OpenAPI Extension

Agent auth for every API.

One extension. One middleware line. Agents authenticate with signed trust tokens. APIs verify locally. No gateway. No SaaS dependency.

agentrust.io

The Extension

3 lines in your OpenAPI spec

openapi.yaml
# Add to any OpenAPI 3.0 / 3.1 spec
x-agent-auth:
  algorithm: ES256
  trustLevels: [L0, L1, L2, L3, L4]
  issuerKeysUrl: /.well-known/agent-trust-keys

paths:
  /v1/charges:
    post:
      x-agent-trust-required: L2

API server (one line)
const { verifyAgentTrust } = require('mcp-secure');
// `app` is your existing server application; reject tokens below L2
app.use(verifyAgentTrust({ minTrust: 'L2' }));

Agent side (two lines)
const { AgentIdentity } = require('mcp-secure');
const agent = new AgentIdentity({ trustToken: 'eyJ...' });
// Call from inside an async function (CommonJS has no top-level await)
await agent.fetch('https://api.stripe.com/v1/charges');

Demo API

4 endpoints, 4 trust levels

Each endpoint requires a minimum trust level. The middleware verifies locally.

| Endpoint | Method | Description | Required Trust |
|---|---|---|---|
| /api/data | GET | Read data | L1 |
| /api/charges | POST | Create payment | L2 |
| /api/execute | POST | Execute workflow | L3 |
| /api/admin | DELETE | Admin operation | L4 |

How It Works

Local verification. Like JWT.

1. Agent sends request with signed trust token
   Agent --> API: POST /v1/charges + X-Agent-Trust header

2. Middleware verifies locally (no remote call)
   - Verify ECDSA signature (cached public key)
   - Check token expiry
   - Read trust_level from payload
   - Compare against endpoint requirement

3. Allow or deny
   Agent trust L2 >= Required L2 --> ALLOW

No gateway. No remote call. No vendor dependency.
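
The verification sequence in step 2, written out with Node's built-in crypto as an added example (not mcp-secure's code or the page's). It assumes a JWT-style compact token (`header.payload.signature`, base64url) with an `exp` claim in seconds; `signToken`, `checkAgentTrust`, the reason strings and the demo key pair are hypothetical.

```javascript
const crypto = require('crypto');

const LEVELS = ['L0', 'L1', 'L2', 'L3', 'L4']; // ordered, lowest trust first
const b64u = (data) => Buffer.from(data).toString('base64url');
const deny = (reason) => ({ allow: false, reason });

// Hypothetical issuer-side helper, used only to build demo tokens.
function signToken(claims, privateKey) {
  const input = `${b64u(JSON.stringify({ alg: 'ES256', typ: 'JWT' }))}.${b64u(JSON.stringify(claims))}`;
  const sig = crypto.sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${b64u(sig)}`;
}

// The four local checks from step 2, in order. No network call is made.
function checkAgentTrust(token, publicKey, required, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return deny('malformed');
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
    claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
  } catch {
    return deny('malformed');
  }
  if (!header || !claims) return deny('malformed');
  // Pin the algorithm to the spec's ES256; never let the token header choose it.
  if (header.alg !== 'ES256') return deny('bad-alg');
  // 1. ECDSA P-256 / SHA-256 signature over "header.payload" (raw r||s encoding).
  const valid = crypto.verify('sha256', Buffer.from(`${parts[0]}.${parts[1]}`),
    { key: publicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(parts[2], 'base64url'));
  if (!valid) return deny('bad-signature');
  // 2. Expiry ("exp" is an assumed claim name; a token without it is rejected).
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) return deny('expired');
  // 3 + 4. Read trust_level and compare with the endpoint's minimum.
  const have = LEVELS.indexOf(claims.trust_level);
  const need = LEVELS.indexOf(required);
  if (have < 0 || need < 0) return deny('unknown-level'); // fail closed
  return have >= need ? { allow: true, reason: 'ok' } : deny('insufficient-trust');
}

// Constructed demo data: a throwaway key pair, a fixed clock, an L2 agent token.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const NOW = 1700000000;
const l2Token = signToken({ sub: 'agent-demo', trust_level: 'L2', exp: NOW + 300 }, privateKey);
console.log(checkAgentTrust(l2Token, publicKey, 'L2', NOW)); // endpoint requires L2
console.log(checkAgentTrust(l2Token, publicKey, 'L3', NOW)); // endpoint requires L3
```

A token whose payload is edited to claim a higher `trust_level` while reusing the old signature fails at the signature check, which is what lets the API trust the level without a remote call.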

Trust Framework

L0 through L4

The API sets the minimum. The token carries the level. The middleware compares.

| Level | Meaning | Typical Access |
|---|---|---|
| L0 | Unknown agent | Rejected |
| L1 | Identity verified | Read-only |
| L2 | Trust established | Read + write |
| L3 | Highly trusted | Read + write + execute |
| L4 | Fully trusted | Full access |