OpenA2A: CLI · HackMyAgent · Secretless · AIM · Browser Guard · DVAA

Agent Identity Management (AIM)

No way to audit what an agent did, control what it can do, or revoke access when something goes wrong. AIM fixes that -- open-source identity, governance, and access control for AI agents.

Website | Demos | Discord

Quick Start

npx opena2a-cli identity create --name my-agent

Agent created:
  ID:         aim_7f3a9c2e
  Name:       my-agent
  Public Key: ed25519:x8Kp...mQ4R
  Stored:     ~/.opena2a/aim-core/identities/my-agent.json
  Audit Log:  ~/.opena2a/aim-core/audit.jsonl

Your agent now has a cryptographic identity, an append-only audit log, and a trust score -- no server required.

Dashboard screenshots

Fleet overview — 298 agents monitored, 24 actions blocked, risk by category

Agent registry with trust scores, verification status, and type classification

8-factor trust score — verification, compliance, uptime, action success, security alerts

MCP server dependencies with attestation status and confidence scores

See all demos

Two Ways to Start

Solo developer, single agent, no infrastructure:

npm install @opena2a/aim-core

Local Ed25519 keys, file-based audit log, YAML capability policies. Everything stays on your machine.

Team, fleet of agents, full governance:

docker pull opena2a/aim-server
docker pull opena2a/aim-dashboard

PostgreSQL-backed audit log, REST API, dashboard, OAuth 2.0 token endpoint, cross-machine fleet management.

Or use AIM Cloud -- no infrastructure required.

CLI Commands

The CLI is the fastest path to managing agent identity. Install once:

npm install -g opena2a-cli

Then:

# Local identity
opena2a identity create --name my-agent    # Create Ed25519 identity
opena2a identity trust                     # Calculate trust score
opena2a identity sign --data "hello"       # Sign data
opena2a identity audit                     # View audit log
opena2a identity attach --all              # Connect to all detected tools

# Cloud (aim.opena2a.org)
opena2a login                              # Authenticate via browser
opena2a identity create --name my-agent --server cloud   # Register on server
opena2a identity list --server cloud       # List all agents
opena2a identity tag add production --server cloud       # Tag agents
opena2a identity mcp list --server cloud   # View MCP connections
opena2a identity activity --server cloud   # View activity log
opena2a whoami                             # Check auth status

For a full security dashboard across all your agents:

npx opena2a-cli review

Security Review: ~/my-project
  Identity:     aim_7f3a9c2e (my-agent)
  Trust Score:  0.85 (strong)
  Capabilities: 3 allowed, 1 denied
  Audit Events: 47 (last 24h)
  MCP Servers:  2 verified, 0 drifted

What AIM Provides

Cryptographic identity, OAuth 2.0 auth, capability enforcement, audit trail, 8-factor trust scoring, MCP attestation, lifecycle management, policy engine, tag/MCP management, and a full web dashboard.

See all features

Cryptographic identity -- Ed25519 keypairs generated on agent creation. Every agent gets a verifiable identity with signing and verification capabilities. Post-quantum (ML-DSA-44/65/87) and hybrid Ed25519+ML-DSA modes available server-side.

OAuth 2.0 and machine-to-machine auth -- JWT-bearer grant for agent-to-server authentication. Device authorization flow (RFC 8628) for CLI login via browser. No API key management needed after opena2a login.

Capability enforcement -- Declare what each agent can do; block everything else at runtime. Per-capability trust thresholds (e.g., system:admin requires 70% trust, file:read requires 0%). Per-capability execution modes: auto (immediate), notify (execute + alert), review (queue for human approval). Policies defined in YAML (local) or via REST API (server).

Audit trail -- Append-only, tamper-evident log of every action. JSON-lines locally, PostgreSQL with full query API on the server. Audit events include action, target, result, timestamp, and tool attribution.

