Back to Blog
tutorials

How to Secure AI Agents in 5 Minutes

A step-by-step guide to adding cryptographic security to your LangChain, CrewAI, or custom AI agents using Amorce. No infrastructure changes required.

·
4 min read
·By Amorce Team
#security#langchain#crewai#tutorial#ed25519

How to Secure AI Agents in 5 Minutes

Your AI agents are making decisions, calling APIs, and handling sensitive data. But can you prove who sent a request? Can you verify a response wasn't tampered with?

In 5 minutes, you'll add cryptographic security to any AI agent. No infrastructure changes. No complex setup. Just code.

The Problem: Unsigned AI Agents

Right now, most AI agents communicate over HTTP with no identity verification. This creates three major risks:

  1. Impersonation - Anyone can pretend to be your agent
  2. Tampering - Responses can be modified in transit
  3. No Audit Trail - You can't prove who did what

The Solution: Ed25519 Signatures

Amorce uses Ed25519 cryptographic signatures to solve all three problems. Every request is signed with a private key, and anyone can verify it with the corresponding public key.

Let's add this to your agent.

Step 1: Install the SDK (30 seconds)

Python:

bash
pip install amorce-sdk

JavaScript/TypeScript:

bash
npm install @amorce/sdk

Step 2: Create Your Agent Identity (1 minute)

Python:

python
from amorce import AgentIdentity

# Generate a new identity (creates Ed25519 keypair)
identity = AgentIdentity.generate(agent_id="my-agent-001")

# Save for production use
identity.save_to_file("my_agent_keys.json")

# Your public key (share this)
print(identity.public_key_pem)

JavaScript:

typescript
import { AgentIdentity } from '@amorce/sdk';

// Generate a new identity
const identity = AgentIdentity.generate({ agentId: 'my-agent-001' });

// Your public key (share this)
console.log(identity.publicKeyPem);

💡 Tip: Your private key never leaves your system. Only share the public key.

Step 3: Sign Your Requests (2 minutes)

Now wrap your agent's outgoing requests with cryptographic signatures.

Python (LangChain example):

python
from amorce import AmorceAgent
from langchain.agents import initialize_agent

# Wrap your existing agent
agent = AmorceAgent(
    agent_id="my-agent-001",
    private_key_path="my_agent_keys.json"
)

# Make a signed request
response = agent.send_signed_request(
    recipient_id="weather-service",
    endpoint="https://api.weather-agent.com/forecast",
    payload={"city": "Paris"}
)

# The request includes:
# - Your signature (proves you sent it)
# - Timestamp (prevents replay attacks)
# - Your public key reference (for verification)

JavaScript:

typescript
import { AmorceAgent } from '@amorce/sdk';

const agent = new AmorceAgent({
  agentId: 'my-agent-001',
  privateKey: process.env.AGENT_PRIVATE_KEY
});

const response = await agent.sendSignedRequest({
  recipientId: 'weather-service',
  endpoint: 'https://api.weather-agent.com/forecast',
  payload: { city: 'Paris' }
});

Step 4: Verify Incoming Requests (1 minute)

Add verification to your agent's API endpoint.

Python (FastAPI):

python
from fastapi import FastAPI, Request, HTTPException
from amorce import verify_request

app = FastAPI()

@app.post("/api/chat")
async def chat(request: Request):
    # Verify the incoming request
    sender = verify_request(request)
    
    if not sender:
        raise HTTPException(401, "Invalid or missing signature")
    
    # Request is verified! sender.agent_id is trusted
    print(f"Verified request from: {sender.agent_id}")
    
    return {"response": "Hello, verified agent!"}

JavaScript (Express):

typescript
import { verifyRequest } from '@amorce/sdk';

app.post('/api/chat', async (req, res) => {
  const sender = await verifyRequest(req);
  
  if (!sender) {
    return res.status(401).json({ error: 'Invalid signature' });
  }
  
  // Request is verified!
  console.log(`Verified request from: ${sender.agentId}`);
  
  res.json({ response: 'Hello, verified agent!' });
});

Step 5: Register in the Trust Directory (30 seconds)

Make your agent discoverable by other agents.

Python:

python
agent.register_with_trust_directory(
    metadata={
        "name": "My Awesome Agent",
        "description": "Helps users with task X",
        "category": "productivity"
    }
)

Your agent is now listed at amorce.io/registry and can be discovered by other agents.

What You Just Built

In 5 minutes, you've added:

FeatureBeforeAfter
IdentityAnonymous HTTPVerified Ed25519 identity
IntegrityTrust nothingCryptographic signatures
DiscoveryManual URLsTrust Directory lookup
Audit TrailNothingSigned transaction logs

Next Steps

Add Human-in-the-Loop (HITL)

For high-value transactions, require human approval:

python
from amorce import create_hitl_approval

approval = agent.create_hitl_approval(
    action="Transfer $500 to vendor",
    timeout_minutes=30
)

# User receives notification, approves/rejects
if approval.wait_for_decision():
    proceed_with_transaction()

Explore Framework Integrations

Join the Community

FAQ

Q: Is this production-ready? Yes. Amorce uses Ed25519, the same algorithm used by SSH, Signal, and cryptocurrency wallets.

Q: What about performance? Ed25519 signatures take ~0.1ms. You won't notice any latency.

Q: Do I need to change my existing API? No. Amorce wraps your existing requests. Your business logic stays the same.

Q: Is this free? Yes. Amorce is open source under MIT license.

Ready to secure your agents?

bash
pip install amorce-sdk
# or
npm install @amorce/sdk

View Full Documentation →

Ready to secure your Agent?

Get your Identity in 3 minutes and start building secure AI agents today.

Get StartedRegister Agent