← Back to Skills Marketplace
537
Downloads
2
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install erc8128
Description
Sign and verify HTTP requests with Ethereum wallets using ERC-8128. Use when building authenticated APIs that need wallet-based auth, making signed requests...
README (SKILL.md)
ERC-8128: Ethereum HTTP Signatures
ERC-8128 extends RFC 9421 (HTTP Message Signatures) with Ethereum wallet signing. It enables HTTP authentication using existing Ethereum keys—no new credentials needed.
📚 Full documentation: erc8128.slice.so
When to Use
- API authentication — Wallets already onchain can authenticate to your backend
- Agent auth — Bots and agents sign requests with their operational keys
- Replay protection — Signatures include nonces and expiration
- Request integrity — Sign URL, method, headers, and body
Packages
| Package | Purpose |
|---|---|
@slicekit/erc8128 |
JS library for signing and verifying |
@slicekit/erc8128-cli |
CLI for signed requests (erc8128 curl) |
Library: @slicekit/erc8128
Sign requests
import { createSignerClient } from '@slicekit/erc8128'
import type { EthHttpSigner } from '@slicekit/erc8128'
import { privateKeyToAccount } from 'viem/accounts'
const account = privateKeyToAccount('0x...')
const signer: EthHttpSigner = {
chainId: 1,
address: account.address,
signMessage: async (msg) => account.signMessage({ message: { raw: msg } }),
}
const client = createSignerClient(signer)
// Sign and send
const response = await client.fetch('https://api.example.com/orders', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ amount: '100' }),
})
// Sign only (returns new Request with signature headers)
const signedRequest = await client.signRequest('https://api.example.com/orders')
Verify requests
import { createVerifierClient } from '@slicekit/erc8128'
import type { NonceStore } from '@slicekit/erc8128'
import { createPublicClient, http } from 'viem'
import { mainnet } from 'viem/chains'
// NonceStore interface for replay protection
const nonceStore: NonceStore = {
consume: async (key: string, ttlSeconds: number): Promise\x3Cboolean> => {
// Return true if nonce was successfully consumed (first use)
// Return false if nonce was already used (replay attempt)
}
}
const publicClient = createPublicClient({ chain: mainnet, transport: http() })
const verifier = createVerifierClient(publicClient.verifyMessage, nonceStore)
const result = await verifier.verifyRequest(request)
if (result.ok) {
console.log(`Authenticated: ${result.address} on chain ${result.chainId}`)
} else {
console.log(`Failed: ${result.reason}`)
}
Sign options
| Option | Type | Default | Description |
|---|---|---|---|
binding |
"request-bound" | "class-bound" |
"request-bound" |
What to sign |
replay |
"non-replayable" | "replayable" |
"non-replayable" |
Include nonce |
ttlSeconds |
number |
60 |
Signature validity |
components |
string[] |
— | Additional components to sign |
contentDigest |
"auto" | "recompute" | "require" | "off" |
"auto" |
Content-Digest handling |
request-bound: Signs @authority, @method, @path, @query (if present), and content-digest (if body present). Each request is unique.
class-bound: Signs only the components you explicitly specify. Reusable across similar requests. Requires components array.
📖 See Request Binding for details.
Verify policy
| Option | Type | Default | Description |
|---|---|---|---|
maxValiditySec |
number |
300 |
Max allowed TTL |
clockSkewSec |
number |
0 |
Allowed clock drift |
replayable |
boolean |
false |
Allow nonce-less signatures |
classBoundPolicies |
string[] | string[][] |
— | Accepted class-bound component sets |
📖 See Verifying Requests and VerifyPolicy for full options.
CLI: erc8128 curl
For CLI usage, see references/cli.md.
Quick examples:
# GET with keystore
erc8128 curl --keystore ./key.json https://api.example.com/data
# POST with JSON
erc8128 curl -X POST \
-H "Content-Type: application/json" \
-d '{"foo":"bar"}' \
--keyfile ~/.keys/bot.key \
https://api.example.com/submit
# Dry run (sign only)
erc8128 curl --dry-run -d @body.json --keyfile ~/.keys/bot.key https://api.example.com
📖 See CLI Guide for full documentation.
Common Patterns
Express middleware
import { verifyRequest } from '@slicekit/erc8128'
import type { NonceStore } from '@slicekit/erc8128'
import { createPublicClient, http } from 'viem'
import { mainnet } from 'viem/chains'
const publicClient = createPublicClient({ chain: mainnet, transport: http() })
// Implement NonceStore (Redis example)
const nonceStore: NonceStore = {
consume: async (key, ttlSeconds) => {
const result = await redis.set(key, '1', 'EX', ttlSeconds, 'NX')
return result === 'OK'
}
}
async function erc8128Auth(req, res, next) {
const result = await verifyRequest(
toFetchRequest(req), // Convert Express req to Fetch Request
publicClient.verifyMessage,
nonceStore
)
if (!result.ok) {
return res.status(401).json({ error: result.reason })
}
req.auth = { address: result.address, chainId: result.chainId }
next()
}
Agent signing (with key file)
import { createSignerClient } from '@slicekit/erc8128'
import type { EthHttpSigner } from '@slicekit/erc8128'
import { privateKeyToAccount } from 'viem/accounts'
import { readFileSync } from 'fs'
const key = readFileSync(process.env.KEYFILE, 'utf8').trim()
const account = privateKeyToAccount(key as `0x${string}`)
const signer: EthHttpSigner = {
chainId: Number(process.env.CHAIN_ID) || 1,
address: account.address,
signMessage: async (msg) => account.signMessage({ message: { raw: msg } }),
}
const client = createSignerClient(signer)
// Use client.fetch() for all authenticated requests
Verify failure reasons
type VerifyFailReason =
| 'missing_headers'
| 'label_not_found'
| 'bad_signature_input'
| 'bad_signature'
| 'bad_keyid'
| 'bad_time'
| 'not_yet_valid'
| 'expired'
| 'validity_too_long'
| 'nonce_required'
| 'replayable_not_allowed'
| 'replayable_invalidation_required'
| 'replayable_not_before'
| 'replayable_invalidated'
| 'class_bound_not_allowed'
| 'not_request_bound'
| 'nonce_window_too_long'
| 'replay'
| 'digest_mismatch'
| 'digest_required'
| 'alg_not_allowed'
| 'bad_signature_bytes'
| 'bad_signature_check'
📖 See VerifyFailReason for descriptions.
