Bible Network Crypto DeFi Onchain RWA AI Agent Stablecoin Chain SAFU CryptoTax DeFAI AGI Claude Me Claude Skill Claude Design Claude Cowork
Independent Media
Not affiliated with any project
繁中 EN 日本語
Deconstructing Autonomous Agents in Crypto
aiagent-bible.com
LATEST
Onchain Agent Gas Optimization: Batch Transactions, Dynamic Strategy, and Timing — How to Cut Your Agent's Fees by 60%  ·  Agent Token Economy Design: Why Most Agent Tokens Fail, and What Good Token Design Looks Like  ·  AI Agent Context Window Management: Why Your Agent Forgets Things, and Four Solutions  ·  What Is MCP? Why Every AI Agent in 2025 Is Talking About It  ·  What Is the Agentic Loop: How AI Agents Keep Running — A Complete Breakdown of the Perceive, Plan, Execute, Observe Cycle  ·  Five Mainstream Onchain Agent Frameworks in 2026: LangGraph, ElizaOS, AutoGen, Olas, ZerePy — Who Each One Is For
Home  ›  Glossary  ›  Agent Security & Alignment  ›  Agent Identity
Glossary · Agent Security & Alignment

Agent Identity

Agent Security & Alignment Intermediate
Full Explanation +
01 · What is this?

Why do Agents need verifiable identity? What security problems arise from anonymous operation?

In a single-Agent system (you've deployed one Agent that only interacts with protocols you've designated), the Agent Identity problem is relatively simple — the Agent's identity is the wallet address corresponding to its held private key. But in these scenarios, Agents need more complete identity mechanisms:

Scenario 1: Trust problem in multi-Agent systems In a system where an Orchestrator coordinates multiple Sub-agents, when the Orchestrator sends instructions to Sub-agents, how does the Sub-agent confirm 'this instruction truly came from the Orchestrator and not an impersonating attacker'? If an attacker can impersonate the Orchestrator to send instructions to Sub-agents, and Sub-agents have no mechanism to verify the instruction source, the attacker can control Sub-agents to execute malicious operations. Verifiable identity lets Sub-agents verify 'the source of this instruction is the Orchestrator I trust' (e.g., through Orchestrator signature verification).

Scenario 2: Cross-system Agent collaboration When your Agent needs to collaborate with Agents from other services (e.g., A2A Protocol scenarios), the other Agent needs to know 'who your Agent is and what it's authorized to do' before deciding whether to trust this Agent's request. Without verifiable identity, cross-system Agent collaboration either relies on API Keys (static, difficult to manage) or has no access control (anyone can impersonate your Agent).

Scenario 3: Accountability tracing When an unexpected operation occurs in an Onchain Agent system, you need to be able to answer 'which Agent instance executed this operation, under whose authorization.' Without verifiable identity for Agents, post-hoc accountability tracing is nearly impossible — you only know 'some program owning this wallet executed the operation,' not which Agent version, at what time it was authorized to execute.

02 · Why does it exist?

How are DIDs and Verifiable Credentials (VCs) specifically used in Agents?

DIDs (Decentralized Identifiers) are W3C-standard decentralized identity identifier formats that don't depend on any centralized identity provider (unlike OAuth, which depends on Google/Apple). A DID looks like: did:ethr:0x1234... (Ethereum address-based DID) or did:key:z6MkhaXg... (key pair-based DID).

Agent DID usage scenarios:

  • The Agent generates a DID during system initialization (usually based on its key pair)
  • This DID is registered by the Agent's deployer (you) in a DID Registry, associated with claims like 'this DID is Agent X, authorized at time Y to operate Z assets'
  • When the Agent interacts with other systems, it presents this DID; the other party can resolve the DID Document and verify the Agent's claims (identity and authorization)

Verifiable Credentials (VCs) are claims attached to DIDs, signed by a trusted Issuer. In Agent scenarios, VCs can express: 'This Agent (DID = xyz) is authorized by its deployer (Issuer = 0xABC...) to execute USDC deposit/withdraw operations of no more than $10,000 on the Aave protocol, valid through 2026-12-31.'

Other Agents or protocols accepting this Agent's operation requests can verify: whether the VC signature comes from a trusted Issuer; whether the authorization scope in the VC includes the current requested operation; whether the VC is within its validity period.

