Open-source agent authentication for AI agents — with Solana-native identity, on-chain attestation, and token-gated subscription tiers.
Built on the Agent Auth Protocol · Powered by Helius + Metaplex + Better Auth
Most auth systems were built for humans. AI agents are different — they run autonomously, act on behalf of users, and need cryptographic identity that:
- Proves wallet ownership on Solana via Ed25519 signatures (SIWS)
- Attests on-chain that the agent NFT and its SPL token are owned by the same wallet
- Scales access through token holdings — hold more CLAWD, unlock more capabilities
- Persists across sessions — one attestation hash binds the agent identity forever
This repo ships everything you need to implement this end-to-end.
| Package | Version | Description |
|---|---|---|
@clawd/agent-auth-solana |
 |
🔮 Solana extension — SIWS, DAS attestation, CAAP/1.0 |
@better-auth/agent-auth |
 |
⚡ Better Auth plugin — capabilities, JWTs, registration |
@auth/agent |
 |
🤖 Client SDK for agent runtimes |
@auth/agent-cli |
 |
🛠️ CLI + MCP server |
# Full stack (server + Solana + SDK)
npx @clawd/agent-auth-installOr pick what you need:
# Server only
npm install @better-auth/agent-auth better-auth
# Solana extension (SIWS + CAAP)
npm install @clawd/agent-auth-solana better-auth-solana @solana/kit
# Client SDK
npm install @auth/agent
# CLI
npm install -g @auth/agent-cliClawd Agent Attestation Protocol v1.0 — four phases, one permanent identity hash.
┌─────────────────────────────────────────────────────────────────┐
│ CAAP/1.0 Flow │
├──────────┬──────────────┬──────────────┬────────────────────────┤
│ Phase 1 │ Phase 2 │ Phase 3 │ Phase 4 │
│ SIWS │ DAS │ SPL │ Tier │
│ │ │ │ │
│ Sign msg │ getAssetsByO │ getTokenAcct │ CLAWD balance │
│ w/ wallet│ -wner (Heli) │ -sByOwner │ → tier badge │
│ │ │ │ │
│ Ed25519 │ Agent NFT │ CLAWD token │ Free → Diamond │
│ verify │ owner match │ owner match │ │
├──────────┴──────────────┴──────────────┴────────────────────────┤
│ attestationHash = sha256(agentId:wallet:mint:ts) │
└─────────────────────────────────────────────────────────────────┘
| Tier | CLAWD Required | Badge |
|---|---|---|
| 🩶 Free | 0 | Basic SIWS sign-in |
| 🟤 Bronze | 100,000+ | + Agent attestation, peer card |
| ⚪ Silver | 500,000+ | + History, priority verify |
| 🟡 Gold | 1,000,000+ | + Real-time monitoring, webhooks |
| 💎 Diamond | 5,000,000+ | + All features, enterprise SLA |
// lib/auth.ts
import { betterAuth } from "better-auth";
import { siws } from "better-auth-solana";
import { createCaapPlugin } from "@clawd/agent-auth-solana";
export const auth = betterAuth({
plugins: [
// Sign In With Solana
siws({ domain: "your-app.com" }),
// CAAP/1.0 — attestation, peer cards, tiers
createCaapPlugin({
heliusApiKey: process.env.HELIUS_API_KEY,
clawdMint: process.env.CLAWD_TOKEN_ADDRESS,
enableSubscriptionTiers: true,
enableDasAttestation: true,
}),
// Standard agent auth capabilities
agentAuth({
capabilities: [
{ name: "attest_agent", description: "Attest a Solana agent identity" },
{ name: "get_peer_card", description: "Fetch verified agent peer card" },
],
}),
],
});import { createAuthClient } from "better-auth/client";
import { siwsClient, createSIWSMessage } from "better-auth-solana/client";
const authClient = createAuthClient({ plugins: [siwsClient()] });
// Step 1: get nonce
const { data } = await authClient.siws.nonce({ walletAddress: address });
// Step 2: sign with wallet (Phantom, Backpack, etc.)
