Open Standard · v1.1.0

The open standard forAgent Identity

Agent identity, credentials, verification, wallet authority, and skills governance behind one open SDK facade.

Get startedExplore features
>resolve("")
7
SDKs
72
Crates
380K
LOC
12
Primitives

01 — Document

Identity and entity kind.

did:oas — the W3C DID method for autonomous agents.

did-document.json
JSONUTF-8
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
{
"@context": "https://www.w3.org/ns/did/v1",
"id": "did:oas:l1fe:agent:z6MkhaX...doK",
"entityKind": "agent",
"created": "2026-04-09T00:00:00Z",
"verificationMethod": [{
"id": "#key-1",
"type": "Ed25519VerificationKey2020",
"publicKeyMultibase": "z6Mkha...doK"
}],
"authentication": ["#key-1"],
"service": [{
"id": "#agent-api",
"type": "AgentService",
"serviceEndpoint": "https://agent.example"
}],
"proof": {
"type": "AgentLineageProof2025",
"creator": "did:oas:l1fe:hmr:alice",
"derivation": "HKDF-SHA256",
"jws": "eyJhbGciOiJFZERTQSJ9..."
}
}
Ln 0, Col 1Spaces: 2
0/23 linesbuilding

02 — Lineage

The human root.

Every identity chain begins with a verified human. The cryptographic anchor for all downstream trust.

Human Root
Derived Roots
Agents
Entities

03 — Verification

7-step verification pipeline.

Every identity passes through the same rigorous process.

READY
aegis-verify v0.1
RESOLVE

Fetch DID document from resolver

SCHEMA

Validate document structure against spec

SIGNATURE

Verify Ed25519 proof (constant-time)

REVOCATION

Check revocation tree for status

LINEAGE

Walk HKDF derivation chain to human root

LIVENESS

Confirm entity is active and reachable

CONFORMANCE

Assert L0/L1/L2 conformance level

did:oas:l1fe:agent:z6MkhaX...doK0/7 steps

Feature stack

One facade over the full agent identity control plane.

OpenAgent ID is not just a DID method. It is the layer where OAS identity, Arsenal capabilities, AEGIS verification, L1feID records, wallet derivation, skills governance, and conformance meet the app developer.

Facade

OpenAgent SDK

One import for creating agents, authenticating requests, brokering credentials, checking skills policy, and reaching the lower layers when needed.

  • TypeScript and Rust 0.1.0 public facade
  • OpenAgent.createAgent / OpenAgent.authenticate
  • Runtime escape hatches for OAS, Arsenal, and AEGIS
Identity

OAS

The did:oas identity layer: entity kinds, DID documents, local signatures, lineage proofs, and Sigil-backed authority verification.

  • Portable DID and document verification
  • Human, collective, org, agent, tool, skill, model, dataset, and service identities
  • Privileged authority fails closed without finalized Sigil lineage
Verification

AEGIS

The request-time decision layer for signature validity, lineage, revocation, liveness, trust tiers, delegated authority, and policy.

  • Anonymous, identified, and sovereign launch tiers
  • Fresh revocation checks even when verification is cached
  • Policy for rate, time, spend, approval, and trust requirements
Capabilities

Arsenal

The ACT and credential broker layer. Agents receive scoped capability, while raw provider secrets stay inside the broker.

  • Scope grammar: service:resource:action
  • Session-scoped and request-scoped ACTs
  • Credential proxy with audit instead of plaintext API keys in agent memory
Platform Record

L1feID

Stable identity records that map one or more DIDs to a single l1fe_id for accounts, audit, linking, and session bridges.

  • Auto-provision on first verified contact
  • did:oas, did:key, and did:pkh day-one method support
  • Multi-DID link and unlink flow with signature checks
Interop

Auth Protocol

The SDK-free HTTP challenge-response binding that lets any external agent prove key possession with canonical OpenAgent headers.

