@auths-dev/sdk¶
Classes¶
ArtifactService¶
Signs artifacts (files or raw bytes) to produce verifiable attestations.
Access via Auths.artifacts.
Example¶
const result = auths.artifacts.sign({
filePath: './release.tar.gz',
identityDid: identity.did,
})
console.log(result.digest) // content hash
Constructors¶
Constructor¶
Parameters¶
client¶
Returns¶
Methods¶
sign()¶
Signs a file at the given path.
Parameters¶
opts¶
Signing options.
Returns¶
The artifact attestation with digest and metadata.
Throws¶
CryptoError if signing fails.
Example¶
const result = auths.artifacts.sign({
filePath: './build/app.wasm',
identityDid: identity.did,
expiresInDays: 365,
})
signBytes()¶
Signs raw bytes (e.g. an in-memory buffer).
Parameters¶
opts¶
Signing options.
Returns¶
The artifact attestation with digest and metadata.
Throws¶
CryptoError if signing fails.
Example¶
const result = auths.artifacts.signBytes({
data: Buffer.from('binary content'),
identityDid: identity.did,
})
AttestationService¶
Queries attestations stored in the local registry.
Access via Auths.attestations.
Example¶
Constructors¶
Constructor¶
Parameters¶
client¶
Returns¶
Methods¶
getLatest()¶
Retrieves the latest attestation for a device.
Parameters¶
deviceDid¶
string
DID of the device.
Returns¶
AttestationInfo | null
The latest attestation, or null if none found.
Throws¶
StorageError if the operation fails.
list()¶
Lists all attestations in the local registry.
Returns¶
Array of attestation records.
Throws¶
StorageError if the operation fails.
listByDevice()¶
Lists attestations for a specific device.
Parameters¶
deviceDid¶
string
DID of the device to filter by.
Returns¶
Array of attestation records for the device.
Throws¶
StorageError if the operation fails.
AuditService¶
Audits Git repositories for commit signature compliance.
Access via Auths.audit.
Example¶
const report = auths.audit.report({ targetRepoPath: '/path/to/repo' })
console.log(report.summary.unsigned_commits)
Constructors¶
Constructor¶
Parameters¶
client¶
Returns¶
Methods¶
isCompliant()¶
Checks whether all commits in a repository are signed.
Parameters¶
opts¶
Compliance check options.
Returns¶
boolean
true if every commit is signed, false otherwise.
Example¶
if (auths.audit.isCompliant({ targetRepoPath: '/path/to/repo' })) {
console.log('All commits signed')
}
report()¶
Generates an audit report for a Git repository's commit signatures.
Parameters¶
opts¶
Audit options.
Returns¶
The audit report with per-commit details and summary statistics.
Throws¶
VerificationError if the audit fails.
Example¶
const report = auths.audit.report({ targetRepoPath: '/path/to/repo' })
console.log(report.summary.total_commits)
Auths¶
Primary entry point for all Auths SDK operations.
Provides access to identity management, device authorization, signing, verification, policy evaluation, organizations, and more through service properties.
Example¶
import { Auths } from '@auths-dev/node'
const auths = new Auths()
// Create an identity
const identity = auths.identities.create({ label: 'laptop' })
// Sign a message
const sig = auths.signAs({
message: Buffer.from('hello world'),
identityDid: identity.did,
})
console.log(sig.signature) // hex-encoded Ed25519 signature
Constructors¶
Constructor¶
Creates a new Auths client.
Parameters¶
config?¶
ClientConfig = {}
Client configuration.
Returns¶
Example¶
// Auto-discover (~/.auths)
const auths = new Auths()
// Explicit configuration
const auths = new Auths({
repoPath: '/path/to/identity-repo',
passphrase: 'my-secret',
})
Properties¶
artifacts¶
Artifact signing.
attestations¶
Attestation queries.
audit¶
Repository audit reports.
commits¶
Git commit signing.
devices¶
Device authorization (link, revoke, extend).
identities¶
Identity management (create, rotate, delegate agents).
orgs¶
Organization management.
pairing¶
Cross-device pairing.
passphrase¶
Passphrase for key operations, if set.
repoPath¶
Path to the Auths Git registry.
signing¶
Message and action signing.
trust¶
Trust store for pinned identities.
witnesses¶
Witness node management.
Methods¶
doctor()¶
Runs diagnostics on the Auths installation and returns a report.
Returns¶
string
A human-readable diagnostics string.
getPublicKey()¶
Convenience method to get an identity's public key.
Parameters¶
opts¶
Lookup options.
Returns¶
string
Hex-encoded Ed25519 public key.
Throws¶
CryptoError if the key cannot be found.
signActionAs()¶
Convenience method to sign an action as an identity.
Parameters¶
opts¶
Action signing options.
Returns¶
The signed action envelope.
Throws¶
CryptoError if signing fails.
signActionAsAgent()¶
Convenience method to sign an action as an agent.
Parameters¶
opts¶
Agent action signing options.
Returns¶
The signed action envelope.
Throws¶
CryptoError if signing fails.
signAs()¶
Convenience method to sign a message as an identity.
Parameters¶
opts¶
Signing options.
Returns¶
The signature and signer DID.
Throws¶
CryptoError if signing fails.
Example¶
signAsAgent()¶
Convenience method to sign a message as an agent.
Parameters¶
opts¶
Agent signing options.
Returns¶
The signature and signer DID.
Throws¶
CryptoError if signing fails.
verify()¶
Verifies a single attestation with optional capability and time constraints.
Parameters¶
opts¶
Verification options.
Returns¶
Promise\<VerificationResult>
The verification result.
Throws¶
VerificationError if verification encounters an error.
Example¶
const result = await auths.verify({
attestationJson: json,
issuerKey: publicKeyHex,
})
console.log(result.valid)
verifyChain()¶
Verifies an attestation chain with optional capability and witness constraints.
Parameters¶
opts¶
Chain verification options.
Returns¶
Promise\<VerificationReport>
The verification report.
Throws¶
VerificationError if verification encounters an error.
AuthsError¶
Base error for all Auths SDK operations.
All errors thrown by the SDK inherit from this class, carrying a machine-readable code and human-readable message.
Example¶
import { Auths, AuthsError } from '@auths-dev/node'
try {
auths.signAs({ message: data, identityDid: did })
} catch (e) {
if (e instanceof AuthsError) {
console.log(e.code, e.message)
}
}
Extends¶
Error
Extended by¶
VerificationErrorCryptoErrorKeychainErrorStorageErrorNetworkErrorIdentityErrorOrgErrorPairingError
Constructors¶
Constructor¶
Parameters¶
message¶
string
code¶
string
Returns¶
Overrides¶
Properties¶
cause?¶
Inherited from¶
code¶
Machine-readable error code (e.g. 'key_not_found', 'invalid_signature').
message¶
Inherited from¶
name¶
Inherited from¶
stack?¶
Inherited from¶
stackTraceLimit¶
The Error.stackTraceLimit property specifies the number of stack frames
collected by a stack trace (whether generated by new Error().stack or
Error.captureStackTrace(obj)).
The default value is 10 but may be set to any valid JavaScript number. Changes
will affect any stack trace captured after the value has been changed.
If set to a non-number value, or set to a negative number, stack traces will not capture any frames.
Inherited from¶
Methods¶
captureStackTrace()¶
Creates a .stack property on targetObject, which when accessed returns
a string representing the location in the code at which
Error.captureStackTrace() was called.
const myObject = {};
Error.captureStackTrace(myObject);
myObject.stack; // Similar to `new Error().stack`
The first line of the trace will be prefixed with
${myObject.name}: ${myObject.message}.
The optional constructorOpt argument accepts a function. If given, all frames
above constructorOpt, including constructorOpt, will be omitted from the
generated stack trace.
The constructorOpt argument is useful for hiding implementation
details of error generation from the user. For instance:
function a() {
b();
}
function b() {
c();
}
function c() {
// Create an error without stack trace to avoid calculating the stack trace twice.
const { stackTraceLimit } = Error;
Error.stackTraceLimit = 0;
const error = new Error();
Error.stackTraceLimit = stackTraceLimit;
// Capture the stack trace above function b
Error.captureStackTrace(error, b); // Neither function c, nor b is included in the stack trace
throw error;
}
a();
Parameters¶
targetObject¶
object
constructorOpt?¶
Function
Returns¶
void
Inherited from¶
prepareStackTrace()¶
Parameters¶
err¶
Error
stackTraces¶
CallSite[]
Returns¶
any
See¶
https://v8.dev/docs/stack-trace-api#customizing-stack-traces
Inherited from¶
CommitService¶
Signs Git commits using Auths identities.
