Build guide

Build an AI agent on KXCO Armature

A hands-on path to giving an autonomous agent a wallet and a post-quantum identity — so it can sign its outputs, pay other agents, and authenticate to APIs without bearer tokens. For the conceptual overview and use cases, see the AI agents page.

What you’ll need

  • Node.js 18+. The agent runtime. The kxco-post-quantum SDK and EVM libraries (viem / ethers) run in any Node or modern browser environment.
  • kxco-post-quantum. The npm package for ML-DSA-65 keygen, signing and verification. The agent’s private key is generated locally and never leaves its environment.
  • An EVM wallet. A standard secp256k1 wallet (created with viem/ethers) for gas and settlement in ARMR.
  • A funded account, to transact. Reading the chain is open. To send value or anchor actions, the agent needs a funded account on the permissioned chain — request one from KXCO.

Step-by-step

  1. 1

    Generate a post-quantum identity

    Generate an ML-DSA-65 (NIST FIPS-204) keypair locally. The private key stays in the agent’s environment; a kid (key fingerprint) is derived from the public key for rotation tracking. This is the identity that makes the agent’s outputs unforgeable.

    npm install kxco-post-quantum

import { generateKeyPair } from 'kxco-post-quantum'
const { publicKey, privateKey, kid } = await generateKeyPair() // ML-DSA-65
  2. 2

    Create the agent’s EVM wallet

    The agent uses a standard secp256k1 wallet for gas and on-chain settlement. The EVM address handles transactions; the ML-DSA-65 identity provides post-quantum-verifiable attribution. Two keys, two jobs.

    import { privateKeyToAccount } from 'viem/accounts'
const account = privateKeyToAccount(process.env.AGENT_EVM_KEY)
// account.address is the agent's on-chain identity for gas + settlement
  3. 3

    Connect to Armature

    Point any EVM library at the Armature RPC. There is no KYC at the chain layer — the licensed operator running the platform handles eligibility at the application layer for regulated use.

    import { createWalletClient, http, defineChain } from 'viem'
const armature = defineChain({
  id: 1111111, name: 'KXCO Armature',
  nativeCurrency: { name: 'ARMR', symbol: 'ARMR', decimals: 18 },
  rpcUrls: { default: { http: ['https://chain.kxco.ai/rpc'] } },
})
const wallet = createWalletClient({ account, chain: armature, transport: http() })
  4. 4

    Sign the agent’s outputs

    Before delivering a result, the agent signs it with its ML-DSA-65 key. Any counterparty can verify the signature against the published public key — proving this exact identity produced the output, now or in decades, with no shared secret to leak.

    import { sign } from 'kxco-post-quantum'
const signature = await sign(privateKey, outputBytes) // ML-DSA-65
// recipient verifies with verify(publicKey, outputBytes, signature)
  5. 5

    Pay another agent

    Settle agent-to-agent in ARMR over standard JSON-RPC — provably attributed, final in ~2s, with an on-chain audit trail. For a post-quantum-authorized transfer, route an ML-DSA-65 signed intent through the KXCO relay, which verifies the signature off-chain and anchors the result on-chain.

    await wallet.sendTransaction({
  to: subAgentAddress,
  value: 1_000_000_000_000_000n, // ARMR (wei)
})
  6. 6

    Authenticate to APIs with the identity

    Replace bearer tokens with ML-DSA-65 per-request signatures using the kxco-post-quantum-webhook adapters (Express / Fastify / Hono / Workers / Vercel). The server stores only the public key, so every request is independently verifiable — nothing to rotate, nothing to leak.

    npm install kxco-post-quantum-webhook

Why agents run on Armature

Human-oriented rails assume a person authorizes every transaction. Agents don’t work that way — Armature was built for non-human participants.

Machine-native
Built for non-human participants from day one — agents act at machine speed across many counterparties with no human approval gate.
Unforgeable attribution
Every output and transaction is signed with ML-DSA-65. Public-key accountability that holds across the quantum transition.
No bearer tokens
Per-request post-quantum signatures replace shared secrets. The server keeps only a public key.
Real-time M2M settlement
Agent-to-agent payments in ARMR settle in ~2s with an on-chain audit trail — no invoicing, no reconciliation.
Post-quantum identity
Identities issued today (ML-DSA-65, SLH-DSA) stay valid and unforgeable when quantum compute becomes practical.
Standard EVM
viem, ethers and web3.js all work. The agent’s wallet is an ordinary EVM account.

Frequently asked

Does an AI agent need to pass KYC to use the chain?
Not at the chain layer. The agent connects with an EVM wallet and an ML-DSA-65 identity. Any KYC or eligibility is handled by the licensed operator at the application layer, for regulated use cases.
How does a counterparty trust an agent’s signature?
The agent publishes its ML-DSA-65 public key (for example at a well-known URL). Anyone can verify a signed output or request against that key — proving the specific identity produced it.
Is the post-quantum signature verified on-chain?
ML-DSA-65 signatures are verified off-chain by the KXCO relay and the result is anchored on-chain. The Quantum section documents the full cryptographic coverage of the chain.
What does an agent pay with?
ARMR, the native token, used for gas and inter-agent settlement. Transfers are final in about two seconds.

Go deeper

AI agents — overview
Who gets an identity, what every agent receives, and the full set of use cases.
Read the overview →
kxco-post-quantum SDK
Eleven packages: keygen, signing, encryption, webhook auth, file vault, identity.
Browse the SDK →
Post-quantum security
Why machine identities must be post-quantum, and how Armature secures them.
See the coverage →

Give your agent an identity

Generate a post-quantum keypair, connect to Armature, and your agent is live. For institutional integrations or custom identity issuance, contact KXCO.

AI agents overview →Contact KXCO