  • 401 challenge with WWW-Authenticate: OpenAgent
  • JCS challenge signing with Ed25519
  • Session headers with DID, trust tier, token, and expiry
Identity Wallets

Wallet Derivation

DID-rooted wallet derivation for Sigil, Solana, and EVM chains so identity and wallet authority stay connected.

  • DID is the wallet root material
  • HKDF domain separation for EVM keys
  • Rotation and revocation change wallet authority paths
Runtime Policy

Skills Governance

Policy for SKILLS.md surfaces: allow, deny, rate limits, argument schemas, time windows, consent, and audit receipts.

  • Deny unknown skills by default
  • Human approval for sensitive skills
  • BLAKE3 hash-chain audit receipts
Compatibility

Conformance

JSON vectors and runners for challenge, signatures, nonces, trust tiers, sessions, errors, headers, and raw interop.

  • Rust and TypeScript runners
  • SDK-free Ed25519 and HTTP compatibility
  • Launch-required vs future-capable fixtures

The ecosystem

The lower layers stay independent.

OpenAgent ID is the facade. OAS, AEGIS, Arsenal, L1feID, OATS, visual identity, and acoustic transport remain composable libraries for teams that need to reach below the facade.

OAS

Open Agent Specification

W3C DID-based identity framework for autonomous agents. Portable DIDs and lineage claims give every privileged agent action an accountable authority path.

22.7K LOC|10 crates|2 langs

AEGIS

Identity Verification & Authorization

Modular framework for verification, authentication, delegation, and policy enforcement. Plugin-based architecture with FROST threshold signatures.

14.9K LOC|10 crates|1 langs

Arsenal

Agent Key Management & Credential Proxy

Short-lived, scoped Agent Capability Tokens (ACTs) with proof-of-possession binding. Minimizes blast radius with cryptographically-linked audit trails.

58.4K LOC|7 crates|1 langs

OAS Fingerprint

Visual Identity Transport

Particle-based visual encoding of DID identities. Makes DIDs camera-readable with Reed-Solomon error correction and animated particle clouds.

3K LOC|1 pkg|1 langs

OAS Glyph

Deterministic Visual Identicons

Converts did:oas addresses into scannable 12x12 block-grid avatars with embedded identity data. BLAKE3-derived color palettes unique to each DID.

5.1K LOC|3 crates|1 langs

OAS Voice

Acoustic Identity Transport

Transforms identity credentials into modulated audio signals. FSK modulation over audio with encrypted channels and replay protection.

8.2K LOC|2 crates|1 langs

OATS

Open Audit & Trust Standard

Trust scoring and auditing standard for agent lifecycle and behavior. Multi-factor trust evaluation with temporal decay and behavioral modeling.

2.1K LOC|4 crates|1 langs

SDKs

One import. All the layers.

Create OAS identities, authenticate requests, broker Arsenal credentials, require Sigil-backed authority, and gate skills from the current TypeScript and Rust facade.

OAS identity and Sigil-backed lineage
AEGIS verification and revocation checks
Arsenal ACTs and credential proxying
Skills policy with audit-friendly decisions
import { OpenAgent } from '@openagent/sdk';

const agent = await OpenAgent.createAgent({
parent: 'did:oas:l1fe:hmr:alice',
name: 'research-bot',
scopes: ['openai:chat:invoke'],
});
const openai = await agent.credentialsFor('openai');
$npm install github:OpenAgentID/openagent-sdk

Open source

Built as open infrastructure, not a closed identity silo.

The facade is developer-friendly, but the contracts underneath it are inspectable: protocol specs, SDKs, conformance vectors, and independent libraries.

Open standard

OAS identity, OpenAgent auth, Arsenal ACTs, AEGIS results, and conformance vectors are documented as contracts.

Layered by design

Use the OpenAgent facade for app code, then drop into OAS, Arsenal, or AEGIS when you are building infrastructure.

Fail-closed authority

Privileged actions require Sigil-backed lineage. If the authority path cannot be reconstructed, the request is rejected.

Ready to give your agents identity?

Start with one import, then explore the full feature stack behind agent identity, credentials, policy, wallets, and skills.

Get StartedStar on GitHub