JACS
Cryptographic identity, data provenance, and trust for AI agents.
JACS gives every AI agent a verifiable identity, signs everything it produces, and lets any other agent or system verify who said what — without a central server.
cargo install jacs-cli | brew install jacs
For the HAI.AI platform (agent email, benchmarks, leaderboard), see haiai.
What JACS does
| Capability | What it means |
|---|---|
| Agent Identity | Generate a cryptographic keypair that uniquely identifies your agent. Post-quantum ready (ML-DSA-87/FIPS-204) by default. |
| Data Provenance | Sign any JSON document or file. Every signature is tamper-evident — anyone can verify the content hasn't been modified and who produced it. |
| Agent Trust | Verify other agents' identities, manage a local trust store, and establish trust policies (open, verified, strict) for cross-agent interactions. |
Quick start
Or via Homebrew:
MCP server
JACS includes a built-in MCP server for AI tool integration (Claude Desktop, Cursor, Claude Code, etc.):
The MCP server uses stdio transport only — no HTTP endpoints. This is a deliberate security choice: the server holds the agent's private key, so it runs as a subprocess of your MCP client. The key never leaves the local process and no ports are opened.
Core profile (default) — 7 tool families: state, document, trust, audit, memory, search, key.
Full profile (jacs mcp --profile full) — adds agreements, messaging, A2A, and attestation tools.
Core operations
| Operation | What it does |
|---|---|
| Create | Generate an agent identity with a cryptographic keypair |
| Sign | Attach a tamper-evident signature to any JSON payload or file |
| Verify | Prove a signed document is authentic and unmodified |
| Export | Share your agent's public key or signed documents with others |
What's new in 0.10.0
Inline text signatures — append a YAML-bodied JACS signature block to any markdown or text file. The file on disk is preserved byte-for-byte; the signature sits at the end and the file still renders as markdown on GitHub.
# Sign a markdown file in place — content is preserved byte-for-byte, signature
# appended at the end in a YAML-bodied block.
# Another agent appends their signature
# Verify per-signer (permissive — missing-sig is exit 2, not an error)
# Hard-fail if the file isn't signed (exit 1 instead of 2)
Why this matters: shared READMEs and design docs that multiple agents review and counter-sign now carry their provenance directly in the file — no separate sidecar JSON. The signature proves who signed which canonical bytes at their claimed time (it does not prove first creation or legal ownership).
Image signatures — embed a tamper-evident JACS signature inside a PNG, JPEG, or WebP. The signature lives in a metadata chunk (PNG iTXt / JPEG APP11 / WebP XMP), pure-Rust, no AGPL dependencies.
# Sign an image (signature embedded as base64url JSON in PNG iTXt / JPEG APP11 / WebP XMP)
Why this matters: photographers and AI image generators can attach a verifiable signed-at-claimed-time provenance signature to image bytes; downstream consumers verify the signer's identity and timestamp before trusting the asset.
See the inline text signing guide and image / media signing guide for the full feature set.
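To show where an embedded signature sits inside a PNG, the following added example (not JACS code, and not from the project) walks the chunk list, checks each chunk CRC, and decodes a base64url JSON payload from an iTXt chunk. The keyword `jacs-signature` and the payload fields are assumptions, since the page does not specify them; the code inspects the container only and does not verify any signature.

```python
import base64, json, struct, zlib
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
KEYWORD = "jacs-signature"  # hypothetical keyword; the page does not name the real one
MAX_TEXT = 64 * 1024        # cap on decompressed text, so a hostile chunk cannot balloon

def chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC-32 over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def iter_chunks(png: bytes):
    """Yield (type, data) per chunk; reject bad magic, truncation and CRC errors."""
    if not png.startswith(PNG_MAGIC):
        raise ValueError("not a PNG")
    pos = len(PNG_MAGIC)
    while pos < len(png):
        if pos + 8 > len(png):
            raise ValueError("truncated chunk header")
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype, end = png[pos + 4:pos + 8], pos + 8 + length
        if end + 4 > len(png):
            raise ValueError("truncated chunk")
        data = png[pos + 8:end]
        if struct.unpack(">I", png[end:end + 4])[0] != zlib.crc32(ctype + data):
            raise ValueError(f"CRC mismatch in {ctype!r} chunk")
        yield ctype, data
        pos = end + 4

def find_itxt_payloads(png: bytes, keyword: str = KEYWORD) -> list:
    """Decode base64url-JSON payloads from iTXt chunks that carry `keyword`."""
    found = []
    for ctype, data in iter_chunks(png):
        key, _, rest = data.partition(b"\x00")
        if ctype != b"iTXt" or key != keyword.encode("latin-1") or len(rest) < 2:
            continue
        compressed = rest[0] == 1            # byte 0: flag, byte 1: method
        _lang, _, rest = rest[2:].partition(b"\x00")
        _translated, _, text = rest.partition(b"\x00")
        if compressed:
            text = zlib.decompressobj().decompress(text, MAX_TEXT)
        found.append(json.loads(base64.urlsafe_b64decode(text + b"=" * (-len(text) % 4))))
    return found

def build_sample(with_signature: bool = True) -> bytes:
    """Constructed 1x1 grayscale PNG; the payload is a placeholder, not a real signature."""
    payload = json.dumps({"signer": "agent-example", "signature": "PLACEHOLDER"})
    text = base64.urlsafe_b64encode(payload.encode()).rstrip(b"=")
    itxt = chunk(b"iTXt", KEYWORD.encode("latin-1") + b"\x00" * 5 + text)
    ihdr = chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    idat = chunk(b"IDAT", zlib.compress(b"\x00\x00"))
    return PNG_MAGIC + ihdr + (itxt if with_signature else b"") + idat + chunk(b"IEND", b"")
```

A file with the chunk removed still parses as a valid PNG and yields an empty list, so a consumer has to decide whether an unsigned image is acceptable. The chunk CRC only detects accidental corruption; authenticity comes from verifying the signature itself.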
Use cases
Local provenance — An agent creates, signs, verifies, and exports documents locally. No server required.
Trusted local memory — Store agent memories, plans, configs as signed documents with searchable metadata and visibility controls (public/private/restricted).
Platform workflows — Use the same JACS identity with haiai to register with HAI.AI, send signed email, and run benchmarks.
Multi-agent trust — Agreements with quorum signing, A2A interoperability, attestation chains, and DNS-verified identity discovery.
When you DON'T need JACS
- Single developer, single service. Standard logging is fine.
- Internal-only prototypes. No trust boundaries, no value in signing.
- Simple checksums. If you only need to detect accidental corruption, use SHA-256.
JACS adds value when data crosses trust boundaries — between organizations, between services with different operators, or into regulated audit trails.
Features
- Post-quantum ready — ML-DSA-87 (FIPS-204) default, with Ed25519 for new classical keys and RSA-PSS verification for legacy artifacts.
- Cross-language — Sign in Rust, verify in Python or Node.js. Tested on every commit.
- Pluggable storage — Filesystem, SQLite, PostgreSQL, DuckDB, SurrealDB, Redb.
- Document visibility — public, private, or restricted access control.
- Trust policies — open, verified (default), or strict modes.
- Multi-agent agreements — Quorum signing, timeouts, algorithm requirements (feature-gated).
- A2A interoperability — Every JACS agent is an A2A agent with zero config (feature-gated).
Language bindings (experimental)
The MCP server and CLI are the recommended integration paths. Native bindings exist for direct library use:
| Language | Install | Status |
|---|---|---|
| Python | pip install jacs | Experimental |
| Node.js | npm install @hai.ai/jacs | Experimental |
| Go | go get github.com/HumanAssisted/JACS/jacsgo | Experimental |
See DEVELOPMENT.md for library APIs, framework adapters, and build instructions.
Security
- Private keys are encrypted with password-based key derivation.
- MCP server is stdio-only — no network exposure.
- 260+ automated tests covering cryptographic operations, password validation, agent lifecycle, DNS verification, and attack scenarios.
- Post-quantum default — ML-DSA-87 (FIPS-204) composite signatures.
Report vulnerabilities to security@hai.ai. Do not open public issues for security concerns.
Links
v0.10.0 | Apache-2.0 | Third-Party Notices