Access via Auths.commits.
Example¶
const result = auths.commits.sign({
data: commitBuffer,
identityDid: identity.did,
})
console.log(result.signaturePem) // PEM-encoded signature
Constructors¶
Constructor¶
Parameters¶
client¶
Returns¶
Methods¶
sign()¶
Signs raw Git commit data, producing a PEM-encoded signature.
Parameters¶
opts¶
Signing options.
Returns¶
The commit signature with method and namespace metadata.
Throws¶
CryptoError if the key is missing or signing fails.
Example¶
CryptoError¶
Raised when a cryptographic operation fails.
Common codes: 'invalid_key', 'key_not_found', 'signing_failed'.
Example¶
import { Auths, CryptoError } from '@auths-dev/node'
try {
auths.signAs({ message: data, identityDid: did })
} catch (e) {
if (e instanceof CryptoError && e.code === 'key_not_found') {
console.log('Identity key not in keychain')
}
}
Extends¶
Constructors¶
Constructor¶
Parameters¶
message¶
string
code¶
string
Returns¶
Overrides¶
Properties¶
cause?¶
Inherited from¶
code¶
Machine-readable error code (e.g. 'key_not_found', 'invalid_signature').
Inherited from¶
message¶
Inherited from¶
name¶
Inherited from¶
stack?¶
Inherited from¶
stackTraceLimit¶
The Error.stackTraceLimit property specifies the number of stack frames
collected by a stack trace (whether generated by new Error().stack or
Error.captureStackTrace(obj)).
The default value is 10 but may be set to any valid JavaScript number. Changes
will affect any stack trace captured after the value has been changed.
If set to a non-number value, or set to a negative number, stack traces will not capture any frames.
Inherited from¶
Methods¶
captureStackTrace()¶
Creates a .stack property on targetObject, which when accessed returns
a string representing the location in the code at which
Error.captureStackTrace() was called.
const myObject = {};
Error.captureStackTrace(myObject);
myObject.stack; // Similar to `new Error().stack`
The first line of the trace will be prefixed with
${myObject.name}: ${myObject.message}.
The optional constructorOpt argument accepts a function. If given, all frames
above constructorOpt, including constructorOpt, will be omitted from the
generated stack trace.
The constructorOpt argument is useful for hiding implementation
details of error generation from the user. For instance:
function a() {
b();
}
function b() {
c();
}
function c() {
// Create an error without stack trace to avoid calculating the stack trace twice.
const { stackTraceLimit } = Error;
Error.stackTraceLimit = 0;
const error = new Error();
Error.stackTraceLimit = stackTraceLimit;
// Capture the stack trace above function b
Error.captureStackTrace(error, b); // Neither function c, nor b is included in the stack trace
throw error;
}
a();
Parameters¶
targetObject¶
object
constructorOpt?¶
Function
Returns¶
void
Inherited from¶
prepareStackTrace()¶
Parameters¶
err¶
Error
stackTraces¶
CallSite[]
Returns¶
any
See¶
https://v8.dev/docs/stack-trace-api#customizing-stack-traces
Inherited from¶
DeviceService¶
Manages device authorization lifecycle: link, revoke, and extend.
Access via Auths.devices.
Example¶
const device = auths.devices.link({
identityDid: identity.did,
capabilities: ['sign'],
expiresInDays: 90,
})
Constructors¶
Constructor¶
Parameters¶
client¶
Returns¶
Methods¶
extend()¶
Extends a device's authorization period.
Parameters¶
opts¶
Extension options.
Returns¶
The extension result with new and previous expiration times.
Throws¶
IdentityError if extension fails.
Example¶
const ext = auths.devices.extend({
deviceDid: device.did,
identityDid: identity.did,
days: 60,
})
console.log(ext.newExpiresAt) // RFC 3339 timestamp
link()¶
Links a new device to an identity with scoped capabilities.
Parameters¶
opts¶
Link options.
Returns¶
The linked device with its DID and attestation ID.
Throws¶
IdentityError if linking fails.
Example¶
const device = auths.devices.link({
identityDid: identity.did,
capabilities: ['sign'],
expiresInDays: 90,
})
console.log(device.did) // did:key:z...
revoke()¶
Revokes a device's authorization under an identity.
Parameters¶
opts¶
Revocation options.
Returns¶
void
Throws¶
IdentityError if revocation fails.
Example¶
IdentityError¶
Raised when an identity or device operation fails.
Common codes: 'identity_not_found', 'unknown'.
Example¶
import { Auths, IdentityError } from '@auths-dev/node'
try {
auths.devices.link({ identityDid: did, capabilities: ['sign'] })
} catch (e) {
if (e instanceof IdentityError) {
console.log('Identity error:', e.code)
}
}
Extends¶
Constructors¶
Constructor¶
Parameters¶
message¶
string
code¶
string
Returns¶
Overrides¶
Properties¶
cause?¶
Inherited from¶
code¶
Machine-readable error code (e.g. 'key_not_found', 'invalid_signature').
Inherited from¶
message¶
Inherited from¶
name¶
Inherited from¶
stack?¶
Inherited from¶
stackTraceLimit¶
The Error.stackTraceLimit property specifies the number of stack frames
collected by a stack trace (whether generated by new Error().stack or
Error.captureStackTrace(obj)).
The default value is 10 but may be set to any valid JavaScript number. Changes
will affect any stack trace captured after the value has been changed.
If set to a non-number value, or set to a negative number, stack traces will not capture any frames.
Inherited from¶
Methods¶
captureStackTrace()¶
Creates a .stack property on targetObject, which when accessed returns
a string representing the location in the code at which
Error.captureStackTrace() was called.
const myObject = {};
Error.captureStackTrace(myObject);
myObject.stack; // Similar to `new Error().stack`
The first line of the trace will be prefixed with
${myObject.name}: ${myObject.message}.
The optional constructorOpt argument accepts a function. If given, all frames
above constructorOpt, including constructorOpt, will be omitted from the
generated stack trace.
The constructorOpt argument is useful for hiding implementation
details of error generation from the user. For instance:
function a() {
b();
}
function b() {
c();
}
function c() {
// Create an error without stack trace to avoid calculating the stack trace twice.
const { stackTraceLimit } = Error;
Error.stackTraceLimit = 0;
const error = new Error();
Error.stackTraceLimit = stackTraceLimit;
// Capture the stack trace above function b
Error.captureStackTrace(error, b); // Neither function c, nor b is included in the stack trace
throw error;
}
a();
Parameters¶
targetObject¶
object
constructorOpt?¶
Function
Returns¶
void
Inherited from¶
prepareStackTrace()¶
Parameters¶
err¶
Error
stackTraces¶
CallSite[]
Returns¶
any
See¶
https://v8.dev/docs/stack-trace-api#customizing-stack-traces
Inherited from¶
IdentityService¶
Manages cryptographic identities, agents, and key rotation.
Access via Auths.identities.
Example¶
const auths = new Auths()
const identity = auths.identities.create({ label: 'laptop' })
console.log(identity.did) // did:keri:EBfd...
Constructors¶
Constructor¶
Parameters¶
client¶
Returns¶
Methods¶
create()¶
Creates a new cryptographic identity backed by an Ed25519 keypair.
Parameters¶
opts?¶
Creation options.
Returns¶
The newly created identity.
Throws¶
IdentityError if the identity cannot be created.
Example¶
const identity = auths.identities.create({ label: 'laptop' })
console.log(identity.did) // did:keri:EBfd...
console.log(identity.publicKey) // hex-encoded Ed25519 key
createAgent()¶
Creates a standalone agent identity with a self-signed attestation.
Parameters¶
opts¶
Agent creation options.
Returns¶
The agent identity with its attestation.
Throws¶
IdentityError if the agent cannot be created.
Example¶
const agent = auths.identities.createAgent({
name: 'ci-bot',
capabilities: ['sign'],
})
console.log(agent.did) // did:keri:...
delegateAgent()¶
Delegates an agent under an existing identity with scoped capabilities.
Parameters¶
opts¶
Delegation options.
Returns¶
The delegated agent with its signed attestation.
Throws¶
IdentityError if delegation fails.
Example¶
const agent = auths.identities.delegateAgent({
identityDid: identity.did,
name: 'deploy-bot',
capabilities: ['sign'],
expiresInDays: 90,
})
getPublicKey()¶
Retrieves the hex-encoded Ed25519 public key for an identity.
Parameters¶
opts¶
Lookup options.
Returns¶
string
Hex-encoded public key string (64 characters).
Throws¶
CryptoError if the key cannot be found.
Example¶
const pk = auths.identities.getPublicKey({ identityDid: identity.did })
console.log(pk.length) // 64
rotate()¶
Rotates the signing keys for an identity, advancing the KERI event log.
