iAgentMart is a local service marketplace, plugin runtime, and crypto payment gateway for AI agents.
It lets a user run a self-hosted marketplace gateway on their own machine, install AI-agent-friendly services or plugins, connect local wallets, and expose a controlled API/MCP surface to external AI agents. Agents can discover services, request payments, call free or paid services, and install approved local plugins without receiving wallet private keys or bypassing user policy.
Official website: https://iagentmart.com
GitHub repository: https://github.com/IAgentMart/IAgentMart
Latest release: https://github.com/IAgentMart/IAgentMart/releases
Submit a service or downloadable plugin: https://iagentmart.com/submit/
iAgentMart is in active development. The current V1 profile focuses on local self-hosting, digital services, downloadable plugins, crypto payment flows, and machine-readable fulfillment. Public marketplace submission and official plugin distribution are being developed alongside the local runtime.
The project is designed to be source-published cleanly. Generated packages, local databases, runtime caches, installed plugins, and secrets should not be committed.
iAgentMart is an experimental tool for exploring how AI agents can discover services, install local plugins, and interact with crypto payment flows. It is provided for research, development, and early product exploration only.
Use it at your own risk:
- iAgentMart does not guarantee the safety, correctness, availability, legality, or quality of third-party services, plugins, manifests, downloads, APIs, payment requests, or seller-provided output.
- Third-party plugins may contain bugs, unsafe behavior, malicious code, insecure dependencies, incorrect manifests, or misleading descriptions.
- Crypto transactions can be irreversible. Users are responsible for reviewing payment recipients, chains, assets, amounts, wallet permissions, auto-payment settings, and spending limits before approving any payment.
- AI agents can misunderstand instructions, call the wrong service, pass incorrect inputs, or act on untrusted seller-provided content. Users should review high-risk actions manually.
- The maintainers and contributors are not responsible for financial loss, lost funds, data loss, wallet compromise, plugin behavior, service downtime, seller misconduct, regulatory issues, or any other damages arising from use of this software or related marketplace content.
Do not use iAgentMart with funds, wallets, private data, or production workflows that you cannot afford to lose unless you have independently reviewed and accepted the risks.
AI agents need a practical way to use services that cost money, return digital goods, or run as local tools. Existing payment and plugin flows usually assume a human is manually clicking through every step, or they expose too much authority to the agent.
iAgentMart provides a safer local boundary:
- The user owns the wallet and policy.
- The agent receives API access, not private keys.
- Payments are created and verified by iAgentMart, not by seller output.
- Service and plugin manifests are treated as untrusted input.
- Local plugins run through managed localhost endpoints.
- All meaningful calls, payment requests, and ledger changes are auditable.
- Local web console for wallets, agents, services, payments, plugins, ledger entries, and audit logs.
- Agent API for service search, service calls, payment submission, payment verification, budgets, and status.
- MCP endpoint with general tools plus dynamic
iagentmart_service_*tools for installed active services. - Plugin manager for installing downloadable iAgentMart plugin packages from GitHub releases, repositories, or package URLs.
- Manifest V1 for machine-readable service definitions, schemas, pricing, fulfillment, and runtime metadata.
- Crypto payment gateway with exact chain/asset/amount/recipient checks.
- Local wallet security with encrypted keystores, unlock flow, auto-payment controls, spending limits, and audit trails.
- SSRF and download-risk controls for HTTP service calls and marketplace/plugin downloads.
- Native launch packages for macOS, Linux, and Windows.
Local iAgentMart console for wallet setup, AI connection keys, payment review, and system status:
Downloadable service discovery for installing AI-agent-friendly local tools from the marketplace:
The current open-source runtime supports:
- EVM chains through
eip155:* - Sui through
sui:*
Solana support is intentionally disabled in this build until its JavaScript SDK dependency risk is resolved or isolated. Commercial services should prefer USDC or USDT payment options where available, while native tokens remain useful for gas and testing.
Most users should run a packaged release instead of cloning the repository.
- Open the GitHub Releases page for this project.
- Download the package for your operating system.
- Extract it and run the launcher.
macOS:
tar -xzf iAgentMart-macOS.tar.gz
cd iagentmart-macos
./iAgentMart-macOS.commandmacOS may block the launcher the first time because the downloaded package is not notarized yet. If that happens, open System Settings -> Privacy & Security, find the blocked iAgentMart-macOS.command entry, click Open Anyway, then confirm Open. After this approval, you can run iAgentMart-macOS.command normally.
Linux:
tar -xzf iAgentMart-Linux.tar.gz
cd iagentmart-linux
./iAgentMart-Linux.shWindows PowerShell:
Expand-Archive -Force iAgentMart-Windows.zip -DestinationPath iAgentMart-Windows
cd iAgentMart-Windows\iagentmart-windows
powershell -ExecutionPolicy Bypass -File .\iAgentMart-Windows.ps1By default the launcher starts iAgentMart at:
http://127.0.0.1:3000
On first run it creates local configuration, initializes SQLite, starts the web app and payment worker, and opens the browser when possible.
