@agent-id/mcp 1.0.0

package/README.md

@@ -0,0 +1,121 @@
+# agentID
+
+MCP server that gives AI agents a verified identity. It authenticates the user via BankID, gets a signed JWT, and attaches it to every HTTP request the agent makes.
+
+Websites can verify the token offline using agentID's public keys — no need to block AI agents when you can verify who's behind them.
+
+## How it works
+
+```
+                  ┌──────────────────┐
+                  │   agentID API    │
+                  │  (BankID + JWT)  │
+                  └──────┬───────────┘
+                         │ 1. authenticate via BankID
+                         │ 2. receive signed JWT
+                         │
+User ← stdio → MCP Server ← HTTP + X-AgentID-Token → any website
+                         │
+                         │ website verifies JWT via /api/jwks
+```
+
+### Authentication flow
+
+1. Agent calls `start_authentication` → gets a BankID auth URL
+2. Agent shows the URL to the user → user completes BankID on their phone
+3. Agent calls `complete_authentication` → MCP server polls until done, caches the JWT
+4. Agent calls `authenticated_fetch` → every request carries `X-AgentID-Token: <jwt>`
+
+The JWT contains a pseudonymous identity (no PII), expires after 1 hour, and is signed with RS256.
+
+## Quick start
+
+```bash
+npm install
+npm run build
+```
+
+## Claude Desktop config
+
+Add to `~/Library/Application Support/Claude/claude_desktop_config.json`:
+
+```json
+{
+  "mcpServers": {
+    "agentID": {
+      "command": "node",
+      "args": ["/absolute/path/to/agentID/dist/index.js"]
+    }
+  }
+}
+```
+
+Or if published to npm:
+
+```json
+{
+  "mcpServers": {
+    "agentID": {
+      "command": "npx",
+      "args": ["agentID"]
+    }
+  }
+}
+```
+
+## MCP Tools
+
+### `start_authentication`
+
+Start a BankID authentication session. Returns an `authUrl` to show the user and a `sessionId` for polling.
+
+No parameters.
+
+### `complete_authentication`
+
+Poll until BankID authentication completes. Caches the JWT automatically.
+
+| Param | Type | Required | Description |
+|-------|------|----------|-------------|
+| `sessionId` | string | yes | Session ID from `start_authentication` |
+
+### `authenticated_fetch`
+
+Make an HTTP request with the cached agentID token attached as `X-AgentID-Token`.
+
+| Param | Type | Required | Description |
+|-------|------|----------|-------------|
+| `url` | string | yes | URL to fetch |
+| `method` | GET / POST / PUT / DELETE | no (default GET) | HTTP method |
+| `body` | string | no | Request body for POST/PUT |
+| `headers` | object | no | Additional headers |
+
+Returns an error if no valid token is cached — call `start_authentication` first.
+
+## Example server
+
+A demo Express server that checks for the `X-AgentID-Token` header:
+
+```bash
+# Start it
+npx ts-node example-server/server.ts
+
+# Without token → 403
+curl http://localhost:4000/whoami
+
+# With token → 200
+curl -H "X-AgentID-Token: any-token" http://localhost:4000/whoami
+```
+
+Endpoints:
+- `GET /whoami` — agent verification status
+- `GET /data` — sample protected data
+- `POST /echo` — echoes request body
+
+## Development
+
+```bash
+npm run dev    # watch mode
+npm run build  # compile TypeScript
+npm start      # run the compiled server
+```