Parameters¶
opts?¶
RotateKeysOptions = {}
Rotation options.
Returns¶
The rotation result with old and new key fingerprints.
Throws¶
IdentityError if rotation fails.
Example¶
const result = auths.identities.rotate({ identityDid: identity.did })
console.log(result.sequence) // incremented sequence number
KeychainError¶
Raised when the platform keychain is inaccessible or locked.
Common codes: 'keychain_locked'.
Example¶
import { Auths, KeychainError } from '@auths-dev/node'
try {
auths.identities.create({ label: 'main' })
} catch (e) {
if (e instanceof KeychainError) {
console.log('Unlock your keychain or set AUTHS_KEYCHAIN_BACKEND=file')
}
}
Extends¶
Constructors¶
Constructor¶
Parameters¶
message¶
string
code¶
string
Returns¶
Overrides¶
Properties¶
cause?¶
Inherited from¶
code¶
Machine-readable error code (e.g. 'key_not_found', 'invalid_signature').
Inherited from¶
message¶
Inherited from¶
name¶
Inherited from¶
stack?¶
Inherited from¶
stackTraceLimit¶
The Error.stackTraceLimit property specifies the number of stack frames
collected by a stack trace (whether generated by new Error().stack or
Error.captureStackTrace(obj)).
The default value is 10 but may be set to any valid JavaScript number. Changes
will affect any stack trace captured after the value has been changed.
If set to a non-number value, or set to a negative number, stack traces will not capture any frames.
Inherited from¶
Methods¶
captureStackTrace()¶
Creates a .stack property on targetObject, which when accessed returns
a string representing the location in the code at which
Error.captureStackTrace() was called.
const myObject = {};
Error.captureStackTrace(myObject);
myObject.stack; // Similar to `new Error().stack`
The first line of the trace will be prefixed with
${myObject.name}: ${myObject.message}.
The optional constructorOpt argument accepts a function. If given, all frames
above constructorOpt, including constructorOpt, will be omitted from the
generated stack trace.
The constructorOpt argument is useful for hiding implementation
details of error generation from the user. For instance:
function a() {
b();
}
function b() {
c();
}
function c() {
// Create an error without stack trace to avoid calculating the stack trace twice.
const { stackTraceLimit } = Error;
Error.stackTraceLimit = 0;
const error = new Error();
Error.stackTraceLimit = stackTraceLimit;
// Capture the stack trace above function b
Error.captureStackTrace(error, b); // Neither function c, nor b is included in the stack trace
throw error;
}
a();
Parameters¶
targetObject¶
object
constructorOpt?¶
Function
Returns¶
void
Inherited from¶
prepareStackTrace()¶
Parameters¶
err¶
Error
stackTraces¶
CallSite[]
Returns¶
any
See¶
https://v8.dev/docs/stack-trace-api#customizing-stack-traces
Inherited from¶
NetworkError¶
Raised when a network operation fails (e.g. witness communication).
Common codes: 'server_error'.
Example¶
import { NetworkError } from '@auths-dev/node'
try {
// network operation
} catch (e) {
if (e instanceof NetworkError && e.shouldRetry) {
// safe to retry
}
}
Extends¶
Constructors¶
Constructor¶
Parameters¶
message¶
string
code¶
string
shouldRetry?¶
boolean = true
Returns¶
Overrides¶
Properties¶
cause?¶
Inherited from¶
code¶
Machine-readable error code (e.g. 'key_not_found', 'invalid_signature').
Inherited from¶
message¶
Inherited from¶
name¶
Inherited from¶
shouldRetry¶
Whether the operation is safe to retry. Defaults to true.
stack?¶
Inherited from¶
stackTraceLimit¶
The Error.stackTraceLimit property specifies the number of stack frames
collected by a stack trace (whether generated by new Error().stack or
Error.captureStackTrace(obj)).
The default value is 10 but may be set to any valid JavaScript number. Changes
will affect any stack trace captured after the value has been changed.
If set to a non-number value, or set to a negative number, stack traces will not capture any frames.
Inherited from¶
Methods¶
captureStackTrace()¶
Creates a .stack property on targetObject, which when accessed returns
a string representing the location in the code at which
Error.captureStackTrace() was called.
const myObject = {};
Error.captureStackTrace(myObject);
myObject.stack; // Similar to `new Error().stack`
The first line of the trace will be prefixed with
${myObject.name}: ${myObject.message}.
The optional constructorOpt argument accepts a function. If given, all frames
above constructorOpt, including constructorOpt, will be omitted from the
generated stack trace.
The constructorOpt argument is useful for hiding implementation
details of error generation from the user. For instance:
function a() {
b();
}
function b() {
c();
}
function c() {
// Create an error without stack trace to avoid calculating the stack trace twice.
const { stackTraceLimit } = Error;
Error.stackTraceLimit = 0;
const error = new Error();
Error.stackTraceLimit = stackTraceLimit;
// Capture the stack trace above function b
Error.captureStackTrace(error, b); // Neither function c, nor b is included in the stack trace
throw error;
}
a();
Parameters¶
targetObject¶
object
constructorOpt?¶
Function
Returns¶
void
Inherited from¶
prepareStackTrace()¶
Parameters¶
err¶
Error
stackTraces¶
CallSite[]
Returns¶
any
See¶
https://v8.dev/docs/stack-trace-api#customizing-stack-traces
Inherited from¶
OrgError¶
Raised when an organization operation fails.
Common codes: 'org_error'.
Example¶
import { Auths, OrgError } from '@auths-dev/node'
try {
auths.orgs.addMember({ orgDid, memberDid, role: 'member' })
} catch (e) {
if (e instanceof OrgError) {
console.log('Org error:', e.message)
}
}
Extends¶
Constructors¶
Constructor¶
Parameters¶
message¶
string
code¶
string
Returns¶
Overrides¶
Properties¶
cause?¶
Inherited from¶
code¶
Machine-readable error code (e.g. 'key_not_found', 'invalid_signature').
Inherited from¶
message¶
Inherited from¶
name¶
Inherited from¶
stack?¶
Inherited from¶
stackTraceLimit¶
The Error.stackTraceLimit property specifies the number of stack frames
collected by a stack trace (whether generated by new Error().stack or
Error.captureStackTrace(obj)).
The default value is 10 but may be set to any valid JavaScript number. Changes
will affect any stack trace captured after the value has been changed.
If set to a non-number value, or set to a negative number, stack traces will not capture any frames.
Inherited from¶
Methods¶
captureStackTrace()¶
Creates a .stack property on targetObject, which when accessed returns
a string representing the location in the code at which
Error.captureStackTrace() was called.
const myObject = {};
Error.captureStackTrace(myObject);
myObject.stack; // Similar to `new Error().stack`
The first line of the trace will be prefixed with
${myObject.name}: ${myObject.message}.
The optional constructorOpt argument accepts a function. If given, all frames
above constructorOpt, including constructorOpt, will be omitted from the
generated stack trace.
The constructorOpt argument is useful for hiding implementation
details of error generation from the user. For instance:
function a() {
b();
}
function b() {
c();
}
function c() {
// Create an error without stack trace to avoid calculating the stack trace twice.
const { stackTraceLimit } = Error;
Error.stackTraceLimit = 0;
const error = new Error();
Error.stackTraceLimit = stackTraceLimit;
// Capture the stack trace above function b
Error.captureStackTrace(error, b); // Neither function c, nor b is included in the stack trace
throw error;
}
a();
Parameters¶
targetObject¶
object
constructorOpt?¶
Function
Returns¶
void
Inherited from¶
prepareStackTrace()¶
Parameters¶
err¶
Error
stackTraces¶
CallSite[]
Returns¶
any
See¶
https://v8.dev/docs/stack-trace-api#customizing-stack-traces
Inherited from¶
OrgService¶
Manages organizations and their membership.
Access via Auths.orgs.
Example¶
const org = auths.orgs.create({ label: 'my-team' })
auths.orgs.addMember({
orgDid: org.orgDid,
memberDid: dev.did,
role: 'member',
memberPublicKeyHex: dev.publicKey,
})
Constructors¶
Constructor¶
Parameters¶
client¶
Returns¶
Methods¶
addMember()¶
Adds a member to an organization.
Parameters¶
opts¶
Member options.
Returns¶
The new member record.
Throws¶
OrgError if the operation fails.
Example¶
const member = auths.orgs.addMember({
orgDid: org.orgDid,
memberDid: dev.did,
role: 'member',
memberPublicKeyHex: dev.publicKey,
})
create()¶
Creates a new organization.
Parameters¶
opts¶
Organization options.
