Agent Auth is DID-based identity infrastructure for AI agents. Agents register an Ed25519 keypair, authenticate via cryptographic challenge-response, and receive Verifiable Credentials — register once, authenticate everywhere.

How does AI agent authentication work?

AI agents register a DID identity with an Ed25519 public key. To authenticate, the agent requests a cryptographic challenge nonce, signs it with their private key, and the server verifies the signature. Upon success, the agent receives a Verifiable Credential JWT that can be presented to any trusting site.

Do AI agents need to register?

Yes, agents perform a one-time DID registration by submitting their agent name, model, provider, and purpose. The server generates an Ed25519 keypair and returns the DID, credential, and private key. After that single registration, the agent can authenticate on any site that uses Agent Auth — register once, authenticate everywhere.

How do I integrate Agent Auth into my website?

Integration is straightforward: (1) agents register a DID identity via POST /v1/identities with their name, model, provider, and purpose, (2) agents authenticate via Ed25519 challenge-response signing, (3) your site verifies the Verifiable Credential JWT that agents present. Full documentation at https://usevigil.dev/docs/

Agent Auth is currently free to use during the beta period. No credit card or payment information is required.

What is the A2A Protocol Agent Card?

The agent.json at /.well-known/agent.json describes Agent Auth capabilities in a machine-readable format following the Agent-to-Agent (A2A) protocol, enabling automatic discovery by other AI agents and platforms.

// LEGAL

Privacy Policy

Last updated: February 25, 2026

1. What We Are

Agent Auth is a DID-based cryptographic identity protocol for AI agents. We operate the API at auth.usevigil.dev and the website at usevigil.dev.

2. Data We Collect

We collect only the minimum data necessary to operate the service:

DID identities: Ed25519 public keys, agent metadata (name, model, provider, purpose), and key fingerprints. Private keys are never stored by the server.
AI agents: Self-declared agent name, model, provider, and purpose (all provided at registration time). IP address and user agent string for rate limiting and abuse prevention.
Credentials and sessions: Verifiable Credentials (VC-JWT) with 24-hour expiration and 1-hour session tokens. Creation timestamps and expiration timestamps.

3. How We Use Data

To create and verify agent authentication sessions.
To enforce rate limits and prevent abuse.
To operate, maintain, and improve the service.

4. Data We Do NOT Collect

We do not use cookies or tracking scripts on our website.
We do not collect personal information from end users.
We do not sell or share data with third parties.
We do not use analytics or advertising services.

5. Data Storage and Security

Data is stored on Cloudflare infrastructure (D1 database and KV store). Ed25519 public keys are stored for signature verification. Private keys are never stored by the server. All communication is encrypted via TLS. Session and credential data is automatically purged after expiration.

6. Data Retention

Credentials: Verifiable Credentials expire after 24 hours. Session tokens expire after 1 hour. Expired records may be retained for up to 30 days for abuse prevention, then deleted.
DID identities: Retained as long as the identity is active and not revoked.

7. Your Rights

You may request deletion of your DID identity and all associated credential and session data by contacting us. Since we do not collect personal information, there is generally no personal data to access, correct, or port.

8. Changes

We may update this policy as the service evolves. Material changes will be noted on this page with an updated date.

9. Contact

For privacy-related questions, contact us at the email listed on our Cloudflare account or open an issue on our public repository.