{"id":30839101,"url":"https://github.com/forter/trusted-agentic-commerce-protocol","last_synced_at":"2025-09-06T18:52:33.460Z","repository":{"id":312834510,"uuid":"1042146777","full_name":"forter/trusted-agentic-commerce-protocol","owner":"forter","description":"A secure authentication and data encryption protocol for AI agents, merchants and merchant vendors.","archived":false,"fork":false,"pushed_at":"2025-09-02T08:26:04.000Z","size":85,"stargazers_count":130,"open_issues_count":2,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-09-02T10:18:58.448Z","etag":null,"topics":["team-field-cto-office"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/forter.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-08-21T14:54:37.000Z","updated_at":"2025-09-02T10:10:59.000Z","dependencies_parsed_at":"2025-09-02T10:31:52.456Z","dependency_job_id":null,"html_url":"https://github.com/forter/trusted-agentic-commerce-protocol","commit_stats":null,"previous_names":["forter/trusted-agentic-commerce-protocol"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/forter/trusted-agentic-commerce-protocol","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/forter%2Ftrusted-agentic-commerce-protocol","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/forter%2Ftrusted-agentic-comm
erce-protocol/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/forter%2Ftrusted-agentic-commerce-protocol/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/forter%2Ftrusted-agentic-commerce-protocol/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/forter","download_url":"https://codeload.github.com/forter/trusted-agentic-commerce-protocol/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/forter%2Ftrusted-agentic-commerce-protocol/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":273948862,"owners_count":25196398,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-06T02:00:13.247Z","response_time":2576,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["team-field-cto-office"],"created_at":"2025-09-06T18:52:28.452Z","updated_at":"2025-09-06T18:52:33.444Z","avatar_url":"https://github.com/forter.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Trusted Agentic Commerce Protocol\n\nA secure authentication and data encryption protocol that allows AI agents, merchants and merchant vendors:\n\n- ✅ Authenticate each other: verify the agent's identity and its relationship to the customer behind it\n- ✅ Maintain rich customer data: reduce data losses and increase 
agents' approval rate\n- ✅ Improve user experience: create personalized, secure and frictionless checkout experience\n- ✅ Prevent fraud: differentiate between legitimate agentic activity and fraud attempts\n\n🎉 **[Read the announcement on Forter Blog](https://www.forter.com/blog/trusted-agentic-commerce-protocol/)**\n\n## SDK Libraries\n\n- [JavaScript](sdk/javascript/) - Node.js \u003e=18.0.0\n- [TypeScript](sdk/typescript/) - Node.js \u003e=18.0.0  \n- [Python](sdk/python/) - Python \u003e=3.8\n- More coming soon!\n\n## Key Generation and Publishing\n\nTrusted Agentic Commerce Protocol relies on:\n\n- **JWS+JWE Security**: JWT signatures (JWS) wrapped in JSON Web Encryption (JWE) for both authentication and confidentiality\n- **RSA \u0026 EC Key Support**: Compatible with RSA and Elliptic Curve (P-256/384/521) keys for signing and encryption\n- **JSON Web Key Sets (JWKS)**: Standard key distribution at `.well-known/jwks.json` endpoints\n\n#### Option 1: Generate RSA Keys (Default - Recommended for compatibility)\n\n```bash\n# Generate RSA key pair\nopenssl genpkey -algorithm RSA -out private.pem -pkeyopt rsa_keygen_bits:2048\nopenssl rsa -in private.pem -pubout -out public.pem\n\n# Extract values for JWKS publishing:\n# Extract modulus (n) - base64url encoded (single line output)\nopenssl rsa -in public.pem -pubin -modulus -noout | \\\n  cut -d'=' -f2 | xxd -r -p | base64 | tr -d '=\\n' | tr '/+' '_-'\n\n# Generate key ID (kid) - SHA-256 hash of the DER-encoded public key (single line output)\nopenssl rsa -in public.pem -pubin -outform DER 2\u003e/dev/null | \\\n  openssl dgst -sha256 -binary | base64 | tr -d '=\\n' | tr '/+' '_-'\n```\n\n#### Option 2: Generate Elliptic Curve Keys (Faster, smaller keys)\n\n```bash\n# Generate EC key pair (P-256 curve)\nopenssl ecparam -name prime256v1 -genkey -out private.pem\nopenssl ec -in private.pem -pubout -out public.pem\n\n# Extract values for JWKS publishing:\n# Extract x coordinate (base64url encoded)\nopenssl ec -in public.pem -pubin -text -noout\u0020
