# Agritech integrations

**Whisper sits beside the agricultural stack you already run and anchors exactly one thing: a routable, verifiable identity at the cloud/IP boundary. That's the layer where a harvested grant or a scraped API today looks identical to the real thing.**

Everything below is a **proposed** integration pattern (our design, not a vendor endorsement), and every one is written the same way: *Whisper complements the mechanism you have; it never replaces it.* We do not sit on the ISOBUS/J1939 bus, we do not touch tractor-implement (TIM) functional safety, and we do not intercept a drone's Part-89 Remote-ID broadcast. Whisper's job is the network identity of whatever is talking to your cloud: the telematics gateway, the FMIS consumer, the drone ground station, the LPWAN concentrator, expressed as an IPv6 `/128` that DNSSEC, DANE and RDAP can prove and one owner-thrown call can revoke.

> **One spine under all six.** Each integration reuses the same shipped primitive: a deterministic `/128` derived from a device's *public* key plus its equipment PIN ([Equipment & ECU identity](/docs/equipment-identity)), published with a DANE pin and an RDAP record, verifiable by anyone with no account.

## Anchor the boundary, not the hitch

| Layer | Owner / mechanism | Whisper's role |
|---|---|---|
| Implement bus (ISOBUS / J1939 on CAN) | ISO 11783 `NAME` + AEF conformance | **none**: never touches the bus; the `/128` is the NAME's provable public counterpart |
| Tractor-implement automation | TIM functional safety, AEF certification | **none**: the safety case stays exactly where it is |
| Drone air interface | FAA Remote ID (Part 89) broadcast | **none**: anchors the internet-facing ground half, not the broadcast |
| Machine ↔ cloud (IP) | vendor device CA + mTLS / OAuth bearer | **anchors here**: an out-of-tenancy `/128` the caller *is*, provable without the vendor's CA |

At the IP boundary, identity today is a *claim* carried in a header. Whisper turns it into a *network fact*: the source address itself, forward-confirmed in DNS, pinned in DANE, registered in RDAP.

## John Deere Operations Center: the keystone

The Operations Center is the keystone FMIS surface: a single platform touching 400M+ engaged acres, with a mature public API programme. Access rides OAuth 2.0, an access token good for roughly twelve hours and a refresh token good for 365 days, and both are bearer credentials: portable to any IP on earth. That is exactly right for authorizing *applications*, and it says nothing about *which network endpoint* is presenting the grant a year after it was issued.

The integration is to give every sanctioned consumer (your integration hosts, your partners' backends) a Whisper `/128` and allowlist those addresses beside the OAuth check. The grant authorizes the application, exactly as the platform designed; the address proves the endpoint. A refresh token that leaks into a scraper's hands is now separable from the real integration by a fact the scraper cannot fake, and the who-accessed-what record becomes per-identity.

```sh
# The platform side: is this API caller one of the sanctioned integration endpoints?
dig -x 2a04:2a01:e5a7:41c9:a6f1:7b:9e2d:30c8 +short
# a6f1007b9e2d30c8.<tenant>.agents.whisper.online.

curl -s https://whisper.online/verify-identity/2a04:2a01:e5a7:41c9:a6f1:7b:9e2d:30c8
# {"is_whisper_agent": true, "dane_ok": true, "jws_ok": true, "evidence": { … }}
```

> **Complements the platform's OAuth 2.0, does not replace it.** Authorization, scopes and consent stay with the platform. Whisper adds the network fact behind the grant. Proposed pattern, not a vendor endorsement.

## ISOBUS & AEF Guideline 040: claim on the bus, proof on the wire

On the implement bus, ISO 11783 identifies every device with a 64-bit `NAME`: manufacturer code, function, ECU instance, identity number, carried in SAE J1939 framing on CAN. The `NAME` is self-declared, and nothing on the bus can cryptographically verify it. AEF Guideline 040, the AEF's ISOBUS security principles, names exactly this class of gap.

Whisper's integration deliberately does not put cryptography on the bus. It gives the same machine a **provable public counterpart** at the IP boundary: the telematics gateway derives its `/128` from its secure-element key with the machine's PIN as the domain separator, and everything the machine says *to the cloud* sources from an address anyone can verify against the IANA root. The bus keeps its NAME; the wire gains a proof.

```sh
whisper verify --trustless a6f1007b9e2d30c8.<tenant>.agents.whisper.online
# dnssec   pass   DNSSEC-root   AAAA, PTR and TLSA(3 1 1) all DNSSEC-validated to the IANA root
# dane     pass   DNSSEC-root   served leaf SPKI-SHA256 == TLSA pin
```

> **Complements ISOBUS and AEF Guideline 040, does not replace them.** Whisper issues no bus messages, changes no ISOBUS conformance, and never reaches the J1939/CAN authenticator or TIM functional safety.

