auth-agents 0.4.0 → 0.4.2

package/README.md

@@ -1,6 +1,6 @@
 # auth-agents
 
-Verify AI agent identities with [Agent Auth](https://getagentauth.com). DID-based authentication using Ed25519 and Verifiable Credentials.
+Verify AI agent identities with [Agent Auth](https://usevigil.dev). DID-based authentication using Ed25519 and Verifiable Credentials.
 
 ## Install
 
@@ -126,7 +126,7 @@ if (auth.valid) {
 ## Website Integration (Next.js)
 
 ```typescript
-// app/api/auth/agent/route.ts
+// app/api/auth/agent-login/route.ts
 import { AuthAgents } from "auth-agents"
 
 const authAgents = new AuthAgents()
@@ -164,7 +164,7 @@ import { AuthAgents } from "auth-agents"
 const app = express()
 const authAgents = new AuthAgents()
 
-app.post("/auth/agent", express.json(), async (req, res) => {
+app.post("/auth/agent-login", express.json(), async (req, res) => {
   const { credential } = req.body
   const result = await authAgents.verify(credential)
 
@@ -188,7 +188,7 @@ app.post("/auth/agent", express.json(), async (req, res) => {
 
 ### `new AuthAgents(config?)`
 
-- `config.baseUrl` — API base URL (default: `https://auth.getagentauth.com`)
+- `config.baseUrl` — API base URL (default: `https://auth.usevigil.dev`). The SDK enforces HTTPS for all API communication. HTTP is only allowed for `localhost` during development.
 
 ### `AuthAgents.generateKeyPair()` — Static
 
@@ -229,9 +229,21 @@ Returns `VerifyResult` on success:
 }
 ```
 
+Returns `VerifyError` (HTTP 401) without throwing:
+```typescript
+{
+  valid: false
+  error: "credential_expired" | "invalid_issuer" | "signature_invalid" | "credential_revoked"
+  message: string
+}
+```
+
 ### `client.register(input)` — Register a new agent identity
 
 `input.public_key_jwk` is optional. Omit it for server-generated keys (Flow A). Provide it for BYOK (Flow B).
+You can also pass:
+- `credential_expires_in` — credential lifetime in seconds (`0` means non-expiring)
+- `metadata` — key/value metadata map (max key/value sizes enforced server-side)
 
 Returns `RegisterResult`:
 ```typescript
@@ -244,13 +256,17 @@ Returns `RegisterResult`:
 }
 ```
 
-### `client.challenge(did)` — Request an auth challenge
+### `client.challenge(did, site_id?)` — Request an auth challenge
+
+`site_id` is optional and scopes the challenge/session when your deployment uses site-level org provisioning.
 
 ### `client.authenticate(input)` — Submit signed challenge
 
+`input` supports optional `credential_expires_in` to customize the issued credential lifetime (`0` means non-expiring).
+
 ## Documentation
 
-Full API reference at [getagentauth.com/docs](https://getagentauth.com/docs/)
+Full API reference at [usevigil.dev/docs](https://usevigil.dev/docs/)
 
 ## License
 

package/dist/index.d.mts

@@ -1,5 +1,5 @@
 interface AuthAgentsConfig {
-    /** Base URL of the Agent Auth API. Defaults to https://auth.getagentauth.com */
+    /** Base URL of the Agent Auth API. Defaults to https://auth.usevigil.dev */
     baseUrl?: string;
 }
 /** Ed25519 key pair in JWK format, returned by generateKeyPair() */
@@ -30,7 +30,7 @@ interface VerifyResult {
 }
 interface VerifyError {
     valid: false;
-    error: "credential_expired" | "invalid_issuer" | "signature_invalid";
+    error: "credential_expired" | "invalid_issuer" | "signature_invalid" | "credential_revoked";
     message: string;
 }
 type VerifyResponse = VerifyResult | VerifyError;
@@ -44,6 +44,8 @@ interface RegisterInput {
         crv: string;
         x: string;
     };
+    credential_expires_in?: number;
+    metadata?: Record<string, string>;
 }
 interface RegisterResult {
     did: string;
@@ -67,6 +69,7 @@ interface AuthVerifyInput {
     challenge_id: string;
     did: string;
     signature: string;
+    credential_expires_in?: number;
 }
 interface AuthVerifyResult {
     valid: true;
@@ -120,7 +123,8 @@ declare class AuthAgents {
      * Verify a VC-JWT credential issued by Agent Auth.
      *
      * @param credential - The VC-JWT string from the agent
-     * @returns Verified agent identity or error details
+     * @returns Verified agent identity. If API returns 401, returns
+     *          `{ valid: false, error, message }` instead of throwing.
      */
     verify(credential: string): Promise<VerifyResponse>;
     /**
@@ -136,14 +140,16 @@ declare class AuthAgents {
      * Request an authentication challenge nonce.
      *
      * @param did - The agent's DID
+     * @param site_id - Optional site scope for provisioned deployments
      * @returns Challenge ID and nonce to sign
      */
-    challenge(did: string): Promise<ChallengeResult>;
+    challenge(did: string, site_id?: string): Promise<ChallengeResult>;
     /**
      * Submit a signed challenge to authenticate and receive a fresh credential.
      *
-     * @param input - challenge_id, did, and base64url signature
-     * @returns Session token and fresh VC-JWT credential
+     * @param input - challenge_id, did, base64url signature, and optional credential_expires_in
+     * @returns Session token and fresh VC-JWT credential. If API returns 401,
+     *          returns `{ valid: false, error, message }` instead of throwing.
      */
     authenticate(input: AuthVerifyInput): Promise<AuthVerifyResponse>;
 }

