myapi-asc 0.1.1

package/README.md

@@ -0,0 +1,87 @@
+# myapi-asc
+
+Ed25519 per-request signing for AI agents talking to MyApi. The agent's identity is its
+public key, not its IP or User-Agent — so workers can rotate freely without tripping the
+"suspicious device" alert.
+
+## Why
+
+OAuth tokens identify the *client*, not the *device*. AI agents legitimately run from
+load-balanced workers with rotating IPs, missing User-Agent headers, and short-lived
+hosts. Binding a token to a device fingerprint produced false-positive alerts.
+
+ASC fixes this: every request carries a fresh Ed25519 signature over `<timestamp>:<tokenId>`.
+The server verifies the signature against a registered public key. The key fingerprint is
+the agent's identity.
+
+## Install
+
+In-repo for now — copy the `packages/myapi-asc` directory or symlink it. npm publish later.
+
+```bash
+npm install ./packages/myapi-asc
+```
+
+## Use
+
+### Generate a keypair (once per agent)
+
+```js
+const { generateKeypair } = require('myapi-asc');
+const { publicKey, privateKey } = generateKeypair();
+// Save privateKey securely on the agent host.
+// Register publicKey in the MyApi dashboard → Connect an AI Agent.
+```
+
+### Sign each request
+
+```js
+const { sign } = require('myapi-asc');
+const headers = sign({ privateKey, tokenId: 'tok_abcd...' });
+// headers = { 'X-Agent-PublicKey': '...', 'X-Agent-Signature': '...', 'X-Agent-Timestamp': '...' }
+
+await fetch('https://api.myapi.com/api/v1/identity', {
+  headers: {
+    Authorization: `Bearer ${rawToken}`,
+    ...headers,
+  },
+});
+```
+
+### Drop-in fetch wrapper
+
+```js
+const { wrapFetch } = require('myapi-asc');
+const myFetch = wrapFetch(fetch, {
+  tokenId: 'tok_abcd...',
+  privateKey,
+  bearer: rawToken,
+});
+
+await myFetch('https://api.myapi.com/api/v1/identity');
+```
+
+## Curl (no SDK)
+
+```bash
+TS=$(date +%s)
+SIG=$(printf "$TS:$TOKEN_ID" | openssl pkeyutl -sign -inkey ed25519.pem -rawin | base64 -w0)
+PUB=$(openssl pkey -in ed25519.pem -pubout -outform DER | tail -c 32 | base64 -w0)
+
+curl -H "Authorization: Bearer $TOKEN" \
+     -H "X-Agent-PublicKey: $PUB" \
+     -H "X-Agent-Signature: $SIG" \
+     -H "X-Agent-Timestamp: $TS" \
+     https://api.myapi.com/api/v1/identity
+```
+
+## First-time approval
+
+The first signed request from an unregistered public key returns `403 DEVICE_APPROVAL_REQUIRED`
+and surfaces a pending approval in the dashboard. Once the user clicks **Approve**, that
+public key is permanently associated with the token. Subsequent signed requests pass.
+
+## Replay protection
+
+The server rejects requests whose `X-Agent-Timestamp` is more than 60s out of sync.
+Sign every request fresh — do not cache headers.

package/index.js

@@ -0,0 +1,66 @@
+// MyApi ASC (Agentic Secure Connection) — Ed25519 per-request signing for AI agents.
+//
+// Identity = your Ed25519 public key. Each request signs `${timestamp}:${fingerprint}` so the
+// server can prove the request came from the key-holder and was issued in the last 60s.
+// No User-Agent / IP dependency — your agent can move across IPs, workers, or hosts without
+// tripping false-positive "suspicious device" alerts.
+//
+//   const { generateKeypair, sign, wrapFetch } = require('myapi-asc');
+//   const { publicKey, privateKey } = generateKeypair();
+//   // 1) Register the publicKey via the MyApi dashboard (Connect-an-AI-Agent flow)
+//   // 2) Sign requests:
+//   const headers = sign({ privateKey });
+//   await fetch(url, { headers: { Authorization: `Bearer ${rawToken}`, ...headers } });
+//
+//   // or, drop-in fetch wrapper:
+//   const myFetch = wrapFetch(fetch, { privateKey, bearer: rawToken });
+
+const crypto = require('crypto');
+
+function generateKeypair() {
+  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
+  const pubDer = publicKey.export({ format: 'der', type: 'spki' });
+  // SPKI Ed25519 wrapper is 12 bytes (302a300506032b6570032100), raw key follows
+  const rawPub = pubDer.subarray(12);
+  return {
+    publicKey: rawPub.toString('base64'),
+    privateKey: privateKey.export({ format: 'pem', type: 'pkcs8' }),
+  };
+}
+
+function sign({ privateKey }) {
+  if (!privateKey) throw new Error('sign() requires privateKey');
+  const keyObj = typeof privateKey === 'string' || Buffer.isBuffer(privateKey)
+    ? crypto.createPrivateKey(privateKey)
+    : privateKey;
+  const pubDer  = crypto.createPublicKey(keyObj).export({ format: 'der', type: 'spki' });
+  const rawPub  = pubDer.subarray(12);
+  const rawPubB64 = rawPub.toString('base64');
+  const fingerprint = crypto.createHash('sha256').update(rawPub).digest('hex').substring(0, 32);
+  const timestamp   = String(Math.floor(Date.now() / 1000));
+  const message     = Buffer.from(`${timestamp}:${fingerprint}`);
+  const signature   = crypto.sign(null, message, keyObj);
+
+  return {
+    'X-Agent-PublicKey': rawPubB64,
+    'X-Agent-Signature': signature.toString('base64'),
+    'X-Agent-Timestamp': timestamp,
+  };
+}
+
+function wrapFetch(fetchImpl, { privateKey, bearer }) {
+  if (!fetchImpl) throw new Error('wrapFetch() requires a fetch implementation');
+  return async (input, init = {}) => {
+    const signedHeaders = sign({ privateKey });
+    const headers = {
+      ...(init.headers || {}),
+      ...signedHeaders,
+    };
+    if (bearer && !headers.Authorization && !headers.authorization) {
+      headers.Authorization = `Bearer ${bearer}`;
+    }
+    return fetchImpl(input, { ...init, headers });
+  };
+}
+
+module.exports = { generateKeypair, sign, wrapFetch };

package/package.json

@@ -0,0 +1,11 @@
+{
+  "name": "myapi-asc",
+  "version": "0.1.1",
+  "description": "MyApi Agentic Secure Connection — Ed25519 per-request signing for AI agents.",
+  "main": "index.js",
+  "engines": {
+    "node": ">=18"
+  },
+  "license": "MIT",
+  "keywords": ["myapi", "ed25519", "agent", "asc", "ai", "signing"]
+}