Engram is a decentralized AI memory layer built on Bittensor subnet 450. It lets you store text, images, and PDFs as content-addressed vector embeddings that are replicated across a network of incentivized miners and permanently archived on Arweave.

How does Engram differ from Pinecone or Weaviate?

Unlike centralised vector databases, Engram has no single point of failure or central authority. Data is stored across multiple miners on the Bittensor blockchain, each of whom must cryptographically prove they hold your data. There is no monthly subscription — miners are paid in TAO tokens by the network.

What is a content-addressed CID?

A CID (content identifier) is a SHA-256 hash derived from the vector embedding and metadata of your stored content. The same text always produces the same CID, regardless of which miner stores it — making storage verifiable and tamper-proof.

How do I store data on Engram?

You can use the Python SDK (pip install engram-subnet), the CLI, or the web playground at theengram.space/playground. Each method returns a permanent CID you can use to retrieve the data later.

What is Bittensor subnet 450?

Subnet 450 is Engram's slot on the Bittensor network. Bittensor is a decentralized machine learning network where miners and validators earn TAO tokens for running useful AI services. Engram's subnet uses those incentives to ensure permanent, verifiable vector storage.

Namespace Attestation

Link a namespace to a Bittensor hotkey. The hotkey's on-chain TAO stake becomes a publicly verifiable trust signal — no central moderation required.

Overview

Engram cannot verify whether stored content is true — that's an unsolvable problem for any decentralized system. What it can do is make accountability legible and on-chain-verifiable.

Namespace attestation works like this: a namespace owner signs a challenge with their Bittensor hotkey. Their TAO stake on that hotkey determines a trust tier. Every query result carries the trust tier of its namespace. Agents decide which tiers they're willing to trust — Engram enforces nothing at the content level.

Tip

Think of it like domain reputation on the web. TCP/IP doesn't verify content truthfulness — reputation layers built on top of it do. Attestation is Engram's reputation layer.

Trust tiers

Tier	Stake required	What it means
sovereign	≥ 1000 TAO	Protocol-level trusted entity — significant economic stake at risk
verified	≥ 100 TAO	Meaningful accountability — costly to abandon and re-create
community	≥ 1 TAO	Basic skin in the game — cheap but not free
anonymous	< 1 TAO or unattested	No guarantees — treat as untrusted

Stake is refreshed from the metagraph every 10 minutes. If an owner's stake drops below their tier threshold, the tier degrades automatically — no manual intervention required.

How it works

The namespace owner signs a canonical message with their Bittensor sr25519 hotkey
The miner verifies the signature and reads the owner's TAO stake from the metagraph
A trust tier is assigned based on stake and persisted alongside the namespace
Every query result from that namespace carries the trust_tier field
Agents filter results by the minimum trust tier they're willing to accept

Attesting a namespace

Using the Python SDK

python

from engram.miner.attestation import build_attestation_payload
import bittensor as bt
import requests
# Load your wallet
wallet = bt.wallet(name="my_wallet")
# Build a signed attestation payload
payload = build_attestation_payload(wallet.hotkey, "my_agent_memory")
# Submit to your miner
resp = requests.post("http://your-miner:8091/AttestNamespace", json=payload)
print(resp.json())
# {
#   "ok": true,
#   "namespace": "my_agent_memory",
#   "trust_tier": "verified",
#   "stake_tao": 250.0
# }

Using curl

You need to build the signature yourself. The canonical message to sign is:

text

engram-attest:{namespace}:{timestamp_ms}

bash

curl -X POST http://your-miner:8091/AttestNamespace \
  -H "Content-Type: application/json" \
  -d '{
    "namespace":    "my_agent_memory",
    "owner_hotkey": "5YourHotkeyAddress...",
    "signature":    "0xsignature_hex...",
    "timestamp_ms": 1712345678123
  }'

Note

The timestamp must be within ±60 seconds of the miner's clock (replay protection). Generate it fresh — don't reuse a previous payload.

Checking a namespace's trust tier

bash

curl http://your-miner:8091/attestation/my_agent_memory
# {
#   "namespace":    "my_agent_memory",
#   "owner_hotkey": "5YourHotkeyAddress...",
#   "trust_tier":   "verified",
#   "stake_tao":    250.0,
#   "attested_at":  1712345678.0,
#   "attested":     true
# }

Filtering query results by trust

Every query result now includes a trust_tier field. Unattested namespaces return "anonymous".

python

results = client.query("attention mechanisms in transformers")
# Only use results from verified or sovereign namespaces
trusted = [r for r in results if r["trust_tier"] in ("verified", "sovereign")]
for r in trusted:
    print(f"{r['score']:.4f}  [{r['trust_tier']}]  {r['cid']}")

python

# Example result structure
{
  "cid":        "v1::a3f2b1c4...",
  "score":      0.9821,
  "metadata":   {"source": "arxiv", "title": "Attention Is All You Need"},
  "trust_tier": "verified"
}

Tip

For production agents, combine namespace attestation with private namespaces: attest your private namespace so other parties can verify you own it, while keeping the content encrypted so miners can't read it.

API reference

POST /AttestNamespace

Field	Type	Required	Description
namespace	string	Yes	The namespace to attest
owner_hotkey	string (SS58)	Yes	Bittensor hotkey address of the owner
signature	string (hex)	Yes	sr25519 signature over canonical message
timestamp_ms	integer	Yes	Unix milliseconds — must be within ±60s of server time

GET /attestation/{namespace}

Field	Type	Description
namespace	string	The queried namespace
owner_hotkey	string	Hotkey that attested (omitted if unattested)
trust_tier	string	sovereign / verified / community / anonymous
stake_tao	float	TAO at last refresh (omitted if unattested)
attested_at	float	Unix timestamp of attestation (omitted if unattested)
attested	boolean	Whether this namespace has been attested

Threat model

Threat	Protected?
Attacker injects content into your attested namespace	✓ Yes — only owner's hotkey can attest; namespace key still required to write
Attacker buys high stake, poisons, then unstakes	Partial — economic cost deters casual attacks; stake lock period adds friction
Unattested namespace serves bad content	Expected — tier shows as 'anonymous'; agents should reject or weight accordingly
Owner's stake drops after attesting	✓ Handled — tier auto-degrades when stake falls below threshold on next refresh
Replay attack reuses old attestation payload	✓ Yes — timestamp window ±60s; old payloads rejected
Attacker spoofs hotkey without signing	✓ Yes — sr25519 signature verification required

Note

Attestation solves accountability, not content truth. A sovereign-tier namespace proves the owner has significant economic stake at risk — it does not prove their content is accurate. Use it as a trust signal, not a content guarantee.

Private Namespaces

LangChain

engram docs · v0.1edit on github →