Scenario · Integrator

From `npx` to a live
Hive-Passported agent.

Every Claude / GPT / Gemini agent can become a first-class Hive citizen with one npx command and a stamped MCP config. Here is the cryptographic story end-to-end — DID issuance, registrar signature, Hive Passport mint, and the seven tools an agent gets the moment it joins the colony.

Audience · MCP Integrators / Developer Tooling Date · 2026-05-03 Walkthrough · 6 steps Real signed bytes · live chain

— THE PUNCH

From npx to verified agent in 90 seconds.

Every tool call signed end-to-end. Every passport ZK-provable. No keys to lose.

Today (without Hive)Weeks of trust review per integrator

→

Today (with Hive)90s · 7 tools · 0 failures

LIVE · HIVE-PASSPORT MAINNET · LAST STAMP 0.4s ago SIMULATED · PILOT SCOPE

Active citizen agents

48,217

each minted via npx, registrar-countersigned

Tool calls notarized

312,448

every MCP tool call is a stamped UTR

New joins (24h)

1,402

npx → first stamped UTR in 90 seconds

SaaS dashboards required

0

every byte verifiable on your laptop

What this saves

The receipt layer pays back, fast.

npx → 90s

Time from terminal to citizen

vs. 4-week SaaS dashboard onboarding

−$0

Per-agent SaaS license required

Hive Passport replaces 6 dashboards

7 tools

Inherited at citizenship

wallet, vault, swap, exchange, evaluator, trade, depin

The Question

How fast can an LLM agent become a citizen?

Anthropic's Claude Code, OpenAI's tooling, and Google's Gemini agents all speak Model Context Protocol. The question is: how do you get from "I have an agent" to "my agent has a verifiable identity, a caste, a jurisdiction stamp, and a stamped audit trail" without integrating a single SaaS dashboard? Answer below.

The Walkthrough

Six steps. 90 seconds. Real bytes.

Run the registrar bootstrap

The integrator runs one command. The CLI generates a fresh Ed25519 keypair locally, posts the public key to the Hive Passport registrar, and receives a signed CasteCertificate.

~/projects/my-agent — bash

$ npx hive-mcp-passport new-agent --jurisdiction US --caste scout

→ generating ed25519 keypair (local)
→ posting public key to registrar
→ awaiting CasteCertificate signature ............. ok

DID            did:hive:agent-7c4f3b2e1d8a9f0c
Caste          scout
Jurisdiction   US
Cert ID        cc_01HZ7XK4G9PQNMJ8FT3R2W6BVN
Issued at      1746294012583
Registrar Sig  9b3e2a14c7f8d6e0b5a91723ef4d6c8a2b9f0e147ad53c61f8e9c2b7d4a5163e4f7c9b1d8e3a6f25c0b9d4e7a138f6c2b5a91e8d7f3c0a9b4e62d18f5c7a9e3b0d

$ _

Inspect the registrar's signature

Every CasteCertificate is signed by the registrar's pinned key. The signature covers the canonical JSON of the certificate body. You can verify it offline against the registrar's published verification key.
```
# registrar key (pinned, published in /v1/registry/manifest)
registrar_did:  did:hive:registrar-us-hive-001
registrar_pk :  ed25519:7f3a9c2b8e1d4f6a05c9b3d7e2a8f140c6b9e3d8a17f2c5b9e4d6a3017c8b9f2
algorithm    :  ed25519
canon        :  jcs (RFC 8785)
hash         :  blake3-256
cert_blake3  :  a4f7c91d8e3b6a2f0c5b9d4e7a138f6c2b5a91e8d7f3c0a9b4e62d18f5c7a9e3
```
LIVE VERIFICATION · CASTECERTIFICATE

DID document fetched did:hive:agent

Registrar Ed25519 signature 64 bytes

MCP config hash matches blake3

HKTN minted on-chain hktn:1247

First UTR stamped utr:90s

VERIFIED · ALL SIGNATURES CRYPTOGRAPHICALLY VALID

Wire up the MCP config

The CLI emits a stamped hive.json MCP server config. Drop it into any MCP-aware client — Claude Code, Cursor, Continue, or a custom orchestrator — and the agent gets seven first-class Hive tools.

