Universal Non-Human Identity (NHI) Platform for AI Agents
This repository contains public documentation, SDK integration guides, and conceptual architecture for Countersig.
Countersig 2.0 is a production-grade identity and trust platform purpose-built for autonomous AI agents. It provides verifiable identity, multi-chain credential binding, reputation scoring, and machine-to-machine authentication — enabling agents to prove who they are, what they can do, and why they should be trusted.
Countersig is the identity and trust layer within the broader CounterAegis platform.
Note: For source code access, see the private repository. This repo contains public documentation, integration guides, and conceptual architecture.
- Frontend: countersig.com
- API: api.countersig.com
- Documentation: Wiki
- Platform: counteraegis.com
Countersig 2.0 is built around a pluggable, multi-provider authentication architecture — not just crypto wallets. This is what distinguishes it from every other agent identity solution on the market.
| Provider | Purpose | Standard / Protocol |
|---|---|---|
| Cryptographic (Ed25519) | Wallet-based agent identity for blockchain-native agents | Challenge-response signature verification |
| OAuth2 / OIDC | Enterprise SSO for managed AI agents | OpenID Connect with config-driven issuers & audiences |
| Microsoft Entra ID | Azure workload identity for enterprise AI deployments | Entra ID Workload Identity Federation (tenant-aware) |
| API Keys | Programmatic machine-to-machine access | SHA-256 hashed keys with prefix matching & org scoping |
| Agent-to-Agent (A2A) | Direct agent-to-agent trust verification | Short-lived JWT (60s) with JWKS public-key distribution |
| PKI Challenge-Response | Ongoing cryptographic proof of identity | Nonce-based challenge with replay prevention |
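
The challenge-response and replay-prevention rows in the table above, sketched as an added example using only Node.js's built-in `crypto` module. It is not Countersig's code: the function names, the 60-second challenge lifetime and the `agentId:nonce` message format are assumptions made for illustration.

```javascript
// Added illustration: nonce-based Ed25519 challenge-response with replay prevention.
// issueChallenge, signChallenge, verifyResponse and CHALLENGE_TTL_MS are hypothetical names.
const crypto = require('node:crypto');

const CHALLENGE_TTL_MS = 60_000;          // assumed lifetime, not a Countersig value
const pending = new Map();                // nonce -> { agentId, expiresAt }

// Server side: issue a fresh random nonce bound to one agent.
function issueChallenge(agentId, now = Date.now()) {
  const nonce = crypto.randomBytes(32).toString('hex');
  pending.set(nonce, { agentId, expiresAt: now + CHALLENGE_TTL_MS });
  return nonce;
}

// Agent side: sign the nonce together with the agent id it was issued to.
function signChallenge(privateKey, agentId, nonce) {
  return crypto.sign(null, Buffer.from(`${agentId}:${nonce}`), privateKey);
}

// Server side: the nonce is consumed on first use, so a captured response cannot be replayed.
function verifyResponse(publicKey, agentId, nonce, signature, now = Date.now()) {
  const entry = pending.get(nonce);
  if (!entry) return 'unknown-or-replayed-nonce';
  pending.delete(nonce);                  // single use, even when verification fails
  if (entry.agentId !== agentId) return 'agent-mismatch';
  if (now > entry.expiresAt) return 'expired';
  const ok = crypto.verify(null, Buffer.from(`${agentId}:${nonce}`), publicKey, signature);
  return ok ? 'ok' : 'bad-signature';
}

// Constructed demo: one valid exchange, then a replay, a wrong key and a late response.
function demo() {
  const agent = crypto.generateKeyPairSync('ed25519');
  const other = crypto.generateKeyPairSync('ed25519');
  const n1 = issueChallenge('agent-1', 0);
  const sig = signChallenge(agent.privateKey, 'agent-1', n1);
  const first = verifyResponse(agent.publicKey, 'agent-1', n1, sig, 1000);
  const replay = verifyResponse(agent.publicKey, 'agent-1', n1, sig, 2000);
  const n2 = issueChallenge('agent-1', 0);
  const forged = verifyResponse(agent.publicKey, 'agent-1', n2,
    signChallenge(other.privateKey, 'agent-1', n2), 1000);
  const n3 = issueChallenge('agent-1', 0);
  const late = verifyResponse(agent.publicKey, 'agent-1', n3,
    signChallenge(agent.privateKey, 'agent-1', n3), CHALLENGE_TTL_MS + 1);
  return { first, replay, forged, late };
}

console.log(demo());
```

With more than one server instance, the pending-nonce map has to live in a shared store so that a nonce consumed on one instance is also gone on the others.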
Additional security hardening:
- Human user auth with bcrypt-12 password hashing, access/refresh token rotation, and Redis-backed session management
- Account lockout after 5 failed attempts (15-minute cooldown)
- Tamper-evident hash-chain audit logging
- Multi-tenant RBAC with org-scoped API keys
- Rate limiting per endpoint category
- Multi-Chain Identity — Solana, EVM (Ethereum / Base / Polygon), and chain-agnostic agent registration
- W3C DID/VC Credentials — Standards-compliant Decentralized Identifiers and Verifiable Credentials
- Trust & Reputation — Multi-dimensional reputation scoring with on-chain attestations and community flagging
- Organization Management — Multi-tenant RBAC with fine-grained permissions and API key scoping
- Embeddable Widget — Drop-in trust badge for any website (React, vanilla JS, or iframe)
- Audit System — Tamper-evident hash-chain audit logging for compliance
- Policy Engine — Configurable automated policy enforcement with dynamic trust evaluation
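
The tamper-evident hash-chain audit logging listed above, shown as an added example that is not taken from Countersig's code base. The entry fields (`ts`, `actor`, `action`), the all-zero genesis value and the function names are assumptions, and the sample events are constructed.

```javascript
// Added illustration: an append-only audit log in which each entry commits to the previous one.
const crypto = require('node:crypto');

const GENESIS = '0'.repeat(64);           // assumed anchor value for the first entry

// The hash covers the previous entry's hash plus a fixed-order serialisation of the event.
function entryHash(prevHash, event) {
  const body = JSON.stringify([event.ts, event.actor, event.action]);
  return crypto.createHash('sha256').update(prevHash).update(body).digest('hex');
}

function append(log, event) {
  const prevHash = log.length ? log[log.length - 1].hash : GENESIS;
  log.push({ ...event, prevHash, hash: entryHash(prevHash, event) });
  return log;
}

// Returns the index of the first entry that fails verification, or -1 if the chain is intact.
function verifyChain(log) {
  let prev = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const e = log[i];
    if (e.prevHash !== prev || e.hash !== entryHash(prev, e)) return i;
    prev = e.hash;
  }
  return -1;
}

// Constructed sample events.
function sampleLog() {
  const log = [];
  append(log, { ts: 1, actor: 'org-a/admin', action: 'apikey.create' });
  append(log, { ts: 2, actor: 'agent-7', action: 'auth.challenge.ok' });
  append(log, { ts: 3, actor: 'org-a/admin', action: 'apikey.revoke' });
  return log;
}

function tamperCases() {
  const edited = sampleLog(); edited[1].action = 'auth.challenge.fail';  // in-place edit
  const removed = sampleLog(); removed.splice(1, 1);                     // entry deleted
  const truncated = sampleLog(); truncated.pop();                        // tail cut off
  return { intact: verifyChain(sampleLog()), edited: verifyChain(edited),
           removed: verifyChain(removed), truncated: verifyChain(truncated) };
}

console.log(tamperCases());
```

The truncated case verifies cleanly: a chain on its own detects edits and deletions inside the log but not removal of the newest entries, so the latest hash also has to be recorded somewhere the log writer cannot rewrite.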
```
┌───────────────────────────────────────────────────────────────────────────────────┐
│                                   Client Layer                                    │
│  ┌──────────────┐ ┌──────────────┐ ┌──────────┐ ┌──────────┐ ┌──────────────┐     │
│  │ Frontend SPA │ │ Embed Widget │ │ SDK/CLI  │ │   MCP    │ │ A2A Clients  │     │
│  │ (React+Vite) │ │ (iframe/JS)  │ │ (JS/TS)  │ │ (Claude) │ │    (JWKS)    │     │
│  │countersig.com│ │              │ │          │ │          │ │              │     │
│  └──────┬───────┘ └──────┬───────┘ └────┬─────┘ └────┬─────┘ └──────┬───────┘     │
└─────────┼────────────────┼──────────────┼────────────┼──────────────┼─────────────┘
          └────────────────┴──────────────┴────────────┴──────────────┘
                                          │
                             ┌────────────▼────────────┐
                             │  API Gateway: Caddy 2   │
                             │  Auto-SSL, Rate Limiting│
                             └────────────┬────────────┘
                                          │
┌─────────────────────────────────────────▼─────────────────────────────────────────┐
│                              Backend API (Express 4)                              │
│ ┌───────────────────────────────────────────────────────────────────────────────┐ │
│ │                             Pluggable Auth Layer                              │ │
│ │ ┌─────────────┐   ┌──────────┐   ┌────────────┐   ┌──────────┐   ┌──────────┐ │ │
│ │ │Cryptographic│   │ OAuth2/  │   │Google OAuth│   │ Entra ID │   │ API Keys │ │ │
│ │ │  (Ed25519)  │   │   OIDC   │   │            │   │(Azure AD)│   │  (M2M)   │ │ │
│ │ └──────┬──────┘   └────┬─────┘   └─────┬──────┘   └────┬─────┘   └────┬─────┘ │ │
│ │ ┌──────┴───────────────┴───────────────┴───────────────┴──────────────┴─────┐ │ │
│ │ │                       AuthManager (Strategy Router)                       │ │ │
│ │ └─────────────────────────────────────┬─────────────────────────────────────┘ │ │
│ │ ┌────────────┐   ┌──────────────┐     │     ┌─────────────┐                   │ │
│ │ │  A2A JWT   │   │ PKI Challenge│     │     │ Human Auth  │                   │ │
│ │ │   (60s)    │   │   (Nonce)    │     │     │ (bcrypt-12) │                   │ │
│ │ └────────────┘   └──────────────┘     │     └─────────────┘                   │ │
│ └───────────────────────────────────────┼───────────────────────────────────────┘ │
│                                         │                                         │
│ ┌───────────────────────────────────────┼───────────────────────────────────────┐ │
│ │  Service Layer                        │                                       │ │
│ │ ┌────────────┐  ┌─────────────┐  ┌────┴───────┐  ┌──────────────┐             │ │
│ │ │ Agent Mgmt │  │   Policy    │  │    RBAC    │  │    Audit     │             │ │
│ │ │  (DID/VC)  │  │   Engine    │  │            │  │ (hash chain) │             │ │
│ │ └────────────┘  └─────────────┘  └────────────┘  └──────────────┘             │ │
│ │ ┌────────────┐  ┌─────────────┐  ┌────────────┐                               │ │
│ │ │ Reputation │  │Badge Builder│  │  Webhook   │                               │ │
│ │ │  Scoring   │  │             │  │  (BullMQ)  │                               │ │
│ │ └────────────┘  └─────────────┘  └────────────┘                               │ │
│ └───────────────────────────────────────────────────────────────────────────────┘ │
│                                         │                                         │
└─────────────────────────────────────────┼─────────────────────────────────────────┘
                                          │
                             ┌────────────▼────────────┐
                             │       Data Layer        │
                             │ PostgreSQL 16 │ Redis 7 │
                             └────────────┬────────────┘
                                          │
                             ┌────────────▼────────────┐
                             │    External Services    │
                             │  CounterAegis Platform  │
                             │   URLhaus Threat Feed   │
                             └─────────────────────────┘
```
| Layer | Technology |
|---|---|
| Frontend | React 19, Vite 6, TailwindCSS |
| Backend | Node.js 20, Express 4 |
| Database | PostgreSQL 16, Redis 7 |
| Auth | JWT (Ed25519 + HMAC-SHA256), OAuth2/OIDC |
| Deployment | Docker Compose, Caddy 2 (auto-SSL) |
| Queue | BullMQ (webhook delivery) |
| Monitoring | prom-client (Prometheus metrics) |
| Hosting | Hostinger CDN (frontend), VPS (backend) |
This is a documentation and concepts repository. To integrate with Countersig, use the published client libraries below or explore the API Reference.
For deployment and self-hosting guides, see docs/DEPLOYMENT_GUIDE.md.
Countersig public packaging follows a Developer/Production split:
| Tier | Price | Included |
|---|---|---|
| Developer | Free for prototyping and side projects | Self-serve setup, single-product usage, SDK and API quickstart path |
| Production | Starts at $30K/year | Production scope, compliance alignment, and full CounterAegis platform path |
For production scoping, use the CounterAegis sales call:
https://calendly.com/ccie14019/enterprise-consultation
See docs/API_REFERENCE.md for the complete API reference, or visit the live API docs.
Now live on npm:
| Package | Version | Install | Description |
|---|---|---|---|
| @countersig/sdk | 1.0.0 | `npm install @countersig/sdk` | TypeScript SDK for all Countersig operations |
| @countersig/mcp | 1.0.0 | `npm i -g @countersig/mcp` | MCP server for Claude Code / Claude Desktop |
| @countersig/verify | 1.0.0 | `npm install @countersig/verify` | Lightweight A2A token verification |
| @countersig/react | 1.0.1 | `npm install @countersig/react` | React components — trust badges, reputation displays, capability lists |
```bash
# Install globally
npm install -g @countersig/mcp
# Add to Claude
claude mcp add countersig -- countersig-mcp
```
Then ask Claude: "Register a new agent called my-assistant with text-generation capabilities"
See docs/DEVELOPER_GUIDE.md for architecture details, multi-chain integration, enterprise auth setup, and SDK usage.