live on production infrastructure
Click Run mint → verify. The button calls our demo issuer to sign a fresh passport, then ships that passport to our edge verifier. Both are real production Cloudflare Workers — no mock, no replay.
demo.agentpki.dev/mint → verify.agentpki.dev/v1/verify
Runs entirely in your browser. CORS-enabled on both Workers — the page itself has no backend. The demo issuer uses a hardcoded keypair clearly labeled DEMO-ONLY in source; production issuers use HSM-resident keys per spec §5.3.
A click of Run kicks off three real network calls — to two different production-deployed Cloudflare Workers.
Your browser GETs demo.agentpki.dev/mint with a sub, scope, and lifetime. The issuer Worker signs a PASETO v4.public token with its Ed25519 private key.
Your browser POSTs the token to verify.agentpki.dev/v1/verify. The verifier Worker fetches the issuer's public key from /.well-known/agentpki-issuer.json, validates the Ed25519 signature, consults the CRL, and returns a verdict.
Returned as JSON: {"verdict":"allow", ...} with elapsed Worker compute time. In a real deployment this verdict tells your edge whether to serve the request.
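The verifier step described above, as an added example in Node.js (not AgentPKI's own code): it checks a PASETO v4.public Ed25519 signature, then expiry, then a revocation list, and returns a verdict. Assumptions: revocation is keyed by the `jti` claim, `deny` and `reason` are illustrative names, tokens carry no footer, and the keypair and claims are constructed sample data.

```javascript
// Added example: PASETO v4.public verification in Node.js, no dependencies.
const crypto = require('node:crypto');

const HEADER = Buffer.from('v4.public.');
const EMPTY = Buffer.alloc(0); // no footer and no implicit assertion in this sketch

// PASETO pre-authentication encoding: LE64(count), then LE64(length) + bytes per piece.
function pae(pieces) {
  const le64 = (n) => { const b = Buffer.alloc(8); b.writeBigUInt64LE(BigInt(n)); return b; };
  return Buffer.concat([le64(pieces.length), ...pieces.flatMap((p) => [le64(p.length), p])]);
}

// Issuer side, used here only to build constructed sample tokens.
function mint(claims, privateKey) {
  const m = Buffer.from(JSON.stringify(claims));
  const sig = crypto.sign(null, pae([HEADER, m, EMPTY, EMPTY]), privateKey);
  return HEADER.toString() + Buffer.concat([m, sig]).toString('base64url');
}

const deny = (reason) => ({ verdict: 'deny', reason }); // assumed names, not from the spec

// Verifier side: signature first, then expiry, then the revocation list.
function verify(token, publicKey, revokedJti, now = new Date()) {
  const parts = token.split('.');
  if (parts.length !== 3 || !token.startsWith(HEADER.toString())) return deny('format');
  const raw = Buffer.from(parts[2], 'base64url');
  if (raw.length <= 64) return deny('format'); // payload must precede the 64-byte signature
  const m = raw.subarray(0, raw.length - 64);
  const sig = raw.subarray(raw.length - 64);
  if (!crypto.verify(null, pae([HEADER, m, EMPTY, EMPTY]), publicKey, sig)) return deny('signature');
  const claims = JSON.parse(m.toString()); // parsed only after the signature checks out
  if (!(new Date(claims.exp) > now)) return deny('expired'); // a missing exp also fails closed
  if (revokedJti.has(claims.jti)) return deny('revoked');
  return { verdict: 'allow', sub: claims.sub, scope: claims.scope };
}

// Constructed sample data: a throwaway keypair and claims, not the demo issuer's.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const SAMPLE = { iss: 'issuer.example', sub: 'agent:issuer.example/demo-bot',
  scope: ['read:articles'], jti: 'sample-1', exp: '2099-01-01T00:00:00Z' };
const TOKEN = mint(SAMPLE, privateKey);
console.log(verify(TOKEN, publicKey, new Set()));
console.log(verify(TOKEN, publicKey, new Set(['sample-1'])));
```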
Agents sign with the SDK. Sites verify with one POST. Bot-defense vendors slot in 30 lines of middleware.
    import { AgentPKI } from '@agentpki/sdk';

    const agent = new AgentPKI({
      issuer: 'anthropic.com',
      agentId: 'agent:anthropic.com/research-bot-v3',
      scope: ['read:articles', 'read:public-data'],
    });

    // Auto-signs every outbound request
    // (RFC 9421 Mode B by default)
    const res = await agent.fetch(
      'https://reuters.com/api/article/123'
    );

    POST https://verify.agentpki.dev/v1/verify
    Content-Type: application/json

    {
      "token": "v4.public.eyJpc3M...",
      "mode": "B",
      "request": {
        "method": "GET",
        "url": "https://reuters.com/..."
      }
    }

    → HTTP 200 (21ms warm · 50ms cold)

    {
      "verdict": "allow",
      "passport": {
        "issuer": "anthropic.com",
        "tier": 2,
        "scopes": ["read:articles"]
      },
      "abuse_score": 0.02,
      "crl_fresh": true,
      "replay_checked": true
    }

    // Slot into Cloudflare / DataDome /
    // hCaptcha / Arkose decision pipelines.
    // SIGNAL-only — never overrides yours.
    const apkiSignal = async (req) => {
      const token = req.headers
        .get('AgentPKI-Token');
      // No passport presented: contribute no signal
      if (!token) return null;
      const r = await fetch(
        'https://verify.agentpki.dev/v1/verify',
        { method: 'POST',
          // Declare the JSON body, as in the verify request shown above
          headers: { 'Content-Type': 'application/json' },
          body: JSON.stringify({ token }) }
      );
      const v = await r.json();
      return { verdict: v.verdict,
               tier: v.passport?.tier };
    };

    // → feeds your existing score
    score -= (await apkiSignal(req))
      ?.verdict === 'allow' ? 30 : 0;

The demo's the easy part. Get your own DNS-verified issuer up in 3 minutes via the dashboard, or fork the production-grade real-issuer Worker template.