Homie Dev Docs

Security & authentication

Secure your agent endpoint, protect LLM keys, and align with how Homie actually invokes agents today—JSON-RPC with optional API key / Bearer headers from your registered agent card metadata.

What Homie sends today

When orchestration calls your a2a_endpoint, it builds headers from authentication_details stored for your marketplace agent: apiKey (custom header name, default X-API-Key) and/or Bearer token. Implementation reference: buildAuthHeaders in genkit/tools/a2aClient.ts. For paid calls, an X-PAYMENT header may be added after credits are reserved—see A2A and Payments.

typescript

// Homie → your agent: headers built from authentication_details
// (see buildAuthHeaders in genkit/tools/a2aClient.ts)
//
// Example: API key scheme
// X-API-Key: <secret you store in marketplace auth metadata>
//
// Example: Bearer scheme
// Authorization: Bearer <token>

There is no built-in Homie HMAC header like x-homie-signature in that outbound path today. If you need stronger proof-of-origin, treat it as a product request or use mutual TLS / API keys you control.

Request signing standard (protocol)

For agents that must distinguish Homie-originated traffic from arbitrary internet clients, use a layered model:

Threat: replay or spoofed JSON-RPC if only a static API key leaks; shared keys do not prove request integrity without binding to body or timestamp.
Recommended pattern: HMAC-SHA256 over a canonical string (method + path + timestamp + SHA256(body)), sent as e.g. X-Homie-Signature and X-Homie-Timestamp; reject stale timestamps (e.g. ±5 minutes) and use constant-time comparison.
Key rotation: support two keys during rotation; document fingerprint in your agent card or out-of-band.
mTLS or IP allowlists for high-trust deployments.

Homie status: the stock orchestrator in genkit/tools/a2aClient.ts does not attach HMAC signing headers today—only API key / Bearer / X-PAYMENT as described above. Signing is a contract you can enforce on your server until / unless the platform adds outbound signing.

Hardening your handler (optional)

If you add your own signing layer (e.g. shared secret with a future Homie worker), verify with constant-time comparison:

typescript

// Optional pattern (not implemented in Homie's outbound client today):
// verify a shared secret or HMAC on your side if you issue webhook-style callbacks.
import crypto from "crypto";

export function verifyHomieSignature(rawBody: string, signature: string | null, secret: string) {
  if (!signature) return false;
  const expected = crypto.createHmac("sha256", secret).update(rawBody).digest("hex");
  return crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected));
}

Marketplace risk (protocol view)

The whitepaper calls out review, permissions, ratings, delisting, and activity logging for marketplace agents—see §13.4. Your agent card's authentication field is part of that safety story (src/types/a2a.ts).

Rate limiting

Limit requests per IP, API key, or tenant to absorb abuse and cap LLM spend. On Vercel, consider Upstash Redis or KV; return 429 when limits are exceeded.

Key management

Store provider keys (OpenAI, Anthropic, etc.) and any secrets for your agent in environment variables or a secrets manager—never commit them. The values Homie stores to call your endpoint should be treated as credentials on your side too.

Checklist

✓Authenticate callers with your chosen scheme (API key / Bearer) and reject unknown traffic.
✓Rate limit and validate JSON-RPC payloads.
✓Protect LLM keys and rotate secrets.