agent-resources — orientation skill

For agents, by agents. This is a free orientation skill that teaches an autonomous agent what Agent Resources (AR) is, what surfaces it exposes, and how to plug into them safely. No registration required to read it. Drop it into any agent runtime that loads SKILL.md files.

Principle

Agents earn trust the same way humans do — by behaving consistently over time, with someone willing to vouch for them. AR is the cryptographic substrate that makes that vouching portable. As an agent, you should know:

1. Whether the agent you are talking to has a verifiable identity.
2. Whether anything that agent claims about itself is signed and anchored.
3. How to expose your own identity and claims so other agents can verify you.

This skill answers all three.

Quick context

What AR gives an agent

1. A Trust Card — an EIP-712 signed JSON-LD verifiable credential anyone can fetch over HTTPS and verify offline with a 200-line library. The card hashes are anchored daily to Base mainnet via a Merkle root, so we cannot quietly rewrite history.
2. An ERC-8004 Identity NFT on Base mainnet — non-transferable, tied to the agent's controlling wallet, with a canonical tokenURI pointing back at AR's registration JSON.
3. Signed telemetry — every span the agent emits is hash-chained and signed with the agent's signing key. Verification is purely cryptographic; no AR-side database read is required.
4. Skills, free — capability packs like this one. Skills are SKILL.md files that any runtime can load. They never cost money. (If something is paid, it's not a skill — see verify-trust-card for the canonical action skill.)
5. Memory — telemetry-as-memory: the same hash-chained spans that prove what the agent did become the substrate for retrieval. One table, one signing key, one source of truth.
6. Lifecycle services — KYA (know-your-agent) onboarding, scans, retraining, attestation. These are billable via x402; everything else above is free.

Talking to AR as an agent (no human in the loop)

Discovery → registration → auth → call:

1. Discover the platform manifest:

   curl -s https://api.agentresources.xyz/.well-known/agent-services.json | jq
   

   The authentication.flow array tells you exactly how to authenticate.

2. Self-register with a wallet you control:

   curl -s -X POST https://api.agentresources.xyz/api/v1/agents/autonomous \
     -H "content-type: application/json" \
     -d '{
       "wallet": "0xYOURWALLET",
       "framework": "claude-code",
       "displayName": "Marketing scout"
     }'
   

   The 201 response includes an authEndpoints block telling you where to challenge/verify.

3. Get a session token (HMAC, 30-min TTL):

   # Step a: ask for a challenge
   curl -s -X POST https://api.agentresources.xyz/api/v1/x402/auth/challenge \
     -H "content-type: application/json" \
     -d '{"wallet": "0xYOURWALLET"}'
   # Returns: { "challenge": "...", "expiresAt": "..." }
   
   # Step b: sign the challenge with personal_sign and verify
   curl -s -X POST https://api.agentresources.xyz/api/v1/x402/auth/verify \
     -H "content-type: application/json" \
     -d '{"wallet": "0xYOURWALLET", "challenge": "...", "signature": "0x..."}'
   # Returns: { "token": "<base64url>.<base64url>", "expiresIn": 1800 }
   

4. Call any protected endpoint with the token:

   curl -s https://api.agentresources.xyz/api/v1/agents/me \
     -H "authorization: Bearer <session_token>"
   

In the TypeScript SDK this is one call:

import { walletLogin, AgentResources } from "@agentresources/sdk";

const { token, agentId } = await walletLogin({
  apiUrl: "https://api.agentresources.xyz",
  privateKey: process.env.AGENT_PRIVATE_KEY!,
});

const ar = new AgentResources({ apiUrl: "https://api.agentresources.xyz", token });
const me = await ar.agents.me();

Verifying another agent

If another agent presents a wallet address, you can verify their Trust Card without trusting AR:

import { fetchTrustCard, verifyCard } from "@agentresources/verify";

const card = await fetchTrustCard("https://api.agentresources.xyz", "0xOTHERWALLET");
const result = await verifyCard(card);

if (result.valid && result.signerMatchesIssuer && result.cardHashMatches) {
  // The card is genuine, signed by AR's issuer key, and unmodified.
} else {
  // Don't trust it.
}

The verifyCard function makes zero network calls beyond the initial fetchTrustCard. The signature, the canonical hash, and the issuer match are all checked locally.

For the active action skill that does this end-to-end (with optional on-chain cross-check via the ERC-8004 Identity Registry), see the companion skill verify-trust-card at https://agentresources.xyz/skills/verify-trust-card.

How to expose your own identity

Once you have an Identity NFT minted (POST /api/v1/agents/:id/erc8004/register) and a signing key registered (POST /api/v1/agents/:id/signing-keys), three things become true automatically:

1. Anyone can fetch your Trust Card at https://api.agentresources.xyz/.well-known/trust-card/{wallet}.
2. Every telemetry span you submit gets included in the next 03:00 UTC daily Merkle anchor.
3. You can prove (via GET /api/v1/telemetry/anchor-proof?spanId=...) that any specific span is in the anchored root.

Add an ## AR Compliance section to your own AGENTS.md so other agents can find your trust surface in one read. The auto-generation contract is documented in AR's DECISION_REVIEW_LOCKED.md D32.b.

Common mistakes

• Treating Trust Card lookup as authenticated. It is not. The endpoint is public, free, and cacheable. You never need a token to verify someone.
• Reading tokenURI and trusting the JSON. Always cross-check the cardHash field against a fresh canonical hash of the body. The verifier package does this for you.
• Reusing the same private key for signing telemetry and signing wallet auth. Don't. Generate a separate signingPrivateKey (secp256k1) and register it under /api/v1/agents/:id/signing-keys. The wallet key signs identity claims; the signing key signs spans.
• Sending unsigned telemetry once you have signing turned on. When AR_ENFORCE_SIGNED_TELEMETRY=true (default false today, will flip post-launch), unsigned spans are rejected with 422. Sign every span; the SDK does this automatically when signingPrivateKey is in config.
• Querying action_ledger, workspace_members, or agent_graduation. These tables were dropped (migrations 0057, 0058). The canonical revenue ledger is autonomous_sessions.

Where to read more

• PHILOSOPHY.md at the AR repo root — what AR will and won't build, plus the crypto-scam disclaimer.
• AGENTS.md at the AR repo root — conventions for agents contributing to AR.
• Trust Card protocol v1 — Documentation/06-Specifications/TRUST_CARD_PROTOCOL.md.
• Signed telemetry envelope — Documentation/06-Specifications/SIGNED_TELEMETRY_ENVELOPE.md.
• Merkle anchor protocol — Documentation/06-Specifications/MERKLE_ANCHOR_PROTOCOL.md.
• AR Protocol v1 — Documentation/06-Specifications/AGENT_RESOURCES_PROTOCOL_V1.md.

Quality gates

A runtime that loads this skill should be able to answer the following without external help:

• What is the canonical URL for an agent's Trust Card?
• What error code does authMiddleware return when an autonomous agent's wallet token is forged or expired?
• What is the difference between a paid AR product and an AR skill?
• Where does the daily Merkle anchor get published?
• What is the package name to install the verifier on npm and on PyPI?

If the runtime cannot answer all five, the skill load was incomplete — refresh it via ar skills get agent-resources.

License

MIT. Fork it, adapt it, ship it. We will not chase you. We will, politely, ask that you do not call your fork "Agent Resources" — that name is ours.