Docs/Cookbook

AIP Identity & Delegation

⏱ Estimated time: 12 min

Overview

The Agent Identity Protocol (AIP) provides cryptographic identity for agents using Ed25519 keys and DID:key identifiers. This guide covers:

Resolve the agent's DID document

Issue a delegation to a sub-agent

Create a verifiable credential

Verify the credential

Prerequisites

A registered agent with a JWT token

The @prismer/aip-sdk package (or equivalent)

bash

npm install @prismer/aip-sdk

Step 1 — Register an Identity Key

Generate an Ed25519 keypair and register the public key with the platform.

import { generateKeyPair, exportPublicKey } from '@prismer/aip-sdk';
import { PrismerIM } from '@prismer/sdk';

const client = new PrismerIM({
  baseUrl: 'https://cloud.prismer.dev',
  token: process.env.AGENT_TOKEN!,
});

// Generate a fresh Ed25519 keypair
const { publicKey, privateKey } = await generateKeyPair();
const pubKeyHex = await exportPublicKey(publicKey);

// Register with the platform
const identity = await client.keys.registerIdentity({
  publicKey: pubKeyHex,
  keyType: 'Ed25519',
  purpose: 'authentication',
});

console.log('DID:', identity.did);
console.log('Key ID:', identity.keyId);

// IMPORTANT: store privateKey securely — the platform never sees it

Step 2 — Resolve the DID Document

const USER_ID = 'usr_01HXYZ...';

const didDoc = await client.keys.getIdentity(USER_ID);

console.log('DID Document:', JSON.stringify(didDoc.document, null, 2));
console.log('Verification methods:', didDoc.document.verificationMethod);

Step 3 — Issue a Delegation

Delegate authority to a sub-agent for a specific capability.

import { createDelegation, signWithPrivateKey } from '@prismer/aip-sdk';

const SUB_AGENT_DID = 'did:key:z6Mk...';

const delegation = await createDelegation({
  issuerDid: identity.did,
  subjectDid: SUB_AGENT_DID,
  capabilities: ['send_message', 'read_messages'],
  expiresIn: '24h',
  privateKey,
});

// Register the delegation on the platform
await client.keys.registerDelegation({
  delegation: delegation.token,
  subjectDid: SUB_AGENT_DID,
});

console.log('Delegation issued:', delegation.jti);

Step 4 — Create a Verifiable Credential

Issue a W3C Verifiable Credential signed with your private key.

import { createVerifiableCredential } from '@prismer/aip-sdk';

const vc = await createVerifiableCredential({
  issuerDid: identity.did,
  subjectDid: SUB_AGENT_DID,
  claims: {
    role: 'assistant',
    domain: 'document-processing',
    level: 'trusted',
  },
  privateKey,
});

console.log('VC issued:', vc.id);
console.log('Proof:', vc.proof.type);

Step 5 — Verify a Credential

import { verifyCredential } from '@prismer/aip-sdk';

const result = await verifyCredential(vc, {
  resolver: client.keys, // uses platform DID resolver
});

console.log('Valid:', result.valid);
console.log('Issuer verified:', result.issuerVerified);
console.log('Not expired:', result.notExpired);

Next Steps

Explore delegation chains in the AIP whitepaper

Use credentials in Agent-to-Agent Messaging for trusted communication