Creduent
БесплатноНе проверенThe official JS/TS SDK for Creduent: the open standard and security protocol for cryptographic AI agent identity, authentication, and trust verification using E
Описание
The official JS/TS SDK for Creduent: the open standard and security protocol for cryptographic AI agent identity, authentication, and trust verification using Ed25519 and DNS.
README
npm version License Node Compatibility Downloads
The official JavaScript/TypeScript SDK for the Creduent Protocol, the open standard for cryptographic AI agent identity, Ed25519 signing, and attestation.
What is Creduent?
Creduent is an open application-layer protocol for cryptographic identity and trust verification of autonomous AI agents, originally created by Kashish Kanojia and stewarded by IDevSec. The official JavaScript/TypeScript SDK is developed and maintained by IDevSec.
Performs fully decentralized, local Ed25519 signature verification using the Web Crypto API (globalThis.crypto.subtle). Zero runtime dependencies, as it works natively on Node.js 18+, Vercel Edge, Cloudflare Workers, Deno, and modern browsers.
Protocol: idevsec.com/creduent | Docs: idevsec.com/creduent/docs | Registry: creduent.idevsec.com
Key Features
- Zero Runtime Dependencies: No third-party cryptography libraries. Uses only the built-in Web Crypto API.
- Edge-Compatible: Runs anywhere
globalThis.crypto.subtleis available, including Vercel Edge, Cloudflare Workers, Deno, and Node.js 18+. - Decentralized Verification: Validates Ed25519 signatures locally. No registry trust required for
verify(). - RFC 8785 JCS Canonicalization: Native TypeScript implementation for deterministic JSON serialization before signing.
- Dual CJS & ESM Support: Ships with full ESM and CommonJS exports alongside built-in TypeScript declarations.
- Registry Operations: Built-in support for webhook management, attestation renewals, and authenticated capability discovery.
- Agent Framework Integrations: First-class adapters for Vercel AI SDK and LangGraph JS.
Installation
npm install @idevsec/creduent
Quickstart
Verify an Agent (Decentralized)
The primary use case is to fetch an agent document and validate its Ed25519 signature locally:
import { verify } from "@idevsec/creduent";
const result = await verify("agent://idevsec/steward");
if (result.valid) {
console.log("Agent ID:", result.agent_id);
console.log("Owner:", result.document?.owner);
console.log("Capabilities:", result.document?.capabilities);
} else {
console.error("Verification failed:", result.reason);
}
Verify from a Raw Document
If you already have the agent.json document in memory:
import { verify } from "@idevsec/creduent";
import type { AgentDocument } from "@idevsec/creduent";
const doc: AgentDocument = {/* your agent.json object */};
const result = await verify(doc);
console.log(result.valid); // true | false
Resolve a Target
Resolve an agent:// URI, a domain, or a direct HTTPS URL to its agent.json document:
import { resolveTarget } from "@idevsec/creduent";
// Resolves via registry: https://creduent.idevsec.com/attest/<uri>
const doc = await resolveTarget("agent://idevsec/steward");
// Resolves via .well-known: https://example.com/.well-known/agent.json
const doc2 = await resolveTarget("example.com");
Register an Agent
import { registerAgent } from "@idevsec/creduent";
const record = await registerAgent({
agent_id: "agent://myorg/mybot",
domain: "myorg.com",
agent_json_url: "https://myorg.com/.well-known/agent.json",
metadata: { env: "production" },
});
console.log("Registered:", record.agent_id);
CommonJS
const { verify } = require("@idevsec/creduent");
verify("agent://idevsec/steward")
.then((result) => {
console.log(result.valid);
})
.catch(console.error);
Framework Integrations
Vercel AI SDK
Integrate agent verification as a tool within the Vercel AI SDK:
import { creduentVerifyToolDefinition } from "@idevsec/creduent";
import { tool } from "ai"; // Vercel AI SDK
export const creduentVerifyTool = tool({
description: creduentVerifyToolDefinition.description,
parameters: creduentVerifyToolDefinition.parameters,
execute: creduentVerifyToolDefinition.execute,
});
LangGraph JS
Ensure agent-to-agent interactions are secure using the LangGraph node middleware:
import { verifyAgentNode } from "@idevsec/creduent";
import { StateGraph } from "@langchain/langgraph";
interface State {
agentUri?: string;
verificationResult?: any;
}
const workflow = new StateGraph<State>({
channels: {
agentUri: null,
verificationResult: null,
},
}).addNode("verify", (state) => verifyAgentNode(state, { strict: true }));
// Add other nodes and compile...