package/dist/index.d.ts

@@ -1,5 +1,5 @@
 interface AuthAgentsConfig {
-    /** Base URL of the Agent Auth API. Defaults to https://auth.getagentauth.com */
+    /** Base URL of the Agent Auth API. Defaults to https://auth.usevigil.dev */
     baseUrl?: string;
 }
 /** Ed25519 key pair in JWK format, returned by generateKeyPair() */
@@ -30,7 +30,7 @@ interface VerifyResult {
 }
 interface VerifyError {
     valid: false;
-    error: "credential_expired" | "invalid_issuer" | "signature_invalid";
+    error: "credential_expired" | "invalid_issuer" | "signature_invalid" | "credential_revoked";
     message: string;
 }
 type VerifyResponse = VerifyResult | VerifyError;
@@ -44,6 +44,8 @@ interface RegisterInput {
         crv: string;
         x: string;
     };
+    credential_expires_in?: number;
+    metadata?: Record<string, string>;
 }
 interface RegisterResult {
     did: string;
@@ -67,6 +69,7 @@ interface AuthVerifyInput {
     challenge_id: string;
     did: string;
     signature: string;
+    credential_expires_in?: number;
 }
 interface AuthVerifyResult {
     valid: true;
@@ -120,7 +123,8 @@ declare class AuthAgents {
      * Verify a VC-JWT credential issued by Agent Auth.
      *
      * @param credential - The VC-JWT string from the agent
-     * @returns Verified agent identity or error details
+     * @returns Verified agent identity. If API returns 401, returns
+     *          `{ valid: false, error, message }` instead of throwing.
      */
     verify(credential: string): Promise<VerifyResponse>;
     /**
@@ -136,14 +140,16 @@ declare class AuthAgents {
      * Request an authentication challenge nonce.
      *
      * @param did - The agent's DID
+     * @param site_id - Optional site scope for provisioned deployments
      * @returns Challenge ID and nonce to sign
      */
-    challenge(did: string): Promise<ChallengeResult>;
+    challenge(did: string, site_id?: string): Promise<ChallengeResult>;
     /**
      * Submit a signed challenge to authenticate and receive a fresh credential.
      *
-     * @param input - challenge_id, did, and base64url signature
-     * @returns Session token and fresh VC-JWT credential
+     * @param input - challenge_id, did, base64url signature, and optional credential_expires_in
+     * @returns Session token and fresh VC-JWT credential. If API returns 401,
+     *          returns `{ valid: false, error, message }` instead of throwing.
      */
     authenticate(input: AuthVerifyInput): Promise<AuthVerifyResponse>;
 }