Trust scoring -- 8-factor weighted algorithm: verification status (25%), uptime (15%), action success rate (15%), security alerts (15%), compliance (10%), agent age (10%), drift detection (5%), and user feedback (5%). Historical trends and confidence levels tracked. Trust scores gate capability access via per-capability thresholds.

Delegation chains -- Cryptographically signed delegation with Ed25519. Scope narrowing enforced at each hop. Trust attenuation: each delegation hop reduces effective trust by a configurable factor (default 0.8x per hop, minimum floor of 0.3). Prevents deep delegation chains from bypassing trust requirements.

MCP attestation -- Agents attest to the quality and security of MCP servers they use. Multi-agent consensus protocol: 3+ unique attesters across 2+ owners = verified. Supply chain visualization on the dashboard.

Lifecycle management -- Full agent state machine: pending, verified, suspended, revoked. Suspend agents instantly when compromised, revoke permanently (30-day data retention). Status affects trust score automatically.

Policy management -- YAML-based local policies or server-managed via REST API. Default-deny or default-allow with granular capability rules. Plugin-scoped policies for per-tool control.

Tag and MCP management -- Organize agents with tags, attach/detach MCP server connections. Manageable via CLI (identity tag add, identity mcp add), REST API, or dashboard.

Dashboard -- Web UI for fleet management at aim.opena2a.org. Agent overview, trust score breakdowns, MCP network graph, audit timeline, security violations, capability requests, and policy editor.

Fine-Grained Authorization (FGA)

5-step authorization pipeline that evaluates every agent action before execution:

1. Capability check -- does the agent have the required capability?
2. Attribute check -- do agent attributes satisfy the policy conditions?
3. Context check -- does the runtime context (time, location, risk level) permit the action?
4. Chain check -- if delegated, is the delegation chain valid and within scope?
5. Intent check -- does the declared intent match the action being performed?

All five steps must pass. Any failure returns a typed denial with the specific step that blocked the action.

const decision = await aim.authorize({
  agent: 'billing-agent',
  action: 'db:write',
  resource: 'invoices',
  context: { riskLevel: 'elevated' }
});
// { allowed: false, deniedAt: 'context', reason: 'elevated risk requires human approval' }

Privileged Access Management (PAM)

Three privilege tiers with escalating controls:

Tier	Examples	Controls
STANDARD	file:read, api:call	Normal capability enforcement
PRIVILEGED	db:write, deploy:staging	Time-bound session, audit-intensive logging
SUPER_PRIVILEGED	infra:destroy, secrets:rotate	Human approval gate, dual authorization

Human approval gates -- SUPER_PRIVILEGED actions queue for human review. Configurable approval timeout (default 5 minutes), automatic denial on expiry.

Break-glass -- emergency override for blocked critical actions. Requires a break-glass token, logs to a separate tamper-evident audit stream, and triggers immediate review notification.

Certification campaigns -- periodic review of agent privilege assignments. Managers approve or revoke each privilege. Unreviewed privileges expire automatically.

CyberArk Integration

CCP (Central Credential Provider) bridge for retrieving vaulted credentials at runtime without exposing secrets to the agent context. PSM (Privileged Session Manager) streaming for recording and auditing privileged agent sessions.

const aim = new AIMCore({
  agentName: 'billing-agent',
  vault: {
    provider: 'cyberark',
    ccpUrl: process.env.CYBERARK_CCP_URL,
    appId: 'aim-agents',
    safe: 'AgentCredentials'
  }
});

// Agent requests credential by reference, never sees the value
const cred = await aim.getCredential('db-connection-string');

SIEM Integration

Built-in adapters for forwarding audit events to enterprise SIEM platforms:

• Splunk -- HTTP Event Collector (HEC) adapter. Sends structured JSON events with AIM-specific source type and index configuration.
• Microsoft Sentinel -- Data Collector API adapter. Maps AIM audit events to custom log tables with workspace ID routing.

