L8 SDKs and network adapters

L8 LIVE: PyPI oris-sdk 0.2.0, npm oris-sdk 0.4.0

L8 is the developer surface. It is the layer that takes the protocol from a 1.5 KB byte payload to a single line of code. Two SDKs ship today (Python and TypeScript). An MCP server is published for agent-native workflows. Rust core is on the roadmap.

What it does

The SDK wraps three responsibilities:

REST clients for the 171 API endpoints (agents, wallets, policies, payments, audit, compliance, KYA, …).
Protocol clients under oris.protocol (L6 verifier, L8 network adapters, offline verdict verification).
Ed25519 request signing for every authenticated call (Authorization, X-Request-Signature, X-Timestamp, X-Nonce).

The SDK never holds a key in plaintext on disk. The signing key stays in memory only for the duration of the request.

Two SDKs, paired API

Python — oris-sdk 0.2.0

pip install oris-sdk. Sync and async clients. Pydantic v2 models. PyPI live.

TypeScript — oris-sdk 0.4.0

npm install oris-sdk. Promise-based. Strict typed responses. npm live.

MCP server

@useoris/skill-openclaw v1.0.5. Fifteen MCP tools for agent-as-coder workflows.

Rust core

Vision-stage. Ships in a future release with mainnet rollout.

The Python and TypeScript SDKs ship with identical surface area. Method names align (snake_case for Python, camelCase for TypeScript) but the response shape is the same.

The protocol namespace

from oris.protocol import OrisProtocol

p = OrisProtocol(network="base-sepolia")

# 1. Fetch the live verifier pubkey
pubkey = p.verifier.get_pubkey()

# 2. Build a 112-byte tx_intent preimage
tx_intent_hex = p.adapter.encode_tx_intent_hex(
    counterparty="0x" + "11" * 20,
    amount_usd_e6=1_000_000,
    stablecoin="USDC",
    category="0x" + "00" * 32,
    nonce="0x" + "ab" * 32,
    expires_at=9_999_999_999,
)

# 3. Verify a compliance bundle against the live verifier
verdict = p.verifier.verify(
    bundle_bytes_hex=bundle_hex,
    tx_intent_hex=tx_intent_hex,
    signer_pubkey_hex=agent_pubkey_hex,
)

# 4. Independently verify the verdict's Ed25519 signature offline
ok = p.verifier.verify_response_signature(verdict, pubkey.pubkey_hex)

The oris.protocol namespace exposes only protocol-level primitives. It does not require an API key. Suitable for verifiers, networks, and auditors who consume bundles but do not produce them.

Network adapters

Base ships today. The adapter encodes tx_intent into the canonical 112-byte preimage and submits the on-chain transaction with a paymaster-sponsored gas profile (ERC-4337).

Adapter	State
Base	LIVE
Solana	PENDING
Stripe MPP	PENDING
Visa Tap	PENDING
AWS AgentCore	PENDING
x402	PENDING
Coinbase Agent	PENDING

v1 ships with Base only. v2 lights up the others as partners co-sign their integration.

Authentication

Every authenticated request needs four headers:

Authorization: oris_sk_live_...
X-Request-Signature: <hex>
X-Timestamp: <unix-epoch>
X-Nonce: <unique-token>

The signature is Ed25519 over a canonical payload:

{timestamp}.{nonce}.{METHOD}.{path}.{SHA256(body)}

The SDK builds and signs this automatically. You only configure the API key + the Ed25519 private key. Both come from the dashboard.

from oris import OrisClient
from oris.protocol import OrisProtocol

client = OrisClient(
    api_key=os.environ["ORIS_API_KEY"],
    private_key=os.environ["ORIS_PRIVATE_KEY"],
)

result = client.payments.send(
    agent_id=agent.id,
    to_address="0xA1b2...",
    amount=12.50,
    chain="base-sepolia",
    category="api_consumption",
)

# Offline verify the verdict
p = OrisProtocol(network="base-sepolia")
pubkey = p.verifier.get_pubkey()
ok = p.verifier.verify_response_signature(result.verdict, pubkey.pubkey_hex)
assert ok

import { OrisClient, OrisProtocol } from 'oris-sdk';

const client = new OrisClient({
  apiKey: process.env.ORIS_API_KEY!,
  privateKey: process.env.ORIS_PRIVATE_KEY!,
});

const result = await client.payments.send({
  agentId: agent.id,
  toAddress: '0xA1b2...',
  amount: 12.50,
  chain: 'base-sepolia',
  category: 'api_consumption',
});

const p = new OrisProtocol({ network: 'base-sepolia' });
const pubkey = await p.verifier.getPubkey();
if (!p.verifier.verifyResponseSignature(result.verdict, pubkey.pubkeyHex)) {
  throw new Error('verdict signature invalid');
}

Forward compatibility

The legacy OrisClient API (agents, wallets, policies, payments) is frozen on the wire. The oris.protocol namespace is additive: new methods land in minor releases, no breaking removals. New proof_type values (v2 ZK) ship without breaking existing SDK code.

Deploy state

PyPI oris-sdk 0.2.0 and npm oris-sdk 0.4.0 are both live. Cross-language parity is confirmed against fresh installs. The release passed its security audit with zero critical and zero important findings open.

Where to go next

Python SDK page for module-level reference and async patterns.
TypeScript SDK page for the same in TS.
MCP server page for the 15-tool agent integration surface.
Bundle verification guide for the protocol-namespace deep dive.