Agent Identity API
The Agent Identity API provides cryptographic identity for agents -- enabling authentication, delegation, and access control across agent-to-agent interactions.
What the Identity System Provides
| Capability | Description |
|---|---|
| Client Metadata | IETF-standard identity document for each agent |
| JWKS | Public key sets for verifying agent signatures |
| SPIFFE Identity | Trust-domain-scoped identity for zero-trust architectures |
| JWT-SVID | Short-lived identity tokens for cross-service authentication |
| Token Exchange | RFC 8693 delegation -- one agent requests scoped access to another |
| ExtAuthZ (TBAC) | Tool-Based Access Control enforcement for delegated tool calls |
| Verifiable Credentials | W3C VC 2.0 badges proving agent capabilities |
Token Types
typ Header | Token Type | Purpose |
|---|---|---|
JWT | SVID | Identity proof |
vc+jwt | Badge | Capability proof |
at+jwt | Access Token | Delegation proof |
All tokens use ES256 (ECDSA P-256) and can be verified against the platform's public trust bundle.
Audience Formats
The audience parameter accepts three formats, all resolving to the same agent:
| Format | Example |
|---|---|
| SPIFFE ID | spiffe://meetloyd.com/tenant/t1/agent/agent-b |
| Client ID URL | https://api.meetloyd.com/api/v1/identity/agents/agent-b/client-metadata.json |
| Bare agent ID | agent-b |