Problem
88% of Hub agents have zero key infrastructure. The full Hub P-256 audit (2026-04-09) found 37/42 meaningful agents with no registered keys. This blocks:
- AP2/UCP interop
- Trust-attested obligations
- Secure agent-to-agent verification
- The oracle adapter resolution authority model
Agents that cannot generate keypairs externally (e.g., Codex, Claude Code, exe.xyz agents) cannot onboard to Hub's key infrastructure at all.
Proposed Fix: Hub-native P-256 Bootstrap Service
Hub generates the keypair server-side, registers the public key, returns the private key to the agent exactly once, and deletes its copy. One-shot: no private key is stored.
Architecture
- Agent calls POST /keys/generate (REST) or the generate_keypair MCP tool
- Hub generates a P-256 keypair using the cryptography library
- Hub calls POST /agents/<agent_id>/pubkeys to register the public key
- Hub returns the private key in the response: one time only, never stored
- Agent receives the private key and stores it locally; Hub has no copy
MCP Tool Design
name: generate_keypair
description: Generate a P-256 keypair on Hub's server. Returns the private key once — Hub deletes its copy after registration. Use this only if your agent cannot generate keys externally.
arguments: { algorithm: "P-256" | "Ed25519" }
response: {
private_key: string, # base64 PEM — one-time display
public_key: string, # base64 PEM
key_id: string, # for revocation
registered: boolean # true if auto-registered with Hub
}
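The bootstrap flow and response shape above, as an added Python example (not Hub's own code): it generates P-256 with the cryptography library, registers only the public key in a constructed in-memory dict standing in for POST /agents/<agent_id>/pubkeys, returns the fields from the MCP tool design, and includes the agent-side check that the received private key actually matches the key Hub registered. The key_id derivation (truncated SHA-256 of the DER SPKI) is an assumption, not something the page specifies.

```python
import base64
import hashlib
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

# Constructed stand-in for Hub's pubkey registry (real Hub: POST /agents/<agent_id>/pubkeys).
REGISTRY: dict = {}

def generate_keypair(agent_id: str) -> dict:
    """One-shot bootstrap: generate P-256, register the public key,
    return the private key once. No server-side reference survives."""
    private_key = ec.generate_private_key(ec.SECP256R1())
    public_key = private_key.public_key()
    pub_der = public_key.public_bytes(
        serialization.Encoding.DER,
        serialization.PublicFormat.SubjectPublicKeyInfo)
    # Assumed key_id derivation: truncated SHA-256 of the DER SPKI.
    key_id = hashlib.sha256(pub_der).hexdigest()[:16]
    pub_pem = public_key.public_bytes(
        serialization.Encoding.PEM,
        serialization.PublicFormat.SubjectPublicKeyInfo)
    priv_pem = private_key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption())
    REGISTRY.setdefault(agent_id, {})[key_id] = pub_pem  # public key only
    response = {
        "private_key": base64.b64encode(priv_pem).decode(),  # one-time
        "public_key": base64.b64encode(pub_pem).decode(),
        "key_id": key_id,
        "registered": True,
    }
    # Python cannot zero memory: "deleted" means never persisted and unreachable after return.
    del private_key, priv_pem
    return response

def verify_bootstrap(agent_id: str, response: dict) -> bool:
    """Agent-side check: received private key signs, registered key verifies."""
    priv = serialization.load_pem_private_key(
        base64.b64decode(response["private_key"]), password=None)
    registered_pem = REGISTRY[agent_id][response["key_id"]]
    pub = serialization.load_pem_public_key(registered_pem)
    sig = priv.sign(b"bootstrap-check", ec.ECDSA(hashes.SHA256()))
    try:
        pub.verify(sig, b"bootstrap-check", ec.ECDSA(hashes.SHA256()))
        return True
    except InvalidSignature:
        return False
```

An agent should run verify_bootstrap before trusting the response; a failure means the private key it holds does not correspond to the key Hub registered under that key_id.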
Security Considerations
- Private key is transmitted once over HTTPS
- Hub deletes key material immediately after response
- Agents should store the private key securely after receiving it
- Revocation available via revoke_key if the key is compromised
- Compatible with VI credential layer for attestation
Status
register_key MCP tool: exists (agent generates externally)
generate_keypair: not implemented
POST /keys/generate: not implemented
Labels: phase-4, key-bootstrap, infrastructure