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/dist/index.js

@@ -0,0 +1,170 @@
+#!/usr/bin/env node
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const mcp_js_1 = require("@modelcontextprotocol/sdk/server/mcp.js");
+const stdio_js_1 = require("@modelcontextprotocol/sdk/server/stdio.js");
+const axios_1 = __importDefault(require("axios"));
+const zod_1 = require("zod");
+// --- Config ---
+const AGENTID_URL = "https://agentpass.vercel.app";
+// --- Token cache ---
+let cachedToken = null;
+let tokenExpiresAt = 0;
+function getToken() {
+    if (cachedToken && Date.now() < tokenExpiresAt) {
+        return cachedToken;
+    }
+    cachedToken = null;
+    return null;
+}
+function setToken(jwt) {
+    cachedToken = jwt;
+    // Parse exp from JWT payload (base64url-decoded, no verification needed here)
+    try {
+        const payload = JSON.parse(Buffer.from(jwt.split(".")[1], "base64url").toString());
+        // Expire 30s early to avoid edge cases
+        tokenExpiresAt = (payload.exp * 1000) - 30_000;
+    }
+    catch {
+        // Fallback: 55 minutes
+        tokenExpiresAt = Date.now() + 55 * 60 * 1000;
+    }
+}
+// --- Axios client with token interceptor ---
+const client = axios_1.default.create();
+client.interceptors.request.use((config) => {
+    const token = getToken();
+    if (token) {
+        config.headers.set("X-AgentID-Token", token);
+    }
+    return config;
+});
+// --- Helpers ---
+const sleep = (ms) => new Promise((r) => setTimeout(r, ms));
+function textResult(data, isError = false) {
+    return {
+        content: [{ type: "text", text: JSON.stringify(data, null, 2) }],
+        isError,
+    };
+}
+// --- MCP Server ---
+const server = new mcp_js_1.McpServer({
+    name: "agentID",
+    version: "1.0.0",
+});
+// Tool 1: Start BankID authentication
+server.tool("start_authentication", "Start a BankID authentication session via agentID. " +
+    "Returns an authUrl that the user must open to complete BankID on their phone, " +
+    "and a sessionId to pass to complete_authentication.", {}, async () => {
+    try {
+        const res = await axios_1.default.post(`${AGENTID_URL}/api/auth/start`);
+        const { sessionId, authUrl, expiresAt } = res.data;
+        return textResult({
+            message: "BankID authentication started. Show the authUrl to the user so they can authenticate.",
+            sessionId,
+            authUrl,
+            expiresAt,
+        });
+    }
+    catch (error) {
+        return textResult({ error: error.response?.data ?? error.message }, true);
+    }
+});
+// Tool 2: Poll until BankID authentication completes
+server.tool("complete_authentication", "Poll agentID for BankID authentication completion. " +
+    "Call this after the user has been shown the authUrl from start_authentication. " +
+    "It will poll every 3 seconds until the user completes BankID, then cache the JWT.", {
+    sessionId: zod_1.z
+        .string()
+        .describe("The sessionId returned by start_authentication"),
+}, async ({ sessionId }) => {
+    const maxAttempts = 40; // ~2 minutes
+    let attempts = 0;
+    while (attempts < maxAttempts) {
+        attempts++;
+        try {
+            const res = await axios_1.default.get(`${AGENTID_URL}/api/auth/status`, {
+                params: { sessionId },
+            });
+            if (res.data.status === "complete") {
+                setToken(res.data.jwt);
+                return textResult({
+                    status: "authenticated",
+                    message: "BankID authentication successful. The agent identity token is now cached " +
+                        "and will be automatically attached to all authenticated_fetch requests.",
+                });
+            }
+            if (res.data.status === "failed") {
+                return textResult({
+                    status: "failed",
+                    message: "BankID authentication failed.",
+                    hintCode: res.data.hintCode,
+                }, true);
+            }
+            // Still pending — wait and retry
+            await sleep(3000);
+        }
+        catch (error) {
+            return textResult({ error: error.response?.data ?? error.message }, true);
+        }
+    }
+    return textResult({ status: "timeout", message: "Authentication timed out after 2 minutes." }, true);
+});
+// Tool 3: Make authenticated HTTP requests
+server.tool("authenticated_fetch", "Make an HTTP request with the agent's agentID identity token automatically attached " +
+    "as 'X-AgentID-Token'. The user must complete authentication first via " +
+    "start_authentication and complete_authentication.", {
+    url: zod_1.z.string().url().describe("The URL to fetch"),
+    method: zod_1.z
+        .enum(["GET", "POST", "PUT", "DELETE"])
+        .default("GET")
+        .describe("HTTP method"),
+    body: zod_1.z
+        .string()
+        .optional()
+        .describe("Request body (for POST/PUT)"),
+    headers: zod_1.z
+        .record(zod_1.z.string(), zod_1.z.string())
+        .optional()
+        .describe("Additional headers to include"),
+}, async ({ url, method, body, headers }) => {
+    if (!getToken()) {
+        return textResult({
+            error: "Not authenticated",
+            message: "No valid agentID token. Call start_authentication first, " +
+                "then complete_authentication after the user finishes BankID.",
+        }, true);
+    }
+    try {
+        const response = await client.request({
+            url,
+            method,
+            data: body,
+            headers: (headers ?? {}),
+        });
+        return textResult({
+            status: response.status,
+            headers: response.headers,
+            data: response.data,
+        });
+    }
+    catch (error) {
+        return textResult({
+            status: error.response?.status ?? "unknown",
+            error: error.response?.data ?? error.message,
+        }, true);
+    }
+});
+// --- Start ---
+async function main() {
+    const transport = new stdio_js_1.StdioServerTransport();
+    await server.connect(transport);
+    console.error("agentID MCP server running on stdio");
+}
+main().catch((err) => {
+    console.error("Fatal:", err);
+    process.exit(1);
+});

package/package.json

@@ -0,0 +1,36 @@
+{
+  "name": "@agent-id/mcp",
+  "version": "1.0.0",
+  "description": "MCP server that gives AI agents a verified identity via BankID",
+  "main": "dist/index.js",
+  "bin": {
+    "agent-id-mcp": "dist/index.js"
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "start": "node dist/index.js",
+    "prepublishOnly": "npm run build"
+  },
+  "keywords": [
+    "mcp",
+    "agent",
+    "identity",
+    "jwt",
+    "authentication",
+    "bankid"
+  ],
+  "license": "MIT",
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.26.0",
+    "axios": "^1.13.5",
+    "zod": "^4.3.6"
+  },
+  "devDependencies": {
+    "@types/node": "^25.3.0",
+    "typescript": "^5.9.3"
+  }
+}