FAQ.
The questions developers ask in their first hour. For commercial questions (pricing, SLAs, sovereign deployments), apply to be a design partner.
Docs vs Spec. Docs explain how to use the SDKs to ship Handshake into your stack. The Spec is the protocol itself: the wire format, the algorithms, what every implementer must agree on. You read Docs once. You cite the Spec.
- What's the install path?
- Pick your language SDK and install it like any other package: pip install handshake-sdk or npm install @handshake/sdk. There is no infrastructure to stand up first; you can issue and verify your first signed receipt from a laptop in five minutes. See the Quickstart.
- Can I self-host the Registry?
- Yes. The Registry image is open source at the OSS tier (single-node, MIT) and ships as a clustered SKU in Enterprise Sovereign with source escrow, FedRAMP, and HSM-backed identity. The hosted Registry is the convenient default; the protocol does not require it, because receipts verify offline against the issuing service’s public key.
- How do receipts verify offline?
- A receipt is a JCS-canonicalized JSON object with an Ed25519 signature from the service’s key. Anyone holding the service’s DID document, published at a well-known URL or cached from the Registry, can recompute the canonical bytes and verify the signature with no network call. That’s the whole point: tamper-evidence travels with the artifact.
- What's the difference between Spec and Docs?
- The Spec is the protocol: wire format, algorithms, MUST/SHOULD/MAY language, conformance levels. It’s what every implementer must agree on. Docs are about using the reference SDKs to ship Handshake into your stack. You read Docs once. You cite the Spec.
- Does Handshake replace MCP, A2A, or OAuth 2.1?
- No. Handshake wraps them. MCP and A2A explicitly defer the audit layer to “a future layer”; Handshake is that layer. The HandshakeRequest is an MCP request-level extension, an A2A negotiation envelope, and an AP2 attestation; OAuth 2.1 still does the user-facing authorization grant. We compose, we don’t replace.
- Where do I store the deployer private key?
- Treat it like any signing key: keep it in a KMS, an HSM, or a secrets manager scoped to your CI / control plane, never in agent process memory and never in the repo. The Implementation Guide (available to design partners under NDA) covers production patterns including key rotation, multi-region replication, and break-glass.
- Which languages are supported?
- Python and TypeScript are the stable previews; Go is in early access. Rust, JVM (Java/Kotlin), and .NET are next. See the SDK reference for status by language, and tell us what you ship if your binding isn’t there yet.
- Is the protocol stable?
- v0.x is a working draft. We freeze v1.0 ahead of IETF submission in 2027. Production deployments on v0.2.x should subscribe to spec@handshake.ai for deprecation and migration notes; the on-wire format and algorithms are conservative and don’t change between patch releases.
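
The offline check described under "How do receipts verify offline?", as an added example rather than Handshake SDK or Spec code: it canonicalizes with RFC 8785 (JCS) rules and verifies Ed25519 using Node's built-in crypto module. The receipt field names, the base64url `signature` member and its coverage of all other members are assumptions, and a throwaway key pair stands in for the key a verifier would read from the service's DID document.

```javascript
// Added example, not Handshake code. Assumed layout: a base64url "signature"
// member that covers the JCS bytes of every other member of the receipt.
const crypto = require("node:crypto");

// RFC 8785 (JCS): members sorted by UTF-16 code units, no whitespace,
// primitives serialized exactly as ECMAScript JSON.stringify does.
function canonicalize(value) {
  if (value === null || typeof value !== "object") {
    if (typeof value === "number" && !Number.isFinite(value)) {
      throw new TypeError("NaN and Infinity cannot be canonicalized");
    }
    return JSON.stringify(value);
  }
  if (Array.isArray(value)) return "[" + value.map(canonicalize).join(",") + "]";
  const members = Object.keys(value).sort()
    .map((k) => JSON.stringify(k) + ":" + canonicalize(value[k]));
  return "{" + members.join(",") + "}";
}

function signReceipt(body, privateKey) {
  const sig = crypto.sign(null, Buffer.from(canonicalize(body), "utf8"), privateKey);
  return { ...body, signature: sig.toString("base64url") };
}

// True only if the signature matches the recomputed canonical bytes; no network call.
function verifyReceipt(receipt, publicKey) {
  const { signature, ...body } = receipt;
  if (typeof signature !== "string") return false;
  const sig = Buffer.from(signature, "base64url");
  if (sig.length !== 64) return false; // Ed25519 signatures are exactly 64 bytes
  return crypto.verify(null, Buffer.from(canonicalize(body), "utf8"), publicKey, sig);
}

// Constructed sample receipt and key pair, for illustration only.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  const body = { issuer: "did:web:service.example", action: "tool.call", seq: 7 };
  const receipt = signReceipt(body, privateKey);
  // Same members in a different order, round-tripped through JSON text.
  const reordered = JSON.parse(JSON.stringify({ seq: 7, ...receipt }));
  const tampered = { ...receipt, seq: 8 };
  return {
    original: verifyReceipt(receipt, publicKey),
    reordered: verifyReceipt(reordered, publicKey),
    tampered: verifyReceipt(tampered, publicKey),
  };
}

console.log(demo());
```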