Returns¶
The created organization.
Throws¶
OrgError if creation fails.
Example¶
listMembers()¶
Lists members of an organization.
Parameters¶
opts¶
List options.
Returns¶
Array of member records.
Throws¶
OrgError if the operation fails.
Example¶
revokeMember()¶
Revokes a member's access to an organization.
Parameters¶
opts¶
Revocation options.
Returns¶
The updated member record with revoked: true.
Throws¶
OrgError if the operation fails.
PairingError¶
Raised when a device pairing operation fails or times out.
Common codes: 'pairing_error', 'timeout'.
Example¶
import { PairingError } from '@auths-dev/node'
try {
await auths.pairing.createSession({ bindAddress: '127.0.0.1' })
} catch (e) {
if (e instanceof PairingError && e.shouldRetry) {
// safe to retry
}
}
Extends¶
Constructors¶
Constructor¶
Parameters¶
message¶
string
code¶
string
shouldRetry?¶
boolean = true
Returns¶
Overrides¶
Properties¶
cause?¶
Inherited from¶
code¶
Machine-readable error code (e.g. 'key_not_found', 'invalid_signature').
Inherited from¶
message¶
Inherited from¶
name¶
Inherited from¶
shouldRetry¶
Whether the operation is safe to retry. Defaults to true.
stack?¶
Inherited from¶
stackTraceLimit¶
The Error.stackTraceLimit property specifies the number of stack frames
collected by a stack trace (whether generated by new Error().stack or
Error.captureStackTrace(obj)).
The default value is 10 but may be set to any valid JavaScript number. Changes
will affect any stack trace captured after the value has been changed.
If set to a non-number value, or set to a negative number, stack traces will not capture any frames.
Inherited from¶
Methods¶
captureStackTrace()¶
Creates a .stack property on targetObject, which when accessed returns
a string representing the location in the code at which
Error.captureStackTrace() was called.
const myObject = {};
Error.captureStackTrace(myObject);
myObject.stack; // Similar to `new Error().stack`
The first line of the trace will be prefixed with
${myObject.name}: ${myObject.message}.
The optional constructorOpt argument accepts a function. If given, all frames
above constructorOpt, including constructorOpt, will be omitted from the
generated stack trace.
The constructorOpt argument is useful for hiding implementation
details of error generation from the user. For instance:
function a() {
b();
}
function b() {
c();
}
function c() {
// Create an error without stack trace to avoid calculating the stack trace twice.
const { stackTraceLimit } = Error;
Error.stackTraceLimit = 0;
const error = new Error();
Error.stackTraceLimit = stackTraceLimit;
// Capture the stack trace above function b
Error.captureStackTrace(error, b); // Neither function c, nor b is included in the stack trace
throw error;
}
a();
Parameters¶
targetObject¶
object
constructorOpt?¶
Function
Returns¶
void
Inherited from¶
prepareStackTrace()¶
Parameters¶
err¶
Error
stackTraces¶
CallSite[]
Returns¶
any
See¶
https://v8.dev/docs/stack-trace-api#customizing-stack-traces
Inherited from¶
PairingService¶
Handles device pairing for cross-device identity authorization.
The pairing flow: controller creates a session, device joins with the short code, controller completes pairing to authorize the device.
Access via Auths.pairing.
Example¶
const session = await auths.pairing.createSession({
bindAddress: '127.0.0.1',
capabilities: ['sign:commit'],
})
console.log(session.shortCode) // e.g. 'A3F7K2'
// On the device side:
const response = await auths.pairing.join({
shortCode: 'A3F7K2',
endpoint: session.endpoint,
token: session.token,
})
Constructors¶
Constructor¶
Parameters¶
client¶
Returns¶
Methods¶
[asyncDispose]()¶
Returns¶
Promise\<void>
[dispose]()¶
Returns¶
void
complete()¶
Completes pairing by authorizing the connected device.
Parameters¶
opts¶
Completion options with device identity and capabilities.
Returns¶
Promise\<PairingResult>
The pairing result with the device's authorization attestation.
Throws¶
PairingError if no session is active or completion fails.
createSession()¶
Creates a pairing session and starts listening for device connections.
Parameters¶
opts?¶
Session options.
Returns¶
Promise\<PairingSession>
The active pairing session with its short code and endpoint.
Throws¶
PairingError if session creation fails.
Example¶
const session = await auths.pairing.createSession({
bindAddress: '127.0.0.1',
enableMdns: false,
})
console.log(session.shortCode) // 6-char code
join()¶
Joins an existing pairing session from the device side.
Parameters¶
opts¶
Join options with short code and endpoint from the controller.
Returns¶
Promise\<PairingResponse>
The pairing response with device identity information.
Throws¶
PairingError if joining fails.
Example¶
const response = await auths.pairing.join({
shortCode: 'A3F7K2',
endpoint: 'http://127.0.0.1:8080',
token: sessionToken,
})
stop()¶
Stops the active pairing session. Idempotent — safe to call multiple times.
Returns¶
Promise\<void>
Throws¶
PairingError if stopping the session fails.
waitForResponse()¶
Waits for a device to connect to the active pairing session.
Parameters¶
opts?¶
Wait options.
Returns¶
Promise\<PairingResponse>
The connecting device's information.
Throws¶
PairingError if no session is active or timeout is reached.
PolicyBuilder¶
Fluent builder for composing authorization policies.
Policies are built by chaining predicates, then compiled and evaluated against an attestation context to produce an allow/deny decision.
Example¶
import { PolicyBuilder } from '@auths-dev/node'
// Quick standard policy
const policy = PolicyBuilder.standard('sign_commit')
const decision = policy.evaluate({
issuer: 'did:keri:EOrg',
subject: 'did:key:zDevice',
capabilities: ['sign_commit'],
})
console.log(decision.allowed) // true
// Complex composed policy
const ciPolicy = new PolicyBuilder()
.notRevoked()
.notExpired()
.requireCapability('sign')
.requireAgent()
.requireRepo('org/repo')
.build()
Constructors¶
Constructor¶
Returns¶
Methods¶
attrEquals()¶
Requires an attestation attribute to equal a specific value.
Parameters¶
key¶
string
Attribute key.
value¶
string
Required attribute value.
Returns¶
attrIn()¶
Requires an attestation attribute to be one of the given values.
Parameters¶
key¶
string
Attribute key.
values¶
string[]
Acceptable attribute values.
Returns¶
build()¶
Compiles the policy for evaluation using the native policy engine.
Returns¶
string
Compiled policy JSON string.
Throws¶
AuthsError if compilation fails.
Throws¶
Error if the policy has no predicates.
evaluate()¶
Builds and evaluates the policy against a context in one step.
Parameters¶
context¶
The evaluation context.
Returns¶
The policy decision.
Throws¶
AuthsError if compilation or evaluation fails.
Example¶
const decision = PolicyBuilder.standard('sign').evaluate({
issuer: 'did:keri:EOrg',
subject: 'did:key:zDevice',
capabilities: ['sign'],
})
console.log(decision.allowed) // true
expiresAfter()¶
Requires the attestation to expire after the given number of seconds from now.
Parameters¶
seconds¶
number
Minimum remaining lifetime in seconds.
Returns¶
issuedWithin()¶
Requires the attestation to have been issued within the given time window.
Parameters¶
seconds¶
number
Maximum age in seconds.
Returns¶
maxChainDepth()¶
Limits the maximum attestation chain depth.
Parameters¶
depth¶
number
Maximum allowed chain depth.
Returns¶
negate()¶
Negates this policy — passes when the original would deny, and vice versa.
Returns¶
A new negated builder.
notExpired()¶
Requires the attestation to not be expired.
Returns¶
notRevoked()¶
Requires the attestation to not be revoked.
Returns¶
orPolicy()¶
Combines this policy with another using OR logic.
Parameters¶
other¶
The other policy builder.
Returns¶
A new builder that passes if either policy passes.
pathAllowed()¶
Restricts allowed file paths.
Parameters¶
patterns¶
string[]
Glob patterns for allowed paths.
Returns¶
refMatches()¶
Requires the Git ref to match a pattern.
Parameters¶
pattern¶
string
Ref pattern (e.g. 'refs/heads/main').
Returns¶
requireAgent()¶
Requires the signer to be an agent.
Returns¶
requireAllCapabilities()¶
Requires the subject to hold all of the given capabilities.
Parameters¶
caps¶
string[]
Array of required capability strings.
Returns¶
requireAnyCapability()¶
Requires the subject to hold at least one of the given capabilities.
Parameters¶
caps¶
string[]
Array of acceptable capability strings.
Returns¶
requireCapability()¶
Requires the subject to hold a specific capability.