## Secure element / TPM: the birth certificate

This is the shipped spine the other five build on. Whisper derives the machine or ECU `/128` from the device's *public* `SubjectPublicKeyInfo` plus its equipment PIN (and, optionally, an implement/ECU serial). The private key stays sealed where it was born.

```
CALL whisper.agents({op:'connect', args:{
  tier:                'wireguard',
  identity_public_key: '<base64 SPKI of the device key>',
  vin:                 '1AGCM82633A004352'
}}) YIELD op, ok, status, result, error
  RETURN op, ok, status, result, error
```

```sh
curl -s https://graph.whisper.security/api/query \
  -H "X-API-Key: whisper_live_xxx" \
  -H "content-type: application/json" \
  -d @connect.json | jq .      # connect.json = {"query":"CALL whisper.agents({op:'connect', ...})"}
# {"ok": true, "status": 200, "result": {
#    "address": "2a04:2a01:e5a7:41c9:a6f1:7b:9e2d:30c8",
#    "wireguard": { … }}}
```

| Re-provision with… | Result |
|---|---|
| the *same* key + PIN | `200`: the **same** `/128` returns (idempotent) |
| a *different* PIN on the same tenant's key | `409`: the identity is already bound; no silent rebind |
| a non-string identifier | `400`: a clear input error, never an opaque 500 |

```
CALL whisper.agents({op:'revoke', args:{agent:'2a04:2a01:e5a7:41c9:a6f1:7b:9e2d:30c8'}})
  YIELD op, ok, status, error RETURN op, ok, status, error
```

> **Complements the secure element / TPM, does not replace it.** The full derivation is on [Equipment & ECU identity](/docs/equipment-identity).

## Cross-brand data exchange

Mixed fleets are the norm, so the industry built cross-brand exchange: DataConnect-style agreements move machine data between four major OEM and FMIS clouds so a grower sees one map, whichever colour the machine is. Every hop in that chain is a cloud-to-cloud API call, and each hop is a place where "who accessed this grower's data" can go dark.

The integration is per-party identity along the chain: each participating cloud endpoint, each broker, each consuming FMIS carries a Whisper `/128`, so the access trail survives the brand boundary.

```sh
# Any party in the chain, or the grower's advocate, verifies a participant:
curl -s https://whisper.online/verify-identity/2a04:2a01:e5a7:41c9:a6f1:7b:9e2d:30c8
# and the per-identity access log is one keyed call:
# CALL whisper.agents({op:'logs', args:{agent:'<the consumer /128>', kind:'conn', from:'-30d'}})
```

> **Complements the exchange's contract and consent model, does not replace it.** Whisper anchors the transport identity on each side so the agreement is enforced against a network fact, not a portable secret.

## Ag drones: the ground half of Remote ID

Agricultural drones fly under FAA Remote ID (Part 89): the aircraft broadcasts its identity on the air interface, and that broadcast is the regulator's domain, not ours. But everything *behind* the flight is internet infrastructure: the ground control station, the fleet backend, the spray-log upload, the USS/UTM endpoints.

Give the ground station and the fleet backend each a `/128`: command-and-telemetry egress becomes attributable per controller, and a spray log arrives from an identity the food-traceability chain can cite.

```sh
# The fleet backend verifies a ground station before accepting a mission upload:
curl -s https://whisper.online/verify-identity/2a04:2a01:e5a7:41c9:a6f1:7b:9e2d:30c8
# and its egress policy is default-deny, one keyed call:
whisper policy --agent 2a04:2a01:e5a7:41c9:a6f1:7b:9e2d:30c8 \
  --default deny --allow fleet.example-ops.com,uss.example-provider.com
```

> **Complements Remote ID, does not replace it.** The Part-89 broadcast stays untouched.

## Irrigation & LPWAN sensor networks

A centre-pivot controller or a LoRaWAN gateway concentrating a thousand soil-moisture sensors is a small computer with a cellular uplink, usually behind a carrier NAT. LoRaWAN's own OTAA join keys authenticate the *sensors to the gateway*; nothing authenticates the *gateway to the internet*.

The integration is one `/128` per gateway or controller, with default-deny egress policy: a hijacked irrigation controller can't quietly talk to anything but its own platform.

```sh
whisper policy --agent 2a04:2a01:e5a7:41c9:a6f1:7b:9e2d:30c8 \
  --default deny --allow telemetry.example-irrigation.com
# What did it actually reach last night? Per-identity, one keyed call:
# CALL whisper.agents({op:'logs', args:{agent:'<the gateway /128>', kind:'dns', from:'-24h'}})
```

> **Complements LoRaWAN's OTAA keys, does not replace them.** See [Egress governance](/docs/egress-governance).

## Shipped today vs proposed

| Building block | Status |
|---|---|
| Deterministic `/128` from a device's public key + PIN | **shipped, live** |
| Provision via the control plane (`op:'connect'`, WireGuard tier) | **shipped, live** |
| Keyless verify: `whisper verify --trustless`, `/verify-identity`, `dig -x`, RDAP | **shipped, live** |
| Revoke: `/128` + PTR + DANE torn down at DNS-TTL speed, owner-thrown | **shipped, live** |
| Attribution graph over the public API (`CALL whisper.identify(…)`) | **shipped, live** |
| The six integration *guides* on this page | **proposed** (our design, not a vendor endorsement) |

> The `--pin` CLI flag is not shipped yet; the 17-character PIN rides in the `vin` argument of the control-plane call, which *is* live.

## On the roadmap

- **Microsoft Sentinel connector**: *shipped today*, alongside the **Splunk** connector.
- **OpenCTI** threat-intelligence integration: *shipped today*.
- **STIX/TAXII export + sector-ISAC sharing formats**: *roadmap*.
- **An equipment-native `pin` argument and an ISOBUS-NAME domain separator**: *roadmap*.

## Next

- [Equipment & ECU identity](/docs/equipment-identity): the shipped derivation these integrations all build on
- [Equipment API-abuse cure](/docs/equipment-api-abuse-cure), the primary wedge: identity at the farm-API ingress
- [Agriculture compliance](/docs/agriculture-compliance): where the evidence lands for ISO 24882, the Data Act and ADT

---

← [Equipment API-abuse cure](/docs/equipment-api-abuse-cure) · [Agriculture compliance →](/docs/agriculture-compliance)
