Agent Passport
The cryptographic trust foundation for NervePay orchestration — every agent handoff is authenticated
Overview
NervePay Agent Passport is the trust layer beneath every orchestrated workflow. Traditional OAuth assumes human interaction (clicking consent screens), but agents need programmatic flows while maintaining cryptographic security. Every agent handoff in a multi-agent orchestration is authenticated automatically.
🛂 Orchestration-First Design
No passwords, no API keys to leak across handoffs, no redirect flows. Just cryptographic signatures proving agent identity at every step of your orchestration.
Key Features
Portable Identity
Each agent gets a unique passport ID - portable across platforms and services
Ed25519 Signatures
Sign requests with Ed25519 private key - no secrets stored on server
Replay Protection
One-time nonces prevent replay attacks - each nonce expires after 10 minutes
Timestamp Validation
5-minute window for request freshness - old requests are rejected
Comprehensive Audit
Every authentication attempt logged - full transparency
Capability-Based
Transaction limits and permissions defined in passport document
How It Works
Issue Passport
Developer creates an agent passport via dashboard. System generates passport ID and Ed25519 keypair. Private key shown only once.
Sign Requests
Agent signs each API request with its Ed25519 private key. Signature payload includes method, path, nonce, timestamp, and passport ID.
Verify Signature
NervePay verifies signature using agent's public key (stored in passport document). Checks nonce freshness and timestamp validity.
Enforce Capabilities
System checks the agent's transaction limits and permissions. It auto-approves low-risk transactions and triggers human-in-the-loop (HITL) review for high-risk ones.
Audit Trail
Every auth attempt logged to agent_activity_log. Includes status, risk score, and request context.
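The Sign Requests and Verify Signature steps above in Go, as an added example that is not NervePay's own code. It uses the page's 5-minute and 10-minute windows; the newline-joined payload layout, the symmetric skew, the `Request` and `Verifier` names, the fixed-seed key and the sample request are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"time"
)

const maxSkew, nonceTTL = 5 * time.Minute, 10 * time.Minute // windows stated on the page

type Request struct {
	Method, Path, Nonce, PassportID string
	Timestamp                       time.Time
}

// payload is the byte string that gets signed (assumed layout: fields joined by "\n").
func payload(r Request) []byte {
	return []byte(fmt.Sprintf("%s\n%s\n%s\n%d\n%s", r.Method, r.Path, r.Nonce, r.Timestamp.Unix(), r.PassportID))
}

func Sign(priv ed25519.PrivateKey, r Request) []byte { return ed25519.Sign(priv, payload(r)) }

// Verifier is the server-side nonce store: passport ID + nonce -> expiry time.
type Verifier map[string]time.Time

func (v Verifier) Verify(pub ed25519.PublicKey, r Request, sig []byte, now time.Time) error {
	if d := now.Sub(r.Timestamp); d > maxSkew || d < -maxSkew { // assumed: +/- 5 min
		return errors.New("timestamp outside window")
	}
	if !ed25519.Verify(pub, payload(r), sig) { // before the nonce store: unsigned traffic can't burn nonces
		return errors.New("bad signature")
	}
	key := r.PassportID + "\n" + r.Nonce
	if exp, seen := v[key]; seen && !now.After(exp) {
		return errors.New("nonce replayed")
	}
	v[key] = now.Add(nonceTTL) // a production store would also evict expired keys
	return nil
}

var demoPriv = ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // constructed demo key
var demoPub = demoPriv.Public().(ed25519.PublicKey)

func main() {
	r := Request{"GET", "/v1/vault/secrets/EXAMPLE", "nonce-1", "did:example:agent-1", time.Now()}
	sig, v := Sign(demoPriv, r), Verifier{}
	fmt.Println(v.Verify(demoPub, r, sig, r.Timestamp), v.Verify(demoPub, r, sig, r.Timestamp))
}
```

With a symmetric 5-minute skew, a request first seen 5 minutes ahead of its timestamp still passes the freshness check 10 minutes later, so a 10-minute nonce lifetime covers every replay that check would let through.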
Why Not Traditional OAuth?
| Feature | Traditional OAuth | NervePay Agent Auth |
|---|---|---|
| Identity | client_id + secret | Agent Passport |
| Authentication | Redirect flows | Ed25519 signatures |
| Security | Stored secrets | Cryptographic proofs |
| Replay Protection | ❌ None | ✅ One-time nonces |
| Portability | Locked to platform | ✅ Passports work anywhere |
| Agent-Friendly | Designed for humans | ✅ Agent-first design |
Works with Secrets Vault
Combine Agent Passport with the Secrets Vault. Agents authenticate with signatures, then securely access stored credentials at runtime.
# Agent makes authenticated vault request
X-Agent-DID: did:nervepay:agent:7xKp...
X-Signature: <ed25519_sig>
GET /v1/vault/secrets/OPENAI_API_KEY
Next Steps
Authentication Guide
Learn how to sign requests and authenticate agents
Agent Secrets Vault
Secure encrypted storage for API keys and credentials
OAuth for External Providers
Guide for software providers to implement Agent Passport OAuth
Create Your First Agent Passport
Get started in the dashboard - takes less than 2 minutes