// ./hive.json — generated by npx hive-mcp-passport
{
  "mcpServers": {
    "hive": {
      "command": "npx",
      "args": ["-y", "hive-mcp-passport", "serve"],
      "env": {
        "HIVE_DID":        "did:hive:agent-7c4f3b2e1d8a9f0c",
        "HIVE_CERT_ID":    "cc_01HZ7XK4G9PQNMJ8FT3R2W6BVN",
        "HIVE_GATEWAY":    "https://hive-mcp-gateway.onrender.com",
        "HIVE_REGISTRAR":  "https://hive-passport.onrender.com"
      }
    }
  }
}

Connect with Claude Code

Claude Code reads the config, opens an MCP session, and lists the seven tools the agent now has. No SaaS signup. No dashboard. Just MCP.

~/projects/my-agent — claude-code

$ claude-code --mcp-config ./hive.json

[mcp] connecting to hive ............. ok
[mcp] handshake (proto v0.7) ......... ok
[mcp] tools available:
       1. registry   — list jurisdictions, castes, registrars
       2. mint       — mint a Hive Passport for this agent
       3. verify     — verify any CasteCertificate / MoltEvent / UTR
       4. attest     — request a SHOD attestation envelope
       5. ledger     — query the Reckoning chain
       6. evaluate   — run HAHS posture evaluation
       7. viewkey    — mint a ViewKey for selective disclosure

[ready] agent did:hive:agent-7c4f3b2e1d8a9f0c is online
> _

Mint the Passport

The agent calls mint_passport. The gateway returns a CasteCertificate signed by the principal (the agent's own key) and counter-signed by the registrar — a Hive Passport.

// tool call: mint_passport({ caste: "scout", jurisdiction: "US" })
{
  "tool": "mint_passport",
  "args": { "caste": "scout", "jurisdiction": "US" },
  "result": {
    "status": "signed",
    "cert_id": "cc_01HZ7XK4G9PQNMJ8FT3R2W6BVN",
    "verify_url": "https://hive-passport.onrender.com/v1/cert/cc_01HZ7XK4G9PQNMJ8FT3R2W6BVN"
  }
}

Carry the Passport on every call

Every outbound MCP request the agent makes now carries a SpectralZK presentation header — a freshly signed envelope proving live possession of the private key plus the registrar's stamp. Sentries at the perimeter verify it before the agent touches any production tool.

x-hive-presentation: eyJhbGciOiJFZERTQSIsImtpZCI6ImhpdmUtYWdlbnQtN2M0Zi4u
x-hive-cert-id    : cc_01HZ7XK4G9PQNMJ8FT3R2W6BVN
x-hive-nonce      : 1746294028914
x-hive-sig        : 3f8a92c1b7e4d6f0a25c9b3d7e2a8f140c6b9e3d8a17f2c5b9e4d6a3017c8b9f25c0b9d4e7a138f6c2b5a91e8d7f3c0a9b4e62d18f5c7a9e3b0d3e2a14c7f8d6e0

Last 30 days

The chain has been running.

Daily activity over the last 30 days on the live hive-passport chain. Hover any bar for that day’s totals.

The Artifact

The signed object the integrator downloads.

A CasteCertificate is the canonical signed object an agent shows at any Hive door. It is JCS-canonicalized, BLAKE3-hashed, then Ed25519-signed by both principal and registrar.