Parameters¶
cap¶
string
Capability string (e.g. 'sign', 'sign_commit').
Returns¶
requireDelegatedBy()¶
Requires the attestation to have been delegated by a specific identity.
Parameters¶
did¶
string
DID of the required delegator.
Returns¶
requireEnv()¶
Requires a specific deployment environment.
Parameters¶
env¶
string
Environment name (e.g. 'production').
Returns¶
requireEnvIn()¶
Requires one of the given deployment environments.
Parameters¶
envs¶
string[]
Acceptable environment names.
Returns¶
requireHuman()¶
Requires the signer to be a human.
Returns¶
requireIssuer()¶
Requires the issuer to match a specific DID.
Parameters¶
did¶
string
Required issuer DID.
Returns¶
requireIssuerIn()¶
Requires the issuer to be one of the given DIDs.
Parameters¶
dids¶
string[]
Acceptable issuer DIDs.
Returns¶
requireRepo()¶
Requires the operation to target a specific repository.
Parameters¶
repo¶
string
Repository identifier (e.g. 'org/repo').
Returns¶
requireRepoIn()¶
Requires the operation to target one of the given repositories.
Parameters¶
repos¶
string[]
Acceptable repository identifiers.
Returns¶
requireSubject()¶
Requires the subject to match a specific DID.
Parameters¶
did¶
string
Required subject DID.
Returns¶
requireWorkload()¶
Requires the signer to be a workload identity.
Returns¶
toJson()¶
Serializes the policy to JSON without compiling.
Returns¶
string
JSON string representation of the policy expression.
Throws¶
Error if the policy has no predicates.
workloadClaimEquals()¶
Requires a workload attestation claim to equal a specific value.
Parameters¶
key¶
string
Claim key.
value¶
string
Required claim value.
Returns¶
workloadIssuerIs()¶
Requires the workload attestation issuer to match a specific DID.
Parameters¶
did¶
string
Required workload issuer DID.
Returns¶
anyOf()¶
Creates a policy that passes if any of the given policies pass.
Parameters¶
builders¶
...PolicyBuilder[]
Policies to OR together.
Returns¶
A new builder combining the policies.
standard()¶
Creates a standard policy requiring not-revoked, not-expired, and a capability.
Parameters¶
capability¶
string
Required capability string.
Returns¶
A new builder with the standard predicates.
Example¶
SigningService¶
Signs messages and actions using identity or agent keys.
Access via Auths.signing.
Example¶
const result = auths.signing.signAsIdentity({
message: Buffer.from('hello world'),
identityDid: identity.did,
})
console.log(result.signature) // hex-encoded Ed25519 signature
Constructors¶
Constructor¶
Parameters¶
client¶
Returns¶
Methods¶
signActionAsAgent()¶
Signs a structured action as an agent.
Parameters¶
opts¶
Agent action signing options.
Returns¶
The signed action envelope.
Throws¶
CryptoError if signing fails.
Example¶
const envelope = auths.signing.signActionAsAgent({
actionType: 'tool_call',
payloadJson: '{"tool":"execute"}',
keyAlias: agent.keyAlias,
agentDid: agent.did,
})
signActionAsIdentity()¶
Signs a structured action as an identity, producing a verifiable envelope.
Parameters¶
opts¶
Action signing options.
Returns¶
The signed action envelope.
Throws¶
CryptoError if signing fails.
Example¶
const envelope = auths.signing.signActionAsIdentity({
actionType: 'tool_call',
payloadJson: '{"tool":"read_file"}',
identityDid: identity.did,
})
signAsAgent()¶
Signs a message as an agent using its keychain alias.
Parameters¶
opts¶
Agent signing options.
Returns¶
The signature and signer DID.
Throws¶
CryptoError if the key is missing or signing fails.
Example¶
const result = auths.signing.signAsAgent({
message: Buffer.from('payload'),
keyAlias: agent.keyAlias,
})
signAsIdentity()¶
Signs a message as an identity.
Parameters¶
opts¶
Signing options.
Returns¶
The signature and signer DID.
Throws¶
CryptoError if the key is missing or signing fails.
Example¶
const result = auths.signing.signAsIdentity({
message: Buffer.from('hello'),
identityDid: identity.did,
})
StorageError¶
Raised when a storage or registry operation fails.
Common codes: 'repo_not_found', 'trust_error', 'witness_error'.
Example¶
import { Auths, StorageError } from '@auths-dev/node'
try {
auths.trust.pin({ did: 'did:keri:ENOTREAL' })
} catch (e) {
if (e instanceof StorageError) {
console.log('Storage error:', e.message)
}
}
Extends¶
Constructors¶
Constructor¶
Parameters¶
message¶
string
code¶
string
Returns¶
Overrides¶
Properties¶
cause?¶
Inherited from¶
code¶
Machine-readable error code (e.g. 'key_not_found', 'invalid_signature').
Inherited from¶
message¶
Inherited from¶
name¶
Inherited from¶
stack?¶
Inherited from¶
stackTraceLimit¶
The Error.stackTraceLimit property specifies the number of stack frames
collected by a stack trace (whether generated by new Error().stack or
Error.captureStackTrace(obj)).
The default value is 10 but may be set to any valid JavaScript number. Changes
will affect any stack trace captured after the value has been changed.
If set to a non-number value, or set to a negative number, stack traces will not capture any frames.
Inherited from¶
Methods¶
captureStackTrace()¶
Creates a .stack property on targetObject, which when accessed returns
a string representing the location in the code at which
Error.captureStackTrace() was called.
const myObject = {};
Error.captureStackTrace(myObject);
myObject.stack; // Similar to `new Error().stack`
The first line of the trace will be prefixed with
${myObject.name}: ${myObject.message}.
The optional constructorOpt argument accepts a function. If given, all frames
above constructorOpt, including constructorOpt, will be omitted from the
generated stack trace.
The constructorOpt argument is useful for hiding implementation
details of error generation from the user. For instance:
function a() {
b();
}
function b() {
c();
}
function c() {
// Create an error without stack trace to avoid calculating the stack trace twice.
const { stackTraceLimit } = Error;
Error.stackTraceLimit = 0;
const error = new Error();
Error.stackTraceLimit = stackTraceLimit;
// Capture the stack trace above function b
Error.captureStackTrace(error, b); // Neither function c, nor b is included in the stack trace
throw error;
}
a();
Parameters¶
targetObject¶
object
constructorOpt?¶
Function
Returns¶
void
Inherited from¶
prepareStackTrace()¶
Parameters¶
err¶
Error
stackTraces¶
CallSite[]
Returns¶
any
See¶
https://v8.dev/docs/stack-trace-api#customizing-stack-traces
Inherited from¶
TrustService¶
Manages the local trust store for pinning and querying trusted identities.
Access via Auths.trust.
Example¶
Constructors¶
Constructor¶
Parameters¶
client¶
Returns¶
Methods¶
get()¶
Looks up a specific pinned identity by DID.
Parameters¶
did¶
string
DID to look up.
Returns¶
PinnedIdentity | null
The pinned identity entry, or null if not found.
Throws¶
StorageError if the operation fails.
Example¶
list()¶
Lists all pinned identities in the local trust store.
Returns¶
Array of pinned identity entries.
Throws¶
StorageError if the operation fails.
pin()¶
Pins an identity as trusted in the local store.
Parameters¶
opts¶
Pin options.
Returns¶
The pinned identity entry.
Throws¶
StorageError if the pin operation fails.
Example¶
const entry = auths.trust.pin({ did: identity.did, label: 'my-peer' })
console.log(entry.trustLevel) // 'tofu'
remove()¶
Removes a pinned identity from the local trust store.
Parameters¶
did¶
string
DID of the identity to unpin.
Returns¶
void
Throws¶
StorageError if the operation fails.
VerificationError¶
Raised when attestation or chain verification fails.
Common codes: 'invalid_signature', 'expired_attestation',
'revoked_device', 'missing_capability'.
Example¶
import { verifyAttestation, VerificationError } from '@auths-dev/node'
try {
await verifyAttestation(json, publicKey)
} catch (e) {
if (e instanceof VerificationError) {
console.log('Verification failed:', e.code)
}
}
Extends¶
Constructors¶
Constructor¶
Parameters¶
message¶
string
code¶
string
Returns¶
Overrides¶
Properties¶
cause?¶
Inherited from¶
code¶
Machine-readable error code (e.g. 'key_not_found', 'invalid_signature').
Inherited from¶
message¶
Inherited from¶
name¶
Inherited from¶
stack?¶
Inherited from¶
stackTraceLimit¶
The Error.stackTraceLimit property specifies the number of stack frames
collected by a stack trace (whether generated by new Error().stack or
Error.captureStackTrace(obj)).
