As autonomous AI agents begin to interact directly with web services and APIs, a critical question emerges: How can we trust that a digital agent is who it claims to be? Today, HUMAN Security is releasing an open-source project to help answer that question.
We are proud to release HUMAN Verified AI Agent, an open-source demonstration of cryptographically authenticated communication between AI agents and digital services using HTTP Message Signatures (RFC 9421).
This project is more than a technical showcase. It’s a contribution to the trust layer for the agentic internet: a future where AI agents must identify, authenticate, and authorize themselves in order to operate freely and safely.
Why Agent Identity Matters
Most bot detection and identity systems rely on identifiers such as IP addresses, user-agent strings, or API keys, all of which can be spoofed or misused. HUMAN Verified AI Agent moves the conversation forward by offering an early look at how agents can move beyond these checks and instead authenticate using public-key cryptography to prove that a request came from a specific agent.
Agents in this system sign every HTTP request using HTTP Message Signatures, a W3C-approved standard that ensures the authenticity and integrity of each message. These signatures are verified by a gateway service using a public key registry, allowing web services to cryptographically validate that a specific agent sent a given request.
This model is designed to scale. Each agent is uniquely identified using OWASP’s Agent Name Service (ANS), which provides a DNS-like naming system for AI agents—e.g., planner.trip.v1.human-security.com. This ensures not only that requests are signed, but also that they’re traceable and governable.
What the Demo Shows
The open-source release includes a demo with a multi-agent system that provides trip planning via three collaborating agents:
- Planner (LLM Agent): Orchestrates the trip and delegates subtasks
- Weather Agent: Fetches weather data for the destination
- Attractions Agent: Retrieves local points of interest
Each agent possesses its own Ed25519 key pair and signs requests independently. A secure gateway service validates these signatures before passing requests to external APIs.
The demo includes a mock verifier and a pre-configured key registry, so developers can experience signature-based agent identity immediately, without managing a certificate authority.
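The sign-then-verify flow described above, as an added sketch that is not code from the HUMAN repository: an agent signs an RFC 9421 signature base with Ed25519, and a gateway checks it against a key registry. Using the ANS name as the `keyid`, the covered components, the 300-second freshness window, and the `api.example.test` request are assumptions made for illustration.

```javascript
// Added example, not the project's code. Assumes Node.js built-in crypto with Ed25519 support.
const crypto = require('node:crypto');

const COVERED = ['@method', '@authority', '@path']; // components the gateway requires (assumption)
const COVERED_LIST = COVERED.map((c) => `"${c}"`).join(' ');

// RFC 9421 signature base: one line per covered component, then @signature-params, no trailing newline.
function signatureBase(req, params) {
  const values = { '@method': req.method.toUpperCase(), '@authority': req.authority.toLowerCase(), '@path': req.path };
  const lines = COVERED.map((c) => `"${c}": ${values[c]}`);
  lines.push(`"@signature-params": ${params}`);
  return Buffer.from(lines.join('\n'));
}

// Agent side: sign the base and attach Signature-Input / Signature headers.
function signRequest(req, keyid, privateKey, created) {
  const params = `(${COVERED_LIST});created=${created};keyid="${keyid}";alg="ed25519"`;
  const sig = crypto.sign(null, signatureBase(req, params), privateKey);
  return { ...req, headers: { 'signature-input': `sig1=${params}`, signature: `sig1=:${sig.toString('base64')}:` } };
}

// Gateway side: parse the headers, look the keyid up in the registry, rebuild the base
// from the request as received, and verify. Each failure mode gets its own reason.
function verifyRequest(req, registry, now, maxAgeSeconds = 300) {
  const input = /^sig1=(\(([^)]*)\);created=(\d+);keyid="([^"]+)";alg="ed25519")$/.exec(req.headers['signature-input'] || '');
  const sig = /^sig1=:([A-Za-z0-9+/=]+):$/.exec(req.headers.signature || '');
  if (!input || !sig) return { ok: false, reason: 'malformed' };
  const [, params, components, created, keyid] = input;
  // A signature that covers fewer components than required proves less than it appears to.
  if (components !== COVERED_LIST) return { ok: false, reason: 'coverage' };
  if (Math.abs(now - Number(created)) > maxAgeSeconds) return { ok: false, reason: 'stale' };
  const publicKey = registry.get(keyid);
  if (!publicKey) return { ok: false, reason: 'unknown-agent' };
  const valid = crypto.verify(null, signatureBase(req, params), publicKey, Buffer.from(sig[1], 'base64'));
  return valid ? { ok: true, agent: keyid } : { ok: false, reason: 'bad-signature' };
}

// Constructed sample data: a fresh key pair, a one-entry registry, a made-up request.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const agent = 'planner.trip.v1.human-security.com';
  const registry = new Map([[agent, publicKey]]);
  const now = 1700000000;
  const signed = signRequest({ method: 'GET', authority: 'api.example.test', path: '/weather/lisbon' }, agent, privateKey, now);
  return {
    genuine: verifyRequest(signed, registry, now + 5),
    tampered: verifyRequest({ ...signed, path: '/weather/paris' }, registry, now + 5),
    replayed: verifyRequest(signed, registry, now + 3600),
    unknown: verifyRequest(signed, new Map(), now + 5),
  };
}
```

Calling `demo()` returns one accepted request and three rejections: a path altered after signing, a signature presented outside the freshness window, and a `keyid` missing from the registry.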
Building the Agentic Future
This release aligns with HUMAN’s broader mission: to be the secure infrastructure provider for how AI agents interact with the internet. By publishing this system openly, we’re inviting developers, researchers, and commercial agent builders to test, learn, and extend these practices. In a world where AI agents interact across the digital ecosystem, trust must be programmable, verifiable, and adaptive.
Explore the repository on GitHub.
Want your agents verified? Contact: agent.verification@humansecurity.com