from typical L1 / utility token launches. First, the team + investor combined allocation (27%) sits below the median of comparable launches, deliberately to reduce supply overhang and to signal that the protocol is built for the humans earning the token, not the people raising on it. Second, the work-mining bucket (40%) is the single largest line, and it is the only line that cannot be accelerated, gamed, or front-loaded.

5.2 Halving schedule

The PoHW base rate B(t) halves every two years, modelled directly on Bitcoin's emission curve but indexed to attestation epochs rather than block heights. Approximately 95% of the work-mining bucket emits in the first ten years; the residual 5% tails out over decades to provide a long-term incentive floor for late participants.

Burn. Lock. Compound.

Token velocity is the standard objection to utility tokens, and it is a fair one: a token that is only spent (and never held) accrues no value to its holders. Manav's design addresses this directly by ensuring that every productive use of the token either burns supply, locks supply, or both. The result is a structurally deflationary asset whose float decreases as protocol usage grows.

6.1 The five utilities

1. Gas for human-agent transactions. Every Layer 2 delegation token issuance, Layer 3 attestation, and Layer 4 trust query consumes a small amount of $MANAV as gas. The gas is burned, not paid to validators. At protocol scale (modelled at 100M agents × 10 actions/day = 1B+ daily transactions), gas burn is the primary deflationary force.
2. Trust amplification staking. Holders may stake $MANAV against their handle to amplify their Layer 4 trust score. Stake is locked for the duration of the amplification, and slashable on proven attestation fraud.
3. Governance. Protocol parameter changes (emission schedule, weight tiers, slashing rates) are decided by quadratic-style voting where 1 human = 1 vote and stake amplifies — but does not dominate — voting power.
4. Marketplace settlement. Layer 5 marketplace contracts settle in $MANAV. Smart contracts release payment only upon Layer 3 attestation of the deliverable, eliminating the standard escrow trust assumption.
5. Identity passport. A handle's $MANAV balance + trust score + attestation history together form a portable career credential. Aggregation services may require a minimum stake to query the passport, locking additional supply.

6.2 Demand drivers and supply constraints

The asymmetry is deliberate. As the protocol grows, demand drivers scale with usage; supply constraints either remain fixed or tighten. The result is the same flywheel that drove Bitcoin's monetary premium — but anchored to verified human economic output rather than electricity expended.

One human, one vote — amplified by stake.

Governance is the most underspecified problem in token design. Pure plutocracy (1 token = 1 vote) leads to whale capture; pure democracy (1 wallet = 1 vote) is trivially Sybil-attacked. Manav's Layer 1 unicity guarantee is what makes a third option possible: 1 human = 1 vote, with stake as a continuous multiplier bounded above.

The voting weight for a human h on a given proposal is:

where stake(h) is the $MANAV staked by h on the proposal and T(h) is the trust multiplier. The logarithmic term ensures large stakes do not produce proportional voting power: a 1,000,000 $MANAV stake yields roughly six units of additional voting weight, not one million. The trust multiplier rewards holders with proven contribution, not just capital.

7.1 What governance can and cannot change

Governance can adjust: PoHW base rate B(t), work weight tiers, slashing parameters, treasury allocations, marketplace fee structures, and approved agent framework certifications. Governance cannot, without supermajority + cooldown: change the 10B supply cap, weaken Layer 1 verification requirements, or remove core protocol invariants. These hard constraints are encoded as immutable on-chain parameters in v1.

What we defend. What we accept. What we delegate.

An honest threat model is the single most useful artefact a protocol can publish. We enumerate adversaries, attack vectors, and mitigations explicitly, and we are explicit about residual risks we do not fully eliminate.

8.1 In-scope adversaries

• Sybil attackers attempting to issue multiple manav.id handles to a single human.
• Deepfake adversaries attempting to pass Layer 1 liveness with synthetic biometrics.
• Collusion rings attempting to inflate trust scores via mutual attestation.
• Compromised devices exfiltrating signing keys.
• Hostile relayers attempting to censor or reorder attestations.

