Agent Gateway Exchange
Open authentication protocol for autonomous AI agents. Five cryptographic primitives for credential lifecycle management, key rotation, and tamper-evident audit trails.
Protocol Primitives
Five building blocks for autonomous credential management
Agent Identity Document
Cryptographic identity for AI agents. Binds an Ed25519 public key to trust tier, capabilities, and organisational context with IA-signed attestation.
Intent Manifest
Declarative credential request specifying target service, requested scopes, data handling commitments, and agent-signed justification for access.
Credential Lifecycle Contract
Time-bounded, scope-limited credential with ECDH-ES encrypted envelope. Supports automatic rotation, delegation chains, and idle timeout revocation.
Autonomous Rotation Protocol
Zero-downtime credential rotation with configurable overlap windows. Agents autonomously rotate keys before expiry without human intervention.
Delegation Chains
Scope-narrowing sub-credential delegation with depth limits and full provenance tracking. Parent credentials maintain revocation authority over entire chain.
Security Architecture
Cryptographic guarantees at every layer
Ed25519 Signatures
All protocol objects (AIDs, manifests, requests) are signed with Ed25519. Pure JS implementation via @noble/* libraries, zero native deps.
ECDH-ES+AES256GCM
Credential envelopes encrypted with ephemeral key agreement. Only the intended agent can decrypt the credential material.
SHA-3 Audit Ledger
Tamper-evident hash-chained event log. Every credential operation is recorded with SHA-3-256 linking, enabling integrity verification at any point.
APL Policy Engine
AGEX Policy Language provides deterministic policy evaluation for credential issuance decisions based on trust tier, scopes, and agent capabilities.
Nonce Replay Protection
Time-windowed nonce validation prevents request replay attacks. Configurable window with automatic cleanup of expired nonces.
Emergency Revocation
ERS cascade-revokes all credentials for a compromised AID within 60 seconds, notifying all affected service providers automatically.
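The time-windowed nonce check described under Nonce Replay Protection, as an added sketch (not AGEX's own code). It assumes each request carries a nonce and a signed timestamp; the `NonceGuard` class, the 16-character nonce minimum, and the in-memory single-process store are hypothetical choices for illustration.

```javascript
// Added example: time-windowed nonce replay guard (hypothetical names, not AGEX code).
class NonceGuard {
  constructor(windowMs = 5 * 60 * 1000) {
    this.windowMs = windowMs; // configurable acceptance window
    this.seen = new Map();    // nonce -> last instant its timestamp is still acceptable
  }

  // Automatic cleanup: drop nonces whose timestamp can no longer pass the window check.
  // Strict "<" matters: at now == expiry the timestamp is still valid, so the nonce must stay.
  purge(now) {
    for (const [nonce, expiresAt] of this.seen) {
      if (expiresAt < now) this.seen.delete(nonce);
    }
  }

  // Returns { ok, reason }. `timestamp` is the sender's signed request time (assumed field).
  check(nonce, timestamp, now = Date.now()) {
    this.purge(now);
    if (typeof nonce !== 'string' || nonce.length < 16) {
      return { ok: false, reason: 'bad_nonce' };
    }
    if (!Number.isFinite(timestamp) || Math.abs(now - timestamp) > this.windowMs) {
      return { ok: false, reason: 'outside_window' };
    }
    if (this.seen.has(nonce)) {
      return { ok: false, reason: 'replay' };
    }
    // Remember the nonce for as long as its timestamp would still be accepted.
    this.seen.set(nonce, timestamp + this.windowMs);
    return { ok: true, reason: 'accepted' };
  }
}

// Constructed request sequence: first use, replay inside the window, replay after it.
function demo() {
  const guard = new NonceGuard(60_000);
  const t0 = 1_700_000_000_000;     // constructed clock value
  const nonce = 'b3f1c2d4e5a60718'; // constructed nonce
  return [
    guard.check(nonce, t0, t0 + 1_000).reason,
    guard.check(nonce, t0, t0 + 2_000).reason,
    guard.check(nonce, t0, t0 + 61_000).reason,
    guard.seen.size, // the stale nonce has been purged
  ];
}
```

The store only stays bounded because stale timestamps are rejected independently of the nonce cache; a deployment with several hub instances would need a shared store for the same guarantee.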
Quick Start
```bash
npm install
npx @agexhq/setup

# Start the hub
agex hub start

# Or use the SDK in your agent
npm i @agexhq/sdk
```
API Endpoints
All routes are prefixed with /agex/v1.
| Method | Path | Description |
|---|---|---|
| POST | /aids/register | Register a new Agent Identity Document |
| GET | /aids/:aid_id | Retrieve AID details by ID |
| GET | /aids | List AIDs for authenticated org |
| DELETE | /aids/:aid_id | Revoke an AID |
| POST | /credentials/request | Submit an Intent Manifest for credential issuance |
| POST | /credentials/rotate | Rotate an active CLC via ARP |
| POST | /credentials/delegate | Create a delegation sub-credential |
| POST | /ers/signal | Trigger Emergency Revocation System |
| GET | /audit/events | Query tamper-evident audit log |
| GET | /audit/verify | Verify hash chain integrity |
| GET | /discovery/services | List registered service providers |