QHermes 26
Quickstart
A working delegation chain in Python, from zero.
Install
Python:
pip install qhermes-kernel qhermes-a2a
Rust:
cargo add qhermes-kernel
cargo add qhermes-channels
cargo add qhermes-a2a
Derive an identity
Everything starts from a 32-byte master seed. In production this lives in a secret store or HSM, never in source code.
import os
from qhermes.kernel import make_identity, derive_public_key
master = os.urandom(32)
root = make_identity(master, deployment=b"prod", context=b"root")
root_pk = derive_public_key(root)
Issue a credential
from qhermes.kernel import make_policy, issue_credential
agent = make_identity(master, deployment=b"prod", context=b"agent-0")
agent_pk = derive_public_key(agent)
policy = make_policy(
    resources=[b"/data"],
    actions=[b"read"],
    hours_valid=1,
)
cred = issue_credential(
    identity=root,
    child_pk=agent_pk,
    policy=policy,
    depth=1,
    role="leaf",
)
Build and verify the chain
from qhermes.kernel import build_chain, verify_chain
wire = build_chain((cred,))
# On the receiving end — only root_pk is required
n = verify_chain(root_pk=root_pk, wire=wire)
print(f"Chain verified: {n} credential(s)")
verify_chain raises on any failure: invalid signature, expired credential, scope escalation, broken chain sequence.
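To make three of those failure classes concrete (expired credential, scope escalation, broken chain sequence), here is an added, stdlib-only model of the structural checks a delegation-chain verifier performs. It is not QHermes code and does not reflect its internals: the `Cred` fields, `ChainError`, `covers` and `check_chain` are hypothetical names, depth is assumed to count from 1 as in the quickstart, and signature verification is omitted.

```python
import time
from dataclasses import dataclass

class ChainError(Exception):
    """Hypothetical error type for this model; not a QHermes class."""

@dataclass(frozen=True)
class Cred:
    """Simplified credential; field names are assumptions, signatures omitted."""
    issuer: str
    subject: str
    resources: frozenset
    actions: frozenset
    expires_at: float
    depth: int

def covers(parent_paths, child_paths):
    # In scope only if equal to, or strictly beneath, a parent path.
    # Appending b"/" stops b"/database" from matching parent b"/data".
    return all(
        any(c == p or c.startswith(p.rstrip(b"/") + b"/") for p in parent_paths)
        for c in child_paths
    )

def check_chain(root, chain, now=None):
    """Return the number of credentials, or raise ChainError."""
    now = time.time() if now is None else now
    if not chain:
        raise ChainError("empty chain")
    expected_issuer, parent = root, None
    for position, cred in enumerate(chain, start=1):
        if cred.issuer != expected_issuer or cred.depth != position:
            raise ChainError("broken chain sequence")
        if cred.expires_at <= now:
            raise ChainError("expired credential")
        if parent is not None and not (
            cred.actions <= parent.actions
            and covers(parent.resources, cred.resources)
        ):
            raise ChainError("scope escalation")
        expected_issuer, parent = cred.subject, cred
    return len(chain)

# Constructed sample data mirroring the quickstart's /data + read policy.
NOW = 1_700_000_000.0
ROOT_TO_A = Cred("root", "agent-0", frozenset({b"/data"}), frozenset({b"read"}), NOW + 3600, 1)
A_TO_B = Cred("agent-0", "agent-1", frozenset({b"/data/reports"}), frozenset({b"read"}), NOW + 600, 2)
A_TO_B_WIDE = Cred("agent-0", "agent-1", frozenset({b"/data"}), frozenset({b"read", b"write"}), NOW + 600, 2)
```

`check_chain("root", [ROOT_TO_A, A_TO_B], now=NOW)` returns 2, while swapping in `A_TO_B_WIDE` raises `ChainError("scope escalation")` because the child adds `write`.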
Embed in a message
seal_auth and verify_auth wrap the same chain for embedding in A2A messages or any other metadata field.
from qhermes.a2a import seal_auth, verify_auth
wire = seal_auth([cred])
n = verify_auth(root_pk=root_pk, wire=wire)
print(f"Auth blob: {len(wire)} bytes, {n} credential(s)")