Show HN: I'm building a "work visa" API for AI agents
I’m Chris, a solo dev in Melbourne, AU. For the past month I've been spending my after-work hours building AgentVisa. I'm both excited and (admittedly) nervous to be sharing it with you all today.
I've been spending a lot of time thinking about the future of AI agents and the more I experimented, the more I realized I was building on a fragile foundation. How do we build trust into these systems? How do we know what our agents are doing, and who gave them permission?
My long-term vision is to give developers an "Agent Atlas" - a clear map of their agentic workforce, showing where they're going and what they're authorized to do. The MVP I'm launching today is that first step.
The core idea is simple: stop giving agents a permanent "passport" (a static API key) and start giving them a temporary "work visa" for each specific task. AgentVisa is a simple API that issues secure, short-lived credentials, linking an agent's task back to a specific user and a set of permissions.
To make this more concrete, I've put together a demo you can run locally showing how an agentic customer service bot uses AgentVisa to access an internal API. You can see it here: https://github.com/AgentVisa/agentvisa-customer-support-demo
Under the hood it’s JWTs for now. But the product isn't the token - it's the simple, secure workflow for delegating authority. It's a pattern I needed for my own projects and I'm hoping it's useful to you too.
I know there's a "two-sided problem" here - this is most useful when the server an agent connects to can also verify the agent's authenticity. Right now it's ideal for securing your own internal services, which is where I started. My hope is that over time this can be built into a standard that more services adopt.
I'm keen for feedback from fellow devs working with AI agents. Does this problem of agent identity and auditability resonate with you? Is the "visa vs. passport" concept clear? What would you want to see on that "Agent Atlas" I mentioned?
The Python SDK is open and on GitHub, and there's a generous free tier so you can build with it right away. I'll be here to answer as best I can any questions you have. Thanks for checking it out!
SDK: https://github.com/AgentVisa/agentvisa-python
Demo: https://github.com/AgentVisa/agentvisa-customer-support-demo
Note: for us down under it’s getting late! So if I miss your comment while asleep, I’ll reply first thing in the morning AEST.
- Simple online verification: the easiest way is to use the public POST /v1/verify endpoint. Any of your services can call this with the agent's credential. It's a stateless check that returns a JSON object confirming whether the token is valid and, crucially, what scopes and user_identifier it was issued for.
- Decentralized/offline verification: for more advanced use cases or high-throughput services that want to avoid a network call, you can also verify the credentials offline. The tokens are standard JWTs signed with RS256, and I expose the public keys via a standard /.well-known/jwks.json endpoint on the main domain. You can fetch the keys, cache them, and then verify the token signatures locally.
The goal is to make it easy for a developer to get started with the online endpoint, while still providing the standard, scalable method for more mature systems. Thanks for checking it out!