Cryptographic Identity & Trust Protocol for AI Agents
The "SSL certificates" for the AI agent economy. Open-source protocol that gives every AI agent a verifiable, cryptographic identity.
AI agents are operating across enterprise systems with zero identity verification. No one can answer:
- Which agent performed this action?
- Was it authorized?
- Can we prove compliance to regulators?
MCP servers expose powerful tools, but any agent can call any tool. There's no authentication, no authorization, no audit trail.
AstraCipher is a W3C-standards-based protocol that provides:
- Decentralized Identifiers (DIDs) --- Unique, cryptographic identity for every agent (
did:astracipher:mainnet:abc123) - Verifiable Credentials --- Signed attestations of capabilities, permissions, and trust levels
- Trust Chains --- Delegated authority with depth limits (Creator -> Authorizer -> Agent -> Sub-agent)
- Post-Quantum Cryptography --- ML-DSA-65 + ECDSA P-256 hybrid signatures (FIPS 204 compliant)
- Compliance Modules --- Generate regulatory-ready reports for 10+ frameworks worldwide
- 850M+ AI agents expected by 2030 (Gartner)
- MCP adopted by Anthropic, OpenAI, Google, Microsoft --- but has no identity layer
- AAIF (Linux Foundation + Anthropic) defines agent interoperability --- AstraCipher provides the missing identity primitive
- EU AI Act enforcement begins 2025-2026, requiring traceability for high-risk AI systems
- NIST AI RMF and ISO 42001 becoming enterprise prerequisites
# Install the CLI
npm install -g @astracipher/cli
# Initialize AstraCipher in your project
astracipher init
# Generate post-quantum key pair
astracipher keygen --algo hybrid
# Create an agent identity (DID)
astracipher create --name "my-data-agent" --key .astracipher/keys/agent.pub.json
# Issue a credential
astracipher issue \
--did did:astracipher:testnet:abc123 \
--capabilities read,write \
--trust-level 8 \
--validity 365d
# Verify a credential
astracipher verify --credential ./credential.jsonimport { AstraCipherClient } from '@astracipher/core';
import { HybridKeyManager } from '@astracipher/crypto';
const keyManager = new HybridKeyManager();
const keyPair = await keyManager.generateKeyPair('hybrid');
const client = new AstraCipherClient({ keyManager });
const did = await client.createDID('my-agent', keyPair);
const credential = await client.issueCredential(did, {
capabilities: ['read', 'write'],
trustLevel: 8,
});
const result = await client.verifyCredential(credential);Any MCP-compatible AI agent (Claude, GPT, etc.) can use AstraCipher tools:
{
"mcpServers": {
"astracipher": {
"command": "npx",
"args": ["@astracipher/mcp-server"]
}
}
}Available MCP tools:
create_agent_identity--- Create a DID for an agentverify_agent--- Verify an agent's credentialcheck_permissions--- Check agent permissions for a resourceinspect_credential--- View credential details
+----------------------------------------------------------+
| AstraCipher Protocol |
+---------------+----------------+-------------------------+
| @astracipher/ | @astracipher/ | @astracipher/ |
| crypto | core | compliance-* |
| (PQC keys, | (DIDs, VCs, | (DPDP, EU AI Act, |
| signing) | trust chain) | GDPR, SEBI, ...) |
+---------------+----------------+-------------------------+
| Integration Layer |
| +--------------+ +-------------+ +------------------+ |
| | MCP Server | | A2A Adapter | | REST API | |
| | (AI agents) | | (Google A2A)| | (server) | |
| +--------------+ +-------------+ +------------------+ |
+----------------------------------------------------------+
| Package | Description | Status |
|---|---|---|
@astracipher/crypto |
