Clay Seal layer 1 — attested agent identity and Biscuit capability tokens
Project description
Clay Seal Identity
Clay Seal Identity is layer 1 of Clay Seal: cryptographically attested identity
for autonomous agents. The package is published as clayseal-identity and
imports from clayseal.identity.
Use this repo when you need to answer:
- Which agent is acting?
- Which human or service principal delegated that action?
- Is the credential short-lived, signed, and bound to the holder key?
- Can downstream systems verify the identity offline?
Current State
Implemented today:
- SPIFFE JWT-SVID agent credentials (RS256,
sub= the SPIFFE ID) for broad federation compatibility, and SPIFFE X.509-SVID certificates for mTLS (identify(..., request_x509=True)), published with a per-tenant trust bundle. - Ed25519 workload keys for sender-constraining (
cnf.jkt) and offline proof-of-possession. - SPIFFE-shaped agent identifiers and trust domains.
- Proof-of-possession confirmation claims for replay resistance.
- Biscuit primitives for native Clay Seal capability facts.
- A Python SDK centered on
ClaySeal. - An optional FastAPI identity service for centralized issuance and validation.
- SQLite-by-default development storage and Postgres-ready production storage.
- Alembic migrations, API-key hardening, and optional KMS envelope encryption.
Attestation model. Node attestation verifies platform-signed evidence a workload cannot forge without controlling the node: a Google-signed GCP instance identity token, a Kubernetes projected service-account token (checked via the cluster's TokenReview API), or an AWS EC2 instance identity document (RSA-2048 signature against AWS's regional certificate). The node token's audience binds the workload key being presented, so evidence captured elsewhere can't be replayed to bind a different key. For on-prem and bare-metal there is also a static trust-anchor attestor (operator-registered key). Enable attestors per deployment (see docs/THREAT_MODEL.md and docs/DEPLOYMENT.md).
Layer 1 deliberately does not issue action-scoped commit tokens or write execution receipts. Those live in the sibling layers:
| Layer | Repository | Purpose |
|---|---|---|
| L1 | this repo | Agent identity and credential issuance |
| L2 | Clay Seal Capabilities (private preview) | Commit tokens, mandates, leases, budgets |
| L3 | Clay Seal Receipts (private preview) | Verifiable execution receipts and audit |
This package stands alone: it has no dependency on the other layers, and every runtime dependency resolves from public PyPI.
Install
The client SDK (clayseal.identity) is intentionally lightweight:
pip install clayseal-identity
To also run the bundled FastAPI identity service, add the server extra (pulls
in FastAPI, SQLAlchemy, the Postgres driver, and Alembic); kms adds the AWS KMS
provider:
pip install "clayseal-identity[server]"
pip install "clayseal-identity[server,kms]"
From source (development)
git clone https://github.com/clayseal/clayseal-identity.git
cd clayseal-identity
python -m venv .venv && source .venv/bin/activate
pip install -e ".[dev]" # client + server + test/lint/type tooling
pytest backend/tests sdk/python/tests -q
python examples/01_quickstart.py
Or run scripts/bootstrap.sh, which performs the steps above.
Quickstart
The fastest path is the zero-config embedded demo. It starts a throwaway local identity service, creates a tenant, identifies an agent, validates the token, and revokes it:
python examples/01_quickstart.py
python examples/02_capabilities.py
python examples/04_mcp_server.py # lock down an MCP server (needs the [mcp] extra)
Protect an MCP server
Most MCP servers in the wild are reachable by anything that can open a
connection. With the [mcp] extra, a FastMCP server accepts only Clay
Seal-credentialed agents, and each tool call is authorized against the
caller's capability token — attenuation included, so an agent that narrowed
itself mid-task is held to the narrowed rights:
from mcp.server.fastmcp import FastMCP
from clayseal.identity.integrations.mcp_server import (
ClaySealTokenVerifier, ToolGuard, build_auth_settings,
)
mcp = FastMCP("tools", token_verifier=verifier, auth=auth_settings)
@mcp.tool()
@guard.require()
def search_web(query: str) -> str: ...
Details in docs/INTEGRATIONS.md.
Framework integrations
Native on-ramps for the frameworks agents actually run in — a JavaScript
verifier (@clayseal/verify) for Node MCP servers and OpenClaw tool plugins,
and an agentskills.io skill for Hermes Agent. See
integrations/.
