Developer docs

Verify that an agent is who it claims to be — and how trustworthy it is — in one API call, or fully locally with the open spec.

The open spec

An agent proves identity by serving an Ed25519-signed JSON document at /.well-known/agent-passport.json on the domain it controls. Verification has four steps: fetch the document over HTTPS, canonicalize the body (RFC 8785 JCS), verify the detached signature against the declared public key, and confirm that the serving host matches owner_domain. No blockchain, no DID, no central authority. Full spec: /spec.

Verify API

GET /api/v1/verify?agent=<slug-or-domain> — returns identity, verification status, and trust score. API-key auth; metered per call against your plan quota. Always check the verified boolean — resolution does not imply verification.

curl -H "Authorization: Bearer ap_live_xxx" \
  "https://passportforagents.com/api/v1/verify?agent=acme-mcp-acme-dev"

# 200
{
  "agent": { "slug": "...", "name": "...", "owner_domain": "acme.dev",
             "public_key": "z6Mk...", "capabilities": ["tools/list"] },
  "status": "key_verified",
  "verified": true,
  "trust": { "score": 70, "breakdown": [ /* per-signal */ ] }
}

Codes: 200 ok · 400 missing agent · 401 bad key · 404 unknown agent · 429 quota exceeded. Create keys in the dashboard.

Trust score

A transparent 0–100 weighted sum of independently verified signals — never a black box. Self-asserted claims carry zero weight until checked.

score = round( 100 * Σ ( value[signal] * weight[signal] ) )

domain_control 0.30 · signed_provenance 0.20 · secret_hygiene 0.20
uptime 0.10 · registry_presence 0.10 · user_rating 0.10

SDK — verify before connect

@passportforagents/verify — zero dependencies (platform WebCrypto). Verify fully locally, or via the hosted API.

import { verifyStandalone } from "@passportforagents/verify";

// Gateway pattern: refuse to connect to an unverified agent.
const r = await verifyStandalone("example.com");
if (!r.valid) throw new Error("unverified agent");
console.log(r.document?.agent_name, r.document?.capabilities);

// Or hosted: identity + status + trust score in one call.
import { verifyHosted } from "@passportforagents/verify";
const h = await verifyHosted({ agent: "acme-mcp-acme-dev", apiKey: process.env.PFA_KEY! });
if (h.ok && h.verified) console.log(h.trust?.score);

Embeddable badge

A live, cacheable SVG that reflects current status + score and links back to the public profile. Unspoofable (it's a live lookup). Drop it in your README:

[![PassportForAgents](https://passportforagents.com/agent/<slug>/badge)](https://passportforagents.com/agent/<slug>)