Post-quantum cryptographic primitives (ML-DSA-65, ML-KEM-768, ECDSA P-256, hybrid) | Core |
@astracipher/core |
DID management, credential issuance/verification, trust chains | Core |
@astracipher/cli |
Command-line interface for all AstraCipher operations | Core |
@astracipher/compliance-core |
Pluggable compliance engine for regulatory frameworks | Core |
@astracipher/sdk-python |
Python SDK for AstraCipher protocol | Core |
| Package | Description |
|---|---|
@astracipher/mcp-server |
MCP integration --- expose AstraCipher as AI agent tools |
@astracipher/a2a-adapter |
Google A2A protocol adapter for agent-to-agent auth |
Platform & Premium Modules (Proprietary --- astracipher-platform)
| Component | Description |
|---|---|
@astracipher/server |
Production verification server (PostgreSQL, org management, API keys) |
@astracipher/dashboard |
React dashboard for agent identity management |
| 10 compliance modules | DPDP, SEBI, RBI, EU AI Act, GDPR, HIPAA, NIST, SOC 2, ISO 42001, UK AI Safety |
AstraCipher uses hybrid post-quantum + classical cryptography by default:
| Algorithm | Standard | Purpose |
|---|---|---|
| ML-DSA-65 | FIPS 204 | Post-quantum digital signatures |
| ECDSA P-256 | FIPS 186-5 | Classical digital signatures |
| ML-KEM-768 | FIPS 203 | Post-quantum key encapsulation |
| Hybrid Mode | --- | Both PQC + classical must validate |
Built on audited libraries: @noble/post-quantum and @noble/curves.
Why hybrid? Classical ECDSA provides battle-tested security today. ML-DSA protects against quantum attacks. Both must validate --- so you get defense-in-depth against both classical and quantum adversaries.
| AstraCipher | Keycard (a16z) | Aembit | Microsoft Entra Agent ID | |
|---|---|---|---|---|
| Open source | BSL 1.1 | Closed | Closed | Closed |
| Post-quantum crypto | ML-DSA + ECDSA hybrid | No | No | No |
| W3C DID standard | Yes | No | No | Partial |
| MCP native | Yes | Yes | No | No |
| Compliance modules | 10+ frameworks | No | No | No |
| Self-hosted option | Yes | No | No | No |
| Vendor lock-in | None | Platform | Platform | Azure |
# Clone the repo
git clone https://github.com/AstraFintechLabs/astracipher.git
cd astracipher
# Install dependencies
npm install
# Build all packages
npx turbo build
# Run tests
npx turbo test
# Run the CLI locally
npx ts-node packages/cli/src/index.ts --helpastracipher/ # Public repo (BSL 1.1)
+-- packages/
| +-- crypto/ # PQC crypto primitives (ML-DSA, ML-KEM, ECDSA)
| +-- core/ # Protocol implementation (DIDs, VCs, trust chains)
| +-- cli/ # CLI tool
| +-- sdk-python/ # Python SDK
| +-- compliance-core/ # Compliance engine framework
+-- integrations/
| +-- mcp-server/ # MCP integration
| +-- a2a-adapter/ # Google A2A adapter
+-- e2e-test.mjs # E2E test suite (67 tests)
+-- .github/workflows/ # CI/CD pipeline
The production server, dashboard, and premium compliance modules (DPDP, SEBI, RBI, EU AI Act, GDPR, HIPAA, NIST, SOC 2, ISO 42001, UK AI Safety) are in the private astracipher-platform repository.
Business Source License 1.1 (BSL 1.1)
- Use: Free to use, modify, and self-host for any purpose
- Restriction: Cannot create a competing hosted agent identity/compliance service
- Change Date: February 18, 2030 (converts to Apache License 2.0)
- Full text: LICENSE
This means: startups, enterprises, and developers can freely use AstraCipher in their products. The only restriction is you can't take this code and launch a competing AstraCipher-as-a-Service offering.
We welcome contributions! Please see CONTRIBUTING.md for guidelines.
Astra Fintech Labs --- Building trust infrastructure for the AI agent economy.
AstraCipher: Because in a world of autonomous AI agents, identity isn't optional.