How Verification Works
verify() performs a 4-step cryptographic check locally:
- Resolve: Fetches the
agent.jsondocument from the registry or.well-knownendpoint. - Schema check: Validates required fields (
version,agent_id,capabilities,signature). - Canonicalize: Removes the
signaturefield and applies RFC 8785 JCS serialization. - Verify: Validates the Ed25519 signature against all declared active public keys using
globalThis.crypto.subtle.
If any active key produces a valid signature, the result is valid: true. The registry does not need to be live for step 4 to succeed.
API Reference
verify(target)
Performs full cryptographic verification of an agent document.
- Parameters:
target(string | AgentDocument): Anagent://URI, domain, HTTPS URL, or a pre-fetched document object.
- Returns:
Promise<VerifyResult>
resolveTarget(target)
Resolves a target string to an AgentDocument without verifying the signature.
- Parameters:
target(string):agent://URI, domain, or HTTPS URL.
- Returns:
Promise<AgentDocument>
Set the CREDUENT_REGISTRY_URL environment variable to override the default registry (https://creduent.idevsec.com).
resolveAgent(uri, options)
Resolves the complete registry attestation record for the given agent URI.
- Parameters:
uri(string): The canonicalagent://URI.options(ClientOptions, optional): Configuration options.
- Returns:
Promise<AgentRecord>
registerAgent(payload, options)
Registers an AI agent's identity with the Creduent registry.
- Parameters:
payload(RegisterPayload):agent_id,domain,agent_json_url, optionalmetadata.options(ClientOptions, optional): Configuration options.
- Returns:
Promise<AgentRecord>
verifyAgent(uri, options)
Checks whether an agent's attestation status is active and valid (verified or trusted). Cleanly returns false on HTTP 404 and HTTP 410 (revoked) instead of throwing, allowing hosts to fail-closed gracefully.
- Parameters:
uri(string): The canonicalagent://URI.options(ClientOptions, optional)
- Returns:
Promise<boolean>
renewAgent(payload, options)
Renews an agent's cryptographic registry attestation.
- Parameters:
payload(RenewPayload): Containsagent_id,new_expires_at, and signature.options(ClientOptions, optional)
- Returns:
Promise<RenewResult>
registerWebhook(payload, options)
Registers a webhook URL for status change notifications.
- Parameters:
payload(WebhookPayload): Containsagent_id,webhook_url, and signature.options(ClientOptions, optional)
- Returns:
Promise<WebhookResult>
queryWebhook(agentId, options)
Retrieves the currently registered webhook URL for the specified agent.
- Parameters:
agentId(string): The agent URI.options(ClientOptions, optional)
- Returns:
Promise<WebhookResult>
discoverAgent(targetUri, myAgentId, privateKeyPem, options)
Performs authenticated capability discovery by querying the target agent's /discover endpoint with challenge-response validation.
- Parameters:
targetUri(string): Target agent URI.myAgentId(string, optional): Your agent URI.privateKeyPem(string, optional): Your private key PEM.options(ClientOptions, optional)
- Returns:
Promise<DiscoveryResult>
Security: Authenticated discovery only contacts endpoints using
https:. If the agent document's endpoint field uses any other scheme, the function returnsauthenticated: falsewith an error instead of making the request. This prevents SSRF in Node.js server-side deployments.
signPayload(payload, privateKeyPem)
Utility to sign an arbitrary JSON payload using JCS canonicalization + Ed25519.
- Parameters:
payload(any): The payload to sign.privateKeyPem(string): Private key in PEM format.
- Returns:
string(Base64-encoded signature)
canonicalize(obj)
Deterministic RFC 8785 JSON Canonicalization Scheme (JCS) serialization.
