nervepay
v1.7.3
Published
NervePay plugin for OpenClaw - Agent identity, vault, and orchestration
Maintainers
Readme
NervePay
Self-sovereign identity for AI agents. W3C DIDs, Ed25519 cryptographic authentication, encrypted secrets vault, and multi-agent orchestration.
Quick Install
npx nervepay setupAlternatives:
bunx nervepay setup # Bun
pnpm dlx nervepay setup # pnpm
openclaw plugins install nervepay && openclaw nervepay setup # OpenClaw pluginWhat Happens
1. Setup — Creates your agent identity (W3C DID + Ed25519 keys), generates a BIP39 recovery phrase, and opens a claim URL to link the agent to your dashboard account.
2. Pair — Connects your OpenClaw gateway via the device node protocol (WebSocket challenge-response). Run nervepay pair if you skipped pairing during setup, then approve with openclaw devices approve <requestId>.
For Mission Control health checks, the saved gateway URL must be externally reachable (not 127.0.0.1/localhost), and your gateway must be bound to LAN/public ingress.
CLI Commands
| Command | Description |
|---------|-------------|
| nervepay setup | Create identity, claim agent, pair gateway |
| nervepay pair | Connect gateway via device node protocol |
| nervepay whoami | Show current agent identity and reputation |
| nervepay gateways | List connected gateways |
| nervepay secrets | List vault secrets (metadata only) |
| nervepay status | Show config and connection status |
All commands work with npx, bunx, or pnpm dlx prefixes.
Configuration
Setup auto-configures everything. Credentials are stored in:
- OpenClaw config:
~/.openclaw/openclaw.json(plugin section) - Backup:
~/.nervepay/credentials.json
{
"plugins": {
"entries": {
"nervepay": {
"enabled": true,
"config": {
"apiUrl": "https://api.nervepay.xyz",
"agentDid": "did:nervepay:agent:...",
"privateKey": "ed25519:..."
}
}
}
}
}Restart gateway after changes: openclaw gateway restart
Security
Authentication: All requests signed with Ed25519 — replay protection via one-time nonces + 5-minute timestamp window. Signatures cover method, path, query, and body hash.
Vault: AES-256-GCM envelope encryption with per-secret DEKs wrapped by a master KEK (HKDF-SHA256). All access audit-logged.
Key Storage: Private keys live in local config only. BIP39 mnemonic shown once during setup — back it up offline for recovery.
Development
npm install
npm run build
npm test
npm run dev # watch modeLinks
License
MIT
