Agent Auth (AAuth) — Quickstart
This quickstart walks through the essential steps to set up AAuth: generate a key pair, register an agent and a resource, then make your first authenticated call. AAuth uses Ed25519 keys (a modern elliptic-curve signature scheme — short keys, fast, widely supported) and signs every request with RFC 9421 — HTTP Message Signatures (cryptographic signatures over specific HTTP request components — method, path, selected headers, body digest — giving a replay-proof, per-request proof of possession).
Prerequisites
- Access to a LumoAuth organization (e.g., acme-corp) with AAuth enabled
- Node.js 18+ or Python 3.9+
- Basic familiarity with OAuth 2.0 concepts
- A server environment that can generate Ed25519 or RSA key pairs
Step 1: Generate a key pair
AAuth requires cryptographic keys. Generate an Ed25519 key pair:
```javascript
// Node.js
const crypto = require('crypto');
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519', {
  publicKeyEncoding: { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' }
});
// Convert public key to raw bytes for JWK: the Ed25519 SPKI DER is a fixed
// 12-byte algorithm prefix followed by the 32-byte raw key, so keep the last 32 bytes
const publicKeyBytes = Buffer.from(
  publicKey.replace(/-----BEGIN PUBLIC KEY-----|-----END PUBLIC KEY-----|\n/g, ''),
  'base64'
).slice(-32);
const jwks = {
  keys: [{
    kty: 'OKP',
    crv: 'Ed25519',
    x: publicKeyBytes.toString('base64url'),
    use: 'sig',
    kid: 'key-1'
  }]
};
console.log('JWKS:', JSON.stringify(jwks, null, 2));
console.log('\nPrivate Key (save securely):');
console.log(privateKey);
```
```python
# Python
from cryptography.hazmat.primitives.asymmetric import ed25519
from cryptography.hazmat.primitives import serialization
import base64
import json

# Generate key pair
private_key = ed25519.Ed25519PrivateKey.generate()
public_key = private_key.public_key()

# Export public key as raw 32 bytes (what the JWK "x" member carries)
public_bytes = public_key.public_bytes(
    encoding=serialization.Encoding.Raw,
    format=serialization.PublicFormat.Raw
)
jwks = {
    "keys": [{
        "kty": "OKP",
        "crv": "Ed25519",
        "x": base64.urlsafe_b64encode(public_bytes).decode().rstrip('='),
        "use": "sig",
        "kid": "key-1"
    }]
}
print('JWKS:', json.dumps(jwks, indent=2))
print('\nSave your private key securely!')
```
Keep private keys on the server, never in source control or client-side code. Prefer an HSM or secret manager in production.
Step 2: Register your agent
Register your agent in the Organization Portal, or use the Admin API for programmatic registration.
| Field | Example value | Description |
|---|---|---|
| Name | My First Agent | Human-readable agent name |
| Agent Identifier | https://my-agent.example.com | HTTPS URL uniquely identifying your agent |
| Description | Testing AAuth protocol | Optional description |
| JWKS | Paste your JWKS from Step 1 | Your agent's public keys |
| Redirect URI | https://my-agent.example.com/oauth/callback | Where to send authorization codes |
| Allowed Scopes | read write | Scopes this agent can request |
Enable:
- ✅ User Authorization Enabled
- ✅ Delegation Enabled
Click Create Agent.
Step 3: Register a resource
Register the protected API your agent will call:
| Field | Example value |
|---|---|
| Name | My API |
| Resource Identifier | https://api.example.com |
| JWKS URI | https://api.example.com/.well-known/jwks.json |
| Supported Scopes | read, write |
| Default Auth Level | authorized |
Step 4: Make your first request
Choose a language or framework for a complete, copy-paste example:
| Framework / Language | Guide |
|---|---|
| Python (LumoAuth SDK) | View example → |
| JavaScript / Node.js | View example → |
| LangChain / LangGraph | View example → |
| CrewAI | View example → |
| OpenAI Agents SDK | View example → |
Next steps
- AAuth Protocol spec — full protocol details
- Agent Registry — manage agent registrations, budgets, and capabilities
- JIT Permissions — add per-operation permission escalation