@adcp/sdk 5.21+ ships CLI graders for authentication conformance. They are separate from the compliance storyboards — storyboards test protocol behavior end-to-end; these graders test the authentication and signing layer specifically, giving per-vector diagnostics and hypothesis-ranked failure analysis.
All commands below use npx @adcp/sdk@latest. If you have @adcp/sdk installed globally (npm install -g @adcp/sdk) you can drop the npx @adcp/sdk@latest prefix and use adcp directly.
Request-signing grader
Validates RFC 9421 conformance against your agent end-to-end. Runs every signing vector and reports per-vector results so you can trace exactly which canonicalization rule or header coverage check is failing.
npx @adcp/sdk@latest grade request-signing <agent-url>
What it checks:
- Signature base canonicalization (method, target-uri, authority, content-type, content-digest)
- Covered-component completeness and ordering
- alg and kid fields present and valid
- Timestamp window (±60 s) and nonce uniqueness
- Replay detection (if the agent advertises it)
- Negative-vector rejection — each malformed request MUST produce the expected error code
When to use it: before flipping any operation to required_for in get_adcp_capabilities; when a counterparty reports signature verification failures; when upgrading key algorithms (Ed25519 → P-256 or the reverse).
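The signature base that the canonicalization checks above compare can be built by hand when tracing a failing vector. The following is an added example, not code from @adcp/sdk: it assembles an RFC 9421 signature base over the five listed components and applies the ±60 s window to `created`. The parameter set and order, the sample request, key id, nonce and digest value are constructed assumptions.

```javascript
// Added example: RFC 9421 signature base over the components the grader lists.
// Assumptions: parameter set and order (created, keyid, alg, nonce), and that
// both sides use the WHATWG-serialized URL for @target-uri and @authority.
const COVERED = ['@method', '@target-uri', '@authority', 'content-type', 'content-digest'];

function componentValue(name, req) {
  const url = new URL(req.url);
  if (name === '@method') return req.method.toUpperCase();
  if (name === '@target-uri') return url.href;
  if (name === '@authority') return url.host; // lowercased, default port dropped
  // Header field: case-insensitive lookup, repeated values joined with ", ".
  const key = Object.keys(req.headers).find((h) => h.toLowerCase() === name);
  if (key === undefined) throw new Error(`covered component missing: ${name}`);
  return [].concat(req.headers[key]).map((v) => String(v).trim()).join(', ');
}

function signatureParams(p) {
  const ids = COVERED.map((c) => `"${c}"`).join(' ');
  return `(${ids});created=${p.created};keyid="${p.keyid}";alg="${p.alg}";nonce="${p.nonce}"`;
}

function signatureBase(req, p) {
  const lines = COVERED.map((c) => `"${c}": ${componentValue(c, req)}`);
  lines.push(`"@signature-params": ${signatureParams(p)}`);
  return lines.join('\n'); // one line per component, no trailing newline
}

// The ±60 s timestamp window from the checklist, applied to `created`.
function withinWindow(created, nowSeconds, skewSeconds = 60) {
  return Number.isInteger(created) && Math.abs(nowSeconds - created) <= skewSeconds;
}

// Constructed sample request; the digest is a placeholder, not a real hash.
const SAMPLE_DIGEST = 'sha-256=:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=:';
const SAMPLE_REQUEST = {
  method: 'post',
  url: 'https://Agent.Example:443/adcp/mcp?x=1',
  headers: { 'Content-Type': ' application/json ', 'Content-Digest': SAMPLE_DIGEST },
};
const SAMPLE_PARAMS = { created: 1700000000, keyid: 'example-key-1', alg: 'ed25519', nonce: 'n-0001' };

console.log(signatureBase(SAMPLE_REQUEST, SAMPLE_PARAMS));
console.log('fresh:', withinWindow(SAMPLE_PARAMS.created, 1700000045));
```

Diffing this output line by line against the base your signer or verifier produces shows which component diverges, typically method case, host or port normalization, or header whitespace.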
OAuth handshake diagnoser
Probes an agent’s OAuth discovery documents (RFC 9728 protected-resource metadata, RFC 8414 authorization-server metadata), performs the authorization code + PKCE flow, decodes the resulting JWT, and ranks hypotheses about what is wrong.
npx @adcp/sdk@latest diagnose-auth <alias|url>
The <alias> form uses a saved alias from ~/.adcp/config.json (set via npx @adcp/sdk@latest --save-auth <alias> <url>).
What it probes:
- /.well-known/oauth-protected-resource — presence, authorization_servers list, HTTPS enforcement
- /.well-known/oauth-authorization-server — issuer match, token_endpoint, code_challenge_methods_supported
- Token endpoint response — token type, expiry, scope coverage
- JWT claims — iss, sub, aud, exp, iat presence and validity
- Cross-origin authorization_servers issuer pinning (flags if the resource metadata’s AS URL doesn’t match out-of-band config)
Output: ranked hypothesis list, e.g., 1. token_endpoint not reachable (connection refused) — likely cause, 2. issuer mismatch — AS URL returned by protected-resource does not match adagents.json. Each hypothesis links to the relevant spec section.
When to use it: when AUTH_REQUIRED errors persist after bearer token configuration; when dynamic client registration returns unexpected responses; when a new seller’s OAuth setup fails silently.
Key generation
Generate an Ed25519 or P-256 keypair formatted for publication at your agent’s jwks_uri.
npx @adcp/sdk@latest signing generate-key
Outputs:
- A private key file (PEM, for your agent’s signing config)
- A JWK with "kid", "use": "sig", "key_ops": ["verify"], "adcp_use": "request-signing", and "alg": "EdDSA" (or "ES256" for P-256) ready to paste into your JWKS endpoint
When to use it: initial signing setup; key rotation (generate new, publish alongside old, drain in-flight requests, retire old).
Vector verifier
Verify a single signing vector without running the full grader. Useful for debugging a specific canonicalization case during implementation.
npx @adcp/sdk@latest signing verify-vector
Reads a vector from stdin (JSON matching the test-vector schema at /compliance/latest/test-vectors/request-signing/) and reports whether your client’s signature base matches the expected output.
When to use it: while implementing a signing client to confirm each component rule in isolation before testing end-to-end.