diff --git a/README.md b/README.md
index 78f81e5..72dc904 100644
--- a/README.md
+++ b/README.md
@@ -17,7 +17,7 @@ class ApplicationController < ActionController::Base
   private
 
   def verify_agent!
-    @current_agent ||= Vestauth.provider.verify(http_method: request.method, uri: request.original_url, headers: request.headers)
+    @current_agent ||= Vestauth.tool.verify(http_method: request.method, uri: request.original_url, headers: request.headers)
   rescue => e
     render json: { error: { status: 401, code: 401, message: e.message } }, status: 401
   end
diff --git a/lib/vestauth.rb b/lib/vestauth.rb
index 6838801..6d35759 100644
--- a/lib/vestauth.rb
+++ b/lib/vestauth.rb
@@ -3,13 +3,18 @@
 require_relative "vestauth/version"
 require_relative "vestauth/agent"
 require_relative "vestauth/binary"
+require_relative "vestauth/tool"
 require_relative "vestauth/provider"
 
 module Vestauth
   class Error < StandardError; end
 
-  def self.provider
-    Provider
+  def self.tool
+    Tool
+  end
+
+  class << self
+    alias provider tool
   end
 
   def self.agent
diff --git a/lib/vestauth/binary.rb b/lib/vestauth/binary.rb
index 785acd8..5d98dc8 100644
--- a/lib/vestauth/binary.rb
+++ b/lib/vestauth/binary.rb
@@ -10,10 +10,10 @@ def initialize(executable: "vestauth")
       @executable = executable
     end
 
-    def provider_verify(http_method:, uri:, signature:, signature_input:, signature_agent:)
+    def tool_verify(http_method:, uri:, signature:, signature_input:, signature_agent:)
       command = [
         @executable,
-        "provider",
+        "tool",
         "verify",
         http_method,
         uri,
diff --git a/lib/vestauth/provider.rb b/lib/vestauth/provider.rb
index c89eae5..76f6315 100644
--- a/lib/vestauth/provider.rb
+++ b/lib/vestauth/provider.rb
@@ -1,42 +1,7 @@
 # frozen_string_literal: true
 
-module Vestauth
-  module Provider
-    module_function
-
-    def verify(http_method:, uri:, headers:)
-      signature = signature_header(headers)
-      signature_input = signature_input_header(headers)
-      signature_agent = signature_agent_header(headers)
-
-      attrs = {
-        http_method: http_method,
-        uri: uri,
-        signature: signature,
-        signature_input: signature_input,
-        signature_agent: signature_agent
-      }
-      vestauth_binary.provider_verify(**attrs)
-    end
-
-    def vestauth_binary
-      Vestauth::Binary.new
-    end
-    private_class_method :vestauth_binary
+require_relative "tool"
 
-    def signature_header(headers)
-      headers["Signature"] || headers["signature"]
-    end
-    private_class_method :signature_header
-
-    def signature_input_header(headers)
-      headers["Signature-Input"] || headers["signature-input"]
-    end
-    private_class_method :signature_input_header
-
-    def signature_agent_header(headers)
-      headers["Signature-Agent"] || headers["signature-agent"]
-    end
-    private_class_method :signature_agent_header
-  end
+module Vestauth
+  Provider = Tool
 end
diff --git a/lib/vestauth/tool.rb b/lib/vestauth/tool.rb
new file mode 100644
index 0000000..beeb263
--- /dev/null
+++ b/lib/vestauth/tool.rb
@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+module Vestauth
+  module Tool
+    module_function
+
+    def verify(http_method:, uri:, headers:)
+      signature = signature_header(headers)
+      signature_input = signature_input_header(headers)
+      signature_agent = signature_agent_header(headers)
+
+      attrs = {
+        http_method: http_method,
+        uri: uri,
+        signature: signature,
+        signature_input: signature_input,
+        signature_agent: signature_agent
+      }
+      vestauth_binary.tool_verify(**attrs)
+    end
+
+    def vestauth_binary
+      Vestauth::Binary.new
+    end
+    private_class_method :vestauth_binary
+
+    def signature_header(headers)
+      headers["Signature"] || headers["signature"]
+    end
+    private_class_method :signature_header
+
+    def signature_input_header(headers)
+      headers["Signature-Input"] || headers["signature-input"]
+    end
+    private_class_method :signature_input_header
+
+    def signature_agent_header(headers)
+      headers["Signature-Agent"] || headers["signature-agent"]
+    end
+    private_class_method :signature_agent_header
+  end
+end
diff --git a/spec/binary_spec.rb b/spec/binary_spec.rb
index d693f6c..d757495 100644
--- a/spec/binary_spec.rb
+++ b/spec/binary_spec.rb
@@ -1,16 +1,16 @@
 # frozen_string_literal: true
 