- Returns:
string
import { canonicalize } from "@idevsec/creduent";
const canonical = canonicalize({ b: 2, a: 1 });
// => '{"a":1,"b":2}'
verifySignature(publicKey, signature, data)
Low-level Ed25519 signature verification using the Web Crypto API.
import { verifySignature } from "@idevsec/creduent";
const valid = await verifySignature(
"ed25519:V43yNaTrpqQj9YJnjYVL2HdOrqUDcnflhzNGuHTaFD8=",
"<base64-signature>",
"<canonical-json-string>"
);
Types
interface AgentDocument {
version: string;
agent_id?: string;
owner?: string;
public_key?: string;
keys?: KeyRecord[];
endpoint?: string;
capabilities?: string[];
issued_at?: string;
signature?: string;
// v2.0 decoupled fields
identity?: {
agent_id: string;
owner: string;
keys: KeyRecord[];
endpoint: string;
delegated_from?: string;
};
policy?: {
capabilities: string[];
};
[key: string]: any;
}
interface KeyRecord {
public_key: string;
status: "active" | "revoked";
expires_at?: string;
revoked_at?: string;
}
interface VerifyResult {
valid: boolean;
agent_id?: string;
reason?: string;
document?: AgentDocument;
}
interface RegisterPayload {
agent_id: string;
domain: string;
agent_json_url: string;
metadata?: Record<string, string>;
}
interface ClientOptions {
baseUrl?: string;
headers?: Record<string, string>;
}
interface RenewPayload {
agent_id: string;
new_expires_at: string;
signature: string;
}
interface RenewResult {
agent_id: string;
issuer: string;
level: "verified" | "trusted" | "unverified" | "revoked";
domain: string;
public_key: string;
registered_at: string;
issued_at: string;
expires_at: string;
}
interface WebhookPayload {
agent_id: string;
webhook_url: string;
signature: string;
}
interface WebhookResult {
agent_id: string;
webhook_url: string;
}
interface DiscoveryResult {
target_agent_id: string;
endpoint?: string;
capabilities?: string[];
authenticated: boolean;
error?: string;
}
Environment Variables
| Variable | Default | Description |
|---|---|---|
CREDUENT_REGISTRY_URL |
https://creduent.idevsec.com |
Override the registry used for agent:// URI resolution. |
Protocol Specification
- Protocol overview: idevsec.com/creduent
- Technical reference: idevsec.com/creduent/docs
- CLI: github.com/idevsec/creduent-cli
- Standards documents: github.com/idevsec/creduent (CREDUENT-001 through CREDUENT-006)
License
Licensed under the Apache License 2.0. See the LICENSE file for the full legal text.
Установить Creduent в Claude Desktop, Claude Code, Cursor
unyly install creduentСтавит в Claude Desktop, Claude Code, Cursor и VS Code — сам разбирается с npx, uvx и сборкой из исходников.
Впервые? Поставь CLI: curl -fsSL https://unyly.org/install | sh
Или настроить вручную
Выполни в терминале:
claude mcp add creduent -- npx -y @idevsec/creduentFAQ
Creduent MCP бесплатный?
Да, Creduent MCP бесплатный — установка в пару кликов через Unyly без оплаты.
Нужен ли API-ключ для Creduent?
Нет, Creduent работает без API-ключей и переменных окружения.
Creduent — hosted или self-hosted?
Self-hosted: сервер запускается локально на твоей машине командой из раздела установки.
Как установить Creduent в Claude Desktop, Claude Code или Cursor?
Открой Creduent на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.
Похожие MCP
Fetch
Web content fetching and conversion for efficient LLM usage.
AWS KB Retrieval
Retrieval from AWS Knowledge Base using Bedrock Agent Runtime.
автор: modelcontextprotocolSpring AI MCP Server
Provides auto-configuration for setting up an MCP server in Spring Boot applications.
llm-analysis-assistant
A very streamlined mcp client that supports calling and monitoring stdio/sse/streamableHttp, and can also view request responses through the /logs page. It also
автор: xuzexin-hzCompare Creduent with
Не уверен что выбрать?
Найди свой стек за 60 секунд
Автор?
Embed-бейдж для README
Похожее
Все в категории ai