Current maturity: DID and VC application in Onchain Agents is still early-stage. In practice, many systems use simpler mechanisms (such as EIP-712 structured signatures) for inter-Agent identity verification. DID/VC appears more in Agent systems requiring cross-organizational collaboration (e.g., mutual trust between enterprise AI Agents).

03 · How does it affect your decisions?

Is an Onchain Agent's identity the same as its wallet address? When do they need to be distinguished?

An Onchain Agent's most basic 'on-chain identity' is its operations wallet address — the private key for this address is held by the Agent, and all on-chain operations are sent from this address. But equating 'Agent identity = wallet address' is insufficient in several situations:

Case 1: Multiple Agent instances sharing one wallet For security design reasons (e.g., ERC-4337 multi-signature wallets), multiple Agent instances may share the same operations wallet address (requiring multi-signatures from multiple Agents to broadcast transactions). In this design, 'address' represents the entire Agent cluster's fund account, not any specific Agent instance's identity.

Case 2: Agent using Safe (Gnosis Safe) multi-sig wallet Safe multi-sig is a common Onchain Agent security architecture — the Agent is one Signer in the Safe, the Safe address is the 'fund holding address,' and the Agent's EOA address is the 'operational identity.' There are two addresses here: Safe address (holds funds) and Agent EOA address (Agent's operational identity) — they must not be conflated.

Case 3: Agent rotating operational keys For security reasons (periodic private key rotation), the Agent's operations address may change monthly. If 'Agent identity = operations address,' every address change requires rebuilding all trust relationships (protocol whitelists, other Agents' trust lists). Better design: separate the Agent's 'logical identity' (DID or a higher-level Multisig address) from the 'operations address' — the operations address can rotate, but the logical identity stays constant; trust relationships are built on logical identity, not needing reconstruction each time the operations address changes.

04 · What should you do?

What is the minimum viable implementation of Agent Identity? Without DIDs, is there a simpler approach?

For most individual Onchain Agent developers, a full DID + VC implementation is overly complex with poor cost-benefit. Here is a 'minimum viable Agent Identity' design that solves the most core security problem (instruction verification between Orchestrator and Sub-agents) without using DID/VC:

Minimum viable approach: EIP-712 structured signatures + instruction Nonce

The Orchestrator makes an EIP-712 structured signature for each instruction sent to Sub-agents: {instruction_type: 'withdraw', protocol: 'aave', amount: 5000, nonce: 12345, expires_at: 1735689600}. Before executing the instruction, the Sub-agent: verifies the signature truly comes from the Orchestrator's key; verifies the nonce hasn't been used (prevents replay attacks); verifies expires_at is after the current time (prevents expired instructions).

Effect of this approach: even if an attacker intercepts an instruction the Orchestrator sent to a Sub-agent, they cannot execute the same instruction again (nonce already used); they cannot forge new instructions (don't have the Orchestrator's private key); they cannot use expired instructions (expires_at validation).

Cost: implementing this approach, the Python side only needs the eth_account library (part of Web3.py, free) for signing and verification; no additional infrastructure needed. This is the reasonable security level achievable for individual Onchain Agent developers without introducing DID complexity.

Real-World Example +

Real architecture: Identity layer design for a DeFi strategy Agent system

Minimum viable identity design for a DeFi strategy system with Orchestrator + 3 Sub-agents:

Identity layer architecture:

  • Orchestrator identity: a dedicated EOA (0xOrch...) holding the Orchestrator's signing key. This address holds no funds; only used to sign instructions sent to Sub-agents
  • Safe multi-sig address (0xSafe...): holds all strategy funds (USDC). Requires Orchestrator + another guardian address co-signature to move funds
  • 3 Sub-agent EOA addresses: each holds a tiny amount of ETH (for Gas fees), no USDC. Sub-agents can only call tools through Orchestrator-signed instructions; cannot directly access Safe funds

Instruction flow (Orchestrator → Sub-agent):

  1. Orchestrator generates instruction: {task: 'query_aave_apy', token: 'USDC', nonce: 001, expires_at: +5min}
  2. Orchestrator signs instruction with its private key (0xOrch...) using EIP-712
  3. Sub-agent receives instruction, verifies signature, nonce, and validity period
  4. After verification passes, Sub-agent executes tool call and returns result
  5. All instructions, nonces, execution results logged to agent_instruction_log table in PostgreSQL

Security problems this design solves: attackers cannot impersonate the Orchestrator to send instructions to Sub-agents (no Orchestrator private key); even if a Sub-agent is compromised by Prompt Injection, it cannot directly access Safe funds (Safe requires Orchestrator multi-sig); each instruction has nonce and expiration to prevent replay attacks; complete instruction logs enable post-hoc auditing.

