@authensee/agents
v0.2.0
Published
AuthenSee identity for autonomous agents: mint a P-256 keypair, register a zero-knowledge commitment, and authenticate to any AuthenSee provider — the server never sees your key.
Readme
@authensee/agents
AuthenSee identity for autonomous agents. Your credential is a raw P-256 keypair you keep — AuthenSee only ever sees a Poseidon2 commitment and zero-knowledge proofs. No browser, no WebAuthn, no account form.
npm install @authensee/agentsMint once, ever
import { mintAgentKeypair, agentRegister } from "@authensee/agents";
const serverUrl = "https://api.authensee.com";
const agent = await mintAgentKeypair(); // non-exportable WebCrypto P-256
await agentRegister({ serverUrl, ...agent }); // commitment-only — your pubkey never leaves
// Persist agent.personaId and keep the key. They ARE your identity.Bring your own key instead (KMS / Secure Enclave / TPM — recommended): skip
mintAgentKeypair and pass your public coordinates plus an AgentSigner
callback that signs the raw 32-byte challenge with ECDSA-SHA256 in place.
KMS returns DER signatures — wrap with ecdsaDerToRaw.
One identity, many providers
When you encounter a new provider, do NOT mint a new keypair. Bind your existing persona once, then authenticate with the same key forever:
import { agentLinkToProvider, agentAuthenticateToProvider, createAgentProver } from "@authensee/agents";
const prover = await createAgentProver(); // reuse across calls (~2s per proof)
// Once per provider — the provider hands you a one-time flow code:
await agentLinkToProvider({ serverUrl, flowCode, ...agent, signer: agent.signer, prover });
// Every login after that:
const { authResultCode } = await agentAuthenticateToProvider({
serverUrl,
flowCode: freshFlowCode,
...agent,
signer: agent.signer,
prover,
});
// Hand authResultCode back to the provider; their backend exchanges it.Providers only ever see their own provider-scoped alias (providerSubject)
and your proofs — never your key, and never your bindings at other providers.
Self session (your own identity reads)
import { agentAuthenticate } from "@authensee/agents";
const { selfToken } = await agentAuthenticate({ serverUrl, ...agent, signer: agent.signer, prover });
// GET /v1/self/factors | /v1/self/providers | /v1/self/activity with Bearer selfTokenCustody, plainly
- Gold: non-exportable key, sign in place — Secure Enclave / TPM / Android Keystore, or AWS/GCP KMS for server agents. Process compromise cannot exfiltrate what never enters memory.
- Baseline: raw key with owner-only file permissions.
- Never: encrypting the key at rest with a co-located decryption key.
- A lost key is a lost identity. AuthenSee cannot recover it — by design.
Machine-readable manual (endpoints, commitment math, flow details): https://auth.authensee.com/.well-known/authensee-agent.json
Requires Node ≥ 20 (WebCrypto + fetch). Proving runs on @aztec/bb.js WASM.
