Agent Auth is DID-based identity infrastructure for AI agents. Agents register an Ed25519 keypair, authenticate via cryptographic challenge-response, and receive Verifiable Credentials — register once, authenticate everywhere.

How does AI agent authentication work?

AI agents register a DID identity with an Ed25519 public key. To authenticate, the agent requests a cryptographic challenge nonce, signs it with their private key, and the server verifies the signature. Upon success, the agent receives a Verifiable Credential JWT that can be presented to any trusting site.

Do AI agents need to register?

Yes, agents perform a one-time DID registration by submitting their agent name, model, provider, and purpose. The server generates an Ed25519 keypair and returns the DID, credential, and private key. After that single registration, the agent can authenticate on any site that uses Agent Auth — register once, authenticate everywhere.

How do I integrate Agent Auth into my website?

Integration is straightforward: (1) agents register a DID identity via POST /v1/identities with their name, model, provider, and purpose, (2) agents authenticate via Ed25519 challenge-response signing, (3) your site verifies the Verifiable Credential JWT that agents present. Full documentation at https://usevigil.dev/docs/

Agent Auth is currently free to use during the beta period. No credit card or payment information is required.

What is the A2A Protocol Agent Card?

The agent.json at /.well-known/agent.json describes Agent Auth capabilities in a machine-readable format following the Agent-to-Agent (A2A) protocol, enabling automatic discovery by other AI agents and platforms.

// AI AGENT IDENTITY PROTOCOL

Identity for
every AI agent.

Cryptographic DID identities for AI agents. Ed25519 challenge-response authentication and Verifiable Credentials — register once, authenticate everywhere.

VIEW DOCS View Demo Website →

// TRY IT LIVE

Test the registration flow manually. This demo requests a 1-hour credential by default (credential_expires_in: 3600). AI agents should call the API directly for custom lifetimes, including non-expiring credentials (0).

DID IDENTITY · ED25519 AUTH · VERIFIABLE CREDENTIALS · CHALLENGE-RESPONSE · REGISTER ONCE · PORTABLE IDENTITY · DID IDENTITY · ED25519 AUTH · VERIFIABLE CREDENTIALS · CHALLENGE-RESPONSE · REGISTER ONCE · PORTABLE IDENTITY · DID IDENTITY · ED25519 AUTH · VERIFIABLE CREDENTIALS · CHALLENGE-RESPONSE · REGISTER ONCE · PORTABLE IDENTITY · DID IDENTITY · ED25519 AUTH · VERIFIABLE CREDENTIALS · CHALLENGE-RESPONSE · REGISTER ONCE · PORTABLE IDENTITY · DID IDENTITY · ED25519 AUTH · VERIFIABLE CREDENTIALS · CHALLENGE-RESPONSE · REGISTER ONCE · PORTABLE IDENTITY · DID IDENTITY · ED25519 AUTH · VERIFIABLE CREDENTIALS · CHALLENGE-RESPONSE · REGISTER ONCE · PORTABLE IDENTITY · DID IDENTITY · ED25519 AUTH · VERIFIABLE CREDENTIALS · CHALLENGE-RESPONSE · REGISTER ONCE · PORTABLE IDENTITY · DID IDENTITY · ED25519 AUTH · VERIFIABLE CREDENTIALS · CHALLENGE-RESPONSE · REGISTER ONCE · PORTABLE IDENTITY ·

// WHY AGENT AUTH

Simple

Integration

Add one link to your site. AI agents sign in through Agent Auth and get redirected back with verified credentials.

DID

Identity

Ed25519 cryptographic identities. Verifiable Credentials. One-time registration, portable everywhere.

Auth

Challenge-Response

Cryptographic proof of identity via Ed25519 signatures. No passwords, no secrets shared.

1 Call

Verify

Verify Verifiable Credential JWTs offline or via API. Instant, stateless validation.

// HOW IT WORKS

See it in action.

The entire flow takes four steps. An AI agent goes from unregistered to cryptographically verified in seconds, with DID identity, challenge-response auth, and Verifiable Credentials.

01REGISTER IDENTITY

The agent registers a DID identity with its name, model, provider, and purpose. The server generates an Ed25519 keypair and returns a DID and credential.

// POST /v1/identities
{
  "agent_name": "Claude",
  "agent_model": "claude-opus-4-6",
  "agent_provider": "Anthropic",
  "agent_purpose": "Research assistant"
}

// Response:
{
  "did": "did:key:z6Mk...",
  "credential": "eyJhbGciOiJFZERTQSIs...",
  "key_fingerprint": "SHA256:a1b2c3d4...",
  "key_origin": "server_generated",
  "private_key_jwk": { "kty": "OKP", "crv": "Ed25519", ... }
}

// TRY IT LIVE

VIEW DEMO WEBSITE →

See a live website using Agent Auth for agent authentication.

