Quickstart Guide

Protect Your API in 3 Minutes

Don't build custom auth for every integration. Verify Amorce signatures instead.

1. Install the SDK

The SDK handles Ed25519 signature verification and Trust Directory lookups automatically.

pip install amorce-sdk

Note: Requires Python 3.9+ with pip installed.

2. Verify Incoming Requests

Add signature verification to your API endpoint:

from amorce import verify_request, AmorceSecurityError
from flask import Flask, request

app = Flask(__name__)

@app.route('/api/webhook', methods=['POST'])
def handle_webhook():
    try:
        # ✅ AUTOMATIC VERIFICATION
        # SDK fetches public key and verifies signature
        verified = verify_request(
            headers=request.headers,
            body=request.get_data(),
            allowed_intents=['book_table', 'check_availability']
        )
        
        print(f"✅ Verified request from: {verified.agent_id}")
        print(f"Intent: {verified.payload['payload']['intent']}")
        
        # Your business logic here - 100% sure it's legitimate
        return {"status": "confirmed", "table": "A5"}
        
    except AmorceSecurityError as e:
        # Invalid signature, unknown agent, or unauthorized intent
        return {"error": "Unauthorized"}, 401

That's it! Your API is now protected by cryptographic verification.

3. Test with Validator

Before going live, validate your agent manifest:

  1. Go to /validate
  2. Enter your manifest URL or paste JSON
  3. Get instant health score and feedback

What Just Happened?

When a request arrives:

  1. Extract Headers: SDK reads X-Agent-Signature and X-Amorce-Agent-ID
  2. Fetch Public Key: Automatic lookup from Trust Directory
  3. Verify Signature: Ed25519 cryptographic check
  4. Check Intent: Optional whitelist enforcement
  5. Return Result: Either VerifiedRequest or exception

Zero maintenance. Public keys are auto-fetched. Revoked agents are instantly rejected.
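
The five steps above, written out by hand as an added example (not the SDK's own code). It assumes a base64-encoded signature over the raw request body and uses a dict in place of the Trust Directory; verify_flow, is_rejected and VerificationError are hypothetical names, and it needs the cryptography package.

```python
import base64, json
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey, Ed25519PublicKey)
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

class VerificationError(Exception):
    """Hypothetical stand-in for the SDK's AmorceSecurityError."""

def verify_flow(headers, body, directory, allowed_intents=None):
    # 1. Extract headers (names from the page; base64 encoding is assumed).
    agent_id = headers.get("X-Amorce-Agent-ID")
    sig_b64 = headers.get("X-Agent-Signature")
    if not agent_id or not sig_b64:
        raise VerificationError("missing signature headers")
    # 2. Key lookup: a dict stands in for the Trust Directory (assumed shape).
    entry = directory.get(agent_id)
    if entry is None or entry["revoked"]:
        raise VerificationError("unknown or revoked agent")
    # 3. Verify over the exact bytes received, before any JSON parsing.
    try:
        sig = base64.b64decode(sig_b64, validate=True)
        Ed25519PublicKey.from_public_bytes(entry["key"]).verify(sig, body)
    except (ValueError, InvalidSignature):
        raise VerificationError("bad signature") from None
    # 4. Parse only after the signature holds, then apply the allow-list.
    try:
        payload = json.loads(body)
        intent = payload["payload"]["intent"]
    except (ValueError, KeyError, TypeError):
        raise VerificationError("malformed payload") from None
    if allowed_intents is not None and intent not in allowed_intents:
        raise VerificationError("intent not allowed")
    return {"agent_id": agent_id, "payload": payload}  # 5. Return result

def is_rejected(headers, body, directory, allowed_intents=None):
    try:
        verify_flow(headers, body, directory, allowed_intents)
        return False
    except VerificationError:
        return True

# Constructed sample: throwaway key pair, agent id and request body.
KEY = Ed25519PrivateKey.generate()
PUB = KEY.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)
BODY = json.dumps({"payload": {"intent": "book_table"}}).encode()
HEADERS = {"X-Amorce-Agent-ID": "agent-demo",
           "X-Agent-Signature": base64.b64encode(KEY.sign(BODY)).decode()}
DIRECTORY = {"agent-demo": {"key": PUB, "revoked": False}}
```

Pass the body bytes exactly as received (request.get_data() in Flask); a signature checked against re-serialized JSON fails on any byte difference.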

Advanced: Manual Public Key

For testing or private networks, you can skip the Trust Directory lookup:

# Provide public key directly (no network call)
verified = verify_request(
    headers=request.headers,
    body=request.get_data(),
    public_key="-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----"
)
