@agentic-passport/core
v0.4.1
Published
AgentPassport core — framework-agnostic verifier + signer (RFC 9421, DPoP, mandate JWT).
Maintainers
Readme
@agentic-passport/core
Framework-agnostic verification + signing primitives for AgentPassport. Node-only (uses node:crypto).
Used by @agentic-passport/next (vendor SDK) and @agentic-passport/agent (agent SDK). Pull this directly if you're building a vendor in a non-Next.js framework (Hono, Express, Fastify, etc.).
Install
pnpm add @agentic-passport/core @agentic-passport/protocolWhat's in here
signRequest()/verifyRequest()— RFC 9421 HTTP message signatures (Web Bot Auth profile)signDpop()/verifyDpop()— RFC 9449 DPoP proofsverifyMandate()— EdDSA mandate JWT verification against trusted-issuer JWKSmintAccessToken()/verifyAccessToken()— DPoP-bound access tokenscanonicalizeTargetUri()— URL canonicalization for signature basecomputeBodyDigest()— RFC 9530Content-Digest
Example: verify a vendor-side request
import { verifyRequest } from '@agentic-passport/core';
const result = await verifyRequest(
{ method: req.method, url: req.url, body: bodyBytes, headers: req.headers },
{
resolveKey: async (keyId) => keyRegistry.get(keyId),
timestampWindowSeconds: 60,
isNonceSeen: nonceCache.has,
rememberNonce: nonceCache.set,
isKeyRevoked: revocationList.has,
now: () => Math.floor(Date.now() / 1000),
},
);
if (!result.ok) return new Response(JSON.stringify({ error_code: result.code }), { status: 401 });Spec
See the protocol spec for the wire format these primitives implement.
License
Apache-2.0. Repository
