Core Concepts

Understanding the fundamental concepts of Veridex will help you build better integrations.

Passkeys (WebAuthn)

Passkeys are a modern authentication standard that replaces passwords with biometrics (FaceID, TouchID) or hardware security keys.

How Passkeys Work

User taps "Connect" → Device prompts for biometric → 
Passkey signs challenge → Signature verified on-chain

Key Properties

Phishing-resistant: Passkeys are bound to domains
Cross-device: Sync via iCloud Keychain, Google Password Manager
Non-exportable: Private key never leaves the device

Cryptography

Veridex uses the P-256 (secp256r1) curve, supported natively by:

WebAuthn standard
RIP-7212 precompile on Base/Optimism/Arbitrum
All modern secure enclaves (TPM, Secure Enclave)

Cross-Domain Passkeys

By default, WebAuthn passkeys are bound to a single domain. A passkey created on app-a.com cannot be used on app-b.com. Veridex solves this with Related Origin Requests (ROR) — a WebAuthn Level 3 standard that allows passkeys to be shared across approved domains.

How It Works

All Veridex-integrated apps use veridex.network as the canonical Relying Party ID (rpId).
A .well-known/webauthn file at veridex.network lists all approved origins.
When a user visits a third-party app, the browser checks the whitelist and allows the passkey if the origin is listed.
For browsers without ROR support, the SDK falls back to an Auth Portal at auth.veridex.network (popup or redirect).

Key Points for Developers

Register your origin at developers.veridex.network (opens in a new tab) before integrating.
Use createCrossOriginAuth() from the SDK — it handles ROR detection and fallback automatically.
Create server-side session tokens via the relayer for backend-verifiable sessions.
HTTPS is required — WebAuthn does not work on insecure origins (except localhost).
Chrome limits .well-known/webauthn to 5 unique eTLD+1 labels. Origins beyond this limit use the Auth Portal fallback seamlessly.

See the Cross-Domain Passkeys Guide for full integration instructions.

Hub and Spoke Architecture

Veridex uses a hub-and-spoke model for cross-chain operations.

Hub (Base)

Stores passkey credentials (public key, credential ID)
Verifies WebAuthn signatures (P-256)
Emits cross-chain authorization messages
Single source of truth for identity
Also functions as a Spoke — can hold funds and execute transactions directly (no cross-chain hop needed for Base operations)

Spokes (All Chains)

Hold user assets in deterministic vaults
Execute actions upon receiving Hub authorization via Wormhole (or direct relay for Stacks)
Support native token + ERC20/SPL/SIP-010 transfers

Deterministic Vaults

Each passkey generates a deterministic vault address that's the same across all EVM chains.

How It Works

vaultAddress = CREATE2(
  factory,
  keccak256(publicKeyX, publicKeyY),
  vaultBytecode
)

Benefits

Single address: Share one address for all EVM chains
No deployment needed: Address is known before vault exists
Counterfactual: Can receive funds before vault is deployed

Non-EVM Chains

For Solana, Aptos, Sui, Starknet, and Stacks, vault addresses are derived using chain-specific methods but still deterministic from the passkey.

Stacks is unique because Clarity natively supports secp256r1-verify for passkey signatures — no ZK proofs or precompiles needed.

Session Keys

Session keys enable smooth UX by delegating limited authority to a temporary key.

Why Session Keys?

Without session keys:

Action 1 → Biometric prompt
Action 2 → Biometric prompt
Action 3 → Biometric prompt

With session keys:

Create session → Biometric prompt (once)
Action 1 → Auto-signed
Action 2 → Auto-signed
Action 3 → Auto-signed

Session Constraints

Sessions can be limited by:

Constraint	Description
`duration`	Time limit (e.g., 1 hour)
`maxValue`	Total value limit
`allowedTokens`	Whitelist of tokens
`allowedRecipients`	Whitelist of addresses

Core SDK Session Example

import { SessionManager, generateSecp256k1KeyPair, computeSessionKeyHash } from '@veridex/sdk';
 