The package is SDK-first: issue tokens, verify them offline, and wire framework checks through clayseal.identity APIs in your application code and tests.
The current SDK flow is service-backed: create or point at a tenant, then call
identify. dev_attestation=True is only for localhost demos/tests; production
callers pass a platform-issued attestation document.
from clayseal.identity import ClaySeal
tenant = ClaySeal.create_tenant("Acme AI", base_url="http://localhost:8000")
auth = ClaySeal(
api_key=tenant["api_key"],
base_url="http://localhost:8000",
dev_attestation=True, # localhost demos/tests only
)
session = auth.identify(
agent_type="researcher",
owner="alice@example.org",
capabilities=[{"resource": "repo", "action": "read"}],
)
claims = session.validate().claims
assert claims["sub"].startswith("spiffe://")
Hosted Service
Run the local FastAPI service:
uvicorn clayseal.backend.main:app --reload
Production deployments should run behind TLS, pin issuer and audience, use Postgres, run Alembic migrations before deploy, and store signing material in a KMS or equivalent key-management system.
Privacy and Data Handling
Layer 1 stores and processes identity metadata: agent IDs, trust domains, principals, credential timestamps, public keys, and operational audit metadata. Private keys, persisted agent certificates, admin API keys, and database credentials are secrets.
Read docs/PRIVACY.md before integrating with production user or employee data.
Documentation
- Developer guide
- Agent identity profile
- Identity-only integrations
- Agent tool integration backlog
- Federation notes
- Threat model
- Conformance guide
- Identity profiles
- Privacy and data handling
Compatibility Note
The public brand is Clay Seal. The package names and import paths intentionally
remain clayseal-* / clayseal.* for now so existing integrations keep
working.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file clayseal_identity-0.6.0.tar.gz.
File metadata
- Download URL: clayseal_identity-0.6.0.tar.gz
- Upload date:
- Size: 916.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
05821d22044a1f4e58a02b10f3bf0f8112ca3ce14deb5fa39d84c83d2a63cd5b
|
|
| MD5 |
fa54352e897fb63d220ba95fa2243eca
|
|
| BLAKE2b-256 |
ca20e9074c059f716f27fab20741a5e12f6f07ab44dcc8b2f14a5ced7831437a
|
Provenance
The following attestation bundles were made for clayseal_identity-0.6.0.tar.gz:
Publisher:
release.yml on clayseal/clayseal-identity
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
clayseal_identity-0.6.0.tar.gz -
Subject digest:
05821d22044a1f4e58a02b10f3bf0f8112ca3ce14deb5fa39d84c83d2a63cd5b - Sigstore transparency entry: 2139048367
- Sigstore integration time:
-
Permalink:
clayseal/clayseal-identity@7bf433fa7cbd671e95b7ef5e28245042d78e41c8 -
Branch / Tag:
refs/tags/v0.6.0 - Owner: https://github.com/clayseal
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@7bf433fa7cbd671e95b7ef5e28245042d78e41c8 -
Trigger Event:
push
-
Statement type:
File details
Details for the file clayseal_identity-0.6.0-py3-none-any.whl.
File metadata
- Download URL: clayseal_identity-0.6.0-py3-none-any.whl
- Upload date:
- Size: 123.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
fd93ac5911fa5b43d9bd1a130db58c6cf802d03aafd5d38df518ff5ac8018599
|
|
| MD5 |
7058064d29eec644fe5a702e257404f6
|
|
| BLAKE2b-256 |
9c1a702a343823283628f1241cd0e8fc4bbfbf4a7bb75b7b55fea41a90cc9fe4
|
Provenance
The following attestation bundles were made for clayseal_identity-0.6.0-py3-none-any.whl:
Publisher:
release.yml on clayseal/clayseal-identity
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
clayseal_identity-0.6.0-py3-none-any.whl -
Subject digest:
fd93ac5911fa5b43d9bd1a130db58c6cf802d03aafd5d38df518ff5ac8018599 - Sigstore transparency entry: 2139048408
- Sigstore integration time:
-
Permalink:
clayseal/clayseal-identity@7bf433fa7cbd671e95b7ef5e28245042d78e41c8 -
Branch / Tag:
refs/tags/v0.6.0 - Owner: https://github.com/clayseal
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@7bf433fa7cbd671e95b7ef5e28245042d78e41c8 -
Trigger Event:
push
-
Statement type: