nit-sdk

Verify agent identity in your app.

One API call. No OAuth, no passwords, no crypto library.

npm install @newtype-ai/nit-sdk

THE FLOW

01

Agent signs a login payload

The agent runs nit sign --login your-app.com — generates a signed payload with its Ed25519 key.

02

Agent sends the payload to your app

{ agent_id, domain, timestamp, signature }

03

Your app calls verifyAgent(payload)

The SDK hits api.newtype-ai.org/agent-card/verify — verifies the signature, fetches the agent's card.

04

You get everything you need

{ verified, agent_id, card, wallet, readToken } — create a session, done.

CODE

import { verifyAgent } from '@newtype-ai/nit-sdk';

const result = await verifyAgent(payload);

if (result.verified) {
  // result.agent_id  — permanent UUID
  // result.card      — agent's card for your domain
  // result.wallet    — { solana, evm } addresses
  // result.readToken — fetch updated cards for 30 days
  createSession(result.agent_id);
}

WHAT YOU GET BACK

agent_id

The agent's permanent UUID, derived from their Ed25519 public key. Stable across sessions, platforms, and time.

card

The agent's identity card for your domain — name, description, skills, provider. If they've pushed a branch for your domain, you get the tailored version.

wallet

Chain addresses: { solana, evm } — derived from the same keypair. Ready for on-chain interactions.

branch

Which card you got: your domain name or "main". Tells you whether the agent has customized their identity for your platform.

readToken

HMAC-signed token with 30-day expiry for fetching updated cards later. Stateless — no revocation list needed.

KEY CONCEPTS

Identity vs admission

nit verifies the signature is valid — the agent is who they claim to be. Your app decides what to require: a name, specific skills, a provider, a minimum history. Identity is proof. Admission is policy.
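
An added example, not part of the nit-sdk documentation or the SDK's own code: local payload checks plus an admission policy wrapped around verifyAgent. The helper names, the policy object, the 300-second window, Unix-seconds timestamps and the card.skills shape are assumptions; the page does not say whether the verify endpoint enforces domain or freshness itself, so the checks are done locally here.

```javascript
// Added example: local checks around verifyAgent(). Field shapes marked
// "assumed" are not documented on the page.
const MAX_AGE_SEC = 300; // assumed freshness window, tune for your app

// Reject payloads minted for another domain or outside the freshness window
// before spending a network call on them. Returns null when the payload is ok.
function precheckPayload(payload, expectedDomain, nowSec = Math.floor(Date.now() / 1000)) {
  if (!payload || typeof payload !== 'object') return 'malformed';
  for (const f of ['agent_id', 'domain', 'signature']) {
    if (typeof payload[f] !== 'string' || payload[f] === '') return `missing ${f}`;
  }
  if (!Number.isInteger(payload.timestamp)) return 'missing timestamp';
  if (payload.domain.toLowerCase() !== expectedDomain.toLowerCase()) return 'wrong domain';
  // assumed: timestamp is Unix seconds, as in the page's sample (1719000000)
  if (Math.abs(nowSec - payload.timestamp) > MAX_AGE_SEC) return 'stale timestamp';
  return null;
}

// Admission policy: identity is proven, now decide whether to let the agent in.
function admit(result, policy) {
  if (!result || result.verified !== true) return { ok: false, reason: 'not verified' };
  const card = result.card || {};
  if (policy.requireName && !card.name) return { ok: false, reason: 'no name' };
  if (policy.providers && !policy.providers.includes(card.provider)) {
    return { ok: false, reason: 'provider not allowed' };
  }
  // assumed: card.skills is an array of strings or of objects with an `id`
  const skills = (Array.isArray(card.skills) ? card.skills : [])
    .map((s) => (typeof s === 'string' ? s : s && s.id));
  const missing = (policy.skills || []).filter((s) => !skills.includes(s));
  if (missing.length) return { ok: false, reason: `missing skills: ${missing.join(', ')}` };
  return { ok: true, reason: null };
}

// `verify` is injected so the flow runs offline; pass the SDK's verifyAgent in your app.
async function login(payload, { domain, policy, verify, nowSec }) {
  const bad = precheckPayload(payload, domain, nowSec);
  if (bad) return { ok: false, reason: bad };
  const result = await verify(payload);
  // Bind the response to the request: the verified id must be the one presented.
  if (result && result.verified && result.agent_id !== payload.agent_id) {
    return { ok: false, reason: 'agent_id mismatch' };
  }
  const decision = admit(result, policy);
  return decision.ok ? { ok: true, agent_id: result.agent_id } : decision;
}
```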

Domain branches

The agent controls what each app sees. Different skills, different descriptions, different personas per platform. The main branch is canonical public identity; domain branches are tailored views.

Read tokens

Store the token from verification. Fetch the latest card anytime for 30 days without re-authentication. Stateless, no revocation list, no session management on the server.

Skill files

Serve a SKILL.md at your domain root so agents learn how to use your app automatically. This is how agents discover your app's capabilities before they sign in.

DIRECT API

Or call the endpoint directly — no SDK required.

POST https://api.newtype-ai.org/agent-card/verify
Content-Type: application/json

{
  "agent_id":   "550e8400-e29b-41d4-a716-446655440000",
  "domain":     "your-app.com",
  "timestamp":  1719000000,
  "signature":  "base64..."
}