@skhema/agent-sdk
v0.1.4
Published
Client SDK for Skhema registered agents — local keypair generation, enrollment-token redemption, and proof-of-possession request signing (Agent Auth Protocol).
Maintainers
Readme
@skhema/agent-sdk
Client SDK for Skhema registered agents. Generates the agent's keypair
locally, redeems a one-time enrollment token, and signs short-lived
proof-of-possession JWTs for every request. Built on the
Agent Auth Protocol (@better-auth/agent-auth).
Private keys never leave your runtime — only public keys are sent to Skhema.
Install
npm install @skhema/agent-sdkOnly runtime dependency is jose. Runs in Node
18+, Deno, and modern browsers. The core entry (@skhema/agent-sdk) is
isomorphic; the file-backed credential store lives at @skhema/agent-sdk/node.
Quick start
An org admin registers the agent in the Skhema dashboard and gets a one-time enrollment token. On the agent's host:
import { createAgentClient, createAgentFetch } from '@skhema/agent-sdk'
import { FileCredentialStore } from '@skhema/agent-sdk/node'
const agent = createAgentClient({
baseUrl: 'https://auth.skhema.com/api/auth',
store: new FileCredentialStore(), // ~/.skhema/agent.json (0600)
})
// One-time: redeem the enrollment token (keypairs generated locally).
await agent.enroll(process.env.SKHEMA_ENROLLMENT_TOKEN!)
// Per request: sign as the agent.
const session = await agent.session()
const skhemaFetch = createAgentFetch(agent)
const res = await skhemaFetch('https://api.skhema.com/v1/...')Building blocks
| Export | Purpose |
| --- | --- |
| createAgentClient / AgentClient | Facade: enroll, signRequestJwt, session, clear. |
| createAgentFetch | fetch wrapper that injects a fresh agent+jwt. |
| CredentialStore, MemoryCredentialStore | Pluggable persistence (extensibility seam). |
| FileCredentialStore (/node) | ~/.skhema/agent.json, 0600. |
| generateKeypair, signHostJwt, signAgentJwt | Low-level Ed25519 / JWT primitives. |
| discover, enrollHost, registerAgent, claimAgent, getAgentSession | Typed protocol calls. |
Status
Pre-1.0. The agent-binding strategy after host enrollment (register a fresh
agent vs claim a pre-created one) is configurable on enroll(); the claim
path is pending live verification against the Skhema auth server.
