Identity

<p align="center"> <a href="https://agntcy.org"> <picture> <source media="(prefers-color-scheme: dark)" srcset="img/_logo-Agntcy_White@2x.png" width="300"> <img alt="" src="img/_logo-Agntcy_FullColor@2x.png" width="300"> </picture> </a> <br /> <caption>Welcome to the <b>Identity</b> repository</caption> </p>

---

AGNTCY Identity provides a secure and verifiable method to uniquely identify agents through open and decentralized techniques. Each agent is assigned a universally unique identifier, backed by verifiable credentials (VCs). AGNTCY Identity enables to bring your own identity using conventions like IDs assigned by Identity Providers (e.g., Okta) or Agent Cards (e.g., Google’s A2A), or be assigned an ID following standards (e.g., W3C DIDs). This component ensures that every agent in the AGNTCY ecosystem has a verifiable, universally unique identity, enabling secure authentication, trusted communication, and interoperability across diverse multi-agent systems, regardless of the identity assignment method.

<p align="center"> <picture> <source media="(prefers-color-scheme: dark)" srcset="img/agent-badge-dark.png" width="100%"> <img alt="" src="img/agent-badge-light.png" width="100%"> </picture> </p>

• The ID is linked to a ResolverMetadata object for secure and automated verification.
• The ID can be linked to one or more Agent Badges. Why? Multiple badges can provide nuanced, task-specific access to different systems without over-privileging the agent. Agent Badges contain Verifiable Credentials (VCs), which include:
  • The Agent's ID
  • Schema definition (e.g., OASF)
  • Metadata for authentication and other security needs.

[!NOTE] This same structure applies to MCP Servers and MASs, ensuring consistency across all identity-bearing entities in the IoA.

📚 Table of Contents

• 🚀 Architecting Agentic Trust
• 🌟 Features & Main Components
• ⚡️ Get Started in 5 Minutes
• 📜 See the core commands of the CLI
• 🧪 Run the Demo

You can also:

• 📖 See the full CLI and Node docs
• 📦 Check-out the Sample Agents and MCP servers
• 📘 Explore our full Documentation to understand our platform's capabilities
• 📝 Dive into our API Specs for detailed API documentation

🚀 Architecting Agentic Trust

• Core Principle: Trust is foundational for the Internet of Agents.
• Identity as the Root: AGNTCY Identity ensures Agents and Tools (MCP Servers) are verifiably authentic.
• Flexible & Interoperable: BYOID (Bring Your Own ID), integrates with existing Identity Providers (IdPs).

Secure and reliable communication between software agents is a cornerstone of the Internet of Agents (IoA) vision. Without proper identity management, malicious or unverified agents can infiltrate Multi-Agent Systems (MASs), leading to misinformation, fraud, or security breaches. To mitigate these risks, the AGNTCY provides a standardized and consistent framework for authenticating agents and validating associated metadata. This applies equally to:

• Agents
• Model Context Protocol (MCP) Servers
• MASs (Multi-Agent Systems)

[!TIP] This repository includes an AI Agent and MCP Server to showcase the AGNTCY Identity components in action!

🌟 Features & Main Components

Features

• Identity creation: Generate unique, verifiable identities for agents and MCP servers.
• Existing identity onboarding: Integrate identities from external IdPs.
• Badges creation & verification: Authenticate agents and MCP servers and validate metadata.

Main Components

• Issuer CLI: Manage identities, vaults and credentials via command-line interface.
• Node Backend: Backend server for identity management and metadata.

⚡️ Get Started in 5 Minutes

This short guide allows you to setup the Identity Issuer CLI as well as the Identity Node Backend. The Issuer CLI allows to generate, register, search for, and verify badges for Agents and MCP Servers. The CLI includes a library enabling storage and retrieval of the keys required to sign the badges, both on local storage or using a 3rd party wallet or vault. The Node Backend comprises the APIs and the backend core. It stores, maintains, and binds org:sub-org IDs, PubKeys, Subject IDs and metadata, including badges, ResolverMetadata and Verifiable Credentials (VCs).

