Agent Identity: 3 Ways AI Agents Verify Who They Are
TL;DR: Agent identity is cryptographic proof that an AI agent is who it claims to be. iClawd uses W3C DIDs with Ed25519 keys. Portable, self-sovereign, free.
Agent identity is cryptographic proof that an AI agent is who it claims to be. Unlike API keys, a decentralized identifier (DID) is portable, self-sovereign, and verifiable across any platform. No central authority required.
The W3C DID specification defines decentralized identifiers for verifiable, self-sovereign digital identity. iClawd Email implements this standard with Ed25519 key pairs, giving each AI agent a portable identity at did:web:iclawd.email that any platform can verify without contacting iClawd. Microsoft's agent identity framework confirms that agent identities are becoming core infrastructure for multi-agent systems.
Why do AI agents need identity?
How does an agent trust a message from another agent it has never met? It can't. Multi-agent systems break down without verifiable identity. An agent receiving a message has no way to confirm the sender is who it claims to be.
Research from Zylos AI identifies agent identity, discovery, and trust as the 3 foundational layers of the agent ecosystem. As agents move beyond single-platform tasks into cross-platform work (sending emails, signing contracts, calling APIs), they need proof of identity that works everywhere. API keys and OAuth tokens are platform-specific. They prove an agent can access a service, not that the agent itself has a stable, verifiable identity. That distinction matters when agents interact across organizational boundaries.
How does iClawd agent identity work?
iClawd assigns each agent a W3C Decentralized Identifier (DID) using the did:web method, backed by Ed25519 cryptographic key pairs. The agent's public key lives in a DID Document at a well-known URL.
When an agent registers with iClawd, it generates an Ed25519 key pair: a 32-byte public key and a corresponding private key. The public key is encoded in multibase format (z-prefix, base58btc) following the Ed25519VerificationKey2020 suite. The resulting DID looks like this:
iClawd serves the DID Document as JSON at the corresponding URL path. It contains the public key, authentication and assertion methods, and a self-signed proof that the agent controls the key. Any party can fetch this document and verify signatures the agent creates.
The 3 verification methods
1. DID Document Resolution
A verifier fetches the agent's DID Document from https://iclawd.email/api/agents/{name}/did.json. The document contains the agent's public key, proving the identity exists and is registered.
2. Cryptographic Signature Verification
The agent signs data with its Ed25519 private key (JWS compact serialization). The verifier checks the signature against the public key from the DID Document. A valid signature proves the data came from that specific agent.
3. Self-Signed Proof of Control
Each DID Document includes a self-signed proof. The agent signs its own DID Document at registration time, proving it controls the private key that matches the published public key.
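The first two checks above combined into one verifier, as an added example that is not iClawd's own code: it decodes `publicKeyMultibase` (multicodec prefix 0xed 0x01, per the Ed25519VerificationKey2020 suite), pins the JWS algorithm to EdDSA, and requires the signing key to be listed under `assertionMethod`. The placeholder DID, the use of the `kid` header to name the verification method, and the sample document are assumptions constructed for the example; the DID Document is passed in already fetched.

```javascript
const crypto = require('node:crypto');
const B58 = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
// Minimal base58btc codec; valid inputs here start with 0xed, so leading zero bytes are not handled.
function b58encode(buf) {
  let out = '';
  for (let n = BigInt('0x' + buf.toString('hex')); n > 0n; n /= 58n) out = B58[Number(n % 58n)] + out;
  return out;
}
function b58decode(str) {
  let n = 0n;
  for (const c of str) {
    if (!B58.includes(c)) throw new Error('invalid base58btc character');
    n = n * 58n + BigInt(B58.indexOf(c));
  }
  const hex = n.toString(16);
  return Buffer.from(hex.length % 2 ? '0' + hex : hex, 'hex');
}
// publicKeyMultibase = 'z' + base58btc(0xed 0x01 || 32-byte raw Ed25519 public key)
function keyFromMultibase(mb) {
  if (typeof mb !== 'string' || mb[0] !== 'z') throw new Error('expected base58btc multibase');
  const raw = b58decode(mb.slice(1));
  if (raw.length !== 34 || raw[0] !== 0xed || raw[1] !== 0x01) throw new Error('not an Ed25519 key');
  const jwk = { kty: 'OKP', crv: 'Ed25519', x: raw.subarray(2).toString('base64url') };
  return crypto.createPublicKey({ key: jwk, format: 'jwk' });
}
// Verifies a compact JWS against an already-fetched DID Document; returns the payload or throws.
function verifyAgentJws(jws, didDoc) {
  const [h, p, s, extra] = jws.split('.');
  if (!h || !p || s === undefined || extra !== undefined) throw new Error('not a compact JWS');
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  if (header.alg !== 'EdDSA') throw new Error('unexpected alg'); // rejects "none" and other algs
  const vm = didDoc.verificationMethod.find(m => m.id === header.kid && m.controller === didDoc.id);
  if (!vm || !didDoc.assertionMethod.includes(vm.id)) throw new Error('key not authorized');
  const key = keyFromMultibase(vm.publicKeyMultibase);
  const valid = crypto.verify(null, Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'));
  if (!valid) throw new Error('bad signature');
  return JSON.parse(Buffer.from(p, 'base64url').toString());
}
function makeSample() { // constructed sample: throwaway key pair, placeholder DID, signed JWS
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const raw = Buffer.from(publicKey.export({ format: 'jwk' }).x, 'base64url');
  const id = 'did:web:example.invalid:agents:demo';
  const vm = { id: `${id}#key-1`, type: 'Ed25519VerificationKey2020', controller: id,
    publicKeyMultibase: 'z' + b58encode(Buffer.concat([Buffer.from([0xed, 0x01]), raw])) };
  const didDoc = { id, verificationMethod: [vm], authentication: [vm.id], assertionMethod: [vm.id] };
  const b64 = obj => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const input = `${b64({ alg: 'EdDSA', kid: vm.id })}.${b64({ msg: 'hello' })}`;
  const jws = `${input}.${crypto.sign(null, Buffer.from(input), privateKey).toString('base64url')}`;
  return { didDoc, jws };
}
```

With did:web the DID Document arrives over HTTPS from the hosting domain, so a passing check is only as trustworthy as that domain's DNS and TLS.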
How does agent identity compare to API keys and OAuth?
These three solve different problems. API keys grant access to one service. OAuth delegates permissions from a user. A DID proves that an agent is a specific entity, portable across any platform.
| Feature | W3C DID (iClawd) | API Key | OAuth Token |
|---|---|---|---|
| Portable across platforms | Yes, works anywhere | No, issuer-specific | No, provider-specific |
| Self-sovereign | Yes, agent controls keys | No, service controls | No, user delegates |
| Cryptographic verification | Ed25519 signatures | Shared secret only | JWT signatures (some) |
| Works offline | Yes, verify with cached key | No, requires API call | No, requires token exchange |
| Standard | W3C DID Core | No standard | RFC 6749 |
| Revocable by issuer | No, agent-controlled | Yes, anytime | Yes, anytime |
What can an agent do with a DID?
A DID-equipped agent proves its identity wherever trust matters: signing outbound emails, authenticating API requests, or verifying itself to other agents.
Sign outbound emails
iClawd DKIM-signs every outbound email. With a DID, the agent also attaches a cryptographic signature proving the message came from a specific agent identity.
Agent-to-agent trust
When two agents communicate, each verifies the other's DID Document. This establishes mutual trust without a shared platform or central authority.
Cross-platform authentication
An agent's DID works on any platform that supports did:web resolution. No iClawd account needed. Fetch the DID Document and verify.
Transparency log
iClawd maintains a transparency log of all DID operations. Key rotations, document updates, and verification events are recorded for auditability.
Frequently asked questions
What is agent identity?
Agent identity is cryptographic proof that an AI agent is who it claims to be. It uses a W3C Decentralized Identifier (DID) with Ed25519 key pairs, letting any party verify the agent without contacting a central authority.
How is agent identity different from an API key?
API keys authenticate access to a single service. They only work with the platform that issued them. A DID-based identity is self-sovereign: the agent controls its own keys, and the identity works across any platform that supports the W3C DID standard.
Does iClawd Email support W3C DIDs?
Yes. Every iClawd agent can generate an Ed25519 key pair and register a DID at did:web:iclawd.email. The DID Document is publicly accessible, and the agent signs data with its private key to prove identity to any verifier.
Can an agent use its DID outside of iClawd?
Yes. The W3C DID specification defines decentralized identifiers as portable across platforms. Any system that resolves did:web URIs can verify an iClawd agent's identity without needing an iClawd account.
What cryptographic algorithm does iClawd use for agent identity?
iClawd uses Ed25519, a modern elliptic-curve signature scheme that produces 64-byte signatures with 128-bit security. Public keys are encoded in multibase format (z-prefix, base58btc) following the Ed25519VerificationKey2020 suite.
Is agent identity required to use iClawd Email?
No. DID identity is optional. Agents can send and receive email without registering a DID. Identity becomes valuable when an agent needs to prove its authenticity to other agents or external systems.
Give your agent a verified identity
Create a free iClawd account, download the agent skill, and your agent gets a W3C DID in minutes.
Last updated: March 2026 · Built by Badr · iClawd Email · Agent Inbox