Add cryptographic authorization to AI agents in 5 minutes

You have AI agents calling each other. You're using API keys or mTLS. You're worried it's not enough.

API keys authenticate. They don't authorize. They don't scope. They don't audit delegation chains.

Here's how to add all four in under 5 minutes using Codios — an A2A security layer built on signed capability contracts.

What you'll build

• Two agents with cryptographic identities (Ed25519 keypairs)
• A signed contract granting specific permissions
• A protected API endpoint that verifies contracts offline
• Full audit logs of every authorization decision

Time: ~5 minutes

What you need: Node.js and a Codios account (free at codios.midlantics.com)

Step 1: Install the SDK

npm install @codios/sdk

Step 2: Generate keypairs using the CLI (easiest)

The Codios CLI can generate a keypair and save it to your .env file automatically:

bash
codios keygen --save .env

This appends CODIOS_PUBLIC_KEY and CODIOS_PRIVATE_KEY to your .env file.

To generate manually in TypeScript:

import { generateAgentKeyPair } from "@codios/sdk"

const agent = await generateAgentKeyPair()
console.log("DID:", agent.did)
console.log("Public key:", agent.publicKey)
console.log("Private key:", agent.privateKey) // Save this securely

Step 3: Register your agent in the dashboard

Log into the Codios dashboard

1. Go to the Agents tab
2. Click Register agent
3. Enter a name (e.g., "billing-agent")
4. Optional: Add capabilities (e.g., transfer, quote)
5. Leave Public key blank — Codios generates a keypair for you
6. Click Register Important: The private key is shown once. Copy and store it immediately. It cannot be recovered.

Alternative using CLI:

codios register --name billing-agent --public-key $CODIOS_PUBLIC_KEY

Step 4: Issue a contract using the 4-step wizard

1. Go to the Contracts tab in the dashboard
2. Click Connect agents
3. Issuer — Select the agent that will make requests (or choose Codios Platform to have Codios sign on your behalf)
4. Targets — Select one or more agents that will receive requests (each gets its own independent contract)
5. Permissions — Define allowed actions (e.g., transfer ). Set duration (1h / 1d / 7d / 30d) and optional max calls
6. Review — Confirm the flow, then click Issue contract After issuance, each target's contract token is shown. Copy each token — you'll pass it as the X-Codios-Contract header.

Contract status: active → expired (TTL elapsed) or revoked (manually revoked)

Step 5: Protect your service with middleware

import express from "express"
import { codiosGuard } from "@codios/sdk"

const app = express()

app.post(
  "/transfer",
  codiosGuard({
    action:      "transfer",     // Must match contract's allowed action
    publicKey:   process.env.SERVICE_AGENT_PUBLIC_KEY,
    gatewayUrl:  "https://codios-api.midlantics.com",
  }),
  (req, res) => {
    // Only reaches here if the contract is valid
    res.json({ ok: true })
  }
)

app.listen(3000)

Step 6: Call the protected service

const response = await fetch("http://localhost:3000/transfer", {
  method: "POST",
  headers: {
    "Content-Type":      "application/json",
    "X-Codios-Contract": contractToken,  // The token from Step 4
  },
  body: JSON.stringify({ amount: 100 }),
})

What happens on every request

Total overhead: 1-2ms

If a contract is expired, out of calls, or already used → HTTP 403 or 409.

Dashboard features you'll use

Next steps

• Add heartbeat – Have your agent call POST /agents/{id}/heartbeat every minute to keep status green
• Set up alert rules – Get email notifications when something goes wrong
• Review the audit log – See every allow/deny decision
• Try the Python SDK – FastAPI middleware also available

Get your API key: codios.midlantics.com

Full documentation: codios.midlantics.com/docs

Why this matters

API keys were designed for humans. AI agents are different — autonomous, fast, and chained.

Codios gives you the security model agents actually need, without adding latency to your hot path.