@solidus-network/agent-identity
v0.1.1
Published
Portable, verifiable, revocable identity for AI agents — did:solidus DIDs (W3C DID Method Registry: submitted, under review), BBS+ selective-disclosure credentials, and ERC-8004 passport anchoring. Testnet-grade; external audit pending.
Maintainers
Readme
@solidus-network/agent-identity
Portable, verifiable, revocable identity for AI agents:
- a
did:solidusDID scoped to the agent (not the operator), - an ERC-8004 Identity Registry passport (ERC-721) anchored to that DID on an L2,
- BBS+ selective-disclosure credentials (owner-binding, capability-scope, spend-mandate),
- offline hot-path verification via the sibling
@solidus-network/agent-identity-verifypackage.
Solidus integrates ERC-8004 (an open EIP backed by MetaMask, Google, Coinbase, OriginTrail and the EF) — Solidus is the credential issuer behind the passport, not the passport standard. Operator KYC is inherited from verify.solidus.network; this SDK consumes it, it never performs KYC.
Status — read this first
- Solidus L1 is testnet-only. DIDs resolve as
did:solidus:testnet:<addr>. There is no mainnet. The testnet resets daily — DIDs and credentials created on it are wiped at the next reset, so treat everything below as a live sandbox, not durable storage. - The hosted issuance backend (
agents.solidus.network) is not yet publicly deployed. The client methods that talk to it (registerOperator,createAgent,issueCredential,createMandate,exportAgentKey) will not connect yet — see What works today for everything that already runs against public endpoints, including creating an agent DID directly on the testnet. did:solidusis submitted to the W3C DID Method Registry and under review — not yet registered.- BBS+ signing is testnet-grade. External audit pending (NLnet NGI Zero, H2 2026 target). Do not protect production-grade value with it yet.
- ERC-8004 anchoring targets Base Sepolia during development. No passport has been anchored yet — that path goes live with the hosted backend.
Install
npm i @solidus-network/agent-identityWhat works today (no backend)
Everything in this section runs right now, against public endpoints only.
Resolve any did:solidus DID
import { createAgentIdentity } from '@solidus-network/agent-identity'
const solidus = createAgentIdentity({ baseUrl: 'https://agents.solidus.network' })
const doc = await solidus.resolveDid('did:solidus:testnet:<addr>')
// → { id, controller, active } | nullOr from any machine with nothing but curl:
curl -s -X POST https://rpc.solidus.network \
-H 'content-type: application/json' \
-d '{"jsonrpc":"2.0","id":1,"method":"solidus_didResolve","params":["did:solidus:testnet:<addr>"]}'Create an agent DID directly on the testnet (fee-exempt)
Until the hosted backend is live, create the DID with @solidus-network/sdk. Install it and the key library explicitly (both are dependencies of this package, but package managers with isolated node_modules — pnpm, Yarn PnP — won't let you import transitive dependencies). Pin @noble/ed25519 to v2 — the example uses the v2 API, which is what these packages ship with; v3 renamed it:
npm i @solidus-network/sdk @noble/ed25519@2DidCreate is fee-exempt on the Solidus testnet for a fresh key — no funding, no faucet:
import * as ed from '@noble/ed25519'
import { createSdk } from '@solidus-network/sdk'
const priv = Buffer.from(ed.utils.randomPrivateKey()).toString('hex')
const pub = Buffer.from(await ed.getPublicKeyAsync(priv)).toString('hex')
const sdk = createSdk({ mode: 'testnet', rpcUrl: 'https://rpc.solidus.network', signerPrivateKey: priv })
const did = await sdk.did.create(pub) // → { id: 'did:solidus:testnet:…', … }
const doc = await sdk.did.resolve(did.id) // full W3C DID document
await sdk.did.deactivate(did.id, priv) // revocable — resolves to null afterwards(Keep the private key: deactivation requires the signer. On sdk 0.6.1+, an immediate deactivate after create retries a stale-nonce failure automatically; on 0.6.0, if it fails with invalid nonce, retry after a couple of seconds.)
Verify credentials offline
Selective-disclosure proof verification runs entirely offline — see @solidus-network/agent-identity-verify for the gateway/middleware verifier, and this package's deriveCredentialProof and buildAgentAuthHeader / buildMandateHeader exports for the holder side.
Quickstart — hosted backend (not yet publicly deployed)
Once agents.solidus.network is live, the full flow is:
import { createAgentIdentity } from '@solidus-network/agent-identity'
const solidus = createAgentIdentity({ baseUrl: 'https://agents.solidus.network' })
// One-time: register as an operator. Agent creation requires a KYC
// credential ref from verify.solidus.network (assurance inherited, not re-run).
await solidus.registerOperator({
kyc: { credentialRef: 'urn:solidus:credential:…', assuranceLevel: 'substantial' },
})
const agent = await solidus.createAgent({ capabilities: ['browse'] })
// → { did: 'did:solidus:testnet:…', status: 'active', custody: 'managed', … }Key custody
managed(default) — the backend mints a fresh Ed25519 keypair for the agent and escrows it encrypted. Export it any time:const { privateKey } = await solidus.exportAgentKey(agent.id)byo— you hold the key. The DidCreate transaction is built and signed locally; only the signed transaction is relayed. The chain enforces that the transaction signer owns the registered key, so the backend physically cannot register a key it doesn't hold:const agent = await solidus.createAgent({ custody: 'byo', signerPrivateKey })
Trust boundary
This package is open source end-to-end and holds no issuer keys. Credential signing (BBS+ issuer, did:solidus issuer, ERC-8004 relayer) happens only in the Solidus backend — trust in a credential is trust in the issuer key, not in this code.
License
Apache-2.0