The default value is 10 but may be set to any valid JavaScript number. Changes
will affect any stack trace captured after the value has been changed.
If set to a non-number value, or set to a negative number, stack traces will not capture any frames.
Inherited from¶
Methods¶
captureStackTrace()¶
Creates a .stack property on targetObject, which when accessed returns
a string representing the location in the code at which
Error.captureStackTrace() was called.
const myObject = {};
Error.captureStackTrace(myObject);
myObject.stack; // Similar to `new Error().stack`
The first line of the trace will be prefixed with
${myObject.name}: ${myObject.message}.
The optional constructorOpt argument accepts a function. If given, all frames
above constructorOpt, including constructorOpt, will be omitted from the
generated stack trace.
The constructorOpt argument is useful for hiding implementation
details of error generation from the user. For instance:
function a() {
b();
}
function b() {
c();
}
function c() {
// Create an error without stack trace to avoid calculating the stack trace twice.
const { stackTraceLimit } = Error;
Error.stackTraceLimit = 0;
const error = new Error();
Error.stackTraceLimit = stackTraceLimit;
// Capture the stack trace above function b
Error.captureStackTrace(error, b); // Neither function c, nor b is included in the stack trace
throw error;
}
a();
Parameters¶
targetObject¶
object
constructorOpt?¶
Function
Returns¶
void
Inherited from¶
prepareStackTrace()¶
Parameters¶
err¶
Error
stackTraces¶
CallSite[]
Returns¶
any
See¶
https://v8.dev/docs/stack-trace-api#customizing-stack-traces
Inherited from¶
WitnessService¶
Manages witness nodes for receipt-based verification.
Access via Auths.witnesses.
Example¶
auths.witnesses.add({ url: 'http://witness.example.com:3333' })
const witnesses = auths.witnesses.list()
Constructors¶
Constructor¶
Parameters¶
client¶
Returns¶
Methods¶
add()¶
Adds a witness node. Idempotent — adding the same URL twice is a no-op.
Parameters¶
opts¶
Witness options.
Returns¶
The witness entry.
Throws¶
StorageError if the operation fails.
Example¶
const w = auths.witnesses.add({ url: 'http://witness.example.com:3333' })
console.log(w.url) // http://witness.example.com:3333
list()¶
Lists all registered witnesses.
Returns¶
Array of witness entries.
Throws¶
StorageError if the operation fails.
remove()¶
Removes a witness by URL.
Parameters¶
url¶
string
URL of the witness to remove.
Returns¶
void
Throws¶
StorageError if the operation fails.
Interfaces¶
ActionEnvelope¶
A signed action envelope containing the payload and its signature.
Properties¶
envelopeJson¶
JSON-serialized envelope with action metadata.
signatureHex¶
Hex-encoded signature over the envelope.
signerDid¶
DID of the signer.
AddOrgMemberOptions¶
Options for OrgService.addMember.
Properties¶
capabilities?¶
Capabilities to grant the member.
memberDid¶
DID of the member to add.
memberPublicKeyHex?¶
Hex-encoded public key of the member (required for cross-repo adds).
note?¶
Optional note for the membership record.
orgDid¶
DID of the organization.
passphrase?¶
Override the client's passphrase.
role¶
Role to assign (e.g. 'admin', 'member').
AddWitnessOptions¶
Options for WitnessService.add.
Properties¶
label?¶
Optional label for the witness.
url¶
URL of the witness endpoint (e.g. 'http://witness.example.com:3333').
AgentIdentity¶
A standalone agent identity with its self-signed attestation.
Properties¶
attestation¶
JSON-serialized self-signed attestation.
did¶
The agent's KERI decentralized identifier.
keyAlias¶
Keychain alias for the agent's signing key.
publicKey¶
Hex-encoded Ed25519 public key.
ArtifactResult¶
Result of signing an artifact.
Properties¶
attestationJson¶
JSON-serialized attestation for the signed artifact.
digest¶
Content digest (hash) of the artifact.
fileSize¶
Size of the artifact in bytes.
rid¶
Unique resource identifier of the attestation.
AttestationInfo¶
An attestation record from the local registry.
Properties¶
capabilities¶
List of capabilities granted (e.g. ['sign']).
createdAt¶
Creation timestamp (RFC 3339), or null.
delegatedBy¶
DID of the identity that delegated this attestation, or null.
deviceDid¶
DID of the device this attestation applies to.
expiresAt¶
Expiration timestamp (RFC 3339), or null if no expiry.
issuer¶
DID of the issuer (identity that signed the attestation).
json¶
Raw JSON-serialized attestation.
revokedAt¶
Revocation timestamp (RFC 3339), or null if not revoked.
rid¶
Unique resource identifier of the attestation.
signerType¶
Signer type: 'human', 'agent', or 'workload', or null.
subject¶
DID of the subject (device or agent being attested).
AuditCommit¶
Audit information for a single Git commit.
Properties¶
author_email¶
Commit author email.
author_name¶
Commit author name.
date¶
Commit date (ISO 8601).
message¶
Commit message (first line).
oid¶
Git object ID (SHA).
signature_type¶
Signature type ('auths', 'gpg', 'ssh'), or null if unsigned.
signer_did¶
DID of the signer, or null if not an Auths signature.
verified¶
Whether the signature verified successfully, or null if unsigned.
AuditComplianceOptions¶
Options for AuditService.isCompliant.
Properties¶
author?¶
Only include commits by this author.
since?¶
Only include commits after this date (ISO 8601).
targetRepoPath¶
Path to the Git repository to audit.
until?¶
Only include commits before this date (ISO 8601).
AuditReport¶
Full audit report for a Git repository's commit signatures.
Properties¶
commits¶
Individual commit audit entries.
summary¶
Aggregate signature statistics.
AuditReportOptions¶
Options for AuditService.report.
Properties¶
author?¶
Only include commits by this author.
limit?¶
Maximum number of commits to analyze.
since?¶
Only include commits after this date (ISO 8601).
targetRepoPath¶
Path to the Git repository to audit.
until?¶
Only include commits before this date (ISO 8601).
AuditSummary¶
Aggregate statistics from an audit report.
Properties¶
auths_signed¶
Number of Auths-signed commits.
gpg_signed¶
Number of GPG-signed commits.
signed_commits¶
Number of signed commits (any method).
ssh_signed¶
Number of SSH-signed commits.
total_commits¶
Total number of commits analyzed.
unsigned_commits¶
Number of unsigned commits.
verification_failed¶
Number of signatures that failed verification.
verification_passed¶
Number of signatures that passed verification.
ChainLink¶
A single link in a verified attestation chain.
Properties¶
error?¶
Error message if this link failed, or null.
issuer¶
DID of the issuer at this link.
subject¶
DID of the subject at this link.
valid¶
Whether this link verified successfully.
ClientConfig¶
Configuration for the Auths client.
Properties¶
passphrase?¶
Passphrase for key encryption. Can also be set via AUTHS_PASSPHRASE env var.
repoPath?¶
Path to the Auths Git registry. Defaults to '~/.auths'.
CommitSignResult¶
Result of signing a Git commit.
Properties¶
method¶
Signing method identifier.
namespace¶
Namespace for the signature (e.g. 'auths').
signaturePem¶
PEM-encoded signature for the commit.
CompletePairingOptions¶
Options for PairingService.complete.
Properties¶
capabilities?¶
Capabilities to grant the device.
deviceDid¶
DID of the device to authorize.
devicePublicKeyHex¶
Hex-encoded Ed25519 public key of the device.
passphrase?¶
Override the client's passphrase.
CreateAgentOptions¶
Options for IdentityService.createAgent.
Properties¶
capabilities¶
Capabilities to grant (e.g. ['sign']).
name¶
Name for the agent identity.
passphrase?¶
Override the client's passphrase.
CreateIdentityOptions¶
Options for IdentityService.create.
Properties¶
label?¶
Human-readable label. Defaults to 'main'.
passphrase?¶
Override the client's passphrase.
repoPath?¶
Override the client's repo path.
CreateOrgOptions¶
Options for OrgService.create.
Properties¶
label¶
Human-readable label for the organization.
passphrase?¶
Override the client's passphrase.
repoPath?¶
Override the client's repo path.
CreatePairingSessionOptions¶
Options for PairingService.createSession.
Properties¶
bindAddress?¶
Bind address for the pairing server (e.g. '127.0.0.1').
capabilities?¶
Capabilities to offer the pairing device (e.g. ['sign:commit']).
enableMdns?¶
Whether to enable mDNS discovery.
passphrase?¶
Override the client's passphrase.
timeoutSecs?¶
Timeout in seconds for the session.