8.2 Mitigations (in order of robustness)

1. Multi-signal Layer 1. No single biometric channel can issue a handle alone. Liveness requires a quorum of two-of-three signals under conditions adversarially-resistant to passive replay (challenge-response prompts with sub-second timing).
2. Hardware-backed keys. Signing keys live in TPMs / Secure Enclaves with attestation; lost or compromised devices are remotely revocable.
3. Bilateral attestation requirement. Self-signed claims contribute zero weight to PoHW; meaningful work requires a counterparty signature, which makes collusion the dominant attack — and collusion is detectable graph-theoretically.
4. Slashing + reputation penalty. Proven fraud results in $MANAV stake forfeit and a permanent T(h) penalty.
5. Open relayers. The attestation gossip layer is permissionless; a single censoring relayer cannot suppress an attestation if any honest relayer carries it.

8.3 Accepted residual risks

We explicitly do not defend against:

• State-level coercion of an individual to issue or transfer their handle. This is a problem for every identity system and we make no claim to solve it.
• Long-horizon biometric drift. Re-enrolment is required at intervals (default 24 months) and may require additional liveness factors as the underlying biometrics age.
• Quantum-capable adversaries in v1. The migration path to post-quantum signatures is documented but not deployed by default.

Designed for the regulators that already exist.

The Manav Protocol is designed to be evidence-generating for the regulatory frameworks already in force or imminent in 2026, not to anticipate hypothetical future rules. Five frameworks dominate the landscape:

9.1 $MANAV token classification

$MANAV is designed as a utility token with concrete, non-speculative use cases (gas, governance, settlement, work reward). Under the SEC's Howey factors, a token earned predominantly through productive activity rather than purchased as an investment, and whose value derives from the holder's own work rather than the efforts of a centralised promoter, sits well outside the canonical security definition. Under the EU MiCA framework, $MANAV is a utility token (not an asset-referenced or e-money token) and the corresponding white paper requirements are fulfilled by this document and its annexes.

This whitepaper is not legal advice and does not attempt to provide a definitive classification under any specific jurisdiction. Token issuance jurisdictions and offering structures will be finalised with regulated counsel ahead of the Genesis emission.

Eighteen months to standard.

The roadmap below is structured in three phases of six months each. Each phase has clear technical milestones, distribution milestones, and a single dominant strategic question that the phase is designed to answer.

Phase 1 — Genesis (months 1–6)

The dominant question: can we ship a primitive that works?

• Layer 1 reference implementation (multi-modal biometric + device).
• Layer 2 delegation token v1 + integrations with three major agent frameworks (LangChain, AutoGen, CrewAI).
• Open-source the core protocol specification.
• Ten enterprise design partners under closed beta.
• Genesis airdrop to first cohort of verified humans.

Phase 2 — Proof (months 7–12)

The dominant question: can we make it the default in the developer ecosystem?

• Layer 3 Work Proof v1.
• "Sign in with Manav" OAuth provider, public.
• Browser extension for one-click attestation.
• First compliance partnership (EU AI Act audit firm).
• 100K registered manav.id handles, 50 enterprise customers.
• Series A close.

Phase 3 — Standard (months 13–18)

The dominant question: can we become infrastructure?

• Layer 4 Trust Score launch.
• Layer 5 Marketplace beta.
• Specification submitted to IETF and W3C.
• 1M+ registered handles, 500 enterprise customers, 100M+ monthly verifications.
• First government identity partnership.

A short reference dictionary.

Glossary

References

1. W3C Decentralized Identifiers (DIDs) v1.0 — w3.org/TR/did-core
2. W3C Verifiable Credentials Data Model 2.0 — w3.org/TR/vc-data-model-2.0
3. BBS+ Signature Scheme — RFC draft, IETF CFRG, 2024
4. Bulletproofs — Bünz et al., IEEE S&P 2018
5. EU Artificial Intelligence Act, Regulation 2024/1689
6. eIDAS 2.0 — Regulation (EU) 2024/1183
7. NIST AI Risk Management Framework — NIST AI-100-1, January 2023
8. EU Markets in Crypto-Assets Regulation (MiCA) — Regulation (EU) 2023/1114

This whitepaper is a living document. Public comment is open through Q3 2026 via the protocol's open governance forum. Errata and clarifications will be published as v1.0.x releases.