Verify AI agent identities with Agent Auth. DID-based authentication using Ed25519 and Verifiable Credentials.

auth-agents

Install

pip install auth-agents

Quick Start — Verify an Agent Credential

from auth_agents import AuthAgents

client = AuthAgents()

result = client.verify("eyJhbGciOiJFZERTQSJ9...")

if result["valid"]:
    print(result["did"])          # did:key:z6Mk...
    print(result["agent_name"])   # Claude
    print(result["agent_model"])  # claude-opus-4-6
    print(result["key_origin"])   # "server" or "client"

Authentication Flows

Server-Generated Keys (zero setup)

The server generates an Ed25519 keypair and returns the private key once. Store it securely — the server never retains it.

from auth_agents import AuthAgents

client = AuthAgents()

# 1. Register — server generates keypair and returns private key
identity = client.register(
    agent_name="MyAgent",
    agent_model="claude-opus-4-6",
    agent_provider="Anthropic",
    agent_purpose="Automated data processing",
)

did             = identity["did"]
credential      = identity["credential"]
private_key_jwk = identity["private_key_jwk"]   # save this securely
# identity["key_origin"] == "server"

# 2. Request a challenge nonce
challenge_resp = client.challenge(did)
challenge_id   = challenge_resp["challenge_id"]
nonce          = challenge_resp["nonce"]

# 3. Sign the nonce with the stored private key
signature = AuthAgents.sign_challenge(private_key_jwk, nonce)

# 4. Authenticate
auth_result = client.authenticate(
    challenge_id=challenge_id,
    did=did,
    signature=signature,
)

if auth_result["valid"]:
    print("Authenticated!", auth_result["session_token"])

Headless / Bring-Your-Own-Key (BYOK)

Generate your own keypair locally, register with your public key, and sign challenges with your private key. The server never sees your private key.

from auth_agents import AuthAgents

client = AuthAgents()

# 1. Generate a local Ed25519 keypair
key_pair        = AuthAgents.generate_key_pair()
public_key_jwk  = key_pair["publicKeyJwk"]
private_key_jwk = key_pair["privateKeyJwk"]   # keep secret

# 2. Register with your own public key
identity = client.register(
    agent_name="MyAgent",
    agent_model="claude-opus-4-6",
    agent_provider="Anthropic",
    agent_purpose="Automated data processing",
    public_key_jwk=public_key_jwk,
)

did        = identity["did"]
credential = identity["credential"]
# identity["key_origin"] == "client"

# 3. Request a challenge nonce
challenge_resp = client.challenge(did)
challenge_id   = challenge_resp["challenge_id"]
nonce          = challenge_resp["nonce"]

# 4. Sign the nonce locally — nonce is signed as UTF-8 text
signature = AuthAgents.sign_challenge(private_key_jwk, nonce)

# 5. Authenticate
auth_result = client.authenticate(
    challenge_id=challenge_id,
    did=did,
    signature=signature,
)

if auth_result["valid"]:
    print("Authenticated!", auth_result["session_token"])
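
A local check for the BYOK flow above, as an added example that is not part of the auth-agents package: it derives the did:key identifier from the public JWK and confirms that the DID returned by register() encodes the key you generated. It assumes the service uses the standard did:key encoding for Ed25519 (multicodec prefix 0xed01, base58btc), which the z6Mk prefix shown on this page is consistent with; all function names and the sample key are constructed for illustration.

```python
import base64

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ED25519_PUB = b"\xed\x01"  # multicodec prefix for an Ed25519 public key

def b64url_decode(text):
    # JWK members are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def b58encode(data):
    num, out = int.from_bytes(data, "big"), ""
    while num:
        num, rem = divmod(num, 58)
        out = B58[rem] + out
    return "1" * (len(data) - len(data.lstrip(b"\0"))) + out  # zero bytes -> '1'

def b58decode(text):
    num = 0
    for ch in text:
        num = num * 58 + B58.index(ch)  # ValueError on a non-base58 character
    zeros = len(text) - len(text.lstrip("1"))
    return b"\0" * zeros + num.to_bytes((num.bit_length() + 7) // 8, "big")

def did_from_jwk(jwk):
    if jwk.get("kty") != "OKP" or jwk.get("crv") != "Ed25519":
        raise ValueError("not an Ed25519 OKP key")
    raw = b64url_decode(jwk["x"])
    if len(raw) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    return "did:key:z" + b58encode(ED25519_PUB + raw)

def key_from_did(did):
    if not did.startswith("did:key:z"):
        raise ValueError("expected a base58btc did:key")
    decoded = b58decode(did[len("did:key:z"):])
    if len(decoded) != 34 or decoded[:2] != ED25519_PUB:
        raise ValueError("DID does not encode an Ed25519 key")
    return decoded[2:]

def did_binds_key(did, jwk):
    """True only if the DID encodes exactly the public key in the JWK."""
    try:
        return key_from_did(did) == b64url_decode(jwk["x"])
    except (ValueError, KeyError):
        return False

# Constructed sample key (bytes 0..31), not a key from the page.
SAMPLE_X = base64.urlsafe_b64encode(bytes(range(32))).decode().rstrip("=")
SAMPLE_JWK = {"kty": "OKP", "crv": "Ed25519", "x": SAMPLE_X}
```

In the BYOK flow, calling did_binds_key(identity["did"], public_key_jwk) right after register() catches a response whose DID does not correspond to the key you hold.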

API Reference

AuthAgents(base_url=...)

Client class. base_url defaults to https://auth.getagentauth.com.

AuthAgents.generate_key_pair() — static

Generate a fresh Ed25519 keypair. Returns:

{
    "publicKeyJwk":  {"kty": "OKP", "crv": "Ed25519", "x": "<base64url>"},
    "privateKeyJwk": {"kty": "OKP", "crv": "Ed25519", "x": "<base64url>", "d": "<base64url>"},
}

AuthAgents.sign_challenge(private_key_jwk, nonce) — static

Sign a challenge nonce with an Ed25519 private key JWK. Returns a base64url-encoded signature string (no padding).

client.register(...)

Register a new agent identity. Pass public_key_jwk for BYOK; omit it for server-generated keys. Returns a dict including:

| Field | Description |
| --- | --- |
| did | Agent DID (did:key:z6Mk...) |
| credential | VC-JWT string |
| key_fingerprint | Short fingerprint of the public key |
| key_origin | "server" or "client" |
| private_key_jwk | Private key JWK (server-generated flow only) |

client.challenge(did)

Request an authentication challenge nonce. Returns challenge_id, nonce, and expires_in.

client.authenticate(challenge_id, did, signature)

Submit a signed challenge. Returns valid, session_token, credential, agent object, and expires_in.

client.verify(credential)

Verify a VC-JWT credential. Returns a dict including:

| Field | Description |
| --- | --- |
| valid | True if the credential is valid |
| agent_name | Agent display name |
| did | Agent DID |
| key_origin | "server" or "client" |
| issued_at | ISO 8601 issuance timestamp |

verify(credential) — module-level shorthand

Equivalent to AuthAgents().verify(credential).

Documentation

Full API reference at getagentauth.com/docs

Download files

Source Distribution

auth_agents-0.4.0.tar.gz (5.1 kB)

Uploaded Source

Built Distribution

auth_agents-0.4.0-py3-none-any.whl (6.5 kB)

Uploaded Python 3

File details

Details for the file auth_agents-0.4.0.tar.gz.

File metadata

  • Download URL: auth_agents-0.4.0.tar.gz
  • Size: 5.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.11

File hashes

Hashes for auth_agents-0.4.0.tar.gz
| Algorithm | Hash digest |
| --- | --- |
| SHA256 | c24d1aa0f91d23176d7a0622b335cc4310cd432b233d1747b1c95a65dc63d593 |
| MD5 | a6c7a5d482f5534480a1ee54a1170159 |
| BLAKE2b-256 | cc97ad208d361be041e59947f41e2761853bde4c4db1c1bc13e14a0d9bdf2be2 |

File details

Details for the file auth_agents-0.4.0-py3-none-any.whl.

File metadata

  • Download URL: auth_agents-0.4.0-py3-none-any.whl
  • Size: 6.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.11

File hashes

Hashes for auth_agents-0.4.0-py3-none-any.whl
| Algorithm | Hash digest |
| --- | --- |
| SHA256 | 1bde98df4ed60c0b496dd304788ef0b6cb167a0a76d4e663cdb72053eacc12fe |
| MD5 | 2cf4b9a29caecee004cbc22a9547a2a1 |
| BLAKE2b-256 | 01ffbb442a70e11a68c6a06fa04009e23d659e0f13502b5b56d24d57fef6d731 |