DelegateAgentOptions¶
Options for IdentityService.delegateAgent.
Properties¶
capabilities¶
Capabilities to grant (e.g. ['sign']).
expiresInDays?¶
Optional expiration in days.
identityDid¶
DID of the parent identity that delegates authority.
name¶
Name for the delegated agent.
passphrase?¶
Override the client's passphrase.
DelegatedAgent¶
An agent delegated under an existing identity.
Properties¶
attestation¶
JSON-serialized delegation attestation signed by the parent identity.
did¶
The delegated agent's DID (typically did:key:z...).
keyAlias¶
Keychain alias for the agent's signing key.
publicKey¶
Hex-encoded Ed25519 public key.
Device¶
Result of linking a device to an identity.
Properties¶
attestationId¶
Unique identifier of the attestation granting device authorization.
did¶
The device's DID (typically did:key:z...).
DeviceExtension¶
Result of extending a device's authorization period.
Properties¶
deviceDid¶
The device's DID.
newExpiresAt¶
New expiration timestamp (RFC 3339).
previousExpiresAt¶
Previous expiration timestamp, or null if there was none.
EvalContextOpts¶
Context for policy evaluation.
Properties¶
capabilities?¶
Capabilities held by the subject.
chainDepth?¶
Depth of the attestation chain.
delegatedBy?¶
DID of the delegating identity.
environment?¶
Deployment environment (e.g. 'production').
expiresAt?¶
Expiration timestamp (RFC 3339).
issuer¶
DID of the attestation issuer.
repo?¶
Repository scope (e.g. 'org/repo').
revoked?¶
Whether the attestation has been revoked.
role?¶
Role of the subject (e.g. 'admin', 'member').
signerType?¶
Signer type constraint.
subject¶
DID of the attestation subject.
ExtendDeviceOptions¶
Options for DeviceService.extend.
Properties¶
days?¶
Number of days to extend by. Defaults to 90.
deviceDid¶
DID of the device to extend.
identityDid¶
DID of the authorizing identity.
passphrase?¶
Override the client's passphrase.
GetPublicKeyOptions¶
Options for IdentityService.getPublicKey.
Properties¶
identityDid¶
DID of the identity whose public key to retrieve.
passphrase?¶
Override the client's passphrase.
Identity¶
A cryptographic identity anchored in a KERI key event log.
Properties¶
did¶
The KERI decentralized identifier (e.g. did:keri:EBfd...).
keyAlias¶
Keychain alias used to retrieve the signing key.
label¶
Human-readable label for this identity.
publicKey¶
Hex-encoded Ed25519 public key.
repoPath¶
Path to the Git registry that stores this identity.
JoinPairingOptions¶
Options for PairingService.join.
Properties¶
deviceName?¶
Optional name for this device.
endpoint¶
HTTP endpoint of the pairing session.
passphrase?¶
Override the client's passphrase.
shortCode¶
Six-character short code from the pairing session.
token¶
Authentication token for the session.
LinkDeviceOptions¶
Options for DeviceService.link.
Properties¶
capabilities?¶
Capabilities to grant the device (e.g. ['sign']).
expiresInDays?¶
Optional expiration in days.
identityDid¶
DID of the identity to link the device under.
passphrase?¶
Override the client's passphrase.
ListOrgMembersOptions¶
Options for OrgService.listMembers.
Properties¶
includeRevoked?¶
Whether to include revoked members. Defaults to false.
orgDid¶
DID of the organization.
OrgMember¶
An organization member record.
Properties¶
attestationRid¶
Resource identifier of the membership attestation.
capabilities¶
Capabilities granted to this member.
expiresAt¶
Expiration timestamp (RFC 3339), or null if no expiry.
issuerDid¶
DID of the admin who added this member.
memberDid¶
DID of the member.
revoked¶
Whether the membership has been revoked.
role¶
Role within the organization (e.g. 'admin', 'member').
OrgResult¶
Result of creating an organization.
Properties¶
label¶
Human-readable label.
orgDid¶
The organization's KERI DID.
orgPrefix¶
Internal prefix for the organization.
repoPath¶
Path to the registry storing the organization.
PairingResponse¶
Response received when a device connects to a pairing session.
Properties¶
deviceDid¶
DID of the connecting device.
deviceName¶
Optional name of the device, or null.
devicePublicKeyHex¶
Hex-encoded Ed25519 public key of the device.
PairingResult¶
Result of completing a pairing and authorizing the device.
Properties¶
attestationRid¶
Resource identifier of the authorization attestation.
deviceDid¶
DID of the paired device.
deviceName¶
Optional name of the device, or null.
PairingSession¶
An active pairing session awaiting a device connection.
Properties¶
controllerDid¶
DID of the controller identity running the session.
endpoint¶
HTTP endpoint the device connects to.
sessionId¶
Unique session identifier.
shortCode¶
Six-character code the device enters to pair.
token¶
Authentication token for the session.
PinIdentityOptions¶
Options for TrustService.pin.
Properties¶
did¶
DID of the identity to pin.
label?¶
Optional label for the pinned identity.
trustLevel?¶
Trust level to assign. Defaults to 'tofu'.
PinnedIdentity¶
A pinned (trusted) identity in the local trust store.
Properties¶
did¶
The pinned identity's DID.
firstSeen¶
ISO 8601 timestamp when this identity was first seen.
kelSequence¶
KERI event log sequence number at time of pinning, or null.
label¶
Optional label for the pinned identity.
pinnedAt¶
ISO 8601 timestamp when this identity was pinned.
trustLevel¶
Trust level: 'tofu', 'manual', or 'org_policy'.
PolicyDecision¶
Result of evaluating a policy against a context.
Properties¶
allowed¶
Convenience: true when outcome === 'allow'.
denied¶
Convenience: true when outcome === 'deny'.
message¶
Human-readable explanation of the decision.
outcome¶
Raw outcome string ('allow' or 'deny').
reason¶
Machine-readable reason code.
RevokeDeviceOptions¶
Options for DeviceService.revoke.
Properties¶
deviceDid¶
DID of the device to revoke.
identityDid¶
DID of the identity that authorized the device.
note?¶
Optional revocation note.
passphrase?¶
Override the client's passphrase.
RevokeOrgMemberOptions¶
Options for OrgService.revokeMember.
Properties¶
memberDid¶
DID of the member to revoke.
memberPublicKeyHex?¶
Hex-encoded public key of the member.
note?¶
Optional revocation note.
orgDid¶
DID of the organization.
passphrase?¶
Override the client's passphrase.
RotateKeysOptions¶
Options for IdentityService.rotate.
Properties¶
identityDid?¶
DID of the identity to rotate. Defaults to the primary identity.
passphrase?¶
Override the client's passphrase.
RotationResult¶
Result of a key rotation operation.
Properties¶
controllerDid¶
The controller DID whose keys were rotated.
newKeyFingerprint¶
Fingerprint of the new signing key.
previousKeyFingerprint¶
Fingerprint of the previous signing key.
sequence¶
New KERI event sequence number after rotation.
SignActionAsAgentOptions¶
Options for SigningService.signActionAsAgent.
Properties¶
actionType¶
Action type label (e.g. 'tool_call').
agentDid¶
DID of the agent identity.
keyAlias¶
Keychain alias of the agent key.
passphrase?¶
Override the client's passphrase.
payloadJson¶
JSON-serialized action payload.
SignActionAsIdentityOptions¶
Options for SigningService.signActionAsIdentity.
Properties¶
actionType¶
Action type label (e.g. 'tool_call').
identityDid¶
DID of the identity to sign with.
passphrase?¶
Override the client's passphrase.
payloadJson¶
JSON-serialized action payload.
SignArtifactBytesOptions¶
Options for ArtifactService.signBytes.
Properties¶
data¶
Raw bytes to sign.
expiresInDays?¶
Optional expiration in days.
identityDid¶
DID of the identity to sign with.
note?¶
Optional note attached to the attestation.
passphrase?¶
Override the client's passphrase.
SignArtifactOptions¶
Options for ArtifactService.sign.
Properties¶
expiresInDays?¶
Optional expiration in days.
filePath¶
Path to the file to sign.
identityDid¶
DID of the identity to sign with.
note?¶
Optional note attached to the attestation.
passphrase?¶
Override the client's passphrase.
SignAsAgentOptions¶
Options for SigningService.signAsAgent.
Properties¶
keyAlias¶
Keychain alias of the agent key.
message¶
The message bytes to sign.
passphrase?¶
Override the client's passphrase.
SignAsIdentityOptions¶
Options for SigningService.signAsIdentity.
