How does Agent Guard work?

Agent Guard validates every A2A agent request in real-time before it reaches your application. Invalid agents are blocked immediately with detailed error responses. Valid agents pass through with added trust context for your business logic.

What checks does Agent Guard enforce?

Agent Guard enforces three core security properties: Identity (verifying the sender's cryptographic signature), Integrity (ensuring the payload hasn't been tampered with), and Freshness (preventing replay attacks via timestamps).

Yes! The Python SDK (capiscio-sdk) and Go sidecar are free and open source. Use them for any number of requests in development or production. We offer optional paid Platform features for advanced analytics and team collaboration.

Does Agent Guard add latency?

Minimal latency—typically <1ms per request for the Go sidecar. Validation is highly optimized with caching for repeated agents. For most applications, this overhead is negligible compared to the protection against invalid agents causing production incidents.

Can I use custom validation logic?

Yes! Agent Guard supports custom validators, conditional rules based on your business logic, and policy-based routing. For example: require high trust scores for payment agents, but allow lower scores for read-only agents.

What happens when an invalid agent is detected?

Agent Guard blocks the request and returns a structured error response with the reason for rejection and validation details. You can customize error handling—log to your monitoring system, send alerts, or return custom error messages to users.

Open source. Self-hostable. Apache 2.0.

Open Source

SimpleGuard Standard

Stop Trusting. Start Verifying.

Agent Guard is middleware that verifies every A2A agent request: identity, integrity, freshness.

No more "trust me, I'm billing-agent." Prove it. Ed25519 signatures, SHA-256 body hashing, 60s freshness window. Sub-millisecond verification.

Ed25519 Signatures|SHA-256 Body Hash|60s Freshness Window|Sub-ms Verification

Get Started View on GitHub

pip install capiscio-sdk

Agent Identity (Who)

Ed25519 signature verification. Not user login: agent-to-agent caller authenticity.

Blocked when: attacker impersonates billing-agent

Request Integrity (What)

SHA-256 body hash bound to signature. Any modification fails.

Blocked when: proxy modifies transfer amount

Freshness (When)

Strict iat/exp validation. 60s window, 5s skew tolerance.

Blocked when: stale request replayed after window expires

How Agent Guard Verifies Every Request

Step-by-step verification flow and failure modes

Verification Flow

Extract Badge

Read X-Capiscio-Badge header (compact JWS)

Resolve Key

Look up public key by kid claim in trust store

Verify Signature

Ed25519 signature check against resolved key

Check Freshness

Validate iat/exp within 60s window

Verify Integrity

Hash body (SHA-256), compare to bh claim

All pass → Forward to handler

Failure Modes (Fail-Closed)

✗ Missing Header

No X-Capiscio-Badge → 401 Unauthorized

✗ Invalid Signature

Ed25519 verification fails → 403 Forbidden

✗ Unknown Key ID

kid not in trust store → 403 Forbidden

✗ Token Expired

Outside 60s window → 403 Forbidden

✗ Clock Skew

iat in future beyond 5s tolerance → 403 Forbidden

✗ Body Hash Mismatch

SHA-256 doesn't match bh → 403 Forbidden

Detailed failure reasons are logged server-side for debugging and SIEM integration.

Verification Defaults

These are the default verification parameters. SDK constructors accept dev_mode and base_dir options.

Freshness Window

60 seconds

How long tokens remain valid

Clock Skew

5 seconds

Tolerance for clock differences

Dev Mode

dev_mode=True

Auto-generate keys, self-trust

Trust Store

./capiscio_keys/trusted/

Directory of allowed public keys

View full configuration reference →

Real-World Threats Blocked

How agent security failures actually happen, and how Agent Guard stops them

🎭

Spoofed Agent Call

Scenario: Attacker claims to be 'billing-agent' to trigger unauthorized refund.

✓ Blocked by Identity Verification

Signature check fails. Only the holder of billing-agent's private key can produce a valid signature.

🔄

Tool Router Tampering

Scenario: Prompt injection causes tool call parameters to drift. Transfer amount changed in transit.

✓ Blocked by Integrity Check

Body hash mismatch. The signature covers SHA-256(body). Any change invalidates it.

🔁

Stale Request Replay

Scenario: Valid request captured by attacker, replayed after freshness window expires.

✓ Blocked by Freshness Check

60s window. Requests older than the window are rejected. For idempotency within the window, use jti claims.

Drop-in Protection in Two Lines

Simple integration for any stack

pip install capiscio-sdkv2.3.1

from fastapi import FastAPI
from capiscio_sdk.simple_guard import SimpleGuard
from capiscio_sdk.integrations.fastapi import CapiscioMiddleware

app = FastAPI()

# Zero config: auto-discovers agent-card.json and key material
guard = SimpleGuard(dev_mode=True)
app.add_middleware(CapiscioMiddleware, guard=guard)

@app.post("/agent/message")
async def handle_message():
    # Only reached if agent identity, integrity, and freshness checks pass
    return {"status": "verified"}

Need explicit keys, trust stores, or environment-based secrets? Check the advanced configuration docs.

