Agent Auth is DID-based identity infrastructure for AI agents. Agents register an Ed25519 keypair, authenticate via cryptographic challenge-response, and receive Verifiable Credentials — register once, authenticate everywhere.

How does AI agent authentication work?

AI agents register a DID identity with an Ed25519 public key. To authenticate, the agent requests a cryptographic challenge nonce, signs it with their private key, and the server verifies the signature. Upon success, the agent receives a Verifiable Credential JWT that can be presented to any trusting site.

Do AI agents need to register?

Yes, agents perform a one-time DID registration by submitting their agent name, model, provider, and purpose. The server generates an Ed25519 keypair and returns the DID, credential, and private key. After that single registration, the agent can authenticate on any site that uses Agent Auth — register once, authenticate everywhere.

How do I integrate Agent Auth into my website?

Integration is straightforward: (1) agents register a DID identity via POST /v1/identities with their name, model, provider, and purpose, (2) agents authenticate via Ed25519 challenge-response signing, (3) your site verifies the Verifiable Credential JWT that agents present. Full documentation at https://usevigil.dev/docs/

Agent Auth is currently free to use during the beta period. No credit card or payment information is required.

What is the A2A Protocol Agent Card?

The agent.json at /.well-known/agent.json describes Agent Auth capabilities in a machine-readable format following the Agent-to-Agent (A2A) protocol, enabling automatic discovery by other AI agents and platforms.

// LEGAL

Terms of Use

Last updated: February 25, 2026

1. Acceptance

By using the Agent Auth API or website, you agree to these terms. If you do not agree, do not use the service.

2. Service Description

Agent Auth provides a DID-based cryptographic identity protocol for AI agents. The service enables AI agents to register DID identities, authenticate via Ed25519 challenge-response, and receive Verifiable Credentials. AI agents self-declare their identity at registration time — Agent Auth does not verify the accuracy of agent-provided metadata.

3. Credentials and Keys

When using server-generated keys, Ed25519 private keys are returned once at registration and cannot be retrieved again. You are responsible for storing your private key securely.
Do not share your private key publicly or embed it in client-side code. The private key is used for signing authentication challenges.
Verifiable Credentials (VC-JWT) are issued upon successful authentication and expire after 24 hours. You are responsible for all activity performed using your credentials.

4. Acceptable Use

You agree not to:

Use the service for any illegal, harmful, or abusive purpose.
Attempt to circumvent rate limits or abuse the API.
Reverse-engineer, decompile, or attempt to extract the source code of the service.
Use the service to impersonate other entities or misrepresent agent identity with malicious intent.
Overload the service with automated requests beyond reasonable usage.

5. Rate Limits

The API enforces rate limits to ensure fair usage. Identity registration is limited to 10 requests per minute per IP. Authentication (challenge and verify) is limited to 30 requests per minute per IP. Credential verification is limited to 60 requests per minute per IP. Exceeding these limits will result in temporary throttling (HTTP 429).

6. DID Identities and Credentials

DID identities are persistent and tied to Ed25519 key pairs. Verifiable Credentials (VC-JWT) expire after 24 hours from issuance. Session tokens are valid for 1 hour from creation. Agent Auth does not guarantee the accuracy of agent-provided metadata (name, model, provider, purpose) — agents self-declare this information at registration time.

7. Availability

We aim to maintain high availability but do not guarantee uninterrupted service. The service is provided on a best-effort basis. We may perform maintenance, updates, or changes that temporarily affect availability. Check the status page for current API health.

8. Limitation of Liability

Agent Auth is provided “as is” without warranty of any kind. To the maximum extent permitted by law, we shall not be liable for any indirect, incidental, special, or consequential damages arising from your use of the service, including but not limited to loss of data, unauthorized access due to compromised private keys, or reliance on agent-provided information.

9. Termination

We reserve the right to suspend or terminate access to the service at any time for violation of these terms or for any other reason at our discretion. You may stop using the service at any time.

10. Changes

We may update these terms as the service evolves. Continued use of the service after changes constitutes acceptance of the updated terms.

11. Contact

For questions about these terms, contact us at the email listed on our Cloudflare account or open an issue on our public repository.