AstraCipher

Cryptographic identity MCP server for AI agents using W3C DIDs, Verifiable Credentials, and NIST post-quantum cryptography (ML-DSA-65 FIPS 204).

Cryptographic Identity & Trust Protocol for AI Agents

The "SSL certificates" for the AI agent economy. Open-source protocol that gives every AI agent a verifiable, cryptographic identity.

License: BSL 1.1 | TypeScript | Post-Quantum | FIPS 204


The Problem

AI agents are operating across enterprise systems with zero identity verification. No one can answer:

  • Which agent performed this action?
  • Was it authorized?
  • Can we prove compliance to regulators?

MCP servers expose powerful tools, but any agent can call any tool. There's no authentication, no authorization, no audit trail.

The Solution

AstraCipher is a W3C-standards-based protocol that provides:

  • Decentralized Identifiers (DIDs) --- Unique, cryptographic identity for every agent (did:astracipher:mainnet:abc123)
  • Verifiable Credentials --- Signed attestations of capabilities, permissions, and trust levels
  • Trust Chains --- Delegated authority with depth limits (Creator -> Authorizer -> Agent -> Sub-agent)
  • Post-Quantum Cryptography --- ML-DSA-65 + ECDSA P-256 hybrid signatures (FIPS 204 compliant)
  • Compliance Modules --- Generate regulatory-ready reports for 10+ frameworks worldwide

Why Now

  • 850M+ AI agents expected by 2030 (Gartner)
  • MCP adopted by Anthropic, OpenAI, Google, Microsoft --- but has no identity layer
  • AAIF (Linux Foundation + Anthropic) defines agent interoperability --- AstraCipher provides the missing identity primitive
  • EU AI Act enforcement begins 2025-2026, requiring traceability for high-risk AI systems
  • NIST AI RMF and ISO 42001 becoming enterprise prerequisites

Quick Start

CLI

# Install the CLI
npm install -g @astracipher/cli

# Initialize AstraCipher in your project
astracipher init

# Generate post-quantum key pair
astracipher keygen --algo hybrid

# Create an agent identity (DID)
astracipher create --name "my-data-agent" --key .astracipher/keys/agent.pub.json

# Issue a credential
astracipher issue \
  --did did:astracipher:testnet:abc123 \
  --capabilities read,write \
  --trust-level 8 \
  --validity 365d

# Verify a credential
astracipher verify --credential ./credential.json

SDK (TypeScript)

import { AstraCipherClient } from '@astracipher/core';
import { HybridKeyManager } from '@astracipher/crypto';

const keyManager = new HybridKeyManager();
const keyPair = await keyManager.generateKeyPair('hybrid');

const client = new AstraCipherClient({ keyManager });
const did = await client.createDID('my-agent', keyPair);
const credential = await client.issueCredential(did, {
  capabilities: ['read', 'write'],
  trustLevel: 8,
});
const result = await client.verifyCredential(credential);

MCP Integration

Any MCP-compatible AI agent (Claude, GPT, etc.) can use AstraCipher tools:

{
  "mcpServers": {
    "astracipher": {
      "command": "npx",
      "args": ["@astracipher/mcp-server"]
    }
  }
}

Available MCP tools:

  • create_agent_identity --- Create a DID for an agent
  • verify_agent --- Verify an agent's credential
  • check_permissions --- Check agent permissions for a resource
  • inspect_credential --- View credential details

Architecture

+----------------------------------------------------------+
|                    AstraCipher Protocol                     |
+---------------+----------------+-------------------------+
|  @astracipher/  |  @astracipher/   |  @astracipher/            |
|    crypto     |     core       |   compliance-*          |
|  (PQC keys,   |  (DIDs, VCs,   |  (DPDP, EU AI Act,     |
|   signing)    |  trust chain)  |   GDPR, SEBI, ...)     |
+---------------+----------------+-------------------------+
|                   Integration Layer                       |
|  +--------------+  +-------------+  +------------------+ |
|  | MCP Server   |  | A2A Adapter |  |   REST API       | |
|  | (AI agents)  |  | (Google A2A)|  |   (server)       | |
|  +--------------+  +-------------+  +------------------+ |
+----------------------------------------------------------+

Packages

Core Protocol (BSL 1.1 --- Open Source)

| Package | Description | Status |
|---|---|---|
| @astracipher/crypto | Post-quantum cryptographic primitives (ML-DSA-65, ML-KEM-768, ECDSA P-256, hybrid) | Core |
| @astracipher/core | DID management, credential issuance/verification, trust chains | Core |
| @astracipher/cli | Command-line interface for all AstraCipher operations | Core |
| @astracipher/compliance-core | Pluggable compliance engine for regulatory frameworks | Core |
| @astracipher/sdk-python | Python SDK for AstraCipher protocol | Core |

Integrations (BSL 1.1)

| Package | Description |
|---|---|
| @astracipher/mcp-server | MCP integration --- expose AstraCipher as AI agent tools |
| @astracipher/a2a-adapter | Google A2A protocol adapter for agent-to-agent auth |

Platform & Premium Modules (Proprietary --- astracipher-platform)

| Component | Description |
|---|---|
| @astracipher/server | Production verification server (PostgreSQL, org management, API keys) |
| @astracipher/dashboard | React dashboard for agent identity management |
| 10 compliance modules | DPDP, SEBI, RBI, EU AI Act, GDPR, HIPAA, NIST, SOC 2, ISO 42001, UK AI Safety |

Cryptography

AstraCipher uses hybrid post-quantum + classical cryptography by default:

| Algorithm | Standard | Purpose |
|---|---|---|
| ML-DSA-65 | FIPS 204 | Post-quantum digital signatures |
| ECDSA P-256 | FIPS 186-5 | Classical digital signatures |
| ML-KEM-768 | FIPS 203 | Post-quantum key encapsulation |
| Hybrid Mode | --- | Both PQC + classical must validate |

Built on audited libraries: @noble/post-quantum and @noble/curves.

Why hybrid? Classical ECDSA provides battle-tested security today. ML-DSA protects against quantum attacks. Both must validate --- so you get defense-in-depth against both classical and quantum adversaries.
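
The "both must validate" rule, as an added sketch that is not AstraCipher's own code: Ed25519 from Node's standard library stands in for ML-DSA-65 so the example runs without dependencies, and every type and function name here is hypothetical. It shows that a missing or mismatched component signature fails verification instead of falling back to the remaining one.

```typescript
import { generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";

// Assumption: Ed25519 stands in for ML-DSA-65 so this runs on Node's standard
// library alone. All names below are hypothetical, not the AstraCipher API.
type KeyPair = { publicKey: KeyObject; privateKey: KeyObject };
type HybridKeys = { classical: KeyPair; pq: KeyPair };
type HybridSig = { classical?: Buffer; pq?: Buffer };
type HybridPub = { classical: KeyObject; pq: KeyObject };

function generateHybridKeys(): HybridKeys {
  return {
    classical: generateKeyPairSync("ec", { namedCurve: "P-256" }),
    pq: generateKeyPairSync("ed25519"), // stand-in for ML-DSA-65
  };
}

function hybridSign(msg: Buffer, keys: HybridKeys): HybridSig {
  return {
    classical: sign("sha256", msg, keys.classical.privateKey),
    pq: sign(null, msg, keys.pq.privateKey),
  };
}

// A verifier exception (e.g. malformed encoding) counts as a failed check.
function check(alg: string | null, msg: Buffer, key: KeyObject, sig?: Buffer): boolean {
  if (!sig) return false; // a missing component is a failure, never "skip"
  try { return verify(alg, msg, key, sig); } catch { return false; }
}

// AND-composition: both components are always evaluated and both must pass.
function hybridVerify(msg: Buffer, sig: HybridSig, pub: HybridPub): boolean {
  const classicalOk = check("sha256", msg, pub.classical, sig.classical);
  const pqOk = check(null, msg, pub.pq, sig.pq);
  return classicalOk && pqOk;
}

// Constructed sample payload, plus the cases a hybrid verifier must reject.
function runCases(): Record<string, boolean> {
  const keys = generateHybridKeys();
  const other = generateHybridKeys();
  const pub = { classical: keys.classical.publicKey, pq: keys.pq.publicKey };
  const msg = Buffer.from('{"did":"did:astracipher:testnet:abc123","trustLevel":8}');
  const sig = hybridSign(msg, keys);
  return {
    valid: hybridVerify(msg, sig, pub),
    tamperedPayload: hybridVerify(Buffer.from(msg.toString().replace("8", "9")), sig, pub),
    pqStripped: hybridVerify(msg, { classical: sig.classical }, pub),
    pqFromOtherKey: hybridVerify(msg, { ...sig, pq: hybridSign(msg, other).pq }, pub),
  };
}
```

When reviewing any hybrid verifier, the case to test first is `pqStripped`: accepting a credential that carries only one of the two signatures reduces the scheme to its weaker half.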

Competitive Positioning

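| | AstraCipher | Keycard (a16z) | Aembit | Microsoft Entra Agent ID |
|---|---|---|---|---|
| Open source | BSL 1.1 | Closed | Closed | Closed |
| Post-quantum crypto | ML-DSA + ECDSA hybrid | No | No | No |
| W3C DID standard | Yes | No | No | Partial |
| MCP native | Yes | Yes | No | No |
| Compliance modules | 10+ frameworks | No | No | No |
| Self-hosted option | Yes | No | No | No |
| Vendor lock-in | None | Platform | Platform | Azure |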

Development

# Clone the repo
git clone https://github.com/AstraFintechLabs/astracipher.git
cd astracipher

# Install dependencies
npm install

# Build all packages
npx turbo build

# Run tests
npx turbo test

# Run the CLI locally
npx ts-node packages/cli/src/index.ts --help

Project Structure

astracipher/                         # Public repo (BSL 1.1)
+-- packages/
|   +-- crypto/                    # PQC crypto primitives (ML-DSA, ML-KEM, ECDSA)
|   +-- core/                      # Protocol implementation (DIDs, VCs, trust chains)
|   +-- cli/                       # CLI tool
|   +-- sdk-python/                # Python SDK
|   +-- compliance-core/           # Compliance engine framework
+-- integrations/
|   +-- mcp-server/                # MCP integration
|   +-- a2a-adapter/               # Google A2A adapter
+-- e2e-test.mjs                   # E2E test suite (67 tests)
+-- .github/workflows/             # CI/CD pipeline

The production server, dashboard, and premium compliance modules (DPDP, SEBI, RBI, EU AI Act, GDPR, HIPAA, NIST, SOC 2, ISO 42001, UK AI Safety) are in the private astracipher-platform repository.

License

Business Source License 1.1 (BSL 1.1)

  • Use: Free to use, modify, and self-host for any purpose
  • Restriction: Cannot create a competing hosted agent identity/compliance service
  • Change Date: February 18, 2030 (converts to Apache License 2.0)
  • Full text: LICENSE

This means: startups, enterprises, and developers can freely use AstraCipher in their products. The only restriction is you can't take this code and launch a competing AstraCipher-as-a-Service offering.

Contributing

We welcome contributions! Please see CONTRIBUTING.md for guidelines.

Built by

Astra Fintech Labs --- Building trust infrastructure for the AI agent economy.


AstraCipher: Because in a world of autonomous AI agents, identity isn't optional.
