For service developers

Accept verified AI agents on your platform.

AI agents are going to start calling your API. When they do, you need to know whether they're legitimate and what they're authorized to do, and you need a record of every action. KairosAI Identity handles all of that in one call.

01. Agent presents token

When an agent calls your API, it includes a signed JWT in its request header. This token was issued by KairosAI Identity.

02. You call /verify

Pass the token to our /verify endpoint. We check it against our registry and return allow/deny in under 50ms.

03. We log everything

Every verification is written to a tamper-evident audit log. The agent owner can prove exactly what their agent did and when.

Integration

Add agent verification to your service in minutes.

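// The agent sends its token on every request.
// In the agent's code the value comes from process.env.AGENT_TOKEN.
// In the service's code (shown here as Express-style middleware):

async function requireVerifiedAgent(req, res, next) {
  const agentJwt = req.headers['x-agent-token']  // sent by the agent

  // Reject requests that carry no agent token at all
  if (!agentJwt) {
    return res.status(401).json({ error: 'Missing agent token' })
  }

  let response
  try {
    response = await fetch(
      'https://identity.kairosaistudio.com/api/v1/verify',
      {
        method: 'POST',
        headers: {
          'Authorization': `Bearer ${YOUR_API_KEY}`,  // your service's API key
          'Content-Type': 'application/json',
        },
        body: JSON.stringify({
          token: agentJwt,           // the agent's AGENT_TOKEN value
          target_resource: 'your-service',
          scopes_requested: ['read:data'],
        }),
      }
    )
  } catch (err) {
    // Fail closed when the verification service cannot be reached
    return res.status(503).json({ error: 'Agent verification unavailable' })
  }

  // Fail closed when the verification call itself did not succeed
  if (!response.ok) {
    return res.status(403).json({ error: 'Agent not authorized' })
  }

  const { allowed, agent } = await response.json()

  if (!allowed) {
    return res.status(403).json({ error: 'Agent not authorized' })
  }

  // Agent is verified — proceed
  console.log(agent.did)           // did:kairos:abc123
  console.log(agent.active_scopes) // ['read:data']
  next()
}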

Token convention

There's no enforced standard yet for how agents pass tokens — we recommend this pattern.

Recommended — dedicated header

X-Agent-Token: eyJhbGciOiJFUzI1NiJ9...

Clean separation between service auth and agent identity. Your service can have its own Authorization header for API key auth.

Alternative — Authorization header

Authorization: Bearer eyJhbGciOiJFUzI1NiJ9...

Works if your service doesn't use its own bearer auth. Simpler, but it mixes concerns.

Available scopes

Scopes define what an agent is allowed to do. Check these against scopes_requested in your /verify call.

| Scope | Risk | Description |
| --- | --- | --- |
| read:email | medium | Read email messages |
| write:email | high | Send emails on behalf of user |
| read:calendar | low | Read calendar events |
| write:calendar | medium | Create and modify calendar events |
| read:files | medium | Read files and documents |
| write:files | high | Create and edit files |
| browse:web | low | Fetch public web pages |
| submit:forms | high | Submit web forms |
| execute:code | high | Run code in a sandbox |
| read:database | high | Query a database |
| call:agents | medium | Invoke other AI agents |
| read:identity | low | Verify other agents via KairosAI |

Offline verification

For high-volume services, verify tokens locally using our public JWKS endpoint. No API call needed on every request — just fetch the public keys once and cache them.

1. Fetch JWKS

GET /api/v1/.well-known/jwks.json

Fetch once, cache for 24 hours.

2. Verify JWT locally

jose.jwtVerify(token, JWKS)

Use any ES256-compatible JWT library.

3. Check revocation

POST /api/v1/verify

Call /verify only when you need a revocation check.

Note: Offline verification won't catch revoked agents until the JWKS cache expires. Use POST /verify for security-critical actions where instant revocation matters.

Verified badge

Show users that your platform verifies AI agents using KairosAI Identity.

Verified by KairosAI Identity

Paste this HTML anywhere on your site:

<a href="https://identity.kairosaistudio.com/verified" target="_blank" rel="noopener noreferrer">
  <img src="https://identity.kairosaistudio.com/api/badge/verified.svg" alt="Verified by KairosAI Identity" height="24" />
</a>

Ready to integrate?

Get your API key for free

Free tier includes 10,000 verifications per month. No credit card required.