Agent Identity & CAF
SPIFFE-based cryptographic identity for AI agents — ephemeral mTLS certificates, bootstrap protocol, and auto-revocation.
Overview
BrainstormRouter's Cryptographic Agent Framework (CAF) gives every AI agent a verifiable identity backed by short-lived X.509 certificates. Unlike API keys, which are shared bearer secrets that can be copied and replayed, CAF identities are cryptographically bound to a specific agent, tenant, and time window. No certificate, no access.
The system implements SPIFFE URI-based identity with a private Certificate Authority managed in AWS Secrets Manager.
How agents get identity
An agent bootstraps its identity through a single API call: it presents a JWT signed with the tenant's agent secret together with a CSR, and receives a signed certificate in return.
```text
Agent                                        BrainstormRouter CA
  │                                                  │
  │─── POST /v1/agent/auth/cert ────────────────────▸│
  │    Authorization: Bearer <JWT>                   │
  │    Body: { csr: "-----BEGIN..." }                │
  │                                                  │
  │◂── 200 { certificate, expiresAt } ───────────────│
  │                                                  │
  │─── POST /v1/chat/completions ───────────────────▸│
  │    mTLS client cert attached                     │
  │                                                  │
```
The JWT must include:

| Claim | Value |
|---|---|
| `iss` | `brainstormrouter` |
| `aud` | `brainstormrouter-api` |
| `sub` | Agent ID |
| `tid` | Tenant ID |
| `iat` | Issued-at timestamp |
The agent generates a CSR (Certificate Signing Request) with its SPIFFE URI embedded as a SAN, submits it with the JWT, and receives a signed certificate from the internal CA.
SPIFFE URI format
Every agent certificate encodes identity as a SPIFFE URI in the Subject Alternative Name (SAN) extension:
```text
spiffe://brainstorm.internal/agent/{tenantId}/{agentId}
```
This URI is the agent's canonical identity across all BrainstormRouter systems — routing decisions, budget enforcement, audit trails, and evidence records all reference this URI.
Ephemeral certificates
Certificates expire after 5 minutes by design. Short lifetimes limit the blast radius of a compromised credential:
- No CRL or OCSP infrastructure to maintain: an expired certificate is simply rejected, and the revocation set described below only needs to hold a serial for the few minutes its certificate remains valid
- Agents must re-authenticate frequently, proving continued authorization
- A stolen certificate (and its private key) becomes useless within minutes
- A fresh key pair is generated on every renewal, so key rotation happens automatically
The CA (`src/security/caf/`) signs only RSA keys; CSRs carrying EC keys are intentionally rejected to maintain compatibility with ALB mutual TLS passthrough.
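The CA side of the bootstrap exchange, as an added example that is not code from the BrainstormRouter repository: it verifies the bootstrap JWT, derives the SPIFFE URI from the `sub` and `tid` claims (the format in the previous section), enforces the RSA-only key policy, and computes the five-minute `expiresAt`. Assumptions the page does not state: HS256 is the JWT signature scheme (the page says only that the JWT is signed with the tenant's agent secret; the caller is assumed to look the secret up by the token's `tid`), a 60-second freshness window on `iat` with 30 seconds of clock skew, an ID character set for `sub`/`tid`, and that a CSR library has already handed over the CSR's public key PEM and its URI SAN (Node's `crypto` module parses certificates but not CSRs). All function names are hypothetical.

```typescript
import * as crypto from "crypto";

// Constants from the page; the JWT freshness window, skew and ID charset are assumptions.
const ISSUER = "brainstormrouter";
const AUDIENCE = "brainstormrouter-api";
const TRUST_DOMAIN = "brainstorm.internal";
const CERT_TTL_SECONDS = 5 * 60;     // "Certificates expire after 5 minutes"
const MAX_JWT_AGE_SECONDS = 60;      // assumed: reject an iat older than this
const MAX_CLOCK_SKEW_SECONDS = 30;   // assumed: tolerate a slightly future iat
const ID_RE = /^[A-Za-z0-9_-]+$/;    // assumed: keeps "/" and friends out of the SPIFFE path

export interface BootstrapClaims {
  iss: string;
  aud: string;
  sub: string; // Agent ID
  tid: string; // Tenant ID
  iat: number; // seconds since the epoch
}

function b64url(data: string): string {
  return Buffer.from(data).toString("base64url");
}

/** Agent side: mint the bootstrap JWT. HS256 over the tenant's agent secret is assumed. */
export function mintBootstrapJwt(agentId: string, tenantId: string, secret: string,
                                 now: number = Math.floor(Date.now() / 1000)): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify({ iss: ISSUER, aud: AUDIENCE, sub: agentId, tid: tenantId, iat: now }));
  const signature = crypto.createHmac("sha256", secret).update(`${header}.${payload}`).digest("base64url");
  return `${header}.${payload}.${signature}`;
}

/** CA side: check the signature first, then every required claim. Throws on any failure. */
export function verifyBootstrapJwt(token: string, secret: string,
                                   now: number = Math.floor(Date.now() / 1000)): BootstrapClaims {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed JWT");
  const [h, p, s] = parts;
  // Pin the algorithm: the verifier decides how to verify, never the token's alg field.
  const header = JSON.parse(Buffer.from(h, "base64url").toString("utf8"));
  if (header.alg !== "HS256") throw new Error(`unsupported alg ${header.alg}`);
  const expected = crypto.createHmac("sha256", secret).update(`${h}.${p}`).digest();
  const actual = Buffer.from(s, "base64url");
  if (expected.length !== actual.length || !crypto.timingSafeEqual(expected, actual)) {
    throw new Error("JWT signature invalid");
  }
  const claims = JSON.parse(Buffer.from(p, "base64url").toString("utf8")) as Partial<BootstrapClaims>;
  if (claims.iss !== ISSUER) throw new Error("bad iss");
  if (claims.aud !== AUDIENCE) throw new Error("bad aud");
  if (typeof claims.sub !== "string" || !ID_RE.test(claims.sub)) throw new Error("missing or malformed sub");
  if (typeof claims.tid !== "string" || !ID_RE.test(claims.tid)) throw new Error("missing or malformed tid");
  if (typeof claims.iat !== "number" || claims.iat > now + MAX_CLOCK_SKEW_SECONDS
      || now - claims.iat > MAX_JWT_AGE_SECONDS) throw new Error("iat stale or in the future");
  return claims as BootstrapClaims;
}

/** The canonical identity the page defines: spiffe://brainstorm.internal/agent/{tenantId}/{agentId}. */
export function spiffeUriFor(tenantId: string, agentId: string): string {
  return `spiffe://${TRUST_DOMAIN}/agent/${tenantId}/${agentId}`;
}

/**
 * Issuance decision for POST /v1/agent/auth/cert. The identity comes from the verified JWT,
 * not from whatever the CSR asks for, so an agent cannot obtain a certificate for another
 * tenant or agent by editing its CSR. The CSR's public key PEM and URI SAN are passed in
 * already extracted (assumption: a CSR parser sits in front of this function).
 */
export function evaluateCsr(token: string, secret: string, csrPublicKeyPem: string, csrUriSan: string,
                            now: number = Math.floor(Date.now() / 1000)): { spiffeUri: string; expiresAt: string } {
  const claims = verifyBootstrapJwt(token, secret, now);
  const keyType = crypto.createPublicKey(csrPublicKeyPem).asymmetricKeyType;
  if (keyType !== "rsa") throw new Error(`rejected ${keyType} key: the CA signs RSA keys only`);
  const spiffeUri = spiffeUriFor(claims.tid, claims.sub);
  if (csrUriSan !== spiffeUri) throw new Error(`CSR SAN ${csrUriSan} does not match JWT identity ${spiffeUri}`);
  return { spiffeUri, expiresAt: new Date((now + CERT_TTL_SECONDS) * 1000).toISOString() };
}
```

Two design points worth noting: the HMAC is compared with `timingSafeEqual` after a length check, and the SAN comparison is exact string equality against the URI derived from the JWT, so a CSR that asks for a different tenant's path is refused before anything is signed.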
mTLS authentication flow
In production, BrainstormRouter runs behind an AWS ALB configured for mTLS passthrough. In this mode the ALB still terminates TLS, but it does not verify the client certificate itself: it forwards the certificate the client presented, as URL-encoded PEM, in the X-Amzn-Mtls-Clientcert header and leaves verification to the gateway. The gateway must therefore trust this header only on connections that genuinely come from the ALB; a client that could reach the gateway directly would otherwise be able to inject a forged header.
```text
Agent ──TLS──▸ ALB (passthrough) ──▸ Gateway ──▸ Verify cert chain
                                                    │
                                                    ├─ Extract SPIFFE URI
                                                    ├─ Validate tenant ID
                                                    ├─ Check RBAC permissions
                                                    └─ Attach identity to request context
```
The gateway validates the full certificate chain against the CA bundle stored in AWS Secrets Manager (`brainstorm-router/production/caf-ca-bundle`). Requests with invalid, expired, or missing certificates are rejected before reaching the router.
Auto-revoke on firewall block
When the streaming firewall truncates or blocks an agent's output, CAF automatically triggers a trust evaluation. If the agent's anomaly score crosses the revocation threshold, the CA adds the certificate's serial number to the revocation set. Subsequent requests with that certificate are rejected immediately — no waiting for expiry.
This creates a closed loop: misbehave, get detected, lose identity.
SDK usage
Configure mTLS credentials in the SDK to authenticate as a specific agent:

```typescript
import * as fs from "fs";
import { BrainstormRouter } from "@brainstormrouter/sdk";

const client = new BrainstormRouter({
  apiKey: "br_live_...",
  // PEM-encoded certificate and private key obtained from the bootstrap exchange
  clientCert: fs.readFileSync("agent.crt", "utf8"),
  clientKey: fs.readFileSync("agent.key", "utf8"),
});

const response = await client.chat.completions.create({
  model: "anthropic/claude-sonnet-4",
  messages: [{ role: "user", content: "Summarize Q4 results" }],
});
```
curl

```bash
curl https://api.brainstormrouter.com/v1/chat/completions \
  --cert agent.crt \
  --key agent.key \
  -H "Authorization: Bearer br_live_..." \
  -H "Content-Type: application/json" \
  -d '{"model": "anthropic/claude-sonnet-4", "messages": [...]}'
```
RBAC integration
CAF certificates carry the RBAC permissions embedded in the agent's profile. The `cert.issue` permission is required to request certificates, and `cert.revoke` is required to administratively revoke them. Permission checks happen at the CSR exchange endpoint, so an agent cannot escalate its own permissions through certificate renewal.
See Graduated Trust Degradation for how identity integrates with continuous trust evaluation.