AI agents are no longer read-only assistants. They open pull requests, move money, call third-party APIs, and act on behalf of your company while you sleep. The moment an agent can do something, a question follows: who is this agent, what is it allowed to do, and can you prove — after the fact — exactly what it did? This is the AI agent identity and compliance problem, and it is the gap Kakunin closes.
This guide is a practical, developer-first map of the whole open-source Kakunin toolkit. You will learn what non-human identity (NHI) means, how X.509 certificates give each agent a verifiable cryptographic identity, how scope enforcement keeps agents least-privileged, and how a tamper-evident audit log satisfies frameworks like MiCA and the EU AI Act. Every repository is linked, with copy-paste code, real use cases, and an FAQ at the end.
Why AI agents need their own identity layer
Human identity has decades of tooling: SSO, MFA, IAM roles, KYC. Machine identity has secrets managers and service accounts. But an autonomous AI agent is neither a human nor a static service — it is a non-human identity that spins up, forks sub-agents, changes behavior mid-task, and reasons its way around guardrails. Bolting an API key onto it tells you nothing about which agent acted, whether it stayed inside its mandate, or whether its behavior drifted from a known-good baseline.
Regulators have caught up faster than most teams expect. Under EU rules, an operator of an autonomous financial agent must be able to identify the system, constrain its actions, and produce an audit trail on demand. "It was the AI" is not a defense. You need cryptographic proof of identity and an immutable record of behavior — the same standard we apply to human operators, applied to software that acts on its own.
There is a practical security angle too, not just a regulatory one. A compromised or jailbroken agent holding a broad API key is indistinguishable from a healthy one — until the bill or the breach arrives. Per-agent identity plus behavioral scoring turns "we think something went wrong" into "agent 47 exceeded its scope at 02:14 and was revoked automatically." That is the difference between a week-long post-mortem and a non-event.
What Kakunin gives every agent
Kakunin issues each agent four things. Together they turn an anonymous process into an accountable, provable actor.
1. Cryptographic identity (X.509)
Every agent gets a real X.509 certificate, signed by a certificate authority backed by AWS KMS. Private key material never leaves the HSM boundary. The certificate binds an agent to a tenant, a scope, and a lifetime — so "who is this agent" has a cryptographic answer, not a guessed one.
2. Scope enforcement (least privilege)
A certificate carries the agent's allowed scopes. Drop-in middleware and framework guards check the presented scope on every call and reject anything outside the mandate — least privilege enforced at the tool layer, not just documented in a policy doc.
3. Behavioral monitoring & risk scoring
Kakunin baselines each agent's normal behavior and scores deviations in real time. An agent that suddenly calls new endpoints, spikes in volume, or drifts from its pattern raises its risk score — and can be auto-revoked before damage compounds. This continuous verification is the core of Know Your Agent (KYA).
4. Audit trails (MiCA / EU AI Act)
Every state-changing action writes an append-only, WORM-backed audit row. The result is a compliance-grade record you can export for MiCA Article 72, the EU AI Act, or an internal incident review — without reconstructing history from scattered logs.
The four questions an audit will ask
Whether it is a MiCA examiner, an EU AI Act conformity assessment, or your own security team after an incident, the questions are the same. Kakunin is built so each has a one-line answer backed by cryptographic evidence rather than a best guess.
- Which agent did this? The X.509 certificate binds every action to a named, tenant-scoped identity — not a shared, anonymous API key.
- Was it allowed to? The certificate's scopes are checked on every call; anything outside the mandate is rejected before it runs and logged.
- Did it behave normally? Behavioral baselines and live risk scores flag drift the moment it happens, with auto-revocation available.
- Can you prove it later? The append-only, WORM-backed audit log is the tamper-evident record you export on demand — no reconstruction required.