const message = createSIWSMessage({
address,
challenge: data,
statement: "Sign in to my app",
});
const signature = await wallet.signMessage(new TextEncoder().encode(message));
// Step 3: verify → session created
await authClient.siws.verify({
message,
signature: Buffer.from(signature).toString("base64"),
walletAddress: address,
});import { attestAgent, computeTier } from "@clawd/agent-auth-solana";
const result = await attestAgent("my-agent-id", walletAddress, {
heliusRpcUrl: `https://mainnet.helius-rpc.com/?api-key=${process.env.HELIUS_API_KEY}`,
clawdMint: "8cHzQHUS2s2h8TzCmfqPKYiM4dSt4roa3n7MyRLApump",
});
if (result.verified) {
const { tier, clawdBalance } = computeTier(result.tokenBalance ?? 0);
console.log(`✅ Agent verified`);
console.log(` Tier: ${tier} (${clawdBalance.toLocaleString()} CLAWD)`);
console.log(` Hash: ${result.attestationHash}`);
}Every CAAP server auto-exposes /.well-known/agent-configuration:
{
"issuer": "https://your-app.com",
"provider_name": "Your App",
"modes": ["delegated", "autonomous"],
"solana": {
"network": "mainnet-beta",
"attestation_protocol": "CAAP/1.0",
"clawd_mint": "8cHzQHUS2s2h8TzCmfqPKYiM4dSt4roa3n7MyRLApump"
},
"capabilities": [
{ "name": "attest_agent", "description": "Attest agent identity on-chain" },
{ "name": "get_peer_card", "description": "Fetch verified agent peer card" },
{ "name": "list_agents", "description": "List verified agents" }
]
}| App | Description | Stack |
|---|---|---|
apps/directory |
Agent directory — browse CAAP-verified Solana agents | Next.js 15, Drizzle, Better Auth |
apps/agent-extension |
Browser extension for agent identity management | Vite, React, TypeScript |
| Example | What it shows |
|---|---|
examples/agent-deploy |
Basic agent auth flow with email sign-in |
examples/agent-coffee |
Agent commerce with billing and orders |
examples/brex-agent |
Fintech agent with payment capabilities |
examples/stripe-agents |
Stripe payment agent with approval flow |
examples/gmail-proxy |
Gmail proxy with WebAuthn approval |
examples/vercel-proxy |
Vercel proxy with passkey auth |
AI coding agents can use the CAAP skill file:
# With Claude Code / skills-enabled runtimes
npx skills add clawd/caap
# Or reference directly
cat skills/caap.mdCopy .env.example in any app and fill in:
# Required for CAAP attestation
HELIUS_API_KEY=your_helius_api_key # helius.dev
CLAWD_TOKEN_ADDRESS=8cHzQHUS2s2h8TzCmfqPKYiM4dSt4roa3n7MyRLApump
# Required for Better Auth
BETTER_AUTH_SECRET= # openssl rand -base64 32
DATABASE_URL=postgresql://...
# Optional: Helius webhook verification
HELIUS_WEBHOOK_SECRET= # for real-time wallet monitoringNo private keys are ever stored or committed. The repo contains zero secrets.
# Clone and install
git clone https://github.com/Solizardking/agent-auth
cd agent-auth
pnpm install
# Build all packages
pnpm build
# Run tests
pnpm test
# Type check
pnpm typecheck
# Format (Oxfmt)
pnpm fmtNode.js ≥22 required. Uses pnpm workspaces + Turbo.
PRs welcome. Please open an issue first for large changes.
- Fork the repo
- Create a branch:
git checkout -b feat/your-feature - Make your changes and add tests
- Run
pnpm fmt && pnpm typecheck && pnpm test - Open a PR
See CONTRIBUTING.md if it exists, otherwise just open an issue.
Packages are published to npm under the @clawd and @better-auth scopes. To publish:
# Bump versions
pnpm bump
# Publish (requires NPM_TOKEN in environment or .npmrc)
NPM_TOKEN=your_token pnpm -r publish --access publicOr push a tag to trigger the GitHub Actions release workflow:
git tag v0.1.0 && git push origin v0.1.0agent-auth/
├── packages/
│ ├── agent-auth/ # @better-auth/agent-auth — server plugin
│ ├── agent-auth-solana/ # @clawd/agent-auth-solana — Solana extension
│ ├── sdk/ # @auth/agent — client SDK
│ └── cli/ # @auth/agent-cli — CLI + MCP
├── apps/
│ ├── directory/ # Agent directory (Next.js)
│ └── agent-extension/ # Browser extension (Vite)
├── examples/ # Reference implementations
└── skills/ # AI agent skill files (caap.md)