// Generate a session key pair
const keyPair = generateSecp256k1KeyPair();
const sessionHash = computeSessionKeyHash(keyPair.publicKey);
 
// SessionManager handles lifecycle
const sessionManager = new SessionManager({ /* hub client config */ });

Agent SDK Session Example

The Agent SDK provides a higher-level SessionKeyManager with USD-denominated spending limits:

import { createAgentWallet } from '@veridex/agentic-payments';
 
const agent = await createAgentWallet({
  masterCredential: { /* passkey credential */ },
  session: {
    dailyLimitUSD: 50,           // $50/day budget
    perTransactionLimitUSD: 10,  // $10 max per tx
    expiryHours: 24,             // 24-hour session
    allowedChains: [10004],      // Base Sepolia only
  },
});
 
// Agent uses session key automatically for payments
await agent.pay({ chain: 10004, token: 'USDC', amount: '1000000', recipient: '0x...' });

Cross-Chain Messaging

Veridex uses Wormhole for secure cross-chain communication.

Message Flow

Hub signs action → WebAuthn signature verified
Wormhole guardians attest → 13/19 signatures required
Spoke verifies VAA → Executes authorized action

Verification Paths

Path	Speed	Use Case
Query (CCQ)	~5-7 seconds	Balance checks, low-value transfers
VAA	~60 seconds	High-value transfers, critical actions

The relayer automatically chooses the optimal path based on transaction value.

Gasless Transactions

Users never need to hold gas tokens — the relayer pays gas fees.

How It Works

Fee Model

User pays: Token amount only
Relayer pays: Gas fees
Relayer recovers: Via protocol fee or sponsorship

Security Model

Trust Assumptions

Component	Trust Level
User's device	Fully trusted (holds passkey)
Hub contract	Trustless (on-chain verification)
Wormhole guardians	Honest majority (13/19)
Relayer	Untrusted (can't forge signatures)

Attack Resistance

Replay attacks: Nonces prevent replay
Cross-chain replay: Chain ID in signature
Signature malleability: Canonical encoding enforced
Phishing: Passkeys are domain-bound

Agent SDK Concepts

The Agent SDK (@veridex/agentic-payments) extends the core SDK for autonomous AI agent operations, including payments, on-chain identity, reputation, and multi-protocol support.

AgentWallet

The central orchestration class that manages session keys, payments, on-chain identity (ERC-8004), reputation, trust gates, agent discovery, and audit logging.

import { createAgentWallet } from '@veridex/agentic-payments';
 
const agent = await createAgentWallet({
  masterCredential: { /* passkey credential */ },
  session: { dailyLimitUSD: 50, perTransactionLimitUSD: 10, expiryHours: 24 },
  erc8004: { enabled: true, testnet: true, minReputationScore: 30 },
});

Protocol Abstraction Layer

The SDK supports multiple payment protocols with automatic detection. When agent.fetch() encounters a paywall, it auto-detects the protocol and handles payment:

Protocol	Creator	Priority	Use Case
UCP	Google/Shopify	100	Commerce/search integration
ACP	OpenAI/Stripe	90	ChatGPT ecosystem payments
AP2	Google	80	A2A mandate delegation
x402	Coinbase/Cloudflare	70	HTTP micropayments (402 Payment Required)

ERC-8004 On-Chain Identity

The ERC-8004 (opens in a new tab) standard provides on-chain identity for AI agents via three singleton registries deployed on every EVM chain:

Registry	Purpose	Canonical Mainnet Address
Identity	Agent registration (ERC-721 NFT), metadata URI, wallet linkage	`0x8004A169FB4a3325136EB29fA0ceB6D2e539a432`
Reputation	Feedback submission, revocation, scoring, summaries	`0x8004BAa17C55a88189AE136b182e5fdA19dE9b63`
Validation	Third-party attestations (spec in progress)	TBD

When an agent registers, it receives an ERC-721 NFT that represents its on-chain identity. The NFT's tokenURI points to a registration file containing the agent's name, description, services, and capabilities.