Key Management
For agents and automated systems:
| Method | Security | Use Case |
|---|---|---|
--keyfile |
Medium | Unencrypted key file, file permissions for protection |
--keystore |
High | Encrypted JSON keystore, password required |
ETH_PRIVATE_KEY |
Low | Environment variable, avoid in production |
| Signing service | High | Delegate to external service (SIWA, AWAL) |
Documentation
- Full docs: erc8128.slice.so
- Quick Start: erc8128.slice.so/getting-started/quick-start
- Concepts: erc8128.slice.so/concepts/overview
- API Reference: erc8128.slice.so/api/signRequest
- ERC-8128 Spec: GitHub
Usage Guidance
This skill's content is coherent for building wallet-signed HTTP requests and verification. Before you use it: (1) note that the skill bundle contains only documentation — the actual CLI/library would be installed separately (npm/@slicekit packages); verify the package publisher and inspect the package code before installing. (2) Avoid passing raw private keys on command lines or in scripts; prefer encrypted keystores, hardware wallets, or process-limited environment injection. (3) If you plan to run the CLI, prefer installing from an official, verifiable source and check package integrity (verify author, version, and package contents). (4) If you need higher assurance, ask the publisher/source for a repository or checksum and request a homepage or canonical source URL — absence of a homepage in the skill metadata reduces confidence in auditing the referenced packages.
Capability Analysis
Type: OpenClaw Skill
Name: erc8128
Version: 1.0.0
The OpenClaw AgentSkills skill bundle for ERC-8128 provides tools for signing and verifying HTTP requests using Ethereum wallets. The documentation clearly outlines the purpose, usage, and various methods for handling private keys, including explicit security best practices and warnings about less secure options (e.g., `ETH_PRIVATE_KEY` environment variable or `--private-key` CLI option). All file and network access (e.g., reading key files, sending signed HTTP requests) is directly related to the skill's stated purpose. There is no evidence of intentional data exfiltration to unauthorized endpoints, malicious execution, persistence mechanisms, obfuscation, or prompt injection attempts against the agent. The skill functions as a legitimate cryptographic utility with transparent operations.
Capability Assessment
Purpose & Capability
The name/description (ERC-8128 HTTP signatures) match the contents: examples for signing and verifying, a verifier nonce-store, Express middleware, and a CLI are all appropriate for building wallet-based HTTP auth.
Instruction Scope
SKILL.md and references/cli.md limit actions to signing/verifying requests and reading key material (keystore, keyfile, or ETH_PRIVATE_KEY). There are no instructions to read unrelated system files or exfiltrate data. Use of NonceStore and Redis is scoped to replay protection and is relevant.
Install Mechanism
This is an instruction-only skill with no install spec. The docs point users to install npm packages (e.g., @slicekit/erc8128-cli) via npm/npx — expected for a JS CLI but means installing external code from registries if you follow the docs. Because no package source/homepage is provided in the skill metadata, you cannot verify the referenced packages from this skill bundle alone.
Credentials
The skill declares no required environment variables, but the docs mention using ETH_PRIVATE_KEY and support keyfile/keystore/password/--private-key options. Those env/file accesses are normal for a signing tool, but the metadata/instructions mismatch (no declared required env in metadata) is worth noting. The number and type of secrets referenced are proportionate to the task, but handling private keys on the CLI or as raw env vars is intrinsically risky and the docs themselves warn about it.
Persistence & Privilege
Skill is not always-enabled, does not request persistent system-wide privileges, and is instruction-only (no code written by the skill). It does not ask to modify other skills or system configs.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install erc8128 - After installation, invoke the skill by name or use
/erc8128 - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of erc8128.
- Enables signing and verifying HTTP requests using Ethereum wallets (ERC-8128 standard).
- Supports both a JavaScript library (@slicekit/erc8128) and command-line interface (erc8128 curl).
- Provides replay protection, nonce support, request binding options, and request integrity features.
- Includes extensible verification policies and integration patterns for APIs and agent-based authentication.
- Comprehensive documentation links and common implementation patterns for servers and bots.
Metadata
Frequently Asked Questions
What is ERC-8128?
Sign and verify HTTP requests with Ethereum wallets using ERC-8128. Use when building authenticated APIs that need wallet-based auth, making signed requests... It is an AI Agent Skill for Claude Code / OpenClaw, with 537 downloads so far.
How do I install ERC-8128?
Run "/install erc8128" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is ERC-8128 free?
Yes, ERC-8128 is completely free (open-source). You can download, install and use it at no cost.
Which platforms does ERC-8128 support?
ERC-8128 is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created ERC-8128?
It is built and maintained by jacopo (@jacopo-eth); the current version is v1.0.0.
More Skills