Issue, verify, delegate, rotate, revoke. One ~5MB binary, zero dependencies, air-gapped capable. Ed25519 + ML-DSA-65 hybrid signatures.
Every major agent framework has the same blind spot.
Bearer tokens, env vars, shared secrets. Any process on the machine can read them. That's not identity — it's a Post-it note.
MCP and A2A give agents ways to talk. But neither says how to prove who's talking. Two agents meet — and neither can verify the other is real.
Four supply chain attacks in 12 days. 100M+ downloads hit. Agent-to-agent exploits aren't theoretical — they're being used right now.
No SDK. No containers. No cloud account. Just a ~5MB binary.
One command creates a signed agent card with Ed25519 + ML-DSA-65 keys, scoped permissions, and a SPIFFE ID. Takes under a second.
Sign HTTP requests (RFC 9421). Run challenge-response auth. Any service can verify your agent's identity without a third party.
Agent A grants Agent B a subset of its permissions. Scopes can only narrow, never widen. Cryptographic chain all the way back to a human.
New keys, re-signed cards, zero downtime. Or permanent revocation — once revoked, it's done. Tamper-evident audit log records everything.
Every signature uses both Ed25519 and ML-DSA-65 (FIPS 204). Both must validate. If either algorithm breaks, the other still holds. Agent identities outlive the agents that use them — plan accordingly.
Human → agent → sub-agent. Each step can only narrow scope and shorten TTL. A sub-agent with "calendar:read" can never promote itself to "calendar:write". Any downstream service verifies the full chain in one call.
Download it. Run it. That's the install process. No cloud. No Docker. No Python. No npm. Works air-gapped — defense, fintech, healthcare, edge devices. Everything's stored in local SQLite.
Install, issue an identity, run the E2E lab. Everything works offline.