Nexartis NANDA Node
A five-service NANDA implementation running on Cloudflare Workers — from agent registration and discovery to federation sync and compliance, deployed at 300+ edge locations worldwide.
The Challenge
Project NANDA defines the protocol for decentralized AI agent discovery, but the protocol needs reference implementations — real, running nodes that prove the architecture works at production scale. Nexartis set out to build the first TypeScript implementation of a full NANDA node, with a key constraint: zero-ops infrastructure that could scale globally without managing servers.
The requirements were demanding: support all five NANDA services (registry, certifier, compliance, observer, points auditor), implement federation for multi-node sync, handle cryptographic operations for Ed25519-signed AgentFacts, and serve both API consumers and a full documentation site — all from a single deployment artifact.
The Solution: Cloudflare Workers
The Nexartis NANDA node runs as a SvelteKit 5 application compiled for Cloudflare Workers via @sveltejs/adapter-cloudflare. This gives us V8 isolates at every edge
location — zero cold starts, automatic scaling, and sub-50ms response times globally.
The architecture leverages the full Cloudflare platform:
D1 Database
SQLite-based relational store with 17 tables covering agents, certificates, revocations, compliance checks, telemetry, federation peers, and audit records.
KV Namespace
NANDA_NODE_CACHE — key-value store for rate limiting, cached agent lookups, and
session state. Sub-millisecond reads at the edge.
R2 Object Storage
KYM_NANDA_EVIDENCE — S3-compatible storage for certification evidence, test artifacts,
and immutable audit logs.
Secrets Store
Cloudflare Secrets Store for HMAC keys, Ed25519 signing keys, and federation admin
credentials — accessed via resolveSecret().
Five Services, One Worker
Instead of deploying five separate microservices, the Nexartis node implements all five NANDA services within a single Cloudflare Worker. SvelteKit's file-based routing maps API endpoints cleanly to service boundaries:
- Agent Registry —
/register,/lookup,/search,/list,/agentfacts,/stats— the foundational discovery layer - Capability Certifier — Wilson confidence interval scoring with W3C
Verifiable Credentials and
/credentials/statusfor revocation checks - Compliance Enforcer — Policy decision engine with PII redaction and regional routing rules
- Observer Evaluator — Cron-triggered liveness probes via
/healthand agent telemetry collection - Points Auditor — Payment intent reconciliation and settlement verification
The build chain extends SvelteKit with post-build injection scripts that add a scheduled() handler to the compiled worker — enabling Cloudflare's cron event triggers without framework modifications.
Federation & Security
The node implements NANDA's Quilt federation protocol with gossip-based peer synchronization. Federation endpoints (/federation/sync, /federation/agents, /federation/status) allow peer nodes to
discover and sync agent records across the network.
Security is enforced at every layer:
- Rate limiting via KV-backed counters on all API routes — configurable per endpoint, per IP
- CORS — global CORS headers applied via SvelteKit server hooks for cross-origin agent communication
- Admin authentication — federation write endpoints require bearer token verification
- A2A protocol support — the
/a2aendpoint handles JSON-RPC 2.0 agent-to-agent communication per the A2A specification
Developer Program
The Nexartis node includes a full developer API key program, giving external developers programmatic access to the NANDA discovery infrastructure:
- Developer Portal (
/developers) — Feature overview, quickstart guide, and tier comparison for prospective developers - Key Management Dashboard (
/developers/dashboard) — Session-authenticated interface to generate, view, and revoke API keys - Three-Tier Rate Limiting — Free (1,000 req/month), Pro (10,000 req/month), Enterprise (100,000 req/month) with per-key D1-backed counters that reset monthly
- API Documentation (
/docs/developers) — Complete reference including authentication, endpoints, and code examples
Keys use the nanda_ prefix and SHA-256 hashed storage — only the key holder
ever sees the raw token. Bearer authentication is enforced in the SvelteKit hooks.server.ts middleware, with rate limits checked per-key on every API route.
Runtime Reputation
Beyond static registration, the node computes and exposes runtime trust signals via the /reputation REST endpoint. This aggregates data from two sources:
- Observer Evaluator — Cron-triggered liveness probes compute a weighted reputation score: availability × 0.3 + probe success × 0.3 + certification score × 0.3 − fraud rate × 0.1
- Capability Certifier — Wilson confidence interval grades (A+ through F) from capability test results, stored as W3C Verifiable Credentials
The /reputation endpoint returns both data sets in a single JSON response, designed
for consumption by partner platforms like KYM's admin dashboard. All data is read from persisted
snapshots — no expensive A2A computation is triggered per request.
Three-Environment Pipeline
The deployment pipeline mirrors enterprise best practices with three isolated environments, each with its own Cloudflare bindings:
nanda-dev.nexartis.com Development & testingnanda-test.nexartis.com Staging & integrationnanda.nexartis.com Production