Nexartis NANDA Node
A five-service NANDA implementation running on Cloudflare Workers — from agent registration and discovery to federation sync and compliance, deployed at 300+ edge locations worldwide.
The Challenge
Project NANDA defines the protocol for decentralized AI agent discovery, but the protocol needs reference implementations — real, running nodes that prove the architecture works at production scale. Nexartis set out to build the first TypeScript implementation of a full NANDA node, with a key constraint: zero-ops infrastructure that could scale globally without managing servers.
The requirements were demanding: support all five NANDA services (registry, certifier, compliance, observer, points auditor), implement federation for multi-node sync, handle cryptographic operations for Ed25519-signed AgentFacts, and serve both API consumers and a full documentation site — all from a single deployment artifact.
The Solution: Cloudflare Workers
The Nexartis NANDA node runs as a SvelteKit 5 application compiled for Cloudflare Workers via @sveltejs/adapter-cloudflare. This gives us V8 isolates at every edge
location — zero cold starts, automatic scaling, and sub-50ms response times globally.
The architecture leverages the full Cloudflare platform:
D1 Database
SQLite-based relational store with 17 tables covering agents, certificates, revocations, compliance checks, telemetry, federation peers, and audit records.
KV Namespace
NANDA_NODE_CACHE — key-value store for rate limiting, cached agent lookups, and
session state. Sub-millisecond reads at the edge.
R2 Object Storage
KYM_NANDA_EVIDENCE — S3-compatible storage for certification evidence, test artifacts,
and immutable audit logs.
Secrets Store
Cloudflare Secrets Store for HMAC keys, Ed25519 signing keys, and federation admin
credentials — accessed via resolveSecret().
Core Services and Domain Layers, One Worker
Instead of deploying separate microservices for every concern, the Nexartis node implements NANDA's core services plus newer federation, switchboard, billing, and orchestration layers within a single Cloudflare Worker. SvelteKit's file-based routing maps API endpoints cleanly to service boundaries:
- Agent Registry —
/register,/lookup,/search,/list,/agentfacts,/stats— the foundational discovery layer - Capability Certifier — Wilson confidence interval scoring with W3C
Verifiable Credentials and
/credentials/statusfor revocation checks - Compliance Enforcer — Policy decision engine with PII redaction and regional routing rules
- Observer Evaluator — Cron-triggered liveness probes via
/healthand agent telemetry collection - Points Auditor — Payment intent reconciliation and settlement verification
The build chain extends SvelteKit with post-build injection scripts that add a scheduled() handler to the compiled worker — enabling Cloudflare's cron event triggers without framework modifications.
Federation & Security
The node implements NANDA's Quilt federation protocol with gossip-based peer synchronization. Federation endpoints (/federation/sync, /federation/agents, /federation/status) allow peer nodes to
discover and sync agent records across the network.
Security is enforced at every layer:
- Rate limiting via KV-backed counters on all API routes — configurable per endpoint, per IP
- CORS — global CORS headers applied via SvelteKit server hooks for cross-origin agent communication
- Admin authentication — federation write endpoints require bearer token verification
- A2A protocol support — the
/a2aendpoint handles JSON-RPC 2.0 agent-to-agent communication per the A2A specification
Developer Program
The Nexartis node includes a full developer API key program, giving external developers programmatic access to the NANDA discovery infrastructure:
- Developer Portal (
/developers) — Feature overview, quickstart guide, and tier comparison for prospective developers - Key Management Dashboard (
/developers/dashboard) — Session-authenticated interface to generate, view, and revoke API keys - Three-Tier Rate Limiting — Free (1,000 req/month), Pro (10,000 req/month), Enterprise (100,000 req/month) with per-key D1-backed counters that reset monthly
- API Documentation (
/docs/developers) — Complete reference including authentication, endpoints, and code examples
Keys use the nanda_ prefix and SHA-256 hashed storage — only the key holder
ever sees the raw token. Bearer authentication is enforced in the SvelteKit hooks.server.ts middleware, with rate limits checked per-key on every API route.
Runtime Reputation
Beyond static registration, the node computes and exposes runtime trust signals via the /reputation REST endpoint. This aggregates data from two sources:
- Observer Evaluator — Cron-triggered liveness probes compute a weighted reputation score: availability × 0.3 + probe success × 0.3 + certification score × 0.3 − fraud rate × 0.1
- Capability Certifier — Wilson confidence interval grades (A+ through F) from capability test results, stored as W3C Verifiable Credentials
The /reputation endpoint returns both data sets in a single JSON response, designed
for consumption by partner platforms like KYM's admin dashboard. All data is read from persisted
snapshots — no expensive A2A computation is triggered per request.
Three-Environment Pipeline
The deployment pipeline mirrors enterprise best practices with three isolated environments, each with its own Cloudflare bindings:
nanda-dev.nexartis.com Development & testingnanda-test.nexartis.com Staging & integrationnanda.nexartis.com Production