The open-source toolkit: a repo-by-repo map
Kakunin is open source top to bottom. Pick the entry point that matches your stack — each links to its GitHub repo:
- kakunin-sdk-typescript — the TypeScript SDK. Issue certificates, verify scope, and enforce them with drop-in middleware. Start here for Node, Next.js, Bun, and edge runtimes.
- kakunin-sdk-python — the Python SDK. Same primitives plus guards for LangChain, LlamaIndex, CrewAI, and AutoGen. Requires Python 3.10+.
- kakunin-mcp — the MCP server. Lets an agent self-verify its certificate, check its own risk score, and log events over the Model Context Protocol, straight from Claude or Cursor.
- kakunin-integrations — framework middleware. Ready-made packages for Express, Fastify, Next.js, LangChain, Mastra, and the Vercel AI SDK.
- kakunin-starter-nextjs — a one-click deploy Next.js template. The fastest way to see identity and enforcement working end to end.
- kakunin-samples — runnable examples. Certificate issuance, scope enforcement, and integrations across LangChain, CrewAI, and Next.js.
- kakunin-core — the self-hostable platform. The full control plane: CA, behavioral engine, and audit store, if you want to run your own.
All seven repositories speak the same API and share one mental model — issue, verify, monitor, audit — so moving between the TypeScript SDK, the Python SDK, the MCP server, and the self-hosted core is a change of surface, not of concepts. Learn it once and it transfers everywhere your agents run.
How to add identity & compliance to an agent
Here is the shortest path from zero to an agent with a verifiable identity and enforced scope. Grab a free sandbox key — no self-hosting required — and follow along.
Step 1 — Install the SDK
npm install @kakunin/sdkStep 2 — Initialise the client
import { Kakunin } from "@kakunin/sdk";
export const kakunin = new Kakunin({
apiKey: process.env.KAKUNIN_API_KEY!,
});Step 3 — Register an agent and issue its certificate
Create the agent, then certify it. The returned certificate is the agent's X.509 identity, scoped to exactly what it may do.
const agent = await kakunin.agents.create({
name: "invoice-reconciler",
scopes: ["invoices:read", "ledger:write"],
});
const cert = await kakunin.agents.certify(agent.id);
// cert.pem -> the X.509 certificate
// cert.expiresAt -> lifetime boundStep 4 — Enforce the certificate on every request
Drop the middleware in front of your protected routes. Requests without a valid, in-scope certificate never reach your handler.
import { kakuninMiddleware } from "@kakunin/sdk/verify";
export const middleware = kakuninMiddleware({
require: ["invoices:read"],
});
export const config = { matcher: ["/api/protected/:path*"] };Step 5 — Let the agent verify itself over MCP
If your agent runs inside Claude or Cursor, add the MCP server so it can check its own scope and risk score before acting — no extra API wiring.
{
"mcpServers": {
"kakunin": { "command": "npx", "args": ["@kakunin/mcp"] }
}
}That is the whole loop: identity issued, scope enforced, behavior monitored, actions audited. Full API reference lives in the Kakunin docs.
Real-world use cases
Autonomous trading bots (MiCA Article 72)
A crypto trading agent that places orders must, under MiCA Article 72, be identifiable and operationally resilient with a full audit trail. Kakunin gives the bot a certificate scoped to specific venues and order types, auto-revokes it when behavior drifts, and produces the MiCA-ready record regulators ask for.
AI coding agents
A coding agent with repo write access is a supply-chain risk if it wanders. Scope its certificate to specific repositories and actions; the middleware blocks anything outside the mandate, and every commit or merge it makes is attributable to a named identity — see the full walkthrough in Securing AI Coding Agents.
Customer-facing support agents
Support agents touch customer data and trigger refunds. Bind each to a least-privilege scope, watch for behavioral anomalies (a sudden spike in refund calls), and keep an audit trail for every data access — the accountability regulators and customers both expect.
Multi-agent frameworks (LangChain, CrewAI, Mastra)
In a crew of cooperating agents, "which agent did that" is genuinely hard. Give each member its own certificate and scope via the framework guards in kakunin-integrations and the Python SDK, so identity and accountability survive delegation between agents.
