Identity for
AI Agents

Every AI agent gets a W3C-compatible DID, a signed identity document with Ed25519 keys, and a scope system validated against provider manifests.

$ pip install agentity-sdk-python

View on GitHubQuick Start
from agentity_sdk import AgentKeyPair

kp = AgentKeyPair()
aid = kp.create_identity(
    owner_did="did:agentity:human:alice",
    scopes=["payments:read"],
)

# DID: did:agentity:agent:7Xj3mK...

The Problem

Agents have no identity

AI agents calling APIs today cannot prove who controls them, what they are allowed to do, or who is responsible for their actions. OAuth2, JWT, and API keys were designed for humans and static apps — not for autonomous, ephemeral software entities.

The Solution

Three questions

  • 01

    Who are you?

    Verifiable identity via Ed25519 key + self-signed DID

  • 02

    What can you do?

    Scopes validated against provider manifests

  • 03

    Who is responsible?

    Delegation chain rooted in a human via OIDC

How It Works

Three steps

01

Create Identity

Generate an Ed25519 keypair, create a self-signed Agent Identity Document (AID)

kp = AgentKeyPair()
aid = kp.create_identity(
    "human:alice",
    ["payments:read"]
)

02

Sign Requests

Every HTTP request carries the AID, a nonce, a timestamp, and an Ed25519 signature

signer = RequestSigner(kp, aid)
headers = signer.sign_request(
    "GET", "/api/v1/payments"
)

03

Verify

The server verifies signature, checks anti-replay, validates scopes, and confirms via Registry

verifier = RequestVerifier()
aid = verifier.verify_request(
    headers, "GET",
    "/api/v1/payments"
)

Security

Built-in protections

OIDC Auth

Google, GitHub, Apple, Microsoft login — verified owner_did

Rate Limiting

Redis-based per-DID rate limiting with configurable windows

Key Rotation

version+1, previousAid link, TTL-based expiration

Signed Audit Log

HMAC-SHA256 on every entry, verifiable via API

Anti-Replay

UUID nonce + 5 min timestamp window

Delegation Chain

Max 10 levels, child ⊆ parent scopes, cascade revocation

Packages

13 packages, 3 languages

Monorepo with Rust core, Python and TypeScript SDKs, middleware for FastAPI and Express, CLI tool, protocol plugins, dashboard, and EVM bridge.

agentity-core

Rust·library

Ed25519 keys, DID, AID, scope matching

agentity-sdk-python

Python·library·PyPI

AgentKeyPair, RequestSigner, LangChain, rotation

agentity-sdk-ts

TypeScript·library·npm

Full parity SDK for Node.js/Next.js

agentity-registry

Python·service·PyPI

FastAPI: register, lookup, revoke, audit, WS

agentity-auth

Python·plugin·PyPI

OIDC: Google, GitHub, Apple, Microsoft

agentity-cli

Python·cli·PyPI

create, inspect, verify, sign, manifest

agentity-middleware-python

Python·middleware·PyPI

FastAPI automatic token verification

agentity-middleware-express

TS·middleware·npm

Express automatic token verification

agentity-mcp

Python·plugin·PyPI

MCP Anthropic protocol plugin

agentity-a2a

Python·plugin·PyPI

A2A Google agent-to-agent protocol

agentity-inspector

TypeScript·ui

Next.js dashboard with WS live revocations

agentity-manifest-gen

TypeScript·cli·npm

Provider manifest JSON generator

agentity-evm

Python+Sol·bridge

EVM cross-registry DID bridge

Quick Start

Install in seconds

Python

pip install agentity-sdk-python agentity-registry agentity-auth agentity-cli agentity-middleware-python agentity-mcp agentity-a2a

TypeScript

pnpm add @agentity/sdk

CLI

python -m agentity_cli create --owner "did:agentity:human:alice" --scope "api:read" --output agent.json

Docker

docker compose up -d

Registry API

Self-hostable

The registry is a FastAPI server that tracks agent lifecycle — registration, status, revocation, audit. Run it in-memory for development or with PostgreSQL + Redis via Docker Compose.

MethodPathDescription
GET/healthHealth check + auth status
GET/auth/login/{provider}OIDC login (google, github)
POST/registerRegister an AID
GET/did/{did}Get AID document
GET/did/{did}/statusGet AID status
POST/revokeRevoke an AID (cascade)
GET/audit/{did}Signed audit log
WS/wsReal-time revocation events

Documentation

Guides & reference

Getting Started

Install, create identity, sign requests, verify

Architecture

Four-layer design, request flow, package roles

Security

Key rotation, anti-replay, delegation, OIDC, threat model

Registry API

All REST endpoints, WebSocket, rate limiting

CLI Reference

create, inspect, verify, sign, manifest commands

Deployment

Docker Compose, env vars, production config

Development

Build/test/lint all 3 languages, CI/CD

Protocol Spec

RFC: DID method, AID schema, verification rules

Browse all documentation