Show HN: Clay Seal Identity – Agents need accountability
Clay Seal Identity is an open-source project that provides short-lived, verifiable credentials for AI agents, ensuring identity and accountability. It uses SPIFFE-based JWT and X.509 credentials, Ed25519 workload keys, offline verification, and Biscuit capability tokens. The project includes a Python SDK and an optional FastAPI identity service, designed for scenarios where agent identity, delegation, and credential validity need to be confirmed. It is layer 1 of the Clay Seal stack, with subsequent layers coming in private preview for runtime capability scoping and execution receipts.
Uh oh!
There was an error while loading. Please reload this page.
Notifications You must be signed in to change notification settings
Fork 1
Star 2
BranchesTags
Open more actions menu
Folders and files
NameName
Last commit message
Last commit date
Latest commit
History
63 Commits
63 Commits
.github
.github
backend/tests
backend/tests
clayseal
clayseal
conformance
conformance
deploy
deploy
docs
docs
examples
examples
integrations
integrations
js/clayseal-verify
js/clayseal-verify
migrations
migrations
scripts
scripts
sdk/python/tests
sdk/python/tests
.dockerignore
.dockerignore
.env.example
.env.example
.gitignore
.gitignore
.gitleaksignore
.gitleaksignore
CHANGELOG.md
CHANGELOG.md
CODEOWNERS
CODEOWNERS
CODE_OF_CONDUCT.md
CODE_OF_CONDUCT.md
CONTRIBUTING.md
CONTRIBUTING.md
Dockerfile
Dockerfile
LICENSE
LICENSE
README.md
README.md
SECURITY.md
SECURITY.md
alembic.ini
alembic.ini
pyproject.toml
pyproject.toml
Repository files navigation
Clay Seal Identity gives every agent run its own short-lived, verifiable credential instead of asking agents to borrow a long-lived human or service API key. It is layer 1 of Clay Seal, published as clayseal-identity and imported from clayseal.identity.
Use it when an agent is about to touch real systems and the receiving service needs to know: who is this agent, who started it, when does this credential expire, and is the caller holding the workload key the token was bound to?
This repo is intentionally just the identity layer. The next Clay Seal layers, now in private preview, add runtime capability scoping and receipts for actions that need stronger enforcement than identity alone can provide.
Use this repo when you need to answer:
Which agent is acting?
Which human or service principal delegated that action?
Is the credential short-lived, signed, and bound to the holder key?
Can downstream systems verify the identity offline?
Start Here
Try the zero-config demo from a clone:
git clone https://github.com/clayseal/clayseal-identity.git cd clayseal-identity python -m venv .venv && source .venv/bin/activate pip install -e ".[dev]" python examples/01_quickstart.py python examples/05_inspect_token.py
The examples start a throwaway local identity service, mint a demo credential, validate it, revoke it, and show what the token contains. Nothing touches your real cloud account, database, or agent system.
Install the SDK in your own app:
pip install clayseal-identity
Add the hosted identity service dependencies only if you plan to run the FastAPI issuance/validation service yourself:
pip install "clayseal-identity[server]"
If you want to... Go here
issue and validate your first agent token examples/01_quickstart.py
inspect what a token says examples/05_inspect_token.py
verify a token with only JWKS docs/FEDERATION.md
protect FastAPI, MCP, or LangChain-style tools docs/INTEGRATIONS.md
run the identity service in production docs/DEPLOYMENT.md
What You Get
Implemented today:
SPIFFE JWT-SVID agent credentials (RS256, sub = a per-run SPIFFE ID) for broad federation compatibility, and SPIFFE X.509-SVID certificates for mTLS (identify(..., request_x509=True)), published with a per-tenant trust bundle.
Ed25519 workload keys for sender-constraining (cnf.jkt) and offline proof-of-possession.
SPIFFE-shaped agent identifiers and trust domains.
Proof-of-possession confirmation claims so a stolen bearer token is not enough.
Scoped tenant API keys (issuer, verifier, reader, revoker, admin) so agents and gateways do not need broad standing authority.
Biscuit primitives for native Clay Seal capability facts.
A Python SDK centered on ClaySeal.
An optional FastAPI identity service for centralized issuance and validation.
SQLite-by-default development storage and Postgres-ready production storage.
Alembic migrations, API-key hardening, and optional KMS envelope encryption.
Attestation model. Node attestation verifies platform-signed evidence a workload cannot forge without controlling the node: a Google-signed GCP instance identity token, a Kubernetes projected service-account token (checked via the cluster's TokenReview API), or an AWS EC2 instance identity document (RSA-2048 signature against AWS's regional certificate). The node token's audience binds the workload key being presented, so evidence captured elsewhere can't be replayed to bind a different key. For on-prem and bare-metal there is also a static trust-anchor attestor (operator-registered key). Enable attestors per deployment (see docs/THREAT_MODEL.md and docs/DEPLOYMENT.md).
Layer 1 deliberately does not try to be a complete sandbox. Runtime capability scoping, stateful budget checks, suspicious-sequence detection, and execution receipts live in the sibling layers:
Layer Repository Purpose
L1 this repo Agent identity and credential issuance
L2 Clay Seal Capabilities (private preview) Commit tokens, mandates, leases, budgets
L3 Clay Seal Receipts (private preview) Verifiable execution receipts and audit
This package stands alone: it has no dependency on the other layers, and every runtime dependency resolves from public PyPI.
