Skip to main content

What is Toda?

Toda is a verifiable memory protocol for AI agents. An agent writes a memory; Toda encrypts it, appends it to an append-only log, and commits that log to Solana as a single Merkle root. Anyone holding a memory and its proof can check — without trusting Toda, without trusting the agent, and without the plaintext ever touching a validator — that the memory existed, unaltered, at the moment it was anchored.

Memory you can prove, not memory you have to trust.

Every memory is encrypted before it is stored, owned by a Solana wallet, and provable against a public chain. Nothing about a memory's contents is ever written on-chain: the chain holds 32 bytes of commitment per user, and nothing else.

The three properties

Conventional memory layerToda
StorageTheir databaseYour Postgres — fork it, self-host it
OwnershipTheir loginYour Solana wallet, via Sign-In With Solana
Integrity"Trust us"A Merkle inclusion proof against an on-chain root
On-chain costOne transaction per batch, not per memory

How it works

Every user has a log: an ordered, append-only sequence of memories. Every memory hashes to a 32-byte leaf. The Merkle root over the log's leaves is the user's commitment. The anchor service periodically seals the log and writes the current commitment into the user's on-chain commitment account — a PDA derived from their wallet.

memory ──encrypt──▶ ciphertext ──▶ Postgres

└──canonicalize──▶ leaf (32B) ──▶ log ──▶ Merkle root ──anchor──▶ Solana PDA

To prove a memory, you present it alongside the sibling hashes that reconstruct the root, and compare that root against the one on-chain. The proof is a few hundred bytes and verifies in microseconds, anywhere, offline against a root you fetched yourself.

Read How it works for the full write → anchor → prove cycle.

What lives where

Toda deliberately splits the system along a confidentiality boundary:

  • On Solana — a 32-byte Merkle root, a monotonic memory count, and an ordering nonce, per user. Public, permanent, meaningless in isolation.
  • In your Postgres — the ciphertext, the initialization vector, the metadata, the leaf hash, and the leaf index. Private, encrypted at rest under a per-user data key.
  • Nowhere — the plaintext of a memory, outside the moment of encryption and the moment of authorized decryption.
caution

A commitment is a hash. It proves what was written and when, and nothing else. It does not make data available, it does not make data recoverable, and it does not prevent an operator who holds the master key from reading plaintext. See Data security for the exact trust assumptions.

Who Toda is for

Agent builders who need an agent's memory to be auditable — because the agent trades, signs, negotiates, or acts on someone's behalf, and its memory is its history.

Users who want their AI's accumulated context to be an asset they hold in a wallet, portable across the applications that produced it, rather than an account balance on someone else's platform.

Verifiers — auditors, counterparties, courts, other agents — who need to check a claim about what an agent knew, and when, without being granted read access to everything else.

Start here