DIDs & Verifiable Credentials
Agent-Pass leverages W3C Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs) to provide cryptographically secure identity management for AI agents and human controllers.
Decentralized Identifiers (DIDs)
W3C Standard: Agent-Pass implements the W3C DID specification, ensuring interoperability with other decentralized identity systems.
Agent Identity
Each AI agent gets its own unique DID and cryptographic key pair
Agent DID Creation
const agentPass = new AgentPass();
// Create unique agent identity
const agent = await agentPass.createAgentIdentity({
  alias: 'email-assistant',
  keyType: 'Ed25519'
});
console.log(agent.did);
// Output: did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK
console.log(agent.keyId);
// Output: z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK
- Globally unique identifier
- Self-sovereign ownership
- Cryptographically verifiable
Controller Identity
Human users who delegate authority to agents through credentials
Controller DID Creation
// Create human controller identity
const controller = await agentPass.createControllerIdentity({
  alias: 'human-user',
  keyType: 'Ed25519'
});
console.log(controller.did);
// Output: did:key:z6MkpTHR8VNsBxYAAWHut2Geadd9jSwuBV8xRoAnwWsdvktH
// Resolve DID document
const didDocument = await agentPass.resolveDID(controller.did);
console.log(didDocument.verificationMethod);
- Authority delegation capability
- Credential issuance rights
- Revocation authority
Supported DID Methods
✅ did:key (Current)
Cryptographic key-based DIDs for local development and testing
- Self-contained in the DID
- No external dependencies
- Perfect for development
- Ed25519 key support
⚠️ did:web (Planned)
Web-based DIDs for production deployments
- Domain-based verification
- Production scalability
- HTTPS DID documents
- Enterprise integration
🔬 did:ion (Research)
Bitcoin blockchain-anchored DIDs for maximum decentralization
- Bitcoin-anchored security
- Maximum decentralization
- Long-term permanence
- Microsoft ION network
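A did:key identifier is "self-contained" because the public key is encoded in the identifier itself, so resolving it is pure decoding with no network lookup. The following added example (not Agent-Pass code; the function names are hypothetical) recovers the raw Ed25519 public key from the agent DID shown earlier on this page:

```javascript
// Added example: decode a did:key identifier into its raw Ed25519 public key.
const B58 = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';

function base58Decode(text) {
  let n = 0n;
  for (const ch of text) {
    const digit = B58.indexOf(ch);
    if (digit < 0) throw new Error(`invalid base58 character: ${ch}`);
    n = n * 58n + BigInt(digit);
  }
  const bytes = [];
  while (n > 0n) {
    bytes.unshift(Number(n & 0xffn));
    n >>= 8n;
  }
  // Each leading '1' encodes one leading zero byte.
  for (const ch of text) {
    if (ch !== '1') break;
    bytes.unshift(0);
  }
  return Uint8Array.from(bytes);
}

function ed25519KeyFromDidKey(did) {
  const parts = did.split(':');
  if (parts.length !== 3 || parts[0] !== 'did' || parts[1] !== 'key') {
    throw new Error('not a did:key identifier');
  }
  const id = parts[2];
  // 'z' is the multibase prefix for base58btc.
  if (!id.startsWith('z')) throw new Error('expected base58btc multibase encoding');
  const decoded = base58Decode(id.slice(1));
  // The multicodec varint 0xed 0x01 marks an Ed25519 public key.
  if (decoded[0] !== 0xed || decoded[1] !== 0x01) {
    throw new Error('key type is not Ed25519');
  }
  const key = decoded.slice(2);
  if (key.length !== 32) throw new Error('Ed25519 public keys are 32 bytes');
  return key;
}

const toHex = (bytes) => Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');

// The agent DID printed in the "Agent DID Creation" snippet on this page.
const agentKey = ed25519KeyFromDidKey('did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK');
console.log(toHex(agentKey));
```

Because the identifier is derived from the key, a did:key cannot rotate its key without becoming a different DID.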
Agent Capability Credentials
Agent-Pass uses a specialized type of Verifiable Credential called an Agent Capability Credential (ACC) to represent delegated authority from a controller to an agent.
Credential Structure
Standard W3C Verifiable Credential format with an Agent-Pass-specific schema
Agent Capability Credential
const credential = await agentPass.createAgentCapabilityCredential(
  controller,
  agent,
  {
    scope: [
      'read:emails',
      'send:emails',
      'manage:calendar'
    ],
    constraints: {
      maxEmailsPerDay: 100,
      allowedDomains: ['example.com', 'company.org'],
      timeWindow: {
        start: '09:00',
        end: '17:00'
      },
      spendingLimit: '$1000'
    },
    expirationDate: new Date('2024-12-31')
  }
);
// Credential structure (simplified)
{
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://agent-pass.org/contexts/v1"
  ],
  "type": ["VerifiableCredential", "AgentCapabilityCredential"],
  "issuer": "did:key:z6MkpTHR8VNsBxYAAWHut2Geadd9jSwuBV8xRoAnwWsdvktH",
  "issuanceDate": "2024-01-15T10:00:00Z",
  "expirationDate": "2024-12-31T23:59:59Z",
  "credentialSubject": {
    "id": "did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK",
    "scope": ["read:emails", "send:emails", "manage:calendar"],
    "constraints": {
      "maxEmailsPerDay": 100,
      "allowedDomains": ["example.com", "company.org"]
    }
  },
  "proof": {
    "type": "Ed25519Signature2020",
    "created": "2024-01-15T10:00:00Z",
    "proofPurpose": "assertionMethod",
    "verificationMethod": "did:key:z6MkpTHR8VNsBxYAAWHut2Geadd9jSwuBV8xRoAnwWsdvktH",
    "jws": "eyJhbGciOiJFZERTQSJ9..."
  }
}
Credential Verification
Cryptographic Verification
Validates the mathematical proof and signature integrity
Signature Verification
const verification = await agentPass.verifyAgentCapabilityCredential(
  credential
);
if (verification.verified) {
  console.log('✅ Credential is cryptographically valid');
  console.log('Issuer:', verification.controllerDid);
  console.log('Subject:', verification.agentDid);
  console.log('Scope:', verification.scope);
  console.log('Expires:', new Date(verification.expiresAt));
} else {
  console.error('❌ Verification failed:', verification.error);
}
- Ed25519 signature validation
- DID resolution and key verification
- Credential structure validation
Contextual Validation
Checks business logic, constraints, and usage policies
Permission Checking
// Check if credential allows specific action
const canSendEmails = await agentPass.checkPermission(
credential,
'send:emails',
{
domain: 'example.com',
timestamp: new Date(),
amount: 50 // emails to send
}
);
if (canSendEmails) {
console.log('✅ Agent authorized to send emails');
} else {
console.log('❌ Action not permitted by credential');
}Scope-based authorization
Constraint enforcement
Expiration checking
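To make the three contextual checks concrete, here is an added example of a deny-by-default evaluator over the credential fields shown on this page. It is a hypothetical helper, not the Agent-Pass `checkPermission` implementation; `evaluate`, the `sentToday` counter supplied by the caller, and the sample credential are assumptions.

```javascript
// Added example: hypothetical deny-by-default evaluator, not Agent-Pass's checkPermission.
function localMinutes(date, timeZone) {
  // Wall-clock minutes since midnight in the credential's timezone.
  const parts = new Intl.DateTimeFormat('en-US', {
    timeZone, hour: '2-digit', minute: '2-digit', hourCycle: 'h23',
  }).formatToParts(date);
  const get = (type) => Number(parts.find((p) => p.type === type).value);
  return get('hour') * 60 + get('minute');
}

function toMinutes(hhmm) {
  const [h, m] = hhmm.split(':').map(Number);
  return h * 60 + m;
}

function evaluate(credential, action, ctx) {
  const deny = (reason) => ({ allowed: false, reason });
  const { scope = [], constraints = {} } = credential.credentialSubject;
  // Negated comparisons: a missing or invalid value yields NaN and is denied.
  if (!(ctx.timestamp < new Date(credential.expirationDate))) return deny('expired');
  if (!scope.includes(action)) return deny('scope');
  const { allowedDomains, timeWindow, timezone = 'UTC', maxEmailsPerDay } = constraints;
  // Exact match only; a suffix test would also accept "notexample.com".
  if (allowedDomains && !allowedDomains.includes(String(ctx.domain).toLowerCase())) {
    return deny('domain');
  }
  if (timeWindow) {
    const now = localMinutes(ctx.timestamp, timezone);
    if (!(now >= toMinutes(timeWindow.start) && now < toMinutes(timeWindow.end))) {
      return deny('timeWindow');
    }
  }
  if (maxEmailsPerDay !== undefined && !(ctx.sentToday + ctx.amount <= maxEmailsPerDay)) {
    return deny('rate');
  }
  return { allowed: true, reason: 'ok' };
}

// Constructed sample, using the field names shown on this page.
const sampleCredential = {
  expirationDate: '2024-12-31T23:59:59Z',
  credentialSubject: {
    scope: ['read:emails', 'send:emails', 'manage:calendar'],
    constraints: {
      maxEmailsPerDay: 100,
      allowedDomains: ['example.com', 'company.org'],
      timeWindow: { start: '09:00', end: '17:00' },
      timezone: 'America/New_York',
    },
  },
};
```

A request at 12:30 UTC falls inside 09:00-17:00 if the window is read as UTC but outside it in America/New_York, which is why the evaluator converts the timestamp before comparing.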
Supported Constraint Types
Rate Limiting
constraints: {
  maxEmailsPerDay: 100,
  maxApiCallsPerHour: 1000,
  maxTransactionsPerWeek: 5
}
Domain Restrictions
constraints: {
  allowedDomains: [
    'company.com',
    'client.org'
  ],
  blockedDomains: [
    'spam.com'
  ]
}
Time Windows
constraints: {
  timeWindow: {
    start: '09:00',
    end: '17:00'
  },
  timezone: 'America/New_York'
}
Spending Limits
constraints: {
  spendingLimit: '$1000',
  currency: 'USD',
  period: 'monthly'
}
IP Restrictions
constraints: {
  ipWhitelist: [
    '192.168.1.0/24',
    '10.0.0.100'
  ]
}
Custom Constraints
constraints: {
  customPolicy: {
    name: 'enterprise-rules',
    version: '1.0',
    data: {...}
  }
}
Best Practices
Security Guidelines
- Use short expiration times for high-privilege credentials
- Implement least-privilege principle in scope definitions
- Always verify credentials before granting access
- Log all credential issuance and verification events
Performance Tips
- Cache verification results when appropriate
- Reuse AgentPass instances for better performance
- Validate constraints before expensive operations
- Use appropriate clock skew tolerance settings