// Register an agent on-chain
const { agentId, agentURI } = await agent.register({
  name: 'Sentiment Analyzer',
  description: 'NLP-powered sentiment analysis',
  services: [{ name: 'analyze', endpoint: 'https://my-agent.com/analyze' }],
});

Reputation & Trust Gates

After every payment, the SDK can automatically submit reputation feedback to the ERC-8004 Reputation Registry. Before paying a merchant, the SDK can check their reputation score:

// Check merchant reputation before paying
const trust = await agent.checkMerchantTrust('https://data-provider.com');
// trust.score: 0-100, trust.trusted: boolean
 
// Get detailed reputation
const summary = await agent.getReputation(agentId);
// summary.feedbackCount, summary.normalizedScore, summary.tags

The TrustGate enforces minimum reputation thresholds:

If minReputationScore is set, agent.fetch() will reject merchants below that score
trustedReviewers can filter which feedback counts toward the score

Agent Discovery

Agents can discover other agents on-chain by capability, chain, or reputation:

// Find sentiment analysis agents
const agents = await agent.discover({ category: 'sentiment' });
 
// Resolve an agent from a URL, UAI, or address
const resolved = await agent.resolveAgent('https://my-agent.com');

The AgentDiscovery client supports resolution from:

UAI (Universal Agent Identifier) — CAIP-2 extended format
Endpoint URL — via /.well-known/agent-registration.json
Chain address — reverse lookup on Identity Registry
Search — by name, category, or tags

Registration File Management

The RegistrationFileManager builds, validates, and publishes ERC-8004 registration files:

import { RegistrationFileManager } from '@veridex/agentic-payments';
 
// Build a registration file
const file = RegistrationFileManager.buildRegistrationFile({
  name: 'My Agent',
  description: 'Does cool things',
  services: [{ name: 'api', endpoint: 'https://my-agent.com/api' }],
});
 
// Validate against ERC-8004 schema
const { valid, errors } = RegistrationFileManager.validate(file);
 
// Publish to IPFS or encode as data URI
const dataURI = RegistrationFileManager.buildDataURI(file);

Modular Identity Clients

The identity module is composed of independent, chain-agnostic clients:

Client	Purpose
IdentityClient	ERC-8004 Identity Registry — register, query, update agents
ReputationClient	ERC-8004 Reputation Registry — feedback, scoring, summaries
RegistrationFileManager	Build, validate, publish registration files (IPFS/data URI)
TrustGate	Pre-payment reputation checks
AgentDiscovery	Resolve agents from UAI, URL, address, or search
ServiceDirectoryClient	Veridex-specific on-chain marketplace (not ERC-8004)
ERC8004Client	Backward-compatible facade composing all of the above

Spending Limits (Three Layers)

Veridex enforces spending limits at three levels:

Layer	Enforcement	Description
SDK	Off-chain	`SpendingTracker` checks USD limits before signing
Contract	On-chain	Smart contract enforces daily/per-tx limits
Post-Conditions	Protocol (Stacks only)	Stacks native guarantee on max transfer amounts

MCP Tools

The Agent SDK provides Model Context Protocol (MCP) tools for integration with AI assistants like Claude and Cursor:

const agent = await createAgentWallet({
  // ...
  mcp: { enabled: true },
});
 
const tools = agent.getMCPTools();
// Tools: check_balance, send_payment, get_session_status, discover_agents, get_reputation, etc.

Pyth Oracle

Real-time price feeds for USD-denominated spending limits:

import { PythOracle } from '@veridex/agentic-payments';
 
const oracle = new PythOracle();
const ethPrice = await oracle.getPrice('ETH');
const stxPrice = await oracle.getPrice('STX');

Next Steps

Create Wallet

Step-by-step wallet creation guide

Agent Identity

ERC-8004 identity, reputation, and discovery

Agent Payments

Build autonomous AI agent payments

SDK Reference

Explore the SDK API

Installation FAQ