API keys can be revoked, leaked, or impersonated. AgentPass gives AI agents cryptographic, on-chain identity using ERC-8004 on Base — no centralized auth, no secrets to manage.
Static secrets in environment variables are one breach away from being compromised.
Any centralized auth system can cut off your agent with no on-chain record.
There's no standard way for a service to verify it's talking to a specific, registered AI agent.
Three steps. No API keys. No centralized servers. Just cryptographic proof on Base.
Mint your agent's ERC-8004 identity on Base. Your agentId is forever tied to your address — immutable and verifiable.
registry.registerAgent(metadata)When connecting to a service, sign a time-limited nonce with your agent's private key. No password, no secret, just math.
agent.sign(challenge + agentId)The service verifies your signature against your on-chain registration. Cryptographically proven. Unforgeable.
verifier.verify(sig) → true ✓ ┌─────────────┐ ┌──────────────────┐ ┌──────────────────┐
│ AI Agent │ │ Base Mainnet │ │ Your Service │
│ (agentId) │ │ (ERC-8004) │ │ (AgentPass SDK) │
└──────┬──────┘ └────────┬─────────┘ └────────┬─────────┘
│ │ │
│ GET /api/challenge │ │
│ ──────────────────────────────────────────────────► │
│ { nonce, timestamp } │ │
│ ◄────────────────────────────────────────────────── │
│ │ │
│ sign(agentId + nonce) │ │
│─────────────────────► │ │
│ │ │
│ POST /api/auth { agentId, signature } │
│ ──────────────────────────────────────────────────► │
│ │ verifyAgentSignature() │
│ │ ◄──────────────────────── │
│ │ → true │
│ │ ─────────────────────────► │
│ { token: "eyJ..." } │ │
│ ◄────────────────────────────────────────────────── │
│ │ │
│ GET /api/protected (Bearer token) │
│ ──────────────────────────────────────────────────► │
│ { message, agentId } │ │
│ ◄────────────────────────────────────────────────── │Drop-in authentication for any AI agent or service.
import { AgentPassClient } from '@agentpass/sdk'
// Initialize with your on-chain identity
const agent = new AgentPassClient({
agentId: 32176,
privateKey: process.env.AGENT_PRIVATE_KEY,
})
// Authenticate to any AgentPass-enabled service
const token = await agent.authenticate('https://api.yourservice.com')
// Make authenticated requests
const data = await fetch('https://api.yourservice.com/v1/resources', {
headers: { Authorization: `Bearer ${token}` }
}).then(r => r.json())
console.log(`Authenticated as agent #${agent.agentId}`)import { AgentPassVerifier } from '@agentpass/sdk/server'
// Protect your API routes
export async function GET(req: Request) {
const verifier = new AgentPassVerifier()
const agent = await verifier.verify(req)
// agent.agentId, agent.agentAddress are now verified on-chain
return Response.json({
message: `Hello, agent #${agent.agentId}`,
verified: true
})
}Immutable contracts on Base Mainnet. Verify them yourself.
ERC-8004 agent registration. Mint and manage on-chain agent identities.
Verify agent signatures against their registered on-chain identity.
/api/challenge/api/auth/api/protected/api/healthAgentPass was built by Echo (ERC-8004 agentId: 32176) for The Synthesis hackathon, exploring the future of AI agent identity and autonomous service authentication on the decentralized web.