IDENTITY-FIRST
CAPABILITY-BASED AUTH
CROSS-LANGUAGE BY DEFAULT
Machines need to authenticate to other machines, often on behalf of a user. Aster makes that safe — without a central authority and without shared secrets.
Aster is a peer-to-peer RPC framework with identity in the connection. Define typed services in code; connect by cryptographic address; authorize per method with capability credentials minted from an offline root key. No DNS. No load balancer. No certificate authority. No OAuth proxy in the middle.
The 2026 vivid example is AI agents calling tools on remote machines: agent on machine A wants to invoke a function on machine B, you don't want a hosted proxy, you don't want to rotate API keys, and you want the call scoped to specific methods. The same engineering covers IoT fleets, edge compute, multi-tenant microservices, and anything else where the machine is the principal and the user is the delegating authority.
Built on iroh (QUIC + NAT traversal), Apache Fory (cross-language wire format), and BLAKE3 (content-addressed contract identity). Capability-based credentials, four-gate authorization, and an offline ed25519 root key.
Hostname-first, infra-first, static-network RPC was designed for an era when machines lived in datacenters with stable addresses and a central control plane. That era is gone. More code now runs on more machines than people, and the percentage is going one direction. Edge devices, AI agents acting on behalf of users, multi-tenant runtimes, cross-organisational fleets — none of these fit cleanly into the assumption that you control DNS, the certificate authority, the load balancer, and the network path.
Aster starts from different assumptions:
| Identity-first transport | Reach endpoints by cryptographic identity, not stable addresses. |
| Capability-based auth | Mint scoped credentials offline; the framework enforces them at the connection level before your code runs. |
| Content-addressed contracts | Service contracts are deterministic BLAKE3 hashes — portable artifacts with real identity, not incidental files. |
| Cross-language by default | Python and TypeScript share the same wire format natively. No codegen step. No IDL file. |
| Decentralised registry | Publish and discover contracts without a central control plane. Built on iroh-docs and iroh-gossip. |
| Session-scoped services | Stateful, per-peer instances modelled cleanly for long-lived workflows and agent sessions. |
| Layer | Role |
|---|---|
| Transport | Identity-first connectivity across real-world networks. iroh QUIC with NAT traversal and relay fallback. |
| Serialization | High-performance cross-language payload exchange. Apache Fory in XLANG, NATIVE, ROW modes; JSON for debugging and the dynamic proxy. |
| Contract | Deterministic service definitions, BLAKE3 contract identity, decentralised discovery. |
| Repo | What it is |
|---|---|
aster-rpc |
The framework itself — Python + TypeScript bindings, the CLI, the trust spec, examples. Start here if you want to install or read the code. |
docs |
Source for docs.aster.site. Mission Control walkthrough, concept guides, API reference for both languages. |
website |
Source for aster.site. |
.github |
Org profile (this page). |
# Python
pip install aster-rpc aster-cli
# TypeScript
bun add @aster-rpc/asterA minimal service:
from dataclasses import dataclass
from aster import service, rpc, AsterServer
@dataclass
class Greeting:
name: str = ""
message: str = ""
@service(name="Hello", version=1)
class Hello:
@rpc
async def greet(self, req: Greeting) -> Greeting:
return Greeting(message=f"Hello, {req.name}!")
async with AsterServer(services=[Hello()]) as srv:
print(srv.address) # share this aster1... ticket
await srv.serve()For the full story — auth, sessions, four streaming patterns, cross-language interop — work through the Mission Control walkthrough. Seven chapters, 30 minutes, takes you from first hello to a credential-gated control plane with live log streaming, agent sessions, and a generated typed client.
Today: typed services, four streaming patterns, capability-based auth, Python and TypeScript bindings shipping at 0.1.2, MCP integration for AI agent tool calling.
Next: identity-aware load balancing and self-healing built from the same primitives. The substrate keeps growing from one consistent identity model — load balancing across endpoints that share an identity, self-healing rooted in the same trust topology. The "no infrastructure" pitch starts as no DNS, no LB, no certs and grows into no DNS, no LB, no certs, no service mesh, no sidecars, no control plane.
Java, .NET, Kotlin, and Go bindings are in progress. Rust is planned (direct access to the core crate, no FFI overhead).
0.1.2 alpha. Python and TypeScript first-class. Real packages on PyPI and npm.
aster-rpcon PyPI — framework + Python bindingsaster-clion PyPI — theastercommand (shell, trust, gen-client, MCP)@aster-rpc/asteron npm — framework + TypeScript bindings@aster-rpc/transporton npm — NAPI-RS native addonThe shape is real and the engineering is in the open. Expect rapid iteration.