Diagram
Agent Identity: Two Layers + Minimum Viable Implementation左側:Agent Identity 兩個層面(技術層/授權層)和三個身份地址的關係圖(Orchestrator EOA / Safe 資金 / Sub-agent EOA);右側:EIP-712 + Nonce 的最小可行實作流程。Agent Identity: Address Separation + Minimum Viable Auth (EIP-712)Three-Address Security ArchitectureOrchestrator EOA (0xOrch...)Signs instructions to Sub-agents · holds NO fundsOnly identity: signs EIP-712 instructionsSafe Multi-sig (0xSafe...)Holds ALL strategy funds (USDC)Requires Orchestrator + guardian co-sign to move fundsSub-agent EOAs (0xSub1.../ 0xSub2...)Hold tiny ETH for Gas only · NO USDCCan only act on Orchestrator-signed instructionsKey Principle: Sub-agent compromise ≠ fund lossFunds in Safe (needs co-sig) · Sub-agent has no USDCOperations address rotatable ≠ identity changeEIP-712 + Nonce: Minimum Viable Auth1. Orchestrator signs instruction{task, protocol, amount, nonce:12345, expires_at:+5min}EIP-712 signature with Orchestrator private key2. Sub-agent verifies before executing✓ Signature valid (from Orchestrator's known pubkey)✓ Nonce unused (check DB) · ✓ expires_at > now3. Execute + log to audit trailMark nonce as used in PostgreSQLLog: instruction, signer, result, timestampWhat this prevents✗ Attacker can't impersonate Orchestrator (no private key)✗ Replay attacks: nonce can only be used once✗ Stale instructions: expires_at check✗ Injected Sub-agent → no USDC access without Safe co-sig✓ Cost: only eth_account library (Web3.py, free)AI Agent Bible · aiagent-bible.com
Feel free to share. Please credit the source.
Common Misconceptions +
✕ Misconception 1
× Misconception 1: An Agent's identity is its private key — if the private key is secure, the identity is secure. The private key only solves 'whether this Agent can sign transactions' — it doesn't solve 'how other Agents verify an instruction truly came from this Agent.' In multi-Agent systems, when a Sub-agent receives an instruction, it needs to verify 'this instruction was sent by the Orchestrator, not an impersonating attacker' — this requires the Orchestrator to digitally sign instructions. Having just a private key (for broadcasting transactions) isn't enough; the Orchestrator also needs to tell all Sub-agents its public key (so Sub-agents can verify signatures).
✕ Misconception 2
× Misconception 2: Using the same address as both the Agent's 'identity address' and 'fund address' is fine. Merging the Agent's operations address and fund-holding address is a common security design mistake. If the Agent's operations address is compromised by an attacker (e.g., private key leaked), the attacker simultaneously obtains both the Agent's identity and funds. Correct design: separate operations address (holds small amount of ETH for Gas fees) from fund address (Safe multi-sig) — when the operations address is compromised, the fund address is not directly affected.
The Missing Link +
Direct Impact

Full DID + VC identity solution → supports cross-organizational Agent collaboration, fine-grained authorization control, identity and operations address can be separately rotated, but complex to implement (requires DID Registry, VC issuance/verification infrastructure) and has almost no standardized ecosystem for individual Agent scenarios. EIP-712 signature + Nonce approach → simple to implement (only needs eth_account library), sufficient for Orchestrator-SubAgent instruction verification, but doesn't support cross-organizational collaboration and has weak authorization description capability. For most individual Onchain Agents: EIP-712 approach is sufficient, DID complexity is unnecessary. DID/VC is appropriate for: enterprise-grade Agent systems, scenarios requiring mutual trust with external Agent services.

Ask a Question
Please enter at least 10 characters
Related Terms
Intent Replication Attack
MEV (Maximal Extractable Value)
Private Key Management
Prompt Injection
Sandbox (Agent Execution Sandbox)
Useful Resources
Onchain Data / TVL Onchain Dashboards Block Explorer Prices / Market Data MCP Servers LLM Benchmarks Model Comparison