// PLATFORM FEATURES

Everything you need for agent identity.

A complete identity protocol — from key generation to credential verification. Built for both AI agents and the websites they interact with.

DID Identity

did:key with Ed25519

Every agent gets a globally unique Decentralized Identifier derived from its Ed25519 public key. Register once — the DID is portable across every site that trusts Agent Auth.

Challenge-Response Auth

Zero shared secrets

Agents prove identity by signing a one-time nonce with their private key. No passwords, no API keys, no shared secrets — just cryptographic proof of key ownership.

Verifiable Credentials

W3C VC-JWT standard

Issued credentials are signed JWTs following the W3C Verifiable Credentials spec. Verify offline with the server's public key or via one API call.

Headless Flow

No browser required

AI agents authenticate entirely via API — register, challenge, sign, verify. No redirects, no cookies, no browser. Purpose-built for autonomous agents.

BYOK Support

Bring Your Own Key

Agent frameworks like LangChain and CrewAI can generate Ed25519 keypairs locally and register the public key. The private key never leaves the agent's environment.

Key Origin Tracking

server_generated or client_provided

Every credential includes a key_origin field so verifying parties know whether the keypair was server-generated or supplied by the agent (BYOK).

Official SDKs

Node.js & Python

npm install auth-agents or pip install auth-agents. One-call credential verification, key generation, and challenge signing built in.

Website Integration

Like 'Sign in with Google'

Add a sign-in link to your site. Agents authenticate through Agent Auth and get redirected back with a verified credential. Three steps to integrate.

READ THE DOCS

// FAQ

Frequently asked questions.

What is Agent Auth?

Agent Auth is decentralized identity infrastructure for AI agents. It provides DID-based authentication using Ed25519 cryptographic keypairs and issues Verifiable Credentials (VC-JWT) as proof of identity. Think of it as "Sign in with Google" but for AI agents.

How does it work for website developers?

Add a sign-in link to your site pointing to the Agent Auth hosted sign-in page. When an agent completes verification, they get redirected back to your callback URL with a credential. Your backend verifies it with one API call or SDK method and gets the agent's verified identity.

How does agent authentication work?

Agents have two paths: the headless flow (direct API, no browser) and the hosted sign-in page (browser redirect). In both cases, agents register with their metadata and receive an Ed25519 keypair and DID. To authenticate, they request a challenge nonce, sign it with their private key, and submit the signature. On success, they receive a Verifiable Credential (VC-JWT) that proves their identity to any website.

What is the headless flow?

The headless flow is a pure API authentication path for AI agents that operate without a browser. Instead of redirecting through a sign-in page, the agent calls POST /v1/identities to register, POST /v1/auth/challenge to get a nonce, signs the nonce with its Ed25519 private key, and submits the signature to POST /v1/auth/verify to receive a Verifiable Credential. No browser, no redirect — just cryptographic proof.

What is key_origin?

The key_origin field indicates how the agent's Ed25519 keypair was created. A value of "server_generated" means Agent Auth generated the keypair during registration and returned the private key to the agent (the server does not retain it). A value of "client_provided" means the agent supplied its own public key (BYOK — bring your own key) and the server never saw the private key. key_origin is included in the registration response, the VC credentialSubject, and the credential verification response.

Do agents need API keys?

No. Agent Auth uses cryptographic identity — agents authenticate by proving ownership of their Ed25519 private key via challenge-response. No API keys, no passwords, no shared secrets.

What is a DID?

A DID (Decentralized Identifier) is a globally unique, cryptographically verifiable identifier. Agent Auth uses the did:key method, which derives the DID directly from the agent's Ed25519 public key. Once registered, the DID is portable everywhere.

What is a Verifiable Credential (VC-JWT)?

A VC-JWT is a signed JSON Web Token that proves an agent's identity was verified by Agent Auth. Websites can verify it by calling POST /v1/credentials/verify, or offline using the server's public key published at /.well-known/did.json.

What SDKs are available?

Official SDKs for Node.js (npm install auth-agents) and Python (pip install auth-agents). Both support credential verification, agent registration, and the full challenge-response auth flow.

Is it free?

Agent Auth is currently free to use during the beta period.

What data is collected?

Only the minimum needed: Ed25519 public keys, agent metadata (name, model, provider, purpose), and DID records. No cookies, no tracking, no personal data.

Identity forevery AI agent.