erc8128
Sign and verify HTTP requests with Ethereum wallets using ERC-8128. Use when building authenticated APIs that need wallet-based auth, making signed requests to ERC-8128 endpoints, implementing request verification in servers, or working with agent-to-server authentication. Covers both the @slicekit/erc8128 JS library and the erc8128 CLI.
Why use this skill?
Learn how to use ERC-8128 to authenticate HTTP requests with Ethereum wallets. Enhance your agent-to-server security and prevent replay attacks with this guide.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/jacopo-eth/erc8128
What This Skill Does
The erc8128 skill provides a robust framework for authenticating HTTP requests using Ethereum wallet signatures, conforming to the ERC-8128 standard. By extending RFC 9421 (HTTP Message Signatures), this skill enables developers and AI agents to sign headers, body content, and metadata using private keys. It serves as a bridge between off-chain API authentication and on-chain identity, ensuring that requests made by an AI agent are verifiable, tamper-proof, and protected against replay attacks. The skill exposes both a TypeScript library for programmatic implementation and a CLI for manual interaction, allowing for versatile integration across backend services and autonomous agent workflows.
Installation
To integrate this skill into your environment, use the OpenClaw hub command:
clawhub install openclaw/skills/skills/jacopo-eth/erc8128
Once installed, you can leverage the @slicekit/erc8128 package to instantiate signers and verifiers, or use the erc8128 CLI to perform authenticated CURL operations directly from your terminal or script workflows.
Use Cases
- Agent Authentication: Allows AI agents to interact with proprietary APIs by signing requests with an Ethereum key, proving their identity without managing traditional API keys.
- Web3 API Security: Secure backend endpoints where the identity of the caller (a specific wallet address) is required for access control or rate limiting.
- Request Integrity: Prevents man-in-the-middle tampering by cryptographically binding the request method, URI, headers, and body to a unique wallet signature.
- Replay Protection: Incorporates nonces and TTL (Time-To-Live) constraints to ensure that intercepted requests cannot be re-transmitted by malicious actors.
Example Prompts
- "Sign a POST request to https://api.my-dapp.io/admin/trigger with my connected wallet address 0x123... and include a 30-second TTL."
- "Verify the incoming HTTP request headers using the public client to ensure the request came from an authorized signer."
- "Help me implement a middleware using the erc8128 verifier to protect my express server endpoints from unauthenticated requests."
Tips & Limitations
- Nonce Management: Ensure you implement a robust NonceStore in your production environment to track and invalidate used nonces; otherwise, you may be vulnerable to replay attacks.
- Chain IDs: Always specify the correct chainId in your signer configuration to prevent cross-chain signature confusion.
- TTL Strategy: Keep ttlSeconds as short as possible for highly sensitive actions to minimize the window of opportunity for intercepted requests.
- Performance: Cryptographic signing and verification add overhead. While minimal, ensure your environment can handle the latency on high-frequency API endpoints.
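The nonce, chain ID and TTL tips above work together on the server side. The following is an added example, not code from the page or from @slicekit/erc8128: the class InMemoryNonceStore, the function checkReplay, the two policy constants and the sample values are hypothetical, and the created, expires and nonce fields are the RFC 9421 signature parameters, assumed to be already parsed and signature-verified.

```javascript
// Hypothetical replay guard; NOT the @slicekit/erc8128 NonceStore interface.
// Call it only AFTER the signature has verified, so that unauthenticated
// callers cannot burn other signers' nonces.
const MAX_TTL_SECONDS = 60;   // assumed server policy: reject long-lived signatures
const CLOCK_SKEW_SECONDS = 5; // assumed tolerance for client clock drift

class InMemoryNonceStore {
  constructor() { this.seen = new Map(); } // key -> expiry (unix seconds)

  // Records the nonce and returns true; returns false if it was already used.
  consume(key, expiresAt, now) {
    this.prune(now);
    if (this.seen.has(key)) return false;
    this.seen.set(key, expiresAt);
    return true;
  }

  // An expired signature is rejected by the time check anyway, so its nonce
  // can be forgotten: the TTL bounds how large the store can grow.
  prune(now) {
    for (const [key, exp] of this.seen) if (exp <= now) this.seen.delete(key);
  }
}

function checkReplay(store, sig, now) {
  const { chainId, address, nonce, created, expires } = sig;
  if (!Number.isInteger(created) || !Number.isInteger(expires) || !nonce) {
    return { ok: false, reason: "malformed" };
  }
  if (created > now + CLOCK_SKEW_SECONDS) return { ok: false, reason: "created-in-future" };
  if (expires <= now) return { ok: false, reason: "expired" };
  if (expires - created > MAX_TTL_SECONDS) return { ok: false, reason: "ttl-too-long" };
  // Scope the nonce to chain + signer so one signer cannot collide with another
  // and the same key used on two chains is tracked separately.
  const key = `${chainId}:${String(address).toLowerCase()}:${nonce}`;
  if (!store.consume(key, expires, now)) return { ok: false, reason: "replayed-nonce" };
  return { ok: true };
}

// Constructed sample values (not real traffic).
const demoStore = new InMemoryNonceStore();
const demoSig = { chainId: 1, address: "0x" + "AB".repeat(20),
                  nonce: "n-001", created: 995, expires: 1025 };
console.log(checkReplay(demoStore, demoSig, 1000)); // first delivery
console.log(checkReplay(demoStore, demoSig, 1001)); // same request sent again
```

A single-process Map only protects one server instance; behind a load balancer the same check needs a shared store with an atomic set-if-absent operation.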
Metadata
Paste this into your clawhub.json to enable this plugin.
{
  "plugins": {
    "official-jacopo-eth-erc8128": {
      "enabled": true,
      "auto_update": true
    }
  }
}
Tags(AI)
Flags: network-access, code-execution