AgentPass

AgentPass: on-chain identity + spending policy for AI agents. Backed by World ID, ENS & Ledger.

Created At

ETHGlobal Cannes 2026

Project Description

AgentPass is an identity and authorization layer for AI agents. Every agent gets a verified on-chain identity — an ENS subname (e.g. trading-abc123.agentpass.eth) registered on World Chain, cryptographically linked to a human owner via World ID ZK proof.

Beyond identity, AgentPass enforces a programmable spending policy on every agent action. Owners set two parameters: a free threshold (actions below this auto-approve instantly) and a daily cap (hard ceiling — no exceptions). Actions at or above the threshold are held until the owner physically approves them on a Ledger hardware wallet.

This means AI agents can act autonomously within safe limits, and escalate high-value decisions to a human — without the agent being able to bypass or self-authorize. It's a passport, a policy engine, and a kill switch in one. Built for any agent runtime via the zero-dependency @agentpass/sdk.
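The spending policy described above, sketched as an added example; this is not AgentPass's own code or the @agentpass/sdk API. The function names are hypothetical, "daily" is assumed to mean a UTC day, held actions are assumed to reserve against the cap so several pending approvals cannot jointly exceed it, and `ownerApproved` stands in for the result of server-side verification of the owner's Ledger signature.

```javascript
// Added example; createPolicy/submit/settle are hypothetical names, not the @agentpass/sdk API.
// Amounts are BigInt in the token's smallest unit, so comparisons never hit float rounding.
const DAY_MS = 24 * 60 * 60 * 1000;

function createPolicy({ freeThreshold, dailyCap }) {
  if (typeof freeThreshold !== 'bigint' || typeof dailyCap !== 'bigint' ||
      freeThreshold < 0n || dailyCap < 0n) {
    throw new TypeError('freeThreshold and dailyCap must be non-negative BigInt');
  }
  return { freeThreshold, dailyCap, day: -1, spent: 0n, reserved: 0n,
           pending: new Map(), nextId: 1 };
}

// Reset the spent counter when the UTC day changes (assumed meaning of "daily").
function roll(p, nowMs) {
  const day = Math.floor(nowMs / DAY_MS);
  if (day !== p.day) { p.day = day; p.spent = 0n; }
}

// Agent-facing entry point. Invariant kept throughout: spent + reserved <= dailyCap.
// Anything malformed is rejected (fail closed); the agent never supplies its own approval.
function submit(p, amount, nowMs) {
  if (typeof amount !== 'bigint' || amount <= 0n) {
    return { decision: 'reject', reason: 'invalid-amount' };
  }
  roll(p, nowMs);
  if (p.spent + p.reserved + amount > p.dailyCap) {
    return { decision: 'reject', reason: 'daily-cap' };   // hard ceiling, checked first
  }
  if (amount < p.freeThreshold) {                          // strictly below: auto-approve
    p.spent += amount;
    return { decision: 'approve' };
  }
  const id = p.nextId++;                                   // at or above: hold for the owner
  p.pending.set(id, amount);
  p.reserved += amount;
  return { decision: 'hold', id };
}

// Owner-facing entry point. ownerApproved must come from verified signature checking,
// never from the agent. Each held action can be settled exactly once.
function settle(p, id, ownerApproved, nowMs) {
  const amount = p.pending.get(id);
  if (amount === undefined) return { decision: 'reject', reason: 'unknown-or-replayed' };
  p.pending.delete(id);
  p.reserved -= amount;
  roll(p, nowMs);
  if (ownerApproved !== true) return { decision: 'reject', reason: 'owner-denied' };
  p.spent += amount;
  return { decision: 'approve' };
}
```

Checking the cap before the threshold means even an owner-approved action cannot push the day's total past the ceiling, which matches the "no exceptions" wording.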

How it's Made

AgentPass is a pnpm/Turborepo monorepo with three layers:

SMART CONTRACT — AgentRegistry.sol on World Chain (chainId 480). Stores agent-to-owner mappings keyed by World ID nullifier hash. Enforces max 10 agents per human. Deployed with a custom Node.js script using viem's walletClient.deployContract() and solc-js for runtime compilation (no Hardhat/Foundry needed).

WORLD ID — We use the v4 IDKit widget on the frontend for QR-based ZK proof of humanity. The backend generates a signed RP context (signRequest from @worldcoin/idkit-server) and verifies the proof against developer.world.org/api/v4/verify/:rpId. One notable gotcha: the v4 API returns the nullifier as "nullifier" not "nullifier_hash" — this required converting a large decimal string to a padded bytes32 for the contract (pad(toHex(BigInt(nullifierHash)), {size:32}) via viem).

ENS — Each agent gets a subname under agentpass.eth. We run in offchain mode (ENS_OFFCHAIN_MODE=true) backed by a local JSON store, which avoids L1 gas costs entirely while still giving agents a human-readable, typed identity with metadata in text records (owner, type, worldIdHash, version).

LEDGER — The approval flow uses @ledgerhq/device-signer-kit-ethereum (SignerEthBuilder) in the browser via WebHID. When an agent submits a high-value action, it opens a Server-Sent Events stream (SSE) and blocks — the action is held server-side in an in-memory Promise map. The owner's browser connects to the same SSE stream, sees the pending action, and signs it with their Ledger. The signature is verified on the server via viem's recoverMessageAddress before releasing the decision.

The hacky-but-clever bit: HTTPS without a domain. We needed a real TLS cert for World ID (no localhost). We used sslip.io — the hostname 77-42-84-161.sslip.io resolves to the bare IP, so Certbot issued a valid Let's Encrypt certificate for it. No domain purchase needed.

Stack: Hono (API), Next.js 14, viem, World ID v4, ENS.js, Ledger DMK, Solidity, PM2, nginx.