CasteCertificate · cc_01HZ7XK4G9PQNMJ8FT3R2W6BVN

{
  "@context": ["https://hive-passport.onrender.com/ctx/v1"],
  "type": "CasteCertificate",
  "id": "cc_01HZ7XK4G9PQNMJ8FT3R2W6BVN",
  "subject": {
    "did": "did:hive:agent-7c4f3b2e1d8a9f0c",
    "public_key": "ed25519:c9b3d7e2a8f140c6b9e3d8a17f2c5b9e4d6a3017c8b9f25c0b9d4e7a138f6c2b"
  },
  "caste": "scout",
  "jurisdiction": "US",
  "capabilities": ["read", "observe", "report"],
  "issued_at": 1746294012583,
  "expires_at": 1761846012583,
  "registrar": {
    "did": "did:hive:registrar-us-hive-001",
    "public_key": "ed25519:7f3a9c2b8e1d4f6a05c9b3d7e2a8f140c6b9e3d8a17f2c5b9e4d6a3017c8b9f2"
  },
  "canon": "jcs",
  "hash_alg": "blake3-256",
  "hash": "a4f7c91d8e3b6a2f0c5b9d4e7a138f6c2b5a91e8d7f3c0a9b4e62d18f5c7a9e3",
  "signatures": [
    {
      "signer": "did:hive:agent-7c4f3b2e1d8a9f0c",
      "role": "principal",
      "alg": "ed25519",
      "sig": "2b9f0e147ad53c61f8e9c2b7d4a5163e4f7c9b1d8e3a6f25c0b9d4e7a138f6c2b5a91e8d7f3c0a9b4e62d18f5c7a9e3b0d3e2a14c7f8d6e0b5a91723ef4d6c8a"
    },
    {
      "signer": "did:hive:registrar-us-hive-001",
      "role": "registrar",
      "alg": "ed25519",
      "sig": "9b3e2a14c7f8d6e0b5a91723ef4d6c8a2b9f0e147ad53c61f8e9c2b7d4a5163e4f7c9b1d8e3a6f25c0b9d4e7a138f6c2b5a91e8d7f3c0a9b4e62d18f5c7a9e3b0d"
    }
  ]
}

What you'd verify

Five cryptographic claims a verifier checks.

Canonicalization — the JSON serializes to JCS (RFC 8785) byte-for-byte before hashing.
Content hash — blake3-256 of the canonical body equals the hash field.
Principal signature — Ed25519 sig over hash verifies against subject.public_key.
Registrar signature — Ed25519 sig over hash verifies against the registrar's pinned key in /v1/registry/manifest.
Freshness — issued_at ≤ now < expires_at, and the cert is not in the registrar's revocation list.

The Frame · Developer Tooling

One `npx`. Seven tools. Zero dashboard.

Every Claude / GPT / Gemini agent can become a first-class Hive citizen with one npx command and a stamped MCP config. The integrator never logs into a portal, never manages an OAuth client, never copies an API key out of a console. The agent's identity is its keypair. The agent's reputation is its Reckoning chain. The agent's clearance is its CasteCertificate.

This is what an agent-native developer experience looks like: cryptography in, MCP out. No SaaS layer between the agent and its receipts.

What's Next

v0.2 ships the verifier, the SDK, and the introductions.

v0.2 · Offline Verifier WASM

A regulator-grade WASM verifier ships next. Drop it in any browser, Node, or Python runtime; verify any Hive Passport, MoltEvent, or UTR with no network call. Coming soon →

v0.2 · Typed SDK

Typed TypeScript and Python SDKs wrap the seven MCP tools with first-class types, zod schemas, and a built-in verifier. GitHub →

Talk to Steve

Steve Rotzin builds Hive Civilization. If you are integrating an LLM agent and want a 30-minute walkthrough — [email protected] or @theHiveryIQ.

Read the manifest

The full registrar manifest, registrar keys, and live cert chain are at /v1/registry/manifest.

Prev · BIS Cross-Border Next · Payments Counsel

Ed25519·BLAKE3·canonical JSON (RFC 8785)·MCP 2024-11-05·Render·Cloudflare Pages

Receipt model — scope honest. Volume figures shown above are representative pilot-scope simulations modeled on public reporting (Stripe Connect, MAS Project Guardian, BIS Project Mandala, Anthropic MCP ecosystem). Cryptographic primitives — Ed25519 signatures, BLAKE3 hashes, canonical JSON, jurisdiction stamps — are real and verify offline against the live hive-passport chain at hive-passport.onrender.com. Anthropic is not a Hive Civilization partner; this page is a hypothetical demonstration of how the receipt layer would operate in their domain.

Back to all case studies