Open-source implementations of the Agent Auth Protocol—authentication, capability-based authorization, and service discovery for AI agents that connect to your product.
Agents discover your service, register with a cryptographic identity, request capabilities, and run them. Sensitive actions stay behind user approval. The canonical specification is nicepkg/agent-auth-protocol on GitHub.
| Package | Description | Install |
|---|---|---|
@better-auth/agent-auth |
Better Auth server plugin | npm i @better-auth/agent-auth |
@auth/agent |
Client SDK for agent runtimes | npm i @auth/agent |
@auth/agent-cli |
CLI and MCP server | npx @auth/agent-cli |
Next.js reference apps under examples/ integrate @better-auth/agent-auth with Drizzle:
agent-deploy— Baseline flow with email/password sign-ingmail-proxyandvercel-proxy— Same stack with WebAuthn/passkeys enabled (pick whichever structure fits your app)
The apps/ directory contains internal applications (directory, desktop, browser extension) used in development and demos.
Additional packages and examples will be added over time.
GitHub Actions (under .github/workflows/):
- CI — On pull requests and pushes to
main/canary:pnpm fmt:check(Oxfmt), then install with a frozen lockfile andturbobuild, typecheck, and test forpackages/*only (published libraries), on Node 22.x and 24.x (see.nvmrc). Format the tree locally withpnpm fmt. - Release — Pushing a tag
v*runs changelogithub, builds the same packages, and runspnpm -r publishto npm. Required: repository secretNPM_TOKENwith publish access. Tags matching*-beta,*-rc,*-canary, or*-nextpublish under that dist-tag; stable tags must point at a commit onmain(or av*.*.x-latestbranch), matching the Better Auth release rules. - Preview — Pull requests trigger pkg-pr-new for installable previews of
./packages/*. - npm dist-tag — Manual workflow to move a dist-tag on an existing version.
Optional: set TURBO_TOKEN and repository variable TURBO_TEAM (or rely on the default team) for Vercel Remote Cache, same idea as Better Auth.