Programmatic Signup (for Agents)
Two HTTP calls to a working Whisper API key. Built for AI agents and automated runtimes — no browser, no CAPTCHA, no human-in-the-loop. Email verification only.
Programmatic Signup (for Agents) Documentation
Whisper is designed for AI agents to discover, sign up for, and start using without a human in the loop. This page walks through the programmatic signup endpoint — two HTTP calls, email verification only, and you get a working API key against the full internet-infrastructure graph and the Whisper MCP server.
If you're a human looking for the regular signup form, head to console.whisper.security/sign-up instead.
What you get
Every signup — programmatic or browser-based — provisions:
- An API key (
whisper-…) valid againstgraph.whisper.securityandmcp.whisper.security. - A free Trial plan with no time limit. You can later upgrade to Starter, Professional, Business, or Enterprise from the console billing page.
- A console dashboard at
console.whisper.securitywhere the human owner of the email can see usage, manage keys, and upgrade.
Whisper is intentionally permissive at signup. No CAPTCHA, no domain blocklist, no per-IP rate limiting. We'll add abuse mitigations only if we see actual abuse hurting us.
The two-call flow
1. Start the signup
curl -s -X POST https://console.whisper.security/api/signup \
-H "Content-Type: application/json" \
-d '{
"email": "your-agent@example.com",
"attribution": {
"agent_name": "your-agent-name",
"agent_runtime": "claude-desktop | cursor | langchain | openai-assistants | custom",
"agent_version": "1.2.3",
"source": "smithery | mcp-directory | self | blog-post"
}
}'
Response:
{ "signup_id": "...", "expires_at": "2026-05-16T18:00:00Z" }
Whisper emails a 6-digit verification code to the address you provided. The code expires in 15 minutes; you have 5 verification attempts before the signup is invalidated.
The attribution block is optional and never gating. We use it only for product telemetry — to know which agent runtimes are picking up Whisper so we can prioritize improvements that target your runtime. Set whatever values make sense; nothing is rejected.
2. Verify the code
curl -s -X POST https://console.whisper.security/api/signup/verify \
-H "Content-Type: application/json" \
-d '{ "signup_id": "<from step 1>", "code": "<from email>" }'
Response:
{
"user_id": "user_...",
"api_key": "whisper-...",
"plan": "trial",
"mcp_url": "https://mcp.whisper.security",
"docs_url": "https://www.whisper.security/docs/agent-signup",
"dashboard_url": "https://console.whisper.security"
}
The returned api_key is immediately usable. No further setup required.
3. Use the key
Against the graph DB:
curl -s https://graph.whisper.security/api/query \
-H "Authorization: Bearer <api_key>" \
-H "Content-Type: application/json" \
-d '{"query": "MATCH (h:HOSTNAME {name: \"example.com\"})-[:RESOLVES_TO]->(ip) RETURN ip.name LIMIT 10"}'
Against the MCP server — drop this into your Claude Desktop / Cursor / VS Code MCP client config:
{
"mcpServers": {
"whisper": {
"url": "https://mcp.whisper.security",
"headers": { "Authorization": "Bearer <your_api_key>" }
}
}
}
Node / TypeScript
const signup = await fetch('https://console.whisper.security/api/signup', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
email: 'your-agent@example.com',
attribution: { agent_name: 'my-agent', source: 'self' },
}),
}).then((r) => r.json());
// ... fetch the code from your inbox ...
const { api_key } = await fetch('https://console.whisper.security/api/signup/verify', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ signup_id: signup.signup_id, code: process.env.CODE }),
}).then((r) => r.json());
const result = await fetch('https://graph.whisper.security/api/query', {
method: 'POST',
headers: {
Authorization: `Bearer ${api_key}`,
'Content-Type': 'application/json',
},
body: JSON.stringify({
query: 'MATCH (h:HOSTNAME {name: "example.com"})-[:RESOLVES_TO]->(ip) RETURN ip.name LIMIT 10',
}),
}).then((r) => r.json());
Python
import os, requests
signup = requests.post(
"https://console.whisper.security/api/signup",
json={
"email": "your-agent@example.com",
"attribution": {"agent_name": "my-agent", "source": "self"},
},
).json()
# ... fetch the code from your inbox ...
verified = requests.post(
"https://console.whisper.security/api/signup/verify",
json={"signup_id": signup["signup_id"], "code": os.environ["CODE"]},
).json()
api_key = verified["api_key"]
result = requests.post(
"https://graph.whisper.security/api/query",
headers={"Authorization": f"Bearer {api_key}"},
json={
"query": 'MATCH (h:HOSTNAME {name: "example.com"})-[:RESOLVES_TO]->(ip) RETURN ip.name LIMIT 10'
},
).json()
Error responses
400 captcha_missing_token— Bot sign-up protection is currently enabled on the Whisper Clerk instance. This shouldn't happen in normal operation. If you hit it, contactsupport@whisper.security.400 verification_failed— Wrong code. Response includesattempts_remaining. After 5 wrong attempts the signup is invalidated; re-call/api/signupfor a fresh code.404on/api/signup/verify— Signup expired (15-min window) or already consumed. Re-call/api/signup.429on/api/signup/verify— Too many attempts; signup invalidated. Re-call/api/signup.
Limits and quotas
The Trial plan applies to all new signups. Per the Whisper MCP plan limits:
- Free / Trial: 10 req/min, 500 req/day, max LIMIT 25 per Cypher query.
- Paid plans lift these caps — see pricing and console billing.
For ad-hoc queries that don't need an API key, the anonymous graph endpoint at https://graph.whisper.security/api/query allows 2-hop traversal, 100 queries/hour, 5-second timeout — no signup required.
See also
- Cypher query guide — the full Cypher reference for the Whisper graph.
- MCP reference — every tool the Whisper MCP server exposes.
- Pricing — Trial through Enterprise.
/llms-full.txt— single-file dump of the full graph schema, examples, and this quickstart for direct ingestion by LLMs.