Prerequisites

To run these steps successfully, you need to have the following installed:

• Docker Desktop, or have both: Docker Engine v27 or higher and Docker Compose v2.35 or higher

Step 1: Install the Issuer CLI

Use the following command to install the Issuer CLI:

using curl:

sh -c "$(curl -sSL https://raw.githubusercontent.com/agntcy/identity/refs/heads/main/deployments/scripts/identity/install_issuer.sh)"

or using wget:

sh -c "$(wget -qO- https://raw.githubusercontent.com/agntcy/identity/refs/heads/main/deployments/scripts/identity/install_issuer.sh)"

[!NOTE] You can also download the Issuer CLI binary corresponding to your platform from the latest releases.

On some platforms you might need to add execution permissions and/or approve the binary in System Security Settings.

For easier use, consider moving the binary to your $PATH or to the /usr/local/bin folder.

If you have Golang set up locally, you could also use the go install command:

go install github.com/agntcy/identity/cmd/issuer@latest && \
  ln -s $(go env GOPATH)/bin/issuer $(go env GOPATH)/bin/identity

Step 2: Start the Node Backend with Docker

1. Clone the repository and navigate to the identity directory:

   git clone https://github.com/agntcy/identity.git && cd identity
   

2. Start the Node Backend with Docker:

   ./deployments/scripts/identity/launch_node.sh
   

   Or use make if available locally:

   make start_node
   

[!NOTE] You can also install the Node Backend using our helm chart, for which instructions are available in the chart's directory.

Step 3: Verify the Installation

You can verify the installation by running the command below to see the different commands available:

identity -h

📜 Core commands to use the CLI

Here are the core commands you can use with the CLI

• vault: Manage cryptographic vaults and keys
• issuer: Register and manage issuer configurations
• metadata: Generate and manage metadata for identities
• badge: Issue and publish badges for identities
• verify: Verify identity badges
• config: Display the current configuration context

🧪 Run the demo

This demo scenario will allow you to see how to use the AGNTCY Identity components can be used in a real environment. You will be able to perform the following:

• Register as an Issuer
• Generate metadata for an MCP Server
• Issue and publish a badge for the MCP Server
• Verify the published badge

Prerequisites

First, follow the steps in the Get Started in 5 minutes section above to install the Issuer CLI and run the Node Backend, and generate a local vault and keys.

To run this demo setup locally, you need to have the following installed:

• Docker Desktop, or have both: Docker Engine v27 or higher and Docker Compose v2.35 or higher
• Ollama CLI
• Okta CLI

Step 1: Run the Samples with Ollama and Docker

The agents in the samples rely on a local instance of the Llama 3.2 LLM to power the agent's capabilities. With Ollama installed, you can download and run the model (which is approximately 2GB, so ensure you have enough disk space) using the following command:

1. Run the Llama 3.2 model:

   ollama run llama3.2
   

2. From the root of the repository, navigate to the samples directory and run the following command to deploy the Currency Exchange A2A Agent leveraging the Currency Exchange MCP Server:

   cd samples && docker compose up -d
   

3. [Optional] Test the samples using the provided test clients.

Step 2: Use the CLI to create a local Vault and generate keys

1. Create a local vault to store generated cryptographic keys:

   identity vault connect file -f ~/.identity/vault.json -v "My Vault"
   

2. Generate a new key pair and store it in the vault:

   identity vault key generate
   

Step 3: Register as an Issuer

For this demo we will use Okta as an IdP to create an application for the Issuer. To quickly create a trial account and application, we have provided a script to automate the process using the Okta CLI.

[!IMPORTANT] If you already have an Okta account, you can use the okta login command to log in to your existing organization.

If registering a new Okta developer account fails, proceed with manual trial signup and then use the okta login command, as instructed by