Known boundaries are tracked in docs/SECURITY_BACKLOG.md. The short version: Identity proves who the agent run is and whether the credential is valid. It is not, by itself, a complete runtime sandbox. For revocation-sensitive operations, use online validation or server-side capability authorization instead of purely offline JWT verification.
Install
The client SDK (clayseal.identity) is intentionally lightweight:
pip install clayseal-identity
To also run the bundled FastAPI identity service, add the server extra (pulls in FastAPI, SQLAlchemy, the Postgres driver, and Alembic); kms adds the AWS KMS provider:
pip install "clayseal-identity[server]" pip install "clayseal-identity[server,kms]"
From source (development)
git clone https://github.com/clayseal/clayseal-identity.git cd clayseal-identity python -m venv .venv && source .venv/bin/activate pip install -e ".[dev]" # client + server + test/lint/type tooling pytest backend/tests sdk/python/tests -q python examples/01_quickstart.py
Or run scripts/bootstrap.sh, which performs the steps above.
Good First Places To Help
If you are looking at Clay Seal as an open-source project, the most useful contributions right now are practical integrations and sharp tests:
Add a small example for a framework you already use.
Add a negative test showing a stolen token, wrong audience, replayed proof, or mis-scoped key being rejected.
Improve the local demo path so a new developer can understand it faster.
Review the threat model and file issues for places where the docs overclaim or underspecify deployment assumptions.
See CONTRIBUTING.md, SECURITY.md, and good first issues.
Quickstart
The fastest path is the zero-config embedded demo. It starts a throwaway local identity service, creates a tenant, identifies an agent, validates the token, and revokes it. The inspector example prints the token's identity fields without trusting it:
python examples/01_quickstart.py python examples/05_inspect_token.py python examples/02_capabilities.py python examples/04_mcp_server.py # lock down an MCP server (needs the [mcp] extra)
Protect an MCP server
Most MCP servers in the wild are reachable by anything that can open a connection. With the [mcp] extra, a FastMCP server accepts only Clay Seal-credentialed agents, and each tool call is authorized against the caller's capability token — attenuation included, so an agent that narrowed itself mid-task is held to the narrowed rights:
from mcp.server.fastmcp import FastMCP from clayseal.identity.integrations.mcp_server import ( ClaySealTokenVerifier, ToolGuard, build_auth_settings, )
mcp = FastMCP("tools", token_verifier=verifier, auth=auth_settings)
@mcp.tool() @guard.require() def search_web(query: str) -> str: ...
Details in docs/INTEGRATIONS.md.
Framework integrations
Native on-ramps for the frameworks agents actually run in — a JavaScript verifier (@clayseal/verify) for Node MCP servers and OpenClaw tool plugins, and an agentskills.io skill for Hermes Agent. See integrations/.
The package is SDK-first: issue tokens, verify them offline, and wire framework checks through clayseal.identity APIs in your application code and tests.
The current SDK flow is service-backed: create or point at a tenant, then call identify. dev_attestation=True is only for localhost demos/tests; production callers pass a platform-issued attestation document.
from clayseal.identity import ClaySeal
tenant = ClaySeal.create_tenant("Acme AI", base_url="http://localhost:8000") auth = ClaySeal( api_key=tenant["api_key"], base_url="http://localhost:8000", dev_attestation=True, # localhost demos/tests only )
session = auth.identify( agent_type="researcher", owner="[email protected]", capabilities=[{"resource": "repo", "action": "read"}], )
claims = session.validate().claims assert claims["sub"].startswith("spiffe://")
Inspect a token
Inspection is for humans and debug screens. It decodes claims without trusting the token. Use verify_offline(...) or session.validate() before enforcement.
from clayseal.identity import inspect_token
inspection = inspect_token(session.token) print("\n".join(inspection.summary_lines()))
Hosted Service
Run the local FastAPI service:
uvicorn clayseal.backend.main:app --reload
Production deployments should run behind TLS, pin issuer and audience, use Postgres, run Alembic migrations before deploy, and store signing material in a KMS or equivalent key-management system.
Privacy and Data Handling
Layer 1 stores and processes identity metadata: agent IDs, trust domains, principals, credential timestamps, public keys, and operational audit metadata. Private keys, persisted agent certificates, admin API keys, and database credentials are secrets.
Read docs/PRIVACY.md before integrating with production user or employee data.
Documentation
Start with:
Developer guide
Identity-only integrations
Security backlog
Deployment checklist
Reference:
Agent identity profile
Federation notes
Threat model
Conformance guide
Identity profiles
Privacy and data handling
Compatibility Note
The public brand is Clay Seal. The package names and import paths intentionally remain clayseal-* / clayseal.* for now so existing integrations keep working.
About
Runtime identity for AI agents. Short-lived attested credentials with capability tokens that agents narrow as tasks change and verify offline.
clayseal.com
Topics
python
security
identity
jwt
iam
authorization
biscuit
ai-agents
zero-trust
spiffe
agent-identity
non-human-identity
capability-tokens
Resources
Readme
License
MIT license
Code of conduct
Code of conduct
Contributing
Contributing
Security policy
Security policy
Uh oh!
There was an error while loading. Please reload this page.
Activity
Custom properties
Stars
2 stars
Watchers
1 watching
Forks
1 fork
Report repository
Releases 2
clayseal-identity 0.6.0
Latest
Jul 10, 2026
+ 1 release
Packages 0
Uh oh!
There was an error while loading. Please reload this page.
Contributors
Uh oh!
There was an error while loading. Please reload this page.
Languages
Python 96.9%
JavaScript 2.6%
Other 0.5%