2\u003e/dev/null | \\\n  grep -A 5 'pub:' | tail -5 | tr -d ' \\n:' | xxd -r -p | \\\n  tail -c 64 | head -c 32 | base64 | tr -d '=\\n' | tr '/+' '_-'\n# (openssl prints the 65-byte uncompressed point 04 || x || y as five hex lines;\n#  tail -c 64 drops the leading 04 byte before the 32-byte x and y halves are split off)\n\n# Extract y coordinate (base64url encoded)\nopenssl ec -in public.pem -pubin -text -noout 2\u003e/dev/null | \\\n  grep -A 5 'pub:' | tail -5 | tr -d ' \\n:' | xxd -r -p | \\\n  tail -c 32 | base64 | tr -d '=\\n' | tr '/+' '_-'\n\n# Generate key ID (kid) - SHA-256 hash of the DER-encoded public key (single line output)\nopenssl ec -in public.pem -pubin -outform DER 2\u003e/dev/null | \\\n  openssl dgst -sha256 -binary | base64 | tr -d '=\\n' | tr '/+' '_-'\n```\n\n### Publishing Keys\n\nPublish your public keys at `https://your-domain.com/.well-known/jwks.json`:\n\n**For RSA keys:**\n```json\n{\n  \"keys\": [\n    {\n      \"kty\": \"RSA\",\n      \"n\": \"\u003coutput from n extraction\u003e\",\n      \"e\": \"AQAB\",\n      \"alg\": \"RS256\",\n      \"kid\": \"\u003coutput from kid generation\u003e\"\n    }\n  ]\n}\n```\n\n**For EC keys (P-256):**\n```json\n{\n  \"keys\": [\n    {\n      \"kty\": \"EC\",\n      \"crv\": \"P-256\",\n      \"x\": \"\u003coutput from x extraction\u003e\",\n      \"y\": \"\u003coutput from y extraction\u003e\",\n      \"alg\": \"ES256\",\n      \"kid\": \"\u003coutput from kid generation\u003e\"\n    }\n  ]\n}\n```\n\n## Protocol Participants\n\n### Sender\n\nTypically an AI agent:\n\n- Makes requests on behalf of users\n- Signs JWTs to prove identity\n- Encrypts sensitive user data for specific recipients\n- Publishes public signing keys via JWKS\n\n### Recipient\n\nTypically a Merchant and/or Merchant Vendor:\n\n- Receives authenticated requests\n- Verifies JWT signatures from senders\n- Decrypts user data encrypted for them\n- Publishes public encryption keys via JWKS\n\n## Protocol Flow\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://www.forter.com/wp-content/uploads/2025/08/forter-trusted-agentic-commerce-protocol.png\" target=\"_blank\"\u003e\n    \u003cimg\u0020
src=\"https://www.forter.com/wp-content/uploads/2025/08/forter-trusted-agentic-commerce-protocol.png\" alt=\"Trusted Agentic Commerce Protocol Diagram\" width=\"600\"/\u003e\n  \u003c/a\u003e\n\u003c/p\u003e\n\n## Key Benefits\n\n|         | **Without the protocol**                                                                                                                                         | **With the protocol**                                                                                                                                           |\n|--------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| **Agent Developers**   | Your legitimate agent is blocked by aggressive merchant filters or fraudulent usage by other users, leading to failed tasks and frustrated users             | Your agent is recognized and trusted by merchant sites, leading to near-100% success rates for login and checkout and higher user satisfaction              |\n| **Merchants**          | You block all bot traffic to protect your site because you’re unsure what is good or bad, losing out on potential sales and the potential of agentic commerce| You can distinguish between trusted agents and bot threats, enabling you to process more sales and offer personalized experiences based on verified user data|\n| **Merchant vendors**   | You struggle to evaluate agent-driven transactions because you can’t distinguish legitimate agents from malicious bots, leading to missed revenue opportunities and strained merchant relationships | You receive verifiable identity and intent data from recognized agents, enabling precise risk assessments, fewer false declines, and stronger merchant trust in your services 
|\n| **End-users**          | Your personal assistant fails to book a flight because it can’t complete a login, gets hit with a CAPTCHA or is blocked as \"suspicious\"                      | Your agent acts as a true extension of yourself, recognized and accepted by merchants, with your data and preferences respected                             |\n\n## Security Best Practices\n\n1. **Key Management**\n   - Store private keys securely\n   - Rotate keys regularly\n   - Never commit keys to version control\n\n2. **HTTPS Only**\n   - Always use HTTPS in production\n   - Verify SSL certificates\n\n3. **JWT Validation**\n   - Check JWT expiry\n   - Verify issuer claims\n   - Validate signing algorithm\n\n## License\n\nMIT License","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fforter%2Ftrusted-agentic-commerce-protocol","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fforter%2Ftrusted-agentic-commerce-protocol","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fforter%2Ftrusted-agentic-commerce-protocol/lists"}