Hosted or self-hosted?
You do not have to choose upfront. The SDKs (TypeScript, Python), the MCP server, and the integrations all talk to the hosted Kakunin service by default — free sandbox keys, zero infrastructure. When you need your own control plane for data-residency or air-gapped reasons, kakunin-core is the same platform, self-hostable and open source. Your application code does not change — only the endpoint does.
From sandbox to production: a checklist
Moving from a proof of concept to a production rollout takes a handful of deliberate steps. Work through these before you point real agents at real systems.
- Rotate from sandbox keys to a production API key, stored in your secrets manager — never committed to source.
- Give every agent the narrowest scope that still lets it do its job; add scopes as needs prove out, not preemptively.
- Set certificate lifetimes to match the task — short-lived certificates for ephemeral agents, scheduled renewal for long-running ones.
- Wire risk-score webhooks into your alerting so a drifting agent pages a human, not just a dashboard nobody watches.
- Export an audit sample early and confirm it satisfies your compliance team before you scale — not after the first incident.
Why not just roll your own?
Teams often start by minting their own certificates with OpenSSL and writing a quick middleware check. It works until it doesn't: key custody inside an HSM, revocation that propagates fast enough to matter, behavioral baselining, tamper-evident storage, and export formats that hold up to a regulator are each a real project on their own. Kakunin packages all of them behind a few lines of SDK — and because every layer is open source, you get the speed of a managed service without inheriting a black box you cannot audit.
Frequently asked questions
What is a non-human identity (NHI)?
A non-human identity is any software actor that authenticates and acts on its own — service accounts, bots, and increasingly autonomous AI agents. Unlike a static service account, an AI agent's behavior changes at runtime, which is why it needs a verifiable identity plus behavioral monitoring, not just a stored secret.
Do I need to self-host to try it?
No. The SDKs and MCP server use the hosted service by default. Grab a free sandbox key and you can issue your first certificate in minutes. Self-hosting via kakunin-core is optional.
Which SDK should I use?
Use kakunin-sdk-typescript for Node, Next.js, and edge runtimes; kakunin-sdk-python for Python, LangChain, LlamaIndex, CrewAI, and AutoGen. For Express/Fastify/Mastra/Vercel AI SDK, the ready-made packages in kakunin-integrations are the quickest path.
How does this help with MiCA and the EU AI Act?
Kakunin produces the two artifacts these frameworks demand from operators of autonomous systems: a verifiable identity for the acting system, and a tamper-evident audit trail of what it did. That maps directly to MiCA Article 72 record-keeping and EU AI Act traceability obligations.
Is Kakunin really open source?
Yes. The SDKs, MCP server, integrations, samples, and starter template are Apache-2.0; the kakunin-core platform is AGPL-3.0. You can read, run, and self-host every layer.
How is this different from a secrets manager or IAM?
A secrets manager stores an API key; IAM governs human and static-service access. Neither answers "is this autonomous agent behaving within its mandate right now?" Kakunin adds cryptographic per-agent identity, runtime scope enforcement, behavioral risk scoring, and a compliance-grade audit trail — purpose-built for agents that reason and change.
Does adding Kakunin slow my agent down?
Verification is a fast, cacheable check — a scope match against a presented certificate, not a network round-trip per token. In practice the enforcement middleware adds negligible latency, and self-verification over MCP happens once per task rather than once per action.
What happens when an agent misbehaves?
When an agent's risk score crosses your threshold — new endpoints, volume spikes, or scope-boundary probing — Kakunin can auto-revoke its certificate, which immediately fails every downstream enforcement check. You are left with a precise audit trail of what happened, and the agent is stopped before the damage compounds.
Get started
Give your next agent an identity it can prove and a mandate it cannot exceed. Grab a free sandbox key, clone the Next.js starter, or browse the runnable samples. Full documentation is at kakunin.ai/docs.
