The agentId is a URL that points to your agent’s identity document — a JSON file containing your agent’s name, developer info, and public key. In production, the server fetches this URL to get your public key and verify your identity proofs.
Scenario
Do you need a hosted agentId?
What to do
Development (server has skipAttestationVerification)
No
Use any URL as a placeholder. The server won’t actually fetch it.
Gateway mode (production)
Depends on gateway config
Many gateways trust registered agents without fetching the identity document.
Native mode (production)
Yes
Host agent.json at a URL the server can reach. See Step 1.
Every agent in ATH has an identity — a key pair and a document that ties them together. Think of it like an ID card: the document is the card, and the private key proves you’re the person on the card.
import { generateKeyPair, exportJWK, exportPKCS8 } from "jose";import fs from "fs";// Generate a key pairconst { publicKey, privateKey } = await generateKeyPair("ES256", { extractable: true,});// Save the private key (keep this secret!)const privatePem = await exportPKCS8(privateKey);fs.writeFileSync("agent-private.pem", privatePem);// Export the public key as JWK (this goes in your identity document)const publicJwk = await exportJWK(publicKey);publicJwk.kid = "default";publicJwk.alg = "ES256";console.log("Public JWK:", JSON.stringify(publicJwk, null, 2));
from cryptography.hazmat.primitives.asymmetric import ecfrom cryptography.hazmat.primitives import serializationimport json# Generate a key pairprivate_key = ec.generate_private_key(ec.SECP256R1())# Save the private key (keep this secret!)pem = private_key.private_bytes( serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8, serialization.NoEncryption(),)with open("agent-private.pem", "wb") as f: f.write(pem)# The PEM string is what you pass to the SDKpem_str = pem.decode()print("Private key saved to agent-private.pem")
ES256 is a digital signature algorithm using the P-256 elliptic curve. It creates two keys:
Private key — kept secret by your agent. Used to sign identity proofs.
Public key — shared openly. Used by servers to verify your proofs.
You don’t need to understand the cryptography. Just know: private key = secret, public key = shareable, and the SDK handles all the signing automatically.
In production, host this JSON file at the URL specified in agent_id. For example, if your agent_id is https://your-agent.com/.well-known/agent.json, the file must be fetchable at that URL.The demo includes a minimal identity server (agent/server.ts) that does this — it’s just an Express server with one route.
I'm in development — do I need to host this?
No. If the server you’re connecting to has skipAttestationVerification: true (like the demo), it won’t fetch your identity document. You still need to provide an agentId string when creating the client, but it can be any URL — the server just stores it as a label, without fetching it.In gateway mode, many gateways also skip or cache identity verification, so you may not need a reachable URL even in production. Check with your gateway operator.
When you call register(), authorize(), or exchangeToken(), the SDK automatically:
Creates a fresh attestation JWT (identity proof) containing your agentId, a timestamp, and a unique ID
Signs it with your private key
Includes it in the HTTP request to the server
The server receives the JWT, fetches your public key from your agent_id URL (or skips this in development), and verifies the signature. If it matches, the server knows the request really came from your agent.You never need to build or sign JWTs yourself — the SDK handles it all.
