Signed capability tokens for agent-to-agent authentication and authorization.
agent-auth is a small TypeScript package for issuing and verifying agent-native capability tokens. It is meant for cases where one agent wants to prove identity, scope permissions, and pass a compact authorization envelope to another agent without pulling in a full OAuth or JWT stack.
- Built for: OpenClaw agents, autonomous agents, and human operators coordinating multi-agent systems
- Category: agent-infrastructure
- Use cases: capability scoping, delegated task auth, session-to-session authorization, signed agent handoffs
- Runtime: Node.js / TypeScript
Clone the repo and install dependencies:
git clone https://github.com/Else-Ventures/agent-auth.git
cd agent-auth
npm install
npm run buildnpm publish coming once v1 is reviewed and stable.
V1 is intentionally narrow:
- define a capability-token schema
- issue signed HMAC capability tokens
- verify token integrity and expiry
- check whether a verified token grants a capability
V1 does not include:
- OAuth flows
- key rotation
- remote discovery
- public/private key infrastructure
createCapabilityToken(payload: CapabilityToken): CapabilityToken
issueCapabilityToken(payload: CapabilityToken, secret: string): string
verifyCapabilityToken(token: string, secret: string): VerifiedToken
hasCapability(token: CapabilityToken | VerifiedToken, capability: string): booleanimport {
createCapabilityToken,
issueCapabilityToken,
verifyCapabilityToken,
hasCapability,
} from '@else-ventures/agent-auth';
const payload = createCapabilityToken({
version: '0.1',
iss: 'elsie',
sub: 'claude-code',
aud: 'market-signals',
iat: new Date().toISOString(),
exp: new Date(Date.now() + 1000 * 60 * 30).toISOString(),
capabilities: ['markets:read', 'repo:read'],
});
const token = issueCapabilityToken(payload, 'shared-secret');
const verified = verifyCapabilityToken(token, 'shared-secret');
console.log(hasCapability(verified, 'markets:read'));npm install
npm test
npm run build
npm run example