SDK reference

Verification Gateway

A counterparty-side SDK and HTTP API for verifying incoming AI-agent traffic. The gateway sits in front of your service, calls AstraSync's /api/agents/verify-access endpoint on every request, and surfaces a structured policy decision your route handlers can act on.

Two SDKs, two roles

AstraSync ships two npm packages — they sit on opposite sides of the verify-access call:

  • @astrasyncai/verification-gateway — the merchant / counterparty side. Express + Next.js middleware, MCP / A2A adapters, webhook signature verifier. Install this when you operate an API or surface that AI agents call.
  • @astrasyncai/verification-gateway — the agent-author side. Agent registration, credential presentation, KYD onboarding. Install this when you build an AI agent that authenticates against AstraSync.

Mnemonic: verification-gateway = answers, sdk = asks.

What you get

  • Drop-in Express and Next.js middleware. Mount once, declare per-route policy, requests come back annotated with req.agentVerification.
  • Server-decided accessLevel (none / guidance / read-only / standard / full / internal). The SDK reads it verbatim — no client-side trust-score remap (v2.3.0+ contract).
  • Anonymous-traffic handling per the unverifiedAgentPolicy you set on each registered endpoint — deny / audit / allow_partial / allow_full. Recognised platform agents (Claude / ChatGPT / Gemini / Cursor / Goose) get an auto-provisioned ASTRA-id with IAL=1. audit mode (v2.3.8+) lets requests through with an X-Astra-Unverified-Warning response header for soft-launch deployments.
  • Optional setPassThroughHeader (v2.3.8+) emits X-Astra-Gateway-Mode: pass-through on responses where the middleware fell through without consulting verify-access. This lets integration tests assert "this endpoint should be gated; if it falls through, fail loudly." dashboardUrl customises the link in boot-time configuration warnings.
  • HMAC-SHA256 webhook signature verification via verifyAstraSyncWebhook(rawBody, headers, secret) — Stripe-style X-AstraSync-Signature header, 5-min replay tolerance, constant-time compare.
  • MCP and A2A protocol helpers, init-time self-test (HEAD probe to catch misconfigured apiBaseUrl), optional counterpartyId config for multi-endpoint attribution.
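
What the webhook bullet's three properties (HMAC-SHA256, 5-minute replay tolerance, constant-time compare) involve, as an added example that is not the SDK's own code. The header layout `t=<unix seconds>,v1=<hex>`, the signed string `<t>.<rawBody>`, and the names verifyWebhookSketch, parseSignatureHeader and sign are assumptions modelled on Stripe's scheme; in a real integration, call verifyAstraSyncWebhook.

```javascript
// Added example: Stripe-style HMAC-SHA256 webhook check.
// Header layout and signed-string format are assumptions, not taken from the SDK.
const crypto = require('node:crypto');

const TOLERANCE_SECONDS = 5 * 60; // the 5-minute replay window named on the page

// Assumed header layout: "t=<unix seconds>,v1=<hex hmac>[,v1=<hex hmac>...]".
function parseSignatureHeader(header) {
  const out = { t: null, v1: [] };
  for (const part of String(header || '').split(',')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const key = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (key === 't') out.t = value;
    if (key === 'v1') out.v1.push(value);
  }
  return out;
}

// HMAC over "<timestamp>.<raw body bytes>" so the timestamp itself is authenticated.
function sign(rawBody, timestamp, secret) {
  return crypto.createHmac('sha256', secret)
    .update(`${timestamp}.`).update(rawBody).digest('hex');
}

function verifyWebhookSketch(rawBody, header, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { t, v1 } = parseSignatureHeader(header);
  if (!/^\d+$/.test(t || '') || v1.length === 0) return { ok: false, reason: 'malformed_header' };
  // Replay window: a captured, validly signed request is rejected once it is stale.
  if (Math.abs(nowSeconds - Number(t)) > TOLERANCE_SECONDS) {
    return { ok: false, reason: 'timestamp_out_of_tolerance' };
  }
  const expected = Buffer.from(sign(rawBody, t, secret), 'hex');
  const match = v1.some((candidate) => {
    if (!/^[0-9a-f]{64}$/i.test(candidate)) return false;
    const given = Buffer.from(candidate, 'hex');
    // timingSafeEqual throws on length mismatch, so lengths are checked first.
    return given.length === expected.length && crypto.timingSafeEqual(given, expected);
  });
  return match ? { ok: true } : { ok: false, reason: 'signature_mismatch' };
}
```

The MAC covers the exact bytes received, so capture the raw body before any JSON parser runs; a parsed and re-serialised body will not verify.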

Install

npm install @astrasyncai/verification-gateway

Full reference

Detailed integration patterns — Express + Next.js middleware, anonymous traffic branches, accessLevel mapping, A2A / MCP usage, agent-side credential helpers, caller-metadata forwarding, runtime challenges, and webhook signing — live in the long-form docs page:

Read the full Verification Gateway reference