Zero Trust Identity & Signing for AI Agents
Website | How It Works | Self-Host Server | npm
Every AI agent gets a cryptographic passport. Every execution is signed. Every MCP tool call is verified. No verification, no trust.
AgentSign is the identity and trust layer for autonomous AI agents. While tools like SSL verify who is connecting, AgentSign verifies who the agent is + what it did + proof it wasn't tampered with + its trust history.
Zero runtime dependencies. Node >= 18. Patent Pending.
AI agents are now autonomous -- they make API calls, access databases, execute code, and spend money. But there's no standard way to:
- Verify an agent's identity before granting tool access
- Prove what an agent did with cryptographic evidence
- Revoke a compromised agent (or an entire swarm) instantly
- Score trust based on actual behavior, not just permissions
- Verify agent integrity offline -- no server dependency
AgentSign solves all five. On-prem. Your keys. Your infrastructure.
npm install agentsignconst AgentSign = require('agentsign');
const agent = new AgentSign({ serverUrl: 'https://agentsign.internal:8888' });
// 1. Register -- agent enters identity pipeline
const { agent_id } = await agent.register({ name: 'Procurement Bot', category: 'finance' });
// 2. Advance through pipeline (INTAKE -> VETTING -> TESTING -> ACTIVE)
await agent.advanceToActive();
// 3. Get self-verifying passport (works offline)
const passport = await agent.getPassport();
// -> { agent_id, name, code_hash, trust_score: 85, pipeline_stage: 'ACTIVE', signature, ... }
// 4. Present passport to MCP server before using tools
const gate = await agent.verifyMCP('database-mcp', 'query_users');
// -> { decision: 'ALLOW', trust_score: 85, checks_passed: ['identity', 'trust', 'pipeline'] }
// 5. Sign every execution (cryptographic proof)
const signed = agent.sign({ query: 'SELECT * FROM users' }, { rows: 142 });
agent.verify(signed); // -> true (tamper-proof) +------------------+
| AgentSign |
| Engine (8888) |
+--------+---------+
|
+--------------+--------------+
| | |
+-----v-----+ +----v----+ +------v------+
| Identity | | Trust | | Execution |
| Pipeline | | Scoring | | Ledger |
+-----+------+ +----+----+ +------+------+
| | |
INTAKE -> VETTING -> TESTING -> ACTIVE |
| | |
+-----v-----+ +----v----+ +------v------+
| Agent | | MCP | | Swarm |
| Passport | | Trust | | Management |
| (offline) | | Layer | | (revoke all)|
+------------+ +---------+ +-------------+
| # | Subsystem | What It Does |
|---|---|---|
| 1 | Identity Pipeline | Agents go through INTAKE -> VETTING -> TESTING -> ACTIVE. Each gate is cryptographically recorded. |
| 2 | Agent Passport | Self-contained signed JSON. Agent carries it everywhere. Any system can verify offline. |
| 3 | Execution Chains | Every input/output pair is signed. Creates a tamper-proof DAG of what the agent did. |
| 4 | MCP Trust Layer | MCP servers call /api/mcp/verify before granting tool access. Identity + trust + policy check. |
| 5 | Trust Scoring | 0-100 score based on code attestation, execution history, success rate, pipeline stage. |
The killer feature. Every MCP tool call goes through identity verification:
// MCP server middleware (server-side)
app.post('/tools/query', async (req, res) => {
// Agent presents passport, AgentSign decides ALLOW or DENY
const gate = await fetch('http://agentsign:8888/api/mcp/verify', {
method: 'POST',
body: JSON.stringify({
agent_id: req.headers['x-agent-id'],
passport: req.headers['x-agent-passport'],
mcp_server_id: 'database-mcp',
tool_name: 'query'
})
});
const { decision } = await gate.json();
if (decision !== 'ALLOW') return res.status(403).json({ error: 'Trust gate denied' });
// ... execute tool
});Sign and verify locally. No server calls. No network dependency.
const signed = agent.sign(
{ invoice: 'INV-001', amount: 350 }, // input
{ status: 'paid', txId: 'tx_abc123' } // output
);
// -> { executionId, executionHash, signature, method: 'hmac', verified: true }
agent.verify(signed); // -> true
agent.verifyOutput({ status: 'paid', txId: 'tx_abc123' }, signed); // -> 'PASS'Default signer is file-based (keyed hashing, keys at ~/.agentsign/keys/). For hardware security:
| Signer | Install | Use Case |
|---|---|---|
| File (default) | -- | Dev, testing, small deployments |
| PKCS#11 | npm i pkcs11js |
Thales, SafeNet, YubiHSM, SoftHSM |
| AWS KMS | npm i @aws-sdk/client-kms |
AWS / CloudHSM |
| Azure Key Vault | npm i @azure/keyvault-keys @azure/identity |
Azure |
| GCP Cloud KMS | npm i @google-cloud/kms |
Google Cloud |
| HashiCorp Vault | -- (native fetch) | Vault Transit engine |
// Example: AWS KMS
const agent = new AgentSign({
serverUrl: 'http://localhost:8888',
signer: 'aws-kms',
aws: { keyId: 'arn:aws:kms:eu-west-2:123:key/abc-def', region: 'eu-west-2' },
});
const signed = await agent.signAsync(input, output);# Docker (recommended)
docker run -d -p 8888:8888 -v agentsign-data:/app/data ghcr.io/razashariff/agentsign:latest
# Or Helm (Kubernetes)
helm install agentsign ./deploy/helm/agentsign \
--set signer=aws-kms \
--set aws.keyId=arn:aws:kms:eu-west-2:123:key/abcServer repo: github.com/razashariff/agentsign
| Method | Description |
|---|---|
register({ name, category }) |
Register agent, enters INTAKE pipeline stage |
advance() |
Advance one pipeline stage |
advanceToActive() |
Auto-advance to ACTIVE |
getPassport() |
Get self-verifying passport (works offline) |
getAgent() |
Get agent details + trust score |
revoke(reason) |
Instant revocation |
verifyMCP(mcpId, tool) |
Present passport to MCP Trust Gate |
sign(input, output) |
Local cryptographic signing |
verify(execution) |
Verify signed execution |
verifyOutput(output, exec) |
Check output integrity |
pay(to, pence, desc) |
Trust Gate payment (identity + policy + Stripe) |
freeze() / unfreeze() |
Freeze/unfreeze agent wallet |
INTAKE --> VETTING --> TESTING --> DEV_APPROVED --> PROD_APPROVED --> ACTIVE
|
REVOKED
| AgentSign | API Keys | OAuth | mTLS | |
|---|---|---|---|---|
| Agent identity | Cryptographic passport | Shared secret | Token (human-centric) | Cert (connection only) |
| What agent did | Signed execution chain | Nothing | Nothing | Nothing |
| Tamper detection | Cryptographic hash chain | None | None | None |
| Trust scoring | 0-100 behavioral | None | Scopes (static) | None |
| Offline verification | Yes (passport) | No | No | Partial |
| Swarm revocation | Instant (all agents) | Manual | Manual | CRL lag |
| MCP integration | Native Trust Gate | None | None | None |
PRs welcome. See CONTRIBUTING.md.
MIT. Patent Pending.
Built by CyberSecAI. Website: agentsign.dev.