Source Code
AAP - Agent Attestation Protocol
The Reverse Turing Test. CAPTCHAs block bots. AAP blocks humans.
What It Does
AAP verifies that a client is an AI agent by:
- Issuing challenges trivial for LLMs, impossible for humans in time
- Requiring cryptographic signature (secp256k1) for identity proof
- 7 challenges in 6 seconds with mandatory signing
Installation
npm install aap-agent-server # Server
npm install aap-agent-client # Client
Server Usage
import { createServer } from 'node:http';
import { createAAPWebSocket } from 'aap-agent-server';
const server = createServer();
const aap = createAAPWebSocket({
server,
path: '/aap',
requireSignature: true, // v3.2 default
onVerified: (result) => console.log('Verified:', result.publicId)
});
server.listen(3000);
Client Usage
import { AAPClient, generateIdentity, createSolver } from 'aap-agent-client';
// Identity auto-generated (secp256k1 key pair)
const client = new AAPClient({
serverUrl: 'ws://localhost:3000/aap'
});
const result = await client.verify(solver);
// Signature automatically included
Protocol Flow (WebSocket v3.2)
โ handshake (requireSignature: true)
โ ready (publicKey)
โ challenges (7 challenges)
โ answers + signature + timestamp
โ result (verified/failed + sessionToken)
Signature Format
Proof data signed with secp256k1:
JSON.stringify({ nonce, answers, publicId, timestamp })
Configuration
| Option | Default | Description |
|---|---|---|
challengeCount |
7 | Number of challenges |
totalTimeMs |
6000 | Time limit (ms) |
requireSignature |
true | Mandate cryptographic proof |
Security
- Cryptographic identity (secp256k1)
- Signature required = no anonymous access
- 7 challenges in 6 seconds = impossible for humans
- Non-repudiation: all actions traceable