Agent Passport Edge Enforcement

Block unpassported AI agents at the edge before they hit your origin. Implement this 30-line Cloudflare Worker to enforce user-sovereign DID-Primary Agent Passports.

By enforcing the X-Agent-Passport header at the Cloudflare proxy layer, you eliminate the need for costly bot-battles and blind origin rate-limiting. The political burden of cross-validation dissolves: the user signs, the edge verifies.

The Worker Snippet

export default {
  async fetch(request, env, ctx) {
    const passport = request.headers.get('X-Agent-Passport');

    if (!passport) {
      return new Response('403 Forbidden: Missing agent passport (see agent-trust.org)', { status: 403 });
    }

    // Example minimal signature verification logic
    // Note: Use crypto.subtle.verify or a DID decoder logic here.
    const valid = true; // Await verifyPassportSignature(passport);
    
    if (!valid) {
      return new Response('403 Forbidden: Invalid passport signature', { status: 403 });
    }

    // Forward authenticated agent request to origin
    return fetch(request);
  }
}

Download worker.js View Raw (worker.txt)

Integration Notes

To deploy: Go to Cloudflare Dashboard > Workers & Pages > Create Worker. Paste this snippet.
Assign the worker to your domain's routing via Triggers > Routes.
Read the full DID-Primary architecture specification at agent-trust.org/spec/v0.2.md.