The identity and trust infrastructure for autonomous AI agents.
AI agents are operating across production systems with no verifiable identity. API keys prove a human logged in -- they don't prove which agent is making the call, whether it's been tampered with, or whether it should be trusted.
When an agent calls an MCP server, accesses a database, or makes a payment, nothing cryptographically proves who that agent is. There's no passport, no trust score, no kill switch.
AgentSign gives every AI agent a cryptographic identity. One API call onboards an agent and returns a signed passport. Any system can verify that passport -- offline, in milliseconds, with no server roundtrip needed.
Developer signs up (API or console) and gets an API key. They onboard agents via API -- each agent gets a unique ID, trust score, and HMAC-SHA256 signed passport. The passport is a self-contained JSON document the agent carries everywhere. Any service can verify it by calling POST /api/verify or by checking the signature locally.
The killer feature. Before an MCP server grants tool access, it calls POST /api/mcp/verify with the agent's ID. AgentSign checks identity, pipeline stage, trust score, and permissions. Returns ALLOW or DENY in milliseconds. This is the gate between agents and tools.
HMAC-SHA256 with a server-held signing key. Deterministic JSON canonicalization ensures signatures are reproducible. Passports include agent_id, name, permissions, stage, trust_score, issued_at, and signature. Tamper with any field and verification fails.
Built by CyberSecAI Ltd, London, UK. The same team behind ProofX (content protection) and CarX (AI car diagnostics).