Skip to content

KanonivThe identity and delegation layer for AI agents

Cryptographic agent identity. Attenuated authority. Entity resolution. One library across Rust, TypeScript, and Python - with byte-identical outputs.

Install

bash
cargo add kanoniv-agent-auth
bash
npm install @kanoniv/agent-auth
bash
pip install kanoniv-agent-auth

5 lines to add auth to any MCP server

typescript
import { McpProof, verifyMcpCall } from "@kanoniv/agent-auth";

function handleToolCall(args: Record<string, unknown>) {
  const { proof, cleanArgs } = McpProof.extract(args);
  if (proof) {
    const result = verifyMcpCall(proof, rootIdentity);
    console.log(`Agent ${result.invoker_did} verified (depth: ${result.depth})`);
  }
  // use cleanArgs for your tool logic
}

No external service. No API key management. The proof is self-contained - the server verifies the entire delegation chain using only the cryptographic material in the request.

How delegation works

Authority flows from a root (human or system) to agents, narrowing at each step:

Root (Human)
  |-- delegates to Manager: [resolve, search, merge]
      |-- delegates to Worker: [resolve] (narrower)
          |-- calls MCP tool with proof
              |-- server verifies entire chain back to root

Caveats accumulate. Each delegation can restrict actions, set expiry times, cap costs, or scope to specific resources. You can only give away a subset of what you have.

CaveatWhat it restricts
action_scopeAllowed actions (e.g. ["resolve", "search"])
expires_atRFC 3339 expiry timestamp
max_costCost ceiling for the operation
resourceResource glob pattern (e.g. "entity:customer:*")
contextKey/value context match (e.g. session_id)
customArbitrary key/value constraint

Choose your path

Adding auth to an MCP server? Start with MCP Server Auth - 5 lines, 5 minutes.

Building agents that delegate to each other? See Agent Identity then Delegation.

Need identity resolution for multi-agent systems? Go to the API Quickstart - resolve your first entity in 60 seconds.

Open source

Agent identity and delegation are MIT-licensed and open source at github.com/kanoniv/agent-auth. The entity resolution engine is a managed service at kanoniv.com.

The identity and delegation layer for AI agents.