import { ATHGatewayClient } from "@ath-protocol/client";import { importPKCS8 } from "jose";import fs from "fs";// Load your persistent private key (or generate ephemeral for dev)const pem = fs.readFileSync("agent-private.pem", "utf-8");const privateKey = await importPKCS8(pem, "ES256");const client = new ATHGatewayClient({ url: "https://your-gateway.com", agentId: "https://your-agent.com/.well-known/agent.json", privateKey, keyId: "default", // must match the "kid" in your identity document});// 1. DISCOVER — what providers and scopes are available?const discovery = await client.discover();console.log("Providers:");for (const p of discovery.supported_providers) { console.log(` ${p.provider_id}: ${p.available_scopes.join(", ")}`);}// 2. REGISTER — "I'm an agent, may I access this provider?"// The SDK automatically signs an attestation JWT with your private key.const reg = await client.register({ developer: { name: "My Company", id: "my-company" }, providers: [{ provider_id: "my-provider", scopes: ["read", "write"] }], purpose: "AI shopping assistant",});console.log("Agent status:", reg.agent_status);// reg.client_id and reg.client_secret are stored internally by the SDK// 3. AUTHORIZE — "Please ask the user to approve me"// Returns a URL for the user to visit in their browser.const auth = await client.authorize("my-provider", ["read", "write"]);console.log("Send the user to this URL:", auth.authorization_url);console.log("Session ID (save this!):", auth.ath_session_id);// ⏳ WAIT — the user opens the URL in their browser, sees a consent// screen listing the permissions, and clicks "Approve".// The session expires after 10 minutes if the user doesn't act.// 4. TOKEN — "The user approved, give me my access token"const token = await client.exchangeToken("auth-code", auth.ath_session_id);console.log("Access token:", token.access_token);console.log("Granted scopes:", token.effective_scopes);console.log("Scope breakdown:", token.scope_intersection);// {// agent_approved: ["read", "write"], ← what the service approved// user_consented: ["read", "write"], ← what the user approved// effective: ["read", "write"] ← the intersection (what you got)// }// 5. USE THE API — call endpoints through the ATH proxyconst products = await client.proxy("my-provider", "GET", "/products");console.log("Products:", products);// POST requests with a body:await client.proxy("my-provider", "POST", "/cart/add", { productId: "prod-123", quantity: 2,});// 6. REVOKE — clean up when done (token also expires naturally)await client.revoke();console.log("Token revoked. Done!");
pip install ath-sdk cryptography
from ath import ATHGatewayClient# Load your private keywith open("agent-private.pem") as f: pem = f.read()with ATHGatewayClient( url="https://your-gateway.com", agent_id="https://your-agent.com/.well-known/agent.json", private_key=pem, key_id="default",) as client: # 1. DISCOVER discovery = client.discover() for p in discovery.supported_providers: print(f" {p.provider_id}: {p.available_scopes}") # 2. REGISTER — SDK signs attestation JWT automatically reg = client.register( developer={"name": "My Company", "id": "my-company"}, providers=[{"provider_id": "my-provider", "scopes": ["read", "write"]}], purpose="AI shopping assistant", ) print(f"Agent status: {reg.agent_status}") # 3. AUTHORIZE — get URL for user consent auth = client.authorize("my-provider", ["read", "write"]) print(f"Send user to: {auth.authorization_url}") print(f"Session ID: {auth.ath_session_id}") # ⏳ WAIT for user to approve in browser (10 min timeout) # 4. TOKEN token = client.exchange_token("auth-code", auth.ath_session_id) print(f"Granted scopes: {token.effective_scopes}") # 5. USE THE API products = client.proxy("my-provider", "GET", "/products") print(f"Products: {products}") client.proxy("my-provider", "POST", "/cart/add", { "productId": "prod-123", "quantity": 2, }) # 6. REVOKE client.revoke() # Save credentials for next session (avoids re-registration) client.save_credentials("my-agent-creds.json")
npm install -g athx# Configure (one-time)athx config initathx config set-gateway my-gw https://your-gateway.comathx config set agent-id https://your-agent.com/.well-known/agent.jsonathx config set key-path ./agent-private.pem # your ES256 private key
GATEWAY="my-gw"# 1. DISCOVERathx discover -g $GATEWAY# 2. REGISTERathx register -g $GATEWAY --provider my-provider --scopes "read,write"# 3. AUTHORIZE — prints a URL for the user to visitathx authorize -g $GATEWAY --provider my-provider --scopes "read,write"# Output:# Session: ath_sess_abc123# Please visit: https://...# → Open that URL in your browser, log in, click Approve# 4. TOKEN — after the user approvedathx token -g $GATEWAY --code AUTH_CODE --session ath_sess_abc123# 5. USE THE APIathx proxy my-provider GET /products -g $GATEWAYathx proxy my-provider POST /cart/add -g $GATEWAY \ --body '{"productId":"prod-123","quantity":2}'# 6. REVOKEathx revoke -g $GATEWAY --provider my-provider
If you don’t configure --key-path, athx generates an ephemeral key each run. This works for development (with skipAttestationVerification) but means your identity changes every restart.
”I’m talking to this specific server” (prevents the proof from being replayed to a different server)
iat
”I created this proof at this time” (must be within 5 minutes of server time)
exp
”This proof expires at this time”
jti
”This is a unique proof” (prevents the same proof from being used twice)
You never build this yourself. The SDK constructs and signs it automatically. But understanding what’s inside helps you debug errors like INVALID_ATTESTATION.
