Zero trust identity for autonomous AI agents. Every action signed. Every tool gated. Every agent verified. No identity, no trust.
Agent security is not optional. OWASP Agentic Top 10 and the EU AI Act now require it.
AgentSign is grounded in IETF specifications, OWASP guidance, and published intellectual property. Not a wrapper -- the standard itself.
Contributor to Section 7: Message Integrity & Replay Protection. The official OWASP guidance for securing Model Context Protocol deployments.
MCPS: Cryptographic security layer for Model Context Protocol. Message signing, trust verification, and replay protection for MCP tool servers.
AgentPass: Challenge-response identity and trust framework for autonomous AI agent payments. Cryptographic proof before any financial transaction.
The secure transport layer for AI agents. Mandatory cryptographic signing, identity, and audit on every agent-to-server API call. No insecure mode.
Patent applications filed at the UK Intellectual Property Office covering agent identity, MCP security, agent transport, ATTP, and payment authorisation.
Zero-dependency Node.js SDK. Agent identity, passport signing, MCP Trust Gate, and verification in one package. Works with any framework.
We audited 12 popular agent frameworks. None have cryptographic agent identity, execution signing, or trust scoring.
| Framework | Stars | Identity | Signing | Trust Score | MCP Gate | Revocation |
|---|---|---|---|---|---|---|
| AutoGPT | 182K | ✗ | ✗ | ✗ | ✗ | ✗ |
| LangChain / LangGraph | 100K+ | ✗ | ✗ | ✗ | ✗ | ✗ |
| MCP Ecosystem | 80.7K | ✗ | ✗ | ✗ | ✗ | ✗ |
| OpenHands | 64K | ✗ | ✗ | ✗ | ✗ | ✗ |
| Microsoft AutoGen | 50.4K | ~ | ✗ | ✗ | ✗ | ✗ |
| CrewAI | 45.6K | ✗ | ✗ | ✗ | ✗ | ✗ |
| HuggingFace smolagents | 25.5K | ✗ | ✗ | ✗ | ✗ | ✗ |
| OpenAI Agents SDK | 19.4K | ✗ | ✗ | ✗ | ✗ | ✗ |
| Google ADK / Vertex | 15.6K | ~ | ✗ | ✗ | ✗ | ~ |
| NeMo Guardrails | 5.7K | ✗ | ✗ | ✗ | ✗ | ✗ |
| Amazon Bedrock | Managed | ~ | ✗ | ✗ | ✗ | ~ |
| Devin / Cognition AI | Closed | ✗ | ✗ | ✗ | ✗ | ✗ |
| AgentSign | OSS | ✓ | ✓ | ✓ | ✓ | ✓ |
✓ = native support; ~ = partial (cloud-locked IAM); ✗ = not available. Source: GitHub, March 2026.
600,000+ agents running without identity = 600,000+ potential attack vectors
The EU AI Act (August 2026) mandates traceability for high-risk AI systems. If your agents can't prove who they are, you're not compliant.
Register, onboard your agent, verify anywhere. No OAuth, no dashboard required. Pure API.
Without this, your agent is an anonymous process with production access. That violates OWASP ASI03.
Every agent gets a unique identity backed by HMAC-SHA256 signatures. Register, onboard, and go. The agent carries its signed passport everywhere.
A self-contained, signed JSON document the agent carries everywhere. Any system can verify it offline -- no server needed. Like SSL certificates, but for AI agents.
The identity layer between agents and MCP tool servers. Before any agent calls a database, file system, or API via MCP, the Trust Gate checks identity, stage, and trust score.
Any service can verify an agent's passport in one API call. Check if the signature is valid, the agent hasn't been revoked, and the passport hasn't been tampered with.
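A minimal sketch of the passport and Trust Gate checks described above, as an added example and not AgentSign SDK code: the field names (`agent_id`, `stage`, `trust_score`, `expires_at`), the policy shape and all function names are hypothetical. Because HMAC-SHA256 is symmetric, the verifier in this sketch must hold the same key as the signer.

```javascript
const crypto = require('crypto');

// Deterministic serialisation (flat objects only): sorted keys, so the
// signer and the verifier compute the MAC over identical bytes.
const canonical = (obj) =>
  JSON.stringify(Object.keys(obj).sort().map((k) => [k, obj[k]]));

function signPassport(body, key) {
  const signature = crypto.createHmac('sha256', key)
    .update(canonical(body)).digest('hex');
  return { ...body, signature };
}

// Signature first, then revocation and expiry: unauthenticated fields
// are never interpreted before the MAC has been checked.
function verifyPassport(passport, key, revoked, now = Date.now()) {
  const { signature, ...body } = passport;
  if (typeof signature !== 'string') return { ok: false, reason: 'unsigned' };
  const expected = crypto.createHmac('sha256', key)
    .update(canonical(body)).digest();
  const given = Buffer.from(signature, 'hex');
  if (given.length !== expected.length ||
      !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad_signature' };
  }
  if (revoked.has(body.agent_id)) return { ok: false, reason: 'revoked' };
  if (body.expires_at <= now) return { ok: false, reason: 'expired' };
  return { ok: true, body };
}

// Gate in front of a tool server: identity, then stage, then trust score.
function trustGate(passport, policy, key, revoked, now) {
  const v = verifyPassport(passport, key, revoked, now);
  if (!v.ok) return v;
  if (!policy.stages.includes(v.body.stage)) return { ok: false, reason: 'stage' };
  if (v.body.trust_score < policy.minTrust) return { ok: false, reason: 'trust_score' };
  return { ok: true, agent: v.body.agent_id };
}

// Constructed sample data (not real agents or keys).
const KEY = crypto.randomBytes(32);
const NOW = 1767225600000;
const passport = signPassport({ agent_id: 'agent-demo-001', stage: 'production',
  trust_score: 82, expires_at: NOW + 3600000 }, KEY);
const policy = { stages: ['production'], minTrust: 70 };
const tampered = { ...passport, trust_score: 99 }; // edited after signing

console.log(trustGate(passport, policy, KEY, new Set(), NOW));
console.log(trustGate(tampered, policy, KEY, new Set(), NOW));
console.log(trustGate(passport, policy, KEY, new Set(['agent-demo-001']), NOW));
```
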
Sign up, onboard your agent, verify everything. That's it.
Create a free account via the console or API. Get an API key instantly. No credit card required.
Register your agent with one API call. It gets a cryptographic identity and signed passport.
Verify any agent's identity before granting access. Public endpoint, no auth needed.
Teams are already integrating MCPS into their security stack.
AI agent observability and governance platform. Real-time risk analysis, human-in-the-loop approvals, and cost attribution -- secured with MCPS cryptographic identity verification.
Integrate MCPS into your agent platform, MCP gateway, or security tool. Get listed in our ecosystem.
No credit card required. Upgrade when you need more agents.
Need unlimited agents? Contact us for Enterprise pricing.
The cost of not signing your agents?
Data breaches, regulatory fines under the EU AI Act, and rogue agents with production access. The free tier covers 5 agents -- there is no reason not to start today.
AgentSign runs wherever you need it. Start with our cloud to test, deploy on-prem for production. Same API, same SDK.
Get started in 30 seconds. We host the server. Ideal for testing, small teams, and prototyping.
Deploy in your VPC. Your infrastructure, your signing keys, your data. Zero calls to us. Full compliance.
Both options use the same SDK (npm install agentsign). Switch from cloud to on-prem with one config change.
We audited the MCP ecosystem. 518 servers scanned. Zero agent identity.
"AI agents inherit extensive permissions and cannot reliably distinguish legitimate instructions from attacker-injected content, enabling zero-click exfiltration, session hijacking, and credential vault takeover."
-- OWASP LLM01:2025 / TLDR InfoSec, March 2026
"83% of organizations plan to deploy agentic AI, yet only 29% feel prepared to secure it. Every framework authenticates the user. None authenticate the agent."
-- OWASP Agentic Top 10 (ASI03), December 2025
These are documented, published CVEs and breaches -- not hypotheticals:
The root cause in every case: no agent identity, no message signing, no trust verification. MCP has no security layer. These attacks will keep happening until the protocol has one.
AgentSign adds the missing identity layer. No valid passport = no access. Revoked = instant kill switch.
Three API calls. Five minutes. Zero trust from day one.
Every unsigned agent is a liability.
41% of MCP servers have zero auth. 6 CVEs in 9 months. Tool poisoning succeeds 72.8% of the time. The time to act is now.
No credit card required. 5 agents free forever. See compliance requirements.