Cryptographic security
for AI agents

Every agent gets an Ed25519 identity. Every message is signed and verified. Framework-agnostic. One line to install.

Ed25519 SIGNATURES W3C DID IDENTITY MCP SERVER 11 CLI COMMANDS OPEN SOURCE
$ npm install -g meshsig
scroll ↓
THE PROBLEM
AI agents have zero security
Agents are deployed in production — handling data, executing transactions, making decisions. But there's no standard way to verify who they are.
?

No identity

Any script can pretend to be any agent. No cryptographic proof of who sent a message.

!

No audit trail

When something goes wrong, no tamper-proof record of what happened, who did it, or when.

0

No trust scoring

Agents declare their own capabilities. No reputation system based on verified interactions.

HOW IT WORKS
Four layers of cryptographic security
1

Identity

Ed25519 keypair + W3C DID per agent

2

Handshake

Mutual challenge-response verification

3

Signed Messages

Every message carries a digital signature

4

Trust

Reputation earned through real interactions

K

Ed25519 cryptography

Same algorithm behind SSH, Signal, WireGuard, TLS 1.3. Deterministic, side-channel resistant, 32-byte keys.

D

W3C DID standard

Every agent gets a decentralized identifier: did:msig:... — universally verifiable, impossible to forge.

A

Tamper-proof audit

Every signed message logged with cryptographic hashes. Export compliance reports via API or CLI.

P

Peer networking

Connect MeshSig instances across servers. Agents on different machines discover and verify each other.

R

Key rotation

Rotate an agent's keypair without losing its DID. Old key invalidated immediately. Full rotation history.

X

Agent revocation

Permanently revoke compromised agents. Public revocation list. All messages blocked with 403.

L

Rate limiting

Built-in DDoS protection. 60 requests per minute per IP. Configurable thresholds.

V

Public verifier

Anyone can verify a signature in the browser or via API. No account needed.

CLI + MCP SERVER
11 commands. Zero config.
Install with npm, use from terminal or connect to Claude, Cursor, Windsurf via MCP.
# Install and generate identity
npx meshsig init
✓ Identity generated
DID: did:msig:3icqQkmJWby4S5rpaSRoCcKvjKWdTvqViyPrCEC7Tek2

# Sign a message
npx meshsig sign "Deploy the new model to production"
✓ Message signed
SIGNATURE: HkyrXOPOXF7v422A4iOcg/qkg...

# Verify
npx meshsig verify "message" "sig" "did:msig:..."
✓ SIGNATURE VALID

# More commands: identity, agents, stats, audit, rotate-key, revoke, revoked, start

# MCP Server — connect to any AI tool
npx meshsig-mcp # 9 tools for Claude, Cursor, Windsurf, Cline

# Start the dashboard
npx meshsig start --port 4888
● DASHBOARD http://localhost:4888
INTEGRATIONS
Works with any agent framework
MeshSig is a protocol, not a plugin. Connect via HTTP API, CLI, MCP, or import directly.
MCP NATIVE
Claude Desktop
npx meshsig-mcp
MCP NATIVE
Cursor
npx meshsig-mcp
MCP NATIVE
Windsurf
npx meshsig-mcp
MCP NATIVE
Cline
npx meshsig-mcp
LangChain
HTTP API
CrewAI
HTTP API
AutoGen
HTTP API
LlamaIndex
HTTP API
Semantic Kernel
HTTP API
OpenClaw
Native scripts
Python
requests + API
Any HTTP client
REST API
SECURITY
Production-grade security built in

SIGNATURES

Ed25519 — SSH, Signal, WireGuard, TLS 1.3

IDENTITY

W3C DID standard (did:msig:)

HANDSHAKE

Mutual challenge-response with nonce

STORAGE

Local SQLite — no cloud dependency

AUDIT

Tamper-evident log, JSON export

KEY ROTATION

New keypair, same DID, old key dead

REVOCATION

Public revocation list, 403 on revoked

RATE LIMITING

60 req/min per IP, DDoS protection

Secure your agents today

Open source. MIT license. No cloud. No API keys. One line to install.

View on GitHub npm install meshsig Security Whitepaper