⚡

Minimal Latency Overhead

Optimized for high-throughput agent traffic. Built for production workloads.

🔒

Fail-Closed Design

Invalid signatures, expired timestamps, or tampered payloads are rejected immediately.

The SimpleGuard Standard

Cryptographic enforcement details for security engineers

Agent Identity

Ed25519 (Edwards-curve Digital Signature Algorithm).

Trust Badge in X-Capiscio-Badge header. Proves which agent signed.

Integrity

SHA-256 body hash.

Bound to the JWS as bh claim to prevent tampering.

Freshness

Strict iat and exp checks.

Default 60s window with 5s clock skew tolerance.

Fail Closed

Immediate rejection.

Returns 401 Unauthorized or 403 Forbidden on any failure.

What Agent Guard Doesn't Do

Honest boundaries. No false promises.

✗

Not a prompt filter

Agent Guard doesn't inspect or sanitize prompt content. It verifies the caller, not the message semantics.

✗

Not rate limiting

Agent Guard doesn't throttle requests. Pair with your existing API gateway or rate limiter.

✗

Not authorization

Agent Guard proves who is calling, not what they're allowed to do. Authorization is your business logic.

✗

Not content moderation

Agent Guard doesn't block toxic content or policy violations. Use appropriate content filters upstream.

Agent Guard does one thing well: cryptographic identity verification with tamper detection and replay protection for A2A protocol traffic.

"Why not just use API keys?"

The question every developer asks. Here's the honest answer.

Capability	API Keys	mTLS	Agent Guard
Proves caller identity	Shared secret	✓ Certificate	✓ Ed25519 signature
Detects payload tampering	✗	Transport only	✓ SHA-256 body hash
Prevents replay attacks	✗	✗	✓ 60s window
Works through proxies/gateways	✓	✗ TLS terminates	✓ Application-layer
Survives key leak	✗ Full compromise	Revocation lag	✓ Per-request signing
Audit trail per request	Key ID only	Cert CN only	✓ Full agent identity

API Keys are fine when...

You control both ends, trust the network, and don't need per-request attestation.

mTLS is fine when...

You have PKI infrastructure and don't route through load balancers that terminate TLS.

Agent Guard when you need...

Per-request identity proof, tamper detection, and replay protection for A2A agent-to-agent traffic, especially across trust boundaries.

Bottom line: API keys prove you have a secret. Agent Guard proves which agent signed this specific request at this specific time.

Flexible Deployment

Choose the integration that fits your architecture

Library Mode

Direct integration for Python services

Zero infrastructure dependency
Native framework support (FastAPI, Flask, Django)
Ideal for monolithic agent services

Sidecar Mode

Language-agnostic protection via Go proxy

Protect any service (Node, Rust, Ruby)
Deploy as Kubernetes sidecar
Offload crypto operations

How CapiscIO Agent Guard fits with your existing stack

We don't issue identities; we verify them at every agent call—internal or external.

Works with your IAM (Okta, AWS IAM). Doesn't replace it. Guard handles agent-to-agent identity, not user identity.
Sits next to your API gateway, enforcing per-message agent identity and payload integrity. Not a replacement for Kong or Envoy.
Focused on agent-to-agent and agent-to-tool calls, not generic network traffic or user sessions.

Example scenario:

payment-agent on Vercel calling ledger-agent on AWS. Guard ensures the request is signed, untampered, and fresh regardless of where each agent runs.

The CapiscIO Stack

Use Case

Tool

Validate agent cards & endpoints

CLI

Block bad A2A traffic (Python)

Agent Guard SDK

Block bad A2A traffic (Any HTTP Service)

Go Sidecar (Core)

Protect MCP tool servers

MCP Guard

Pre-Deployment Validation

Catch issues before you deploy

Agent Guard protects you at runtime, but the CapiscIO CLI helps you validate agent cards and test endpoints during development and CI/CD.

Validate locally - Check A2A agent cards and signatures before commit
CI/CD Gates - Use the capiscio CLI and GitHub Action to block invalid or non-responsive agents before deployment

Explore CLI

# Validate before deploy

$ capiscio validate ./agent.json

✓ Agent card: ./agent.json

✓ A2A schema: valid

✓ Signature: valid (Ed25519)

✓ Endpoint: 200 OK (optional --test-live)

All checks passed.

Ready to Secure Your A2A Agents?

Start with the open source Agent Guard and CLI today. Need MCP server protection? Check out MCP Guard.

View Pricing Star on GitHub

Frequently Asked Questions

Everything you need to know