agentpass

The credit check for AI agents. Trust scoring, signed payments, spend limits, and compliance for autonomous agents.

Zero dependencies. Works with any agent framework.

The Problem

AI agents are making payments autonomously via Stripe MPP, but:

• No way to check if an agent is trustworthy before letting it pay
• No per-agent spend limits at the protocol level
• No proof which agent authorised which payment
• No audit trail linking agent identity to transactions
• A captured payment request can be replayed

AgentPass solves this. Platforms query agent trust before granting access -- the same way a bank checks your credit score before approving a loan.

Install

npm install @proofxhq/agentpass

Quick Start

const { Client, register } = require('@proofxhq/agentpass');

// 1. Register (once)
const account = await register({
  email: 'you@company.com',
  name: 'Your Name',
  password: 'SecurePass123!',
  company: 'Your Company'
});

// 2. Create client
const client = new Client({
  apiKey: account.apiKey
});

// 3. Create an agent
const agent = await client.createAgent({
  name: 'procurement-bot',
  scope: ['payments']
});

// 4. Make a payment (trust-checked, signed, audited)
const tx = await client.pay({
  agentId: agent.id,
  to: 'aws.amazon.com',
  amount: 5000,       // $50.00 in cents
  currency: 'usd',
  description: 'EC2 instance'
});

Trust Levels

Agents earn spending authority through proven behaviour:

Trust score is computed from 5 weighted dimensions: code attestation, execution success, behavioural consistency, operational tenure, and anomaly history.

Public Trust API

Any platform can check an agent's trust -- no auth required:

curl https://agentpass.co.uk/api/public/trust/agent_abc123

{
  "agentId": "agent_abc123",
  "status": "ACTIVE",
  "trust": { "score": 73, "level": 3, "label": "L3" },
  "recommendation": "ALLOW",
  "spendLimits": { "perTransaction": 100000, "daily": 500000 }
}

Security

Every transaction is ECDSA P-256 signed, replay protected, hash-chained, and anomaly scanned.

Additional protections:

• Developer-level aggregate spend limits (Sybil protection)
• Self-dealing detection (zero trust credit for circular payments)
• Dormancy auto-demotion (30/60/90 day inactivity penalties)
• Promotion rate limiting (minimum days at each level)
• Limit probing detection (near-boundary pattern blocking)
• Rate limiting on all endpoints

API Reference

// Agents
await client.createAgent({ name: 'bot', scope: ['payments'] });
await client.listAgents();
await client.getPassport(agentId);
await client.revokeAgent(agentId);

// Payments
await client.pay({ agentId, to, amount, currency });
await client.agentPay(fromId, toId, amount);
await client.listTransactions();

// Trust
await client.trustScore(agentId);
await client.trustReport(agentId);
await client.trustEvents(agentId);

// Wallet
await client.balance();
await client.topup({ amount: 100000 });

Error Handling

const { TrustLimitError, InsufficientFundsError, ReplayError } = require('@proofxhq/agentpass');

try {
  await client.pay({ agentId, to, amount: 999999, currency: 'usd' });
} catch (err) {
  if (err instanceof TrustLimitError) {
    // "Payment exceeds trust level L2 tx limit"
  }
}

How It Fits

Your AI Agent
    |
    v
AgentPass (trust check + sign + limit + audit)
    |
    v
Stripe / Payment Processor

Standards

• Signing: ECDSA P-256
• Audit: JSON + RFC 5424 syslog
• Based on MCPS Internet-Draft (IETF)
• Patent pending: CSAI-PAT-003

License

MIT

Links

• agentpass.co.uk -- Dashboard
• mcpsaas.co.uk -- MCP Security Proxy
• agentsign.dev -- Zero Trust Engine
• Security issues: contact@agentsign.dev