AgentPass -- The credit check for AI agents. IETF Draft

Documentation

Get your AI agents verified and making trusted payments in under 5 minutes.

Quick Start Trust Levels Identity Verification API Reference Security

Quick Start

Step 1: Install

npm install @proofxhq/agentpass

Step 2: Register

const { Client, register } = require('@proofxhq/agentpass');

const account = await register({
  email: 'you@company.com',
  name: 'Your Name',
  password: 'SecurePass123!',
  company: 'Your Company'
});

// Save your API key securely
console.log('API Key:', account.apiKey);

Step 3: Create an Agent

const client = new Client({ apiKey: account.apiKey });

const agent = await client.createAgent({
  name: 'procurement-bot',
  scope: ['payments']
});

// IMPORTANT: Save the agent private key securely (shown only once)
console.log('Agent ID:', agent.id);
console.log('Private Key:', agent.agentPrivateKey); // Store in KMS/vault
console.log('Trust Score:', agent.trust.score);

Step 4: Make a Payment

const tx = await client.pay({
  agentId: agent.id,
  to: 'aws.amazon.com',
  amount: 5000,       // $50.00 in cents
  currency: 'usd',
  description: 'EC2 instance'
});

console.log('TX:', tx.transactionId);
console.log('Signed:', tx.verified);   // ECDSA P-256
console.log('Hash:', tx.hash);         // SHA-256 chain

Step 5: Prove Identity (for third-party stores)

// Agent proves it is who it claims to be
const proof = await client.proveIdentity(
  agent.id,
  agent.agentPrivateKey  // Never leaves your machine
);

console.log('Verified:', proof.verified);
console.log('Trust:', proof.trust.score);
console.log('Recommendation:', proof.recommendation);

Trust Levels

Agents start at L1 and earn higher trust through consistent, legitimate behaviour. Trust score is computed from 5 weighted dimensions.

LevelScorePer TXDailyUse Case
L00-19$0$0No financial access
L120-39$10$50Micro-payments
L240-59$100$500Standard transactions
L360-79$1,000$5,000Enterprise purchasing
L480-100$50,000$200,000Full access (audited)

Scoring Dimensions

Code Attestation 20%
Has the agent code been verified?
Execution Success 20%
What % of transactions succeed?
Behavioural Consistency 20%
How predictable is the agent?
Operational Tenure 20%
How long has it been active?
Anomaly History 20%
Any flags, demotions, or blocks?

What Changes Trust?

EventEffect
Successful payment+0.5 trust bonus
Payment blocked (over limit)-2 trust penalty
Anomaly detected-5 per anomaly
Critical anomaly (3+ simultaneous)-20 trust penalty
Failed identity verification-10 (impersonation flag)
Limit probing detected-15 + blocked
Inactive 30 days-10 dormancy penalty
Inactive 60 days-20 dormancy penalty
Inactive 90 days-30 (drops to L0)

Identity Verification

Prevent agent impersonation with cryptographic challenge-response. Each agent has its own ECDSA P-256 key pair. The private key never leaves the developer's infrastructure.

How It Works

Store: GET /api/identity/challenge/agent_abc
AgentPass: { challenge: "a7f3b2...", expiresIn: 60 }

Agent: signs challenge with private key
Agent: POST /api/identity/verify { agentId, challenge, signature }

AgentPass: verifies signature against registered public key
AgentPass: { verified: true, trust: { score: 68, level: 3 }, recommendation: "ALLOW" }

What Gets Caught

Wrong key
IMPERSONATION_DETECTED. Trust penalised -10. Logged.
Replay challenge
CHALLENGE_REPLAYED. Each challenge is single-use.
Expired challenge
CHALLENGE_EXPIRED. 60-second window.
Agent mismatch
Challenge was issued for a different agent.

Key Management

ModeHowBest For
Developer-managedYou generate keys, register public key with us. We never see private key.Production (use AWS KMS, GCP Cloud KMS)
AgentPass-generatedWe generate key pair, show private key once. You store it.Quick start, sandbox, testing

API Reference

Agents

MethodEndpointAuthDescription
POST/api/agents/createAPI KeyCreate agent (returns passport + key pair)
GET/api/agentsAPI KeyList all agents with trust scores
GET/api/agents/:id/passportAPI KeyGet agent passport (verified)
POST/api/agents/:id/revokeAPI KeyRevoke agent (immediate, permanent)

Payments

MethodEndpointAuthDescription
POST/api/payAPI KeyMake payment (trust-checked, signed)
POST/api/pay/agent-to-agentAPI KeyAgent-to-agent transfer
GET/api/transactionsAPI KeyList transactions (hash-chained)
GET/api/transactions/:idAPI KeyTransaction detail + signature verification

Trust

MethodEndpointAuthDescription
GET/api/trust/:agentIdAPI KeyTrust score + full dimensions
GET/api/trust/:agentId/reportAPI KeyFull trust report
GET/api/trust/:agentId/eventsAPI KeyTrust event timeline
GET/api/public/trust/:agentIdNonePublic trust check (for stores)

Identity

MethodEndpointAuthDescription
GET/api/identity/challenge/:agentIdNoneGet challenge (60s expiry)
POST/api/identity/verifyNoneVerify signed challenge

Wallet

MethodEndpointAuthDescription
GET/api/wallets/balanceAPI KeyCheck balance
POST/api/wallets/topupAPI KeyAdd funds (sandbox: fake, production: Stripe)

Security

Every Transaction

Platform Protections

For Stores (Integrating Trust Checks)

One API call. No SDK needed. No auth required.

curl https://agentpass.co.uk/api/public/trust/agent_abc123

{
  "trust": { "score": 73, "level": 3 },
  "status": "ACTIVE",
  "recommendation": "ALLOW",
  "spendLimits": { "perTransaction": 100000, "daily": 500000 }
}

See it working: Demo Store | CloudByte Store (third-party example)

Error Handling

const { TrustLimitError, InsufficientFundsError, ReplayError } = require('@proofxhq/agentpass');

try {
  await client.pay({ agentId, to, amount: 999999, currency: 'usd' });
} catch (err) {
  if (err instanceof TrustLimitError) {
    // Payment exceeds trust level limit
  }
  if (err instanceof InsufficientFundsError) {
    // Wallet balance too low
  }
  if (err instanceof ReplayError) {
    // Duplicate nonce -- replay attack blocked
  }
}

Ready to start?

Free sandbox with $10,000 test balance. No credit card needed.

Create Free Account

npm: @proofxhq/agentpass | IETF Draft | contact@agentsign.dev