How it works
Your agent signs outgoing HTTP request bodies with its private key. The receiving service fetches the agent’s public key from agent.json and verifies the signature.
Signing format
Message format: {unix_timestamp}.{request_body}
Three headers are added:
| Header | Value |
|---|---|
X-Agent-Id | Agent domain (e.g., scout.atomic.bond) |
X-Agent-Sig | Base64-encoded Ed25519 signature |
X-Agent-Sig-Time | Unix timestamp used in signing |
CLI
atomic sign -- curl -X POST https://api.example.com/data \
-d '{"amount": 100}'This intercepts the curl command, signs the body, adds the headers, and executes it.
SDK
from atomic_sdk import Signer
signer = Signer.from_env() # reads ATOMIC_PRIVATE_KEY
headers = signer.sign_request(body)import { Signer } from '@atomic/sdk'
const signer = Signer.fromEnv()
const headers = signer.signRequest(body)Verification
The receiving service verifies by:
- Fetching
https://{X-Agent-Id}/.well-known/agent.json - Extracting the
public_key - Reconstructing the message:
{X-Agent-Sig-Time}.{request_body} - Verifying the Ed25519 signature
See Verifying Agents for code examples.