How We Built Cryptographic Identity for AI Agents with DIDs
When an AI agent sends an email, makes a purchase, or calls an API, the receiving party has a reasonable question: who is this, and should I trust it? Today, most agents authenticate with API keys or OAuth tokens. These prove authorization, not identity. They say “this request is allowed” but not “this is agent X, operated by company Y, with these specific capabilities and constraints.” That distinction matters as agents start interacting with each other, with vendors, and with compliance systems. We built thedid:anima method to solve this.
Why Agents Need Verifiable Identity
There are three forces pushing agents toward cryptographic identity:1. Agent-to-Agent Trust
When agent A contacts agent B to negotiate a contract or request a service, B needs to verify that A is who it claims to be. API keys do not help here — they authenticate a request to a specific service, not an identity across services. DIDs provide a portable, verifiable identity that works across any protocol.2. Compliance and Accountability
Regulators are catching up to agentic systems. SOC 2 auditors want to know which agent performed which action and under whose authority. AML rules require knowing the identity behind financial transactions. A DID ties every action to a verifiable identity with a clear chain of custody.3. Discovery and Interoperability
As the agent ecosystem grows, services need to discover agent capabilities and verify their legitimacy. The combination of DIDs and Agent Cards gives every agent a machine-readable, cryptographically verifiable profile that other systems can query.The did:anima Method
Every agent created on Anima is automatically assigned a DID following the W3C Decentralized Identifiers specification:
Key Design Decisions
Ed25519 keys: We use Ed25519 for signing because it is fast, produces compact signatures, and is widely supported across platforms. Each agent gets a dedicated key pair at creation time. Service endpoints: The DID Document lists every communication channel the agent supports — email, A2A protocol, webhook URLs. Another agent or service can resolve the DID and know exactly how to reach this agent. Automatic provisioning: You do not need to manage keys or DID documents manually. Creating an agent automatically provisions the DID, generates keys, and publishes the document.Resolving and Verifying DIDs
Any system can resolve an Anima DID to get the agent’s public identity:W3C Verifiable Credentials
DIDs establish identity. Verifiable Credentials (VCs) establish attributes of that identity. Anima issues VCs that attest to specific facts about an agent:- The agent’s identity (via DID resolution)
- That the agent belongs to a specific organization
- What capabilities the agent has
Agent Cards: Discovery via .well-known
The final piece is discoverability. Every Anima agent can publish an Agent Card at a well-known URL:
Agent Registry
For agents that want to be discoverable beyond their own domain, Anima runs an Agent Registry. Think of it as DNS for agents — register your agent, and other agents can find it by capability, organization, or DID:Putting It All Together
Here is the flow when Agent A wants to interact with Agent B: Every step is verifiable. Every identity is cryptographic. No shared secrets. No API key exchange. Just DIDs, credentials, and open protocols.What This Enables
- Zero-trust agent networks: Agents verify each other’s identity before every interaction
- Compliance reporting: Every action is tied to a verifiable identity with a clear audit trail
- Cross-platform portability: A
did:animaidentifier works everywhere, not just on Anima - Selective disclosure: Agents can present specific credentials without revealing their full identity
- Revocation: If an agent is compromised, its DID and credentials can be revoked instantly
