Raza Sharif

AgentSign - Zero trust identity & signing for AI agents

AgentSign is an open-source zero trust engine for AI agents. Every agent gets a cryptographic passport -- a self-contained signed JSON that proves identity and works offline. Before any MCP tool access, agents present their passport. AgentSign checks identity, trust score, and pipeline stage, returning ALLOW or DENY. Features: identity pipeline, execution chains, trust scoring (0-100), swarm revocation, HSM support. Self-hosted, on-prem, zero runtime deps. npm install agentsign. MIT licensed.

Raza Sharif
Maker
Hey Product Hunt! I'm Raza, founder of CyberSecAI.

I built AgentSign because I kept seeing the same problem: AI agents are getting more autonomous every month -- they call APIs, access databases, execute code, make purchases -- but there's no standard identity layer. No way to verify WHO an agent is, WHAT it did, or revoke it when things go sideways. We have mTLS for services. We have OAuth for users. We have nothing for agents.

AgentSign fills that gap. The core idea is simple: every agent gets a cryptographic passport (think digital identity card), and before it can touch any tool, it has to present that passport. The system checks identity, trust score, and pipeline stage, then returns ALLOW or DENY.

What makes it different from access control or API gateways:

- It's agent-native. The identity pipeline (INTAKE -> VETTING -> TESTING -> ACTIVE) mirrors how you'd onboard a human contractor.
- Execution chains. Every input/output pair is signed into a tamper-proof chain. If an agent's output gets modified downstream, you'll know.
- Trust is earned, not configured. Agents start at score 20 and build trust through verified executions, code attestation, and clean history.
- The MCP Trust Layer sits between agents and MCP tool servers. This is the missing piece in the MCP ecosystem -- tool servers today have no way to verify who's calling them.

Technical highlights: HMAC-SHA256 signing by default, optional ECDSA P-256 via HSMs (PKCS#11, AWS KMS, Azure KV, GCP KMS, HashiCorp Vault). Zero runtime dependencies in the SDK. Docker one-liner for the server. Nothing phones home -- your keys, your infrastructure.

If you're building with autonomous agents and wondering "how do I actually trust these things?", give the Colab notebook a spin -- takes 2 minutes, no install needed: https://colab.research.google.co...

Or just: npm install agentsign

The GitHub repo has the full server + SDK. Stars genuinely help with visibility -- we're MIT licensed and committed to keeping this open.

Would love your feedback. Happy to answer any questions about the architecture, crypto design, or how it fits into your agent stack.
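
The execution-chain idea described in the comment above (each input/output pair signed into a chain, HMAC-SHA256 by default), as an added generic sketch in Node.js. It is not AgentSign's code, API or record format; the record fields, the genesis value and all function names are assumptions made for illustration.

```javascript
// Added illustration: generic HMAC-SHA256 execution chain (not AgentSign's code or format).
const crypto = require('node:crypto');
const GENESIS = '0'.repeat(64); // assumed "previous MAC" value for the first record

// Length-prefix every field so ("ab","c") and ("a","bc") give different MAC inputs.
function encode(fields) {
  return Buffer.concat(fields.flatMap((f) => {
    const body = Buffer.from(String(f), 'utf8');
    const len = Buffer.alloc(4);
    len.writeUInt32BE(body.length);
    return [len, body];
  }));
}

function recordMac(key, prev, seq, input, output) {
  return crypto.createHmac('sha256', key).update(encode([prev, seq, input, output])).digest('hex');
}

// Append one input/output pair; its MAC also covers the previous record's MAC.
function appendRecord(chain, key, input, output) {
  const prev = chain.length ? chain[chain.length - 1].mac : GENESIS;
  const seq = chain.length;
  chain.push({ seq, input, output, prev, mac: recordMac(key, prev, seq, input, output) });
  return chain;
}

// Returns -1 if every record verifies, otherwise the index of the first bad record.
function firstInvalid(chain, key) {
  let prev = GENESIS;
  for (let i = 0; i < chain.length; i++) {
    const r = chain[i];
    const want = Buffer.from(recordMac(key, prev, i, r.input, r.output), 'hex');
    const got = Buffer.from(String(r.mac), 'hex');
    const ok = r.seq === i && r.prev === prev &&
      got.length === want.length && crypto.timingSafeEqual(got, want);
    if (!ok) return i;
    prev = r.mac;
  }
  return -1;
}

// Constructed sample data: three agent steps, then a downstream edit of step 1's output.
function demo() {
  const key = crypto.randomBytes(32);
  const chain = [];
  for (const [i, o] of [['lookup order 1001', 'status=shipped'],
    ['refund order 1001', 'amount=20.00'], ['notify customer', 'sent']]) appendRecord(chain, key, i, o);
  const tampered = chain.map((r) => ({ ...r }));
  tampered[1].output = 'amount=2000.00';
  return { clean: firstInvalid(chain, key), tamperedAt: firstInvalid(tampered, key),
    truncatedTail: firstInvalid(chain.slice(0, 2), key) };
}
console.log(demo());
```

The `truncatedTail` result shows that a chain cut short at the end still verifies, so the latest MAC or record count has to be anchored somewhere the writer cannot alter. HMAC is symmetric, so anyone holding the key to verify the chain can also forge it.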