THE CONSENT LAYER FOR AI AGENTS

AI agents are learning to act.Make them ask first.

An agent proves a verifiable credential from the user's wallet before a consequential action completes. Identity leads; payments is one application.

Agents can check out a cart, unlock age-restricted content, grant access. Should they — without proof?

Try it live

A complete MCP storefront — no setup required.

credentagent-storefront is a ready-to-run MCP server: nine shopping tools, a product widget, and a gated checkout. Add the hosted connector and order the whiskey — the age gate fires automatically.

Hosted connector — add to any client
https://mcp-apps-nine.vercel.app/mcp
Claude ChatGPT Goose

📱 To prove credentials on your device, install Multipaz Wallet (Android & iOS).

1
Add the connector — paste the URL above into Claude, ChatGPT, or Goose as an MCP connector.
2
Order the whiskey — ask your agent to browse, add the whiskey, and check out.
3
Age gate fires — the checkout tool returns an age_over_21 requirement. Prove it on your device; order completes.

Want to customize it? Run locally: node examples/storefront.mjs — inject your catalog, own the code.

Demo Consent flow — end to end
Demo app
credentagent-storefront

Run & customize

Nine MCP tools, product widget, gated checkout. Inject your catalog, own the code.

Gate library
credentagent-gate

Gate any app

Mount on any Express app. required() / optional() over any credential.

How it works

One handoff. The agent orchestrates; it never holds the credential.

01

The tool mints a link

Your MCP tool reports what the action requires — no phone in the loop.

02

The user proves it

One browser/wallet session: WebAuthn passkey or an OpenID4VP presentation.

03

The action completes

The agent polls, then proceeds — enforced server-side, not a hidden button.

Quickstart

Mount it on any app in ten lines.

import { createStorefront } from "@openmobilehub/credentagent-storefront/server"; import { CredentAgent, age, membership, payment, required, optional } from "@openmobilehub/credentagent-gate"; const store = createStorefront(); const credentagent = new CredentAgent(); credentagent.mount(store.app); // wires the /credentagent/* wallet rails store.gate((order) => credentagent.requirements(order, [ required(age.over(21)), optional(membership.discount(10)), required(payment.in("usd")), ]));
Gate any credential

Age, membership, a prescription, payment — all just credentials in one policy.

The built-ins are pre-defined credentials. defineCredential() gates any consequential action with any credential — identity leads, payment settles last.

Honest by design

What binds cryptographically today — and what's on the roadmap.

passkey — real WebAuthn, origin/RP-ID-bound, replay-protected
✓ real crypto
credential / dc-payment — OpenID4VP JWE + nonce + HPKE + mdoc parse
presence-only-demo
additional credentials — residency, license, eligibility: any issuer credential, completable end-to-end
roadmap
issuer-verified trust — mdoc issuer/device signatures (Multipaz)
v0.2 — roadmap

The wire crypto is real; the issuer trust anchor is not yet. A presence-only gate is never sold as a real safety control.

Built on open standards
OpenWallet FoundationOpenMobileHubMultipazOpenID4VPWebAuthnISO mdocAP2
For developers

Two packages. Apache-2.0. Ships its own types.

@openmobilehub/credentagent-gate@openmobilehub/credentagent-storefront· Docs · Examples · Reference demo →