You have AI agents calling each other. You're using API keys or mTLS. You're worried it's not enough.
API keys authenticate. They don't authorize. They don't scope. They don't audit delegation chains.
Here's how to add all four in under 5 minutes using Codios — an A2A security layer built on signed capability contracts.
## What you'll build
- Two agents with cryptographic identities (Ed25519 keypairs)
- A signed contract granting specific permissions
- A protected API endpoint that verifies contracts offline
- Full audit logs of every authorization decision
Time: ~5 minutes
What you need: Node.js and a Codios account (free at codios.midlantics.com)
## Step 1: Install the SDK

```bash
npm install @codios/sdk
```
## Step 2: Generate keypairs using the CLI (easiest)

The Codios CLI can generate a keypair and save it to your .env file automatically:

```bash
codios keygen --save .env
```

This appends `CODIOS_PUBLIC_KEY` and `CODIOS_PRIVATE_KEY` to your .env file.
To generate manually in TypeScript:

```ts
import { generateAgentKeyPair } from "@codios/sdk"

const agent = await generateAgentKeyPair()
console.log("DID:", agent.did)
console.log("Public key:", agent.publicKey)
console.log("Private key:", agent.privateKey) // Save this securely
```
## Step 3: Register your agent in the dashboard

Log into the Codios dashboard, then:

- Go to the Agents tab
- Click Register agent
- Enter a name (e.g., "billing-agent")
- Optional: Add capabilities (e.g., transfer, quote)
- Leave Public key blank — Codios generates a keypair for you
- Click Register

Important: The private key is shown once. Copy and store it immediately. It cannot be recovered.
Alternative using the CLI:

```bash
codios register --name billing-agent --public-key $CODIOS_PUBLIC_KEY
```
## Step 4: Issue a contract using the 4-step wizard

- Go to the Contracts tab in the dashboard
- Click Connect agents
- Issuer — Select the agent that will make requests (or choose Codios Platform to have Codios sign on your behalf)
- Targets — Select one or more agents that will receive requests (each gets its own independent contract)
- Permissions — Define allowed actions (e.g., transfer). Set duration (1h / 1d / 7d / 30d) and optional max calls
- Review — Confirm the flow, then click Issue contract

After issuance, each target's contract token is shown. Copy each token — you'll pass it as the `X-Codios-Contract` header.

Contract status: active → expired (TTL elapsed) or revoked (manually revoked)
## Step 5: Protect your service with middleware

```ts
import express from "express"
import { codiosGuard } from "@codios/sdk"

const app = express()
app.use(express.json()) // Parse JSON bodies so the handler can read req.body

app.post(
  "/transfer",
  codiosGuard({
    action: "transfer", // Must match contract's allowed action
    publicKey: process.env.SERVICE_AGENT_PUBLIC_KEY,
    gatewayUrl: "https://codios-api.midlantics.com",
  }),
  (req, res) => {
    // Only reaches here if the contract is valid
    res.json({ ok: true })
  }
)

app.listen(3000)
```
## Step 6: Call the protected service

```ts
// The token from Step 4; here it is read from an env var of your choosing
const contractToken = process.env.CODIOS_CONTRACT_TOKEN
if (!contractToken) throw new Error("CODIOS_CONTRACT_TOKEN is not set")

const response = await fetch("http://localhost:3000/transfer", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
    "X-Codios-Contract": contractToken,
  },
  body: JSON.stringify({ amount: 100 }),
})

console.log(response.status, await response.json()) // 200 { ok: true } when the contract is valid
```
## What happens on every request
| Step | Time |
|---|---|
| Verify Ed25519 signature (offline) | ~0ms |
| Check expiry, actions, max_calls | ~0ms |
| Nonce check (Redis SET NX) | ~1ms |
| Async audit log write | Non-blocking |
Total overhead: 1-2ms
If a contract is expired, out of calls, or already used → HTTP 403 or 409.
## Dashboard features you'll use
| Tab | What it does |
|---|---|
| Overview | Stats: registered agents, active contracts, audit entries (24h), denied requests |
| Agents | Register agents, view DID/public key, see heartbeat status (green/yellow/red) |
| Contracts | Issue contracts via wizard, revoke, check status |
| Audit Log | Filter by outcome, action, agent. Retention: Free=7d, Starter=30d, Pro=90d |
| Threat Detection (Pro) | Scans for off-hours access, action bursts, unknown agents, repeated denials |
| Alert Rules (Starter+) | Email on denial spikes, rate limit exceeded, agent inactive |
| API Keys | Create codios_sk_... keys for backend services |
## Next steps

- Add heartbeat – Have your agent call `POST /agents/{id}/heartbeat` every minute to keep status green
- Set up alert rules – Get email notifications when something goes wrong
- Review the audit log – See every allow/deny decision
- Try the Python SDK – FastAPI middleware also available
Get your API key: codios.midlantics.com
Full documentation: codios.midlantics.com/docs
## Why this matters
API keys were designed for humans. AI agents are different — autonomous, fast, and chained.
Codios gives you the security model agents actually need, without adding latency to your hot path.