package/dist/index.js

@@ -24,10 +24,20 @@ __export(index_exports, {
   verify: () => verify
 });
 module.exports = __toCommonJS(index_exports);
-var DEFAULT_BASE_URL = "https://auth.getagentauth.com";
+var DEFAULT_BASE_URL = "https://auth.usevigil.dev";
 var AuthAgents = class {
   constructor(config) {
-    this.baseUrl = (config?.baseUrl ?? DEFAULT_BASE_URL).replace(/\/+$/, "");
+    const url = (config?.baseUrl ?? DEFAULT_BASE_URL).replace(/\/+$/, "");
+    try {
+      const parsed = new URL(url);
+      if (parsed.protocol !== "https:" && parsed.hostname !== "localhost" && parsed.hostname !== "127.0.0.1") {
+        throw new Error("AuthAgents: baseUrl must use HTTPS (http://localhost allowed for development)");
+      }
+    } catch (e) {
+      if (e instanceof Error && e.message.startsWith("AuthAgents:")) throw e;
+      throw new Error("AuthAgents: baseUrl must be a valid URL");
+    }
+    this.baseUrl = url;
   }
   // ---- Static Crypto Helpers ---------------------------------------------
   /**
@@ -72,6 +82,12 @@ var AuthAgents = class {
    * @returns base64url-encoded Ed25519 signature
    */
   static async signChallenge(privateKeyJwk, nonce) {
+    if (!privateKeyJwk?.d) {
+      throw new Error("privateKeyJwk must contain the 'd' (private key) parameter");
+    }
+    if (!nonce) {
+      throw new Error("nonce must not be empty");
+    }
     const key = await crypto.subtle.importKey(
       "jwk",
       { ...privateKeyJwk, key_ops: ["sign"] },
@@ -94,15 +110,28 @@ var AuthAgents = class {
    * Verify a VC-JWT credential issued by Agent Auth.
    *
    * @param credential - The VC-JWT string from the agent
-   * @returns Verified agent identity or error details
+   * @returns Verified agent identity. If API returns 401, returns
+   *          `{ valid: false, error, message }` instead of throwing.
    */
   async verify(credential) {
     const res = await fetch(`${this.baseUrl}/v1/credentials/verify`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({ credential })
+      body: JSON.stringify({ credential }),
+      signal: AbortSignal.timeout(1e4)
     });
-    return res.json();
+    const body = await res.json().catch(() => ({}));
+    if (res.status === 401) {
+      return {
+        valid: false,
+        error: body.error ?? "signature_invalid",
+        message: body.message ?? "Credential verification failed"
+      };
+    }
+    if (!res.ok) {
+      throw new Error(body.error ?? body.message ?? `Verify failed (${res.status})`);
+    }
+    return body;
   }
   // ---- Agent Registration ------------------------------------------------
   /**
@@ -117,7 +146,8 @@ var AuthAgents = class {
     const res = await fetch(`${this.baseUrl}/v1/identities`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
-      body: JSON.stringify(input)
+      body: JSON.stringify(input),
+      signal: AbortSignal.timeout(1e4)
     });
     if (!res.ok) {
       const body = await res.json().catch(() => ({}));
@@ -132,13 +162,15 @@ var AuthAgents = class {
    * Request an authentication challenge nonce.
    *
    * @param did - The agent's DID
+   * @param site_id - Optional site scope for provisioned deployments
    * @returns Challenge ID and nonce to sign
    */
-  async challenge(did) {
+  async challenge(did, site_id) {
     const res = await fetch(`${this.baseUrl}/v1/auth/challenge`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({ did })
+      body: JSON.stringify(site_id ? { did, site_id } : { did }),
+      signal: AbortSignal.timeout(1e4)
     });
     if (!res.ok) {
       const body = await res.json().catch(() => ({}));
@@ -151,16 +183,29 @@ var AuthAgents = class {
   /**
    * Submit a signed challenge to authenticate and receive a fresh credential.
    *
-   * @param input - challenge_id, did, and base64url signature
-   * @returns Session token and fresh VC-JWT credential
+   * @param input - challenge_id, did, base64url signature, and optional credential_expires_in
+   * @returns Session token and fresh VC-JWT credential. If API returns 401,
+   *          returns `{ valid: false, error, message }` instead of throwing.
    */
   async authenticate(input) {
     const res = await fetch(`${this.baseUrl}/v1/auth/verify`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
-      body: JSON.stringify(input)
+      body: JSON.stringify(input),
+      signal: AbortSignal.timeout(1e4)
     });
-    return res.json();
+    const body = await res.json().catch(() => ({}));
+    if (res.status === 401) {
+      return {
+        valid: false,
+        error: body.error ?? "signature_invalid",
+        message: body.message ?? "Authentication failed"
+      };
+    }
+    if (!res.ok) {
+      throw new Error(body.error ?? body.message ?? `Authentication failed (${res.status})`);
+    }
+    return body;
   }
 };
 async function verify(credential) {

