How does the Guard work?

The Guard validates every agent request in real-time before it reaches your application. Invalid agents are blocked immediately with detailed error responses. Valid agents pass through with added trust context for your business logic.

What checks does the Guard enforce?

The Guard enforces three core security properties: Identity (verifying the sender's cryptographic signature), Integrity (ensuring the payload hasn't been tampered with), and Freshness (preventing replay attacks via timestamps).

Yes! The Python SDK and Go sidecar are free and open source. Use them for any number of requests in development or production. We offer optional paid Platform features for advanced analytics and team collaboration.

Does the Guard add latency?

Minimal latency—typically <1ms per request for the Go sidecar. Validation is highly optimized with caching for repeated agents. For most applications, this overhead is negligible compared to the protection against invalid agents causing production incidents.

Can I use custom validation logic?

Yes! The Guard supports custom validators, conditional rules based on your business logic, and policy-based routing. For example: require high trust scores for payment agents, but allow lower scores for read-only agents.

What happens when an invalid agent is detected?

The Guard blocks the request and returns a structured error response with the reason for rejection and validation details. You can customize error handling—log to your monitoring system, send alerts, or return custom error messages to users.

Open source. Self-hostable. Apache 2.0.

Open Source

SimpleGuard Standard

Stop Trusting. Start Verifying.

Guard is middleware that verifies every agent request: identity, integrity, freshness.

No more "trust me, I'm billing-agent." Prove it. Ed25519 signatures, SHA-256 body hashing, 60s replay window. <1ms verification.

Ed25519 Signatures|SHA-256 Body Hash|60s Replay Window|<1ms Verification

Get Started View on GitHub

pip install capiscio-sdk

Agent Identity (Who)

Ed25519 signature verification. Not user login: agent-to-agent caller authenticity.

Blocked when: attacker impersonates billing-agent

Request Integrity (What)

SHA-256 body hash bound to signature. Any modification fails.

Blocked when: proxy modifies transfer amount

Replay Protection (When)

Strict iat/exp validation. 60s window, 5s skew tolerance.

Blocked when: captured request replayed 100x

How Guard Verifies Every Request

Step-by-step verification flow and failure modes

Verification Flow

Extract Badge

Read X-Capiscio-Badge header (compact JWS)

Resolve Key

Look up public key by kid claim in trust store

Verify Signature

Ed25519 signature check against resolved key

Check Freshness

Validate iat/exp within 60s window

Verify Integrity

Hash body (SHA-256), compare to bh claim

All pass → Forward to handler

Failure Modes (Fail-Closed)

✗ Missing Header

No X-Capiscio-Badge → 401 Unauthorized

✗ Invalid Signature

Ed25519 verification fails → 403 Forbidden

✗ Unknown Key ID

kid not in trust store → 403 Forbidden

✗ Token Expired

Outside 60s window → 403 Forbidden (reason: token_expired)

✗ Clock Skew

iat in future beyond 5s tolerance → 403 Forbidden

✗ Body Hash Mismatch

SHA-256 doesn't match bh → 403 Forbidden (reason: integrity_failed)

All failures are logged with reason codes for debugging and SIEM integration.

Configuration Options

Time Window

max_token_age: 60s

How long tokens remain valid

Clock Skew

clock_skew: 5s

Tolerance for clock differences

Dev Mode

dev_mode: true

Auto-generate keys, self-trust

Trust Store

trusted_dir: ./capiscio_keys/trusted

Directory of allowed public keys

View full configuration reference →

Real-World Threats Blocked

How agent failures actually happen, and how Guard stops them

🎭

Spoofed Agent Call

Scenario: Attacker claims to be 'billing-agent' to trigger unauthorized refund.

✓ Blocked by Identity Verification

Signature check fails. Only the holder of billing-agent's private key can produce a valid signature.

🔄

Tool Router Tampering

Scenario: Prompt injection causes tool call parameters to drift. Transfer amount changed in transit.

✓ Blocked by Integrity Check

Body hash mismatch. The signature covers SHA-256(body). Any change invalidates it.

🔁

Retry Storm / Replay

Scenario: Valid request captured by attacker, replayed 100 times to drain budget.

✓ Blocked by Freshness

60s window. First request succeeds, replays after window closes are rejected.

Drop-in Protection in Two Lines

Simple integration for any stack

pip install capiscio-sdk-pythonv0.3.0

from fastapi import FastAPI
from capiscio.guard import SimpleGuard

app = FastAPI()

# Zero config: auto-discovers agent-card.json and key material
guard = SimpleGuard(app, dev_mode=True)

@app.post("/agent/message")
async def handle_message():
    # Only reached if agent identity, integrity, and freshness checks pass
    return {"status": "verified"}

Need explicit keys, trust stores, or environment-based secrets? Check the advanced configuration docs.