Properties¶
identityDid¶
DID of the identity to sign with.
message¶
The message bytes to sign.
passphrase?¶
Override the client's passphrase.
SignCommitOptions¶
Options for CommitService.sign.
Properties¶
data¶
Raw commit data to sign.
identityDid¶
DID of the identity to sign with.
passphrase?¶
Override the client's passphrase.
SignResult¶
Result of a signing operation.
Properties¶
signature¶
Hex-encoded Ed25519 signature.
signerDid¶
DID of the signer.
VerificationReport¶
Full report from a chain verification.
Properties¶
chain¶
Individual chain link results.
status¶
Overall verification status.
warnings¶
Non-fatal warnings encountered during verification.
VerificationResult¶
Result of verifying a single attestation.
Properties¶
error?¶
Error message if verification failed, or null.
errorCode?¶
Machine-readable error code, or null.
valid¶
Whether the attestation is valid.
VerificationStatus¶
Status summary of a chain verification.
Properties¶
at?¶
Timestamp context for the status, or null.
missingLink?¶
DID of the missing link in the chain, or null.
required?¶
Number of required witnesses, or null.
statusType¶
Status type: 'Valid', 'Invalid', 'Expired', etc.
step?¶
Chain step where verification failed, or null.
verified?¶
Number of verified witnesses, or null.
VerifyChainOptions¶
Options for Auths.verifyChain.
Properties¶
attestations¶
Array of JSON-serialized attestations (leaf to root).
requiredCapability?¶
Optional capability the leaf attestation must grant.
rootKey¶
Hex-encoded Ed25519 public key of the root identity.
witnesses?¶
Optional witness configuration for receipt-based verification.
VerifyOptions¶
Options for Auths.verify.
Properties¶
at?¶
Optional RFC 3339 timestamp to verify at.
attestationJson¶
JSON-serialized attestation to verify.
issuerKey¶
Hex-encoded Ed25519 public key of the issuer.
requiredCapability?¶
Optional capability the attestation must grant.
WaitForPairingResponseOptions¶
Options for PairingService.waitForResponse.
Properties¶
timeoutSecs?¶
Timeout in seconds to wait for a device.
WitnessConfig¶
Configuration for witness-backed chain verification.
Properties¶
keys¶
Witness public keys.
receipts¶
JSON-serialized witness receipts.
threshold¶
Minimum number of witness receipts required.
WitnessEntry¶
A witness node entry in the local registry.
Properties¶
did¶
DID of the witness, or null if not yet resolved.
label¶
Optional label for the witness.
url¶
URL of the witness endpoint.
WitnessKey¶
Public key of a witness node.
Properties¶
did¶
DID of the witness.
publicKeyHex¶
Hex-encoded Ed25519 public key of the witness.
Variables¶
version()¶
Returns¶
string
Functions¶
compilePolicy()¶
Compiles a raw policy JSON string for use with evaluatePolicy.
Parameters¶
policyJson¶
string
JSON string of the policy expression.
Returns¶
string
Compiled policy JSON.
Throws¶
AuthsError if the policy is invalid.
evaluatePolicy()¶
Evaluates a compiled policy against an attestation context.
Parameters¶
compiledPolicyJson¶
string
Compiled policy from compilePolicy or PolicyBuilder.build.
context¶
The evaluation context.
Returns¶
The policy decision with allowed/denied convenience booleans.
Throws¶
AuthsError if evaluation fails.
Example¶
import { compilePolicy, evaluatePolicy } from '@auths-dev/node'
const compiled = compilePolicy(policyJson)
const decision = evaluatePolicy(compiled, {
issuer: 'did:keri:EOrg',
subject: 'did:key:zDevice',
})
mapNativeError()¶
Maps a native napi-rs error into a typed AuthsError subclass.
Parses the [AUTHS_CODE] message format emitted by the Rust layer
and instantiates the appropriate error class with a machine-readable code.
Parameters¶
err¶
unknown
The raw error from the native binding.
defaultCls?¶
(message, code) => AuthsError
Fallback error class when the code is unrecognized.
Returns¶
A typed AuthsError instance.
verifyAttestation()¶
Verifies a single attestation against an issuer's public key.
Parameters¶
attestationJson¶
string
JSON-serialized attestation.
issuerPkHex¶
string
Hex-encoded Ed25519 public key of the issuer.
Returns¶
Promise\<VerificationResult>
The verification result.
Throws¶
VerificationError if verification encounters an error.
Example¶
import { verifyAttestation } from '@auths-dev/node'
const result = await verifyAttestation(attestationJson, publicKeyHex)
console.log(result.valid) // true
verifyAttestationWithCapability()¶
function verifyAttestationWithCapability(
attestationJson,
issuerPkHex,
requiredCapability): Promise<VerificationResult>;
Verifies a single attestation with a required capability check.
Parameters¶
attestationJson¶
string
JSON-serialized attestation.
issuerPkHex¶
string
Hex-encoded Ed25519 public key of the issuer.
requiredCapability¶
string
Capability the attestation must grant.
Returns¶
Promise\<VerificationResult>
The verification result.
Throws¶
VerificationError if verification fails.
verifyAtTime()¶
Verifies a single attestation at a specific point in time.
Parameters¶
attestationJson¶
string
JSON-serialized attestation.
issuerPkHex¶
string
Hex-encoded Ed25519 public key of the issuer.
atRfc3339¶
string
RFC 3339 timestamp to verify at.
Returns¶
Promise\<VerificationResult>
The verification result.
Throws¶
VerificationError if verification fails.
verifyAtTimeWithCapability()¶
function verifyAtTimeWithCapability(
attestationJson,
issuerPkHex,
atRfc3339,
requiredCapability): Promise<VerificationResult>;
Verifies an attestation at a specific time with a required capability.
Parameters¶
attestationJson¶
string
JSON-serialized attestation.
issuerPkHex¶
string
Hex-encoded Ed25519 public key of the issuer.
atRfc3339¶
string
RFC 3339 timestamp to verify at.
requiredCapability¶
string
Capability the attestation must grant.
Returns¶
Promise\<VerificationResult>
The verification result.
Throws¶
VerificationError if verification fails.
verifyChain()¶
Verifies an attestation chain from leaf to root.
Parameters¶
attestationsJson¶
string[]
Array of JSON-serialized attestations (leaf to root).
rootPkHex¶
string
Hex-encoded Ed25519 public key of the root identity.
Returns¶
Promise\<VerificationReport>
The verification report with chain link details.
Throws¶
VerificationError if verification encounters an error.
Example¶
import { verifyChain } from '@auths-dev/node'
const report = await verifyChain(attestationChain, rootPublicKeyHex)
console.log(report.status.statusType) // 'Valid'
verifyChainWithCapability()¶
function verifyChainWithCapability(
attestationsJson,
rootPkHex,
requiredCapability): Promise<VerificationReport>;
Verifies an attestation chain with a required capability at the leaf.
Parameters¶
attestationsJson¶
string[]
Array of JSON-serialized attestations (leaf to root).
rootPkHex¶
string
Hex-encoded Ed25519 public key of the root identity.
requiredCapability¶
string
Capability the leaf attestation must grant.
Returns¶
Promise\<VerificationReport>
The verification report.
Throws¶
VerificationError if verification fails.
verifyChainWithWitnesses()¶
function verifyChainWithWitnesses(
attestationsJson,
rootPkHex,
witnesses): Promise<VerificationReport>;
Verifies an attestation chain with witness receipt validation.
Parameters¶
attestationsJson¶
string[]
Array of JSON-serialized attestations (leaf to root).
rootPkHex¶
string
Hex-encoded Ed25519 public key of the root identity.
witnesses¶
Witness configuration with receipts, keys, and threshold.
Returns¶
Promise\<VerificationReport>
The verification report.
Throws¶
VerificationError if verification fails.
Example¶
import { verifyChainWithWitnesses } from '@auths-dev/node'
const report = await verifyChainWithWitnesses(chain, rootKey, {
receipts: witnessReceipts,
keys: [{ did: witnessDid, publicKeyHex: witnessKey }],
threshold: 1,
})
verifyDeviceAuthorization()¶
function verifyDeviceAuthorization(
identityDid,
deviceDid,
attestationsJson,
identityPkHex): Promise<VerificationReport>;
Verifies that a device is authorized by an identity through an attestation chain.
Parameters¶
identityDid¶
string
DID of the authorizing identity.
deviceDid¶
string
DID of the device to verify.
attestationsJson¶
string[]
Array of JSON-serialized attestations.
identityPkHex¶
string
Hex-encoded Ed25519 public key of the identity.
Returns¶
Promise\<VerificationReport>
The verification report.
Throws¶
VerificationError if verification fails.