package/dist/index.mjs

@@ -1,8 +1,18 @@
 // src/index.ts
-var DEFAULT_BASE_URL = "https://auth.getagentauth.com";
+var DEFAULT_BASE_URL = "https://auth.usevigil.dev";
 var AuthAgents = class {
   constructor(config) {
-    this.baseUrl = (config?.baseUrl ?? DEFAULT_BASE_URL).replace(/\/+$/, "");
+    const url = (config?.baseUrl ?? DEFAULT_BASE_URL).replace(/\/+$/, "");
+    try {
+      const parsed = new URL(url);
+      if (parsed.protocol !== "https:" && parsed.hostname !== "localhost" && parsed.hostname !== "127.0.0.1") {
+        throw new Error("AuthAgents: baseUrl must use HTTPS (http://localhost allowed for development)");
+      }
+    } catch (e) {
+      if (e instanceof Error && e.message.startsWith("AuthAgents:")) throw e;
+      throw new Error("AuthAgents: baseUrl must be a valid URL");
+    }
+    this.baseUrl = url;
   }
   // ---- Static Crypto Helpers ---------------------------------------------
   /**
@@ -47,6 +57,12 @@ var AuthAgents = class {
    * @returns base64url-encoded Ed25519 signature
    */
   static async signChallenge(privateKeyJwk, nonce) {
+    if (!privateKeyJwk?.d) {
+      throw new Error("privateKeyJwk must contain the 'd' (private key) parameter");
+    }
+    if (!nonce) {
+      throw new Error("nonce must not be empty");
+    }
     const key = await crypto.subtle.importKey(
       "jwk",
       { ...privateKeyJwk, key_ops: ["sign"] },
@@ -69,15 +85,28 @@ var AuthAgents = class {
    * Verify a VC-JWT credential issued by Agent Auth.
    *
    * @param credential - The VC-JWT string from the agent
-   * @returns Verified agent identity or error details
+   * @returns Verified agent identity. If API returns 401, returns
+   *          `{ valid: false, error, message }` instead of throwing.
    */
   async verify(credential) {
     const res = await fetch(`${this.baseUrl}/v1/credentials/verify`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({ credential })
+      body: JSON.stringify({ credential }),
+      signal: AbortSignal.timeout(1e4)
     });
-    return res.json();
+    const body = await res.json().catch(() => ({}));
+    if (res.status === 401) {
+      return {
+        valid: false,
+        error: body.error ?? "signature_invalid",
+        message: body.message ?? "Credential verification failed"
+      };
+    }
+    if (!res.ok) {
+      throw new Error(body.error ?? body.message ?? `Verify failed (${res.status})`);
+    }
+    return body;
   }
   // ---- Agent Registration ------------------------------------------------
   /**
@@ -92,7 +121,8 @@ var AuthAgents = class {
     const res = await fetch(`${this.baseUrl}/v1/identities`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
-      body: JSON.stringify(input)
+      body: JSON.stringify(input),
+      signal: AbortSignal.timeout(1e4)
     });
     if (!res.ok) {
       const body = await res.json().catch(() => ({}));
@@ -107,13 +137,15 @@ var AuthAgents = class {
    * Request an authentication challenge nonce.
    *
    * @param did - The agent's DID
+   * @param site_id - Optional site scope for provisioned deployments
    * @returns Challenge ID and nonce to sign
    */
-  async challenge(did) {
+  async challenge(did, site_id) {
     const res = await fetch(`${this.baseUrl}/v1/auth/challenge`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({ did })
+      body: JSON.stringify(site_id ? { did, site_id } : { did }),
+      signal: AbortSignal.timeout(1e4)
     });
     if (!res.ok) {
       const body = await res.json().catch(() => ({}));
@@ -126,16 +158,29 @@ var AuthAgents = class {
   /**
    * Submit a signed challenge to authenticate and receive a fresh credential.
    *
-   * @param input - challenge_id, did, and base64url signature
-   * @returns Session token and fresh VC-JWT credential
+   * @param input - challenge_id, did, base64url signature, and optional credential_expires_in
+   * @returns Session token and fresh VC-JWT credential. If API returns 401,
+   *          returns `{ valid: false, error, message }` instead of throwing.
    */
   async authenticate(input) {
     const res = await fetch(`${this.baseUrl}/v1/auth/verify`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
-      body: JSON.stringify(input)
+      body: JSON.stringify(input),
+      signal: AbortSignal.timeout(1e4)
     });
-    return res.json();
+    const body = await res.json().catch(() => ({}));
+    if (res.status === 401) {
+      return {
+        valid: false,
+        error: body.error ?? "signature_invalid",
+        message: body.message ?? "Authentication failed"
+      };
+    }
+    if (!res.ok) {
+      throw new Error(body.error ?? body.message ?? `Authentication failed (${res.status})`);
+    }
+    return body;
   }
 };
 async function verify(credential) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "auth-agents",
-  "version": "0.4.0",
+  "version": "0.4.2",
   "description": "Verify AI agent identities with Agent Auth. DID-based authentication using Ed25519 and Verifiable Credentials.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -22,7 +22,7 @@
   },
   "keywords": [
     "agent-auth",
-    "getagentauth",
+    "usevigil",
     "auth-agents",
     "ai-agent",
     "did",
@@ -38,7 +38,7 @@
     "type": "git",
     "url": "https://github.com/AgenthAgent/auth-agents-sdk-node"
   },
-  "homepage": "https://getagentauth.com",
+  "homepage": "https://usevigil.dev",
   "devDependencies": {
     "tsup": "^8.0.0",
     "typescript": "^5.0.0"