⚡

Minimal Latency Overhead

Optimized for high-throughput agent traffic. Built for production workloads.

🔒

Fail-Closed Design

Invalid signatures, expired timestamps, or tampered payloads are rejected immediately.

The SimpleGuard Standard

Cryptographic enforcement details for security engineers

Agent Identity

Ed25519 (Edwards-curve Digital Signature Algorithm).

Trust Badge in X-Capiscio-Badge header. Proves which agent signed.

Integrity

SHA-256 body hash.

Bound to the JWS as bh claim to prevent tampering.

Freshness

Strict iat and exp checks.

Default 60s window with 5s clock skew tolerance.

Fail Closed

Immediate rejection.

Returns 401 Unauthorized or 403 Forbidden on any failure.

What Guard Doesn't Do

Honest boundaries. No false promises.

✗

Not a prompt filter

Guard doesn't inspect or sanitize prompt content. It verifies the caller, not the message semantics.

✗

Not rate limiting

Guard doesn't throttle requests. Pair with your existing API gateway or rate limiter.

✗

Not authorization

Guard proves who is calling, not what they're allowed to do. Authorization is your business logic.

✗

Not content moderation

Guard doesn't block toxic content or policy violations. Use appropriate content filters upstream.

Guard does one thing well: cryptographic identity verification with tamper detection and replay protection.

"Why not just use API keys?"

The question every developer asks. Here's the honest answer.

Capability	API Keys	mTLS	CapiscIO Guard
Proves caller identity	Shared secret	✓ Certificate	✓ Ed25519 signature
Detects payload tampering	✗	Transport only	✓ SHA-256 body hash
Prevents replay attacks	✗	✗	✓ 60s window
Works through proxies/gateways	✓	✗ TLS terminates	✓ Application-layer
Survives key leak	✗ Full compromise	Revocation lag	✓ Per-request signing
Audit trail per request	Key ID only	Cert CN only	✓ Full agent identity

API Keys are fine when...

You control both ends, trust the network, and don't need per-request attestation.

mTLS is fine when...

You have PKI infrastructure and don't route through load balancers that terminate TLS.

Guard when you need...

Per-request identity proof, tamper detection, and replay protection, especially across trust boundaries.

Bottom line: API keys prove you have a secret. Guard proves which agent signed this specific request at this specific time.

Flexible Deployment

Choose the integration that fits your architecture

Library Mode

Direct integration for Python services

Zero infrastructure dependency
Native framework support (FastAPI, Flask, Django)
Ideal for monolithic agent services

Sidecar Mode

Language-agnostic protection via Go proxy

Protect any service (Node, Rust, Ruby)
Deploy as Kubernetes sidecar
Offload crypto operations

How CapiscIO fits with your existing stack

We don't issue identities; we enforce them at the agent boundary.

Works with your IAM (Okta, AWS IAM). Doesn't replace it. Guard handles agent-to-agent identity, not user identity.
Sits next to your API gateway, enforcing per-message agent identity and payload integrity. Not a replacement for Kong or Envoy.
Focused on agent-to-agent and agent-to-tool calls, not generic network traffic or user sessions.

Example scenario:

payment-agent on Vercel calling ledger-agent on AWS. Guard ensures the request is signed, untampered, and fresh regardless of where each agent runs.

The Capiscio Stack

Use Case

Tool

Validate agent cards & endpoints

CLI

Block bad traffic (Python)

Guard SDK

Block bad traffic (Any HTTP Service)

Go Sidecar (Core)

Pre-Deployment Validation

Catch issues before you deploy

The Guard protects you at runtime, but the CapiscIO CLI helps you validate agent cards and test endpoints during development and CI/CD.

Validate locally - Check A2A agent cards and signatures before commit
CI/CD Gates - Use the capiscio CLI and GitHub Action to block invalid or non-responsive agents before deployment

Explore CLI

# Validate before deploy

$ capiscio validate ./agent.json

✓ Agent card: ./agent.json

✓ A2A schema: valid

✓ Signature: valid (Ed25519)

✓ Endpoint: 200 OK (optional --test-live)

All checks passed.

Ready to Secure Your Agents?

Start with the open source guard and CLI today. Contact us if you need help hardening multi-agent or cross-cloud environments.

View Pricing Star on GitHub

Frequently Asked Questions

Everything you need to know