 RSpec.describe Vestauth::Binary do
-  describe "#provider_verify" do
-    it "calls vestauth provider verify and parses json output" do
+  describe "#tool_verify" do
+    it "calls vestauth tool verify and parses json output" do
       status = instance_double(Process::Status, success?: true)
       binary = described_class.new
 
       expect(Open3).to receive(:capture3).with(
-        include("vestauth provider verify GET https://api.vestauth.com/whoami")
+        include("vestauth tool verify GET https://api.vestauth.com/whoami")
       ).and_return(['{"uid":"agent-123"}', "", status])
 
-      result = binary.provider_verify(
+      result = binary.tool_verify(
         http_method: "GET",
         uri: "https://api.vestauth.com/whoami",
         signature: "sig1=:abc:",
@@ -28,7 +28,7 @@
       allow(Open3).to receive(:capture3).and_return(["", "bad signature", status])
 
       expect do
-        binary.provider_verify(
+        binary.tool_verify(
           http_method: "GET",
           uri: "https://api.vestauth.com/whoami",
           signature: "sig1=:abc:",
diff --git a/spec/vestauth_spec.rb b/spec/vestauth_spec.rb
index dc1958f..0f09444 100644
--- a/spec/vestauth_spec.rb
+++ b/spec/vestauth_spec.rb
@@ -5,18 +5,20 @@
     expect(Vestauth::VERSION).not_to be nil
   end
 
-  it "exposes namespaced provider and agent modules" do
-    expect(Vestauth.provider).to eq(Vestauth::Provider)
+  it "exposes namespaced tool/provider and agent modules" do
+    expect(Vestauth::Tool).to eq(Vestauth::Provider)
+    expect(Vestauth.tool).to eq(Vestauth::Tool)
+    expect(Vestauth.provider).to eq(Vestauth::Tool)
     expect(Vestauth.agent).to eq(Vestauth::Agent)
     expect(Vestauth.binary).to eq(Vestauth::Binary)
   end
 
-  it "delegates provider verify to binary provider_verify" do
+  it "delegates tool verify to binary tool_verify" do
     binary = instance_double(Vestauth::Binary)
     allow(Vestauth::Binary).to receive(:new).and_return(binary)
-    allow(binary).to receive(:provider_verify).and_return({ "uid" => "agent-123" })
+    allow(binary).to receive(:tool_verify).and_return({ "uid" => "agent-123" })
 
-    result = Vestauth.provider.verify(
+    result = Vestauth.tool.verify(
       http_method: "GET",
       uri: "https://api.vestauth.com/whoami",
       headers: {
@@ -26,7 +28,7 @@
       }
     )
 
-    expect(binary).to have_received(:provider_verify).with(
+    expect(binary).to have_received(:tool_verify).with(
       http_method: "GET",
       uri: "https://api.vestauth.com/whoami",
       signature: "sig1=:abc:",
@@ -39,15 +41,15 @@
   it "passes through missing headers and lets binary verify fail if needed" do
     binary = instance_double(Vestauth::Binary)
     allow(Vestauth::Binary).to receive(:new).and_return(binary)
-    allow(binary).to receive(:provider_verify).and_return({ "success" => false })
+    allow(binary).to receive(:tool_verify).and_return({ "success" => false })
 
-    Vestauth.provider.verify(
+    Vestauth.tool.verify(
       http_method: "GET",
       uri: "https://api.vestauth.com/whoami",
       headers: {}
     )
 
-    expect(binary).to have_received(:provider_verify).with(
+    expect(binary).to have_received(:tool_verify).with(
       http_method: "GET",
       uri: "https://api.vestauth.com/whoami",
       signature: nil,