Agent identity
Identity is the first stage of the request pipeline. Before any policy decision, before any payment challenge, the gateway must resolve who the agent is and who they represent.
Wallet signatures
Four wallet verifiers ship today. The header carries the scheme; the gateway dispatches.
- EVM EIP-191 (
personal_sign) shipped - EVM EIP-712 typed-data shipped
- ERC-1271 contract wallets shipped
- Solana Ed25519 shipped
The agent attaches the signature scheme and a normalized signed payload. The gateway validates against the wallet's public key and binds the verified identity to the request.
X-AgentTrust-Wallet-Address: 0x<placeholder> X-AgentTrust-Signature-Scheme: eip712 X-AgentTrust-Wallet-Signature: <placeholder>
DID and VC evidence
DID resolution and VC verification provide principal mapping — who the agent acts on behalf of.
- DID resolution:
did:web·did:key·did:pkh·did:ethrshipped - VC profiles: JWT VC shipped, JSON-LD bounded subset bounded, SD-JWT VC bounded
- StatusList2021 revocation shipped
The bounded JSON-LD profile accepts a documented allowlist of contexts; arbitrary JSON-LD is rejected. SD-JWT verification covers the structural shape and KB-JWT freshness; broader profile certifications are roadmap.
Registry evidence
Some agents carry registry evidence (e.g. ERC-8004 hooks) confirming they appear in a manifest the provider trusts. The gateway evaluates registry evidence against a policy DSL.
- Registry evidence + manifest binding shipped
- Policy DSL for registry hooks shipped
Boundaries
- Broader did:ethr coverage is roadmap.
- Broader JSON-LD profile certification is not claimed.
- SD-JWT certified-conformance audit is not claimed.