Requirements:
- Node.js 20.19.0 or newer
- npm
- SQLite through Prisma
Install and initialize:
npm install
npm run prisma:generate
DATABASE_URL="file:./dev.db" npm run db:init
DATABASE_URL="file:./dev.db" npm run prisma:seedStart development mode:
DATABASE_URL="file:./dev.db" \
IAGENTMART_ENABLE_MOCK_CHAIN_CONFIRMATION=true \
npm run devUseful development commands:
npm run typecheck
npm run lint
npm test
npm run buildBuild local release packages:
npm run native:packageThe generated files are written to:
dist/native
Service authors can submit APIs, digital services, or downloadable plugins through the iAgentMart website:
https://iagentmart.com/submit/
Sign in with a GitHub account when publishing downloadable software so iAgentMart can verify the release source. Non-download services can be listed through the same submission flow as the marketplace expands.
src/ Local runtime, web console, Agent API, MCP, plugins, payments
docs/ OpenAPI, manifest schema, plugin author guide, pricing docs
prisma/ Prisma schema, migrations, seed data
scripts/ Native launcher, packaging, database, worker, publication checks
tests/ Unit tests and smoke/release-check scripts
docs/schemas/ iAgentMart Manifest V1 JSON Schema
docs/openapi/ Agent/local runtime API specification
Important related plugin projects may live outside this repository during development, for example:
/Volumes/KD/AMPlugins/SpecForge
/Volumes/KD/AMPlugins/PixelForge
Those plugins are designed to become separate repositories and should not be committed into this source tree unless intentionally vendored.
When iAgentMart is running, local AI tools can discover it through:
cat ~/.iagentmart/discovery.json
curl http://127.0.0.1:3000/.well-known/iagentmart.json
curl http://127.0.0.1:3000/api/agent/v1Agent clients use API keys created from the local console. API keys are returned once and stored only as hashes.
MCP-capable clients can connect to:
POST /api/mcp
Example:
curl http://127.0.0.1:3000/api/mcp \
-H "Authorization: Bearer <agent_api_key>" \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'The MCP endpoint exposes search, get, call, order, payment, and dynamic iagentmart_service_* tools for installed active services. MCP calls use the same wallet, budget, payment, download-risk, idempotency, and audit checks as the REST Agent API.
Default MCP safety limits:
240JSON-RPC requests per minute per Agent API key120service calls per minute per Agent API key
These can be adjusted with:
IAGENTMART_MCP_REQUESTS_PER_MINUTE
IAGENTMART_MCP_SERVICE_CALLS_PER_MINUTE
Services and local plugins are described by iagentmart-plugin.json manifests.
Reference files:
Manifest V1 declares:
- service identity:
name,displayName,version,author,category - declared capabilities:
permissions[] - pricing:
pricing.type,pricing.acceptedPayments[] - schemas:
inputSchema,outputSchema - fulfillment contract:
fulfillment - execution entry:
entry - optional local runtime metadata:
runtime
riskLevel is accepted only as deprecated compatibility metadata. iAgentMart does not trust seller-provided risk labels for policy decisions. Runtime permission gates are derived from objective characteristics such as local runtime usage, endpoint shape, service type, and sensitive permission types.
Seller-provided names, descriptions, schema descriptions, permission text, and returned output are untrusted content. Payment authorization must come from iAgentMart payment options and payment instructions only.
iAgentMart is designed around local user control and explicit authority boundaries.
- Wallet private keys never leave the local machine.
- Wallet export is explicit and never appears in normal wallet list/detail responses.
- Agent API keys are shown once and stored only as hashes.
- Auto-payment requires an unlocked wallet and still enforces payer, recipient, asset, chain, amount, spending limits, and user policy.
- Seller output cannot authorize payment, request additional payment, change recipients, or override local policy.
- HTTP calls pass through SSRF protections, redirect blocking, body limits, response limits, and download-risk checks.
- Plugin package downloads require public HTTPS and archive safety checks.
- Plugin extraction rejects absolute paths,
..paths, symlinks, hardlinks, unusual archive entries, and unsafe package shapes. - Marketplace/catalog URLs and manifest downloads are treated as untrusted network input.
- Service manifests are bounded by size, depth, field count, path safety, payment quote limits, and reserved output-field checks.
This project is not a hosted wallet, exchange, settlement custodian, refund arbiter, investment product, or legal/financial adviser.
iAgentMart stores runtime data in the extracted app folder or source checkout:
.env.local Local secrets and runtime configuration
.iagentmart-runtime/ Private Node.js runtime downloaded by launchers when needed
plugins/ Installed local plugin packages and copied manifests
prisma/dev.db Local SQLite database
dist/native/ Generated release packages
.next/ Next.js build output
Keep .env.local, wallet data, local databases, generated packages, and runtime folders private. They are ignored by git and should not be published as source.
Before pushing a source release or opening a public repository, run:
npm run typecheck
npm run lint
npm test
npm run build
npm run publish:checknpm run publish:check helps detect local secrets, generated build output, SQLite databases, native packages, runtime folders, and plugin installs that should not be committed.
If the check reports generated files such as .next, dist, tsconfig.tsbuildinfo, release archives, or extracted old package folders, remove or ignore them before publishing source.
Contributions are welcome once the public repository is open.
Please keep changes focused and source-only:
- Do not commit
.env.local, SQLite databases, wallet backups, local runtime folders, plugin installs, generated packages, logs, or caches. - Add or update tests for policy, payment, manifest, plugin-install, and security-sensitive changes.
- Keep manifest handling conservative. Treat all seller and marketplace data as untrusted input.
- Prefer existing local patterns over new abstractions unless the change clearly reduces complexity.
Recommended pull request checks:
npm run typecheck
npm run lint
npm test
npm run buildiAgentMart is released under the GNU General Public License v3.0 only. See LICENSE for the full license text.