Both adapters support buffered batch delivery, automatic retry with backoff, and event filtering by severity.

# aim-config.yaml
siem:
  adapter: splunk
  hecUrl: https://splunk.internal:8088
  token: ${SPLUNK_HEC_TOKEN}
  index: aim_agent_audit
  sourcetype: aim:audit
  minSeverity: warning

SDKs

SDK	Install	Status
Python	pip install -e sdk/python/ (local) or download from AIM dashboard	Stable
Java	org.opena2a:aim-sdk:1.0.0 (Maven / Gradle)	Stable
TypeScript/Node.js	npm install @opena2a/aim-core	Stable

aim-core: For Library Developers

If you are building a tool or framework that needs to embed agent identity, @opena2a/aim-core provides programmatic access without requiring a running server.

npm install @opena2a/aim-core

import { AIMCore } from '@opena2a/aim-core';

const aim = new AIMCore({ agentName: 'my-assistant' });

// Ed25519 identity -- created on first run, persisted to ~/.opena2a/aim-core/
const identity = aim.getIdentity();
console.log('Agent ID:', identity.agentId);

// Capability enforcement -- define what the agent can do
aim.loadPolicy({ allow: ['db:read', 'api:call'], deny: ['db:write'] });
aim.checkCapability('db:read');   // passes
// aim.checkCapability('db:write'); // throws CapabilityDenied

// Audit log -- append-only, tamper-evident
aim.logEvent({ action: 'db:read', target: 'customers', result: 'allowed', plugin: 'my-assistant' });

// Trust scoring -- 8-factor calculation
const score = aim.calculateTrust();
console.log('Trust:', score.overall); // e.g. 0.45

Feature	aim-core (local)	Full AIM (server + dashboard)
Ed25519 identity	Local keypair	Server-issued + PQC (ML-DSA)
OAuth 2.0 auth	N/A	JWT-bearer + device flow
Audit log	JSON-lines file	PostgreSQL + query API
Capability policy	YAML file	REST API + visual editor
Trust scoring	8-factor local	Real-time + history + trends
MCP attestation	N/A	Multi-agent consensus
Lifecycle	N/A	Suspend, revoke, verify
Tags + MCPs	N/A	Organize + attach via CLI/API
Multi-agent	Per-machine	Cross-machine fleet
Dashboard	N/A	Full web UI

This is the same library used by HackMyAgent's --with-aim flag to add agent identity during security remediation.

Server Deployment

For team and fleet deployments, the AIM server provides a REST API, dashboard, and PostgreSQL-backed storage.

curl -sSL https://raw.githubusercontent.com/opena2a-org/agent-identity-management/main/scripts/quickstart.sh | bash

Opens dashboard at localhost:3000, API at localhost:8080. Secrets are auto-generated. Login credentials are printed at the end.

Images on Docker Hub. See infrastructure/DEPLOYMENT.md for tag conventions and production deployment.

Using with HackMyAgent

HackMyAgent can add AIM agent identity as part of its security remediation flow:

hackmyagent fix-all --with-aim     # scan, fix, and add agent identity
hackmyagent fix-all --dry-run      # preview without modifying

Use Cases

Guide	Description	Time
Register my agent	Create an Ed25519 identity and attach tools	2 min
Audit agent actions	Track actions with a tamper-evident log	5 min
Enforce capabilities	Restrict what your agent can do with YAML policies	5 min
Embed in my app	Use aim-core SDK in your own framework	10 min
Fleet governance	Centralized management with AIM Server	30 min

See docs/USE-CASES.md for the full index.

Links

• Documentation -- full guides, tutorials, API reference
• SDK Quickstart -- secure your first agent
• MCP Registration -- connect MCP servers
• Contributing -- how to contribute
• Deployment Guide -- production deployment

Part of the OpenA2A security platform. See all tools at opena2a.org.

License

Apache-2.0 -- See LICENSE