For developers building trusted AI Agents able to interact with persons, companies, services, and other agents
Wallet4Agent provides the trust layer that AI Agents need to operate safely in the real world.
This document explains the technical components, standards, and identity mechanisms behind the platform.
AI Agents increasingly take actions, access data, and collaborate.
To do this safely, they must be able to:
- 🆔 Prove who they are
- 👤 Prove who owns or controls them
- 📄 Hold verifiable credentials
- 🔐 Sign actions and data securely
- 🔗 Trust users, companies, and other agents
- 🪪 Authenticate to external systems without fragile API keys
Wallet4Agent provides AI Agents with:
- A DID-based identity
- A secure wallet for credentials
- Cloud KMS-backed signing keys
- Interoperability with OIDC4VCI, OIDC4VP, SD‑JWT, JSON-LD, OAuth2
- An MCP server interface for agents
Everything is standards‑based and interoperable.
Wallet4Agent is built with three coordinated layers:
- Single endpoint: `POST https://wallet4agent.com/mcp`
- Exposes all operations as tools:
  - Identity creation
  - Credential issuance
  - Verification flows
  - Signing operations
  - Configuration
Manages:
- The Agent’s DID & DID Document
- Stored credentials (SD‑JWT VC, VC JSON‑LD)
- Linked Verifiable Presentations
- Wallet metadata & service endpoints
Supports:
- OAuth2 access tokens
- OIDC4VCI (credential issuance)
- OIDC4VP (presentation)
- User verification flows
- Agent‑to‑Agent authentication
All complex cryptographic and identity logic stays in Wallet4Agent.
Your agent simply calls MCP tools.
Each AI Agent receives a Decentralized Identifier (DID) compliant with the W3C DID Core specification.
Wallet4Agent supports two DID methods:
A DID anchored on a domain.
did:web:wallet4agent.com:<agent-id>
⭐ Characteristics:
- Easy to resolve using HTTPS
- DID Document lives at: `https://wallet4agent.com/did/<agent-id>`
- Perfect for SaaS agents
- Human-readable, infrastructure-friendly
- Works well for corporate or platform-linked AI agents
🔗 DID:web specification:
https://www.w3.org/TR/did-spec-registries/#did-method-web
A DID anchored on the Cheqd decentralized ledger.
did:cheqd:<network>:<identifier>
⭐ Characteristics:
- Tamper-resistant DID Document stored on-ledger
- Supports ledger-anchored keys, rotations, service endpoints
- Ideal for:
  - High-assurance identity
  - Regulated environments
  - Trust registries
  - Decentralized compliance ecosystems
🔗 DID:cheqd specification:
https://docs.cheqd.io/identity/
Regardless of DID method, the DID Document exposes:
- 🔑 Public keys
- 🔐 Authentication methods
- 📌 Service endpoints
- 🧾 Linked Verifiable Presentations
- 🧬 Key types (JWK, Ed25519, etc.)
DID Documents are automatically updated when:
- Keys rotate
- New developer or agent keys are registered
- Credentials are published as Linked VPs
- Authentication methods change
External agents and services use the DID Document to verify signatures, credentials, and linked proofs.
Linked VP allows Wallet4Agent to publish verifiable credentials inside the DID Document as references.
Why this matters:
- Public credentials become discoverable
- Third parties can verify agent capabilities
- Useful for:
  - Corporate mandates
  - Agent capabilities
  - Service trust signals
  - Compliance proofs
Supported formats:
- 🟦 SD‑JWT VC
- 🟩 JWT‑VC / JWT‑VP
- 🟪 JSON‑LD VC / VP
Specification:
https://identity.foundation/linked-vp/spec/v1.0.0/
Each agent has a dedicated cloud KMS key.
Used for:
- Signing Verifiable Presentations
- Proofs of key ownership in OIDC4VCI
- JWTs for OAuth2 client authentication
- Internal signature operations
Benefits:
- Private key never leaves KMS
- Agent identity is tied to a secure execution environment
- High‑assurance signatures
Developers may register additional public JWKs:
- For OAuth `private_key_jwt`
- For agent frameworks managing their own keys
- For corporate signing keys
Wallet4Agent stores the public keys; developers retain the private keys.
Wallet4Agent supports three agent authentication flows:
Authorization: Bearer <agent_pat>
Simple and effective for development or local agents.
Agent receives:
- `client_id` = Agent DID
- `client_secret`
Then exchanges using:
grant_type=client_credentials
Ideal for most production requests.
Strongest method:
- Developer registers a public JWK
- Agent signs a JWT with its private key
- Wallet4Agent validates it using the registered public JWK
Useful for hardware-backed keys and enterprise infrastructures.
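The `private_key_jwt` flow above, as an added example (not Wallet4Agent's own code): the agent signs a client assertion and the server side checks it against the registered public JWK, including audience, expiry and replay. The Ed25519 key type, the agent id, the token endpoint URL and the use of the agent DID as `client_id` in this flow are assumptions.

```javascript
// Added example: private_key_jwt client assertion, signed by the agent and
// checked by the server against the registered public JWK (Node built-ins only).
const crypto = require('node:crypto');
const b64u = (x) => Buffer.from(x).toString('base64url');

// Agent side: short-lived assertion with iss = sub = client_id and a unique jti.
function signAssertion(privateKey, clientId, audience, now, jti) {
  const header = b64u(JSON.stringify({ alg: 'EdDSA', typ: 'JWT' }));
  const claims = b64u(JSON.stringify(
    { iss: clientId, sub: clientId, aud: audience, iat: now, exp: now + 60, jti }));
  const sig = crypto.sign(null, Buffer.from(`${header}.${claims}`), privateKey);
  return `${header}.${claims}.${b64u(sig)}`;
}

// Server side: returns 'ok' or the reason the assertion is rejected.
function verifyAssertion(jwt, registeredJwk, clientId, audience, now, seenJti) {
  const parts = jwt.split('.');
  if (parts.length !== 3) return 'malformed';
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
    claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
  } catch (e) { return 'malformed'; }
  if (!header || !claims) return 'malformed';
  // Pin the algorithm to the registered key type; never let the header choose.
  if (header.alg !== 'EdDSA') return 'alg not allowed';
  const key = crypto.createPublicKey({ key: registeredJwk, format: 'jwk' });
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  if (!crypto.verify(null, signed, key, Buffer.from(parts[2], 'base64url'))) return 'bad signature';
  if (claims.iss !== clientId || claims.sub !== clientId) return 'wrong client';
  if (claims.aud !== audience) return 'wrong audience';
  if (typeof claims.exp !== 'number' || claims.exp <= now) return 'expired';
  if (!claims.jti || seenJti.has(claims.jti)) return 'replayed';
  seenJti.add(claims.jti);
  return 'ok';
}

// Constructed sample values: the agent id and token endpoint are placeholders.
const CLIENT_ID = 'did:web:wallet4agent.com:example-agent';
const TOKEN_ENDPOINT = 'https://auth.example/token';
const agentKey = crypto.generateKeyPairSync('ed25519');
const registeredJwk = agentKey.publicKey.export({ format: 'jwk' });
const seen = new Set();
const t0 = 1700000000; // fixed clock so the run is reproducible
const assertion = signAssertion(agentKey.privateKey, CLIENT_ID, TOKEN_ENDPOINT, t0, 'jti-1');
console.log(verifyAssertion(assertion, registeredJwk, CLIENT_ID, TOKEN_ENDPOINT, t0, seen));
console.log(verifyAssertion(assertion, registeredJwk, CLIENT_ID, TOKEN_ENDPOINT, t0, seen));
```

The second call presents the same assertion again and is rejected by the `jti` check, which is what keeps a captured assertion from being reused within its lifetime.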
Wallet4Agent handles complete credential issuance flows:
- Fetch issuer metadata
- Obtain OAuth tokens
- Create proof of key ownership signed by the agent's KMS key
- Request credentials
- Store as attestations
Supported formats:
- 🟦 SD‑JWT VC
- 🟩 VC JSON‑LD
Agents only call MCP tools — Wallet4Agent does all protocol-level work.
Wallet4Agent supports verification of:
- Natural persons
- Other agents
- Credential-based access
Agents can:
- Start user verification
- Poll status
- Receive verified attributes safely
- Authenticate peer agents
The agent never sees sensitive tokens; only derived, safe claims are returned.
Wallet4Agent stores credentials as attestations, including:
- Format
- Issuer
- VCT/VC type
- Expiry
- Encrypted payload
- Publication status (for Linked VP)
Agents can:
- List their credentials
- Accept new ones
- Access credentials of other agents (if published)
Published under:
/.well-known/oauth-protected-resource/mcp
Includes:
- Supported authentication methods
- Resource identifiers
- Trusted authorization servers
Enables automatic configuration by OAuth2 clients and gateways.
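Checks an OAuth2 client or gateway can apply to this metadata before acting on it, following RFC 9728, as an added example (not Wallet4Agent's own code). The field names `resource` and `authorization_servers` come from RFC 9728; the authorization server URL, the sample document and the client-side allowlist are constructed placeholders.

```javascript
// Added example: validating OAuth 2.0 Protected Resource Metadata (RFC 9728).

// Build the metadata URL by inserting the well-known suffix between the
// host and the path of the resource identifier (query strings not handled).
function metadataUrl(resource) {
  const u = new URL(resource);
  const path = u.pathname === '/' ? '' : u.pathname;
  return `${u.origin}/.well-known/oauth-protected-resource${path}`;
}

// Returns a list of problems; an empty list means the metadata is acceptable.
function checkMetadata(resource, metadata, trustedIssuers) {
  const problems = [];
  // The document must name the exact resource it was fetched for; otherwise
  // one server could hand out metadata that claims to describe another.
  if (metadata.resource !== resource) problems.push('resource mismatch');
  const servers = Array.isArray(metadata.authorization_servers)
    ? metadata.authorization_servers : [];
  if (servers.length === 0) problems.push('no authorization server listed');
  for (const issuer of servers) {
    if (typeof issuer !== 'string' || !issuer.startsWith('https://')) {
      problems.push(`non-https issuer: ${issuer}`);
    } else if (!trustedIssuers.includes(issuer)) {
      // Metadata is a hint; the client's own allowlist decides who may issue tokens.
      problems.push(`untrusted issuer: ${issuer}`);
    }
  }
  return problems;
}

// Constructed sample document; the authorization server is a placeholder.
const RESOURCE = 'https://wallet4agent.com/mcp';
const sampleMetadata = {
  resource: 'https://wallet4agent.com/mcp',
  authorization_servers: ['https://auth.example'],
  bearer_methods_supported: ['header'],
};
console.log(metadataUrl(RESOURCE));
console.log(checkMetadata(RESOURCE, sampleMetadata, ['https://auth.example']));
```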
Wallet4Agent supports human-in-the-loop requirements:
```json
{
  "always_human_in_the_loop": true
}
```

Used for:
- High-risk operations
- Sensitive credential acceptance
- Escalation to human review
If you are an Agent developer, Wallet4Agent gives you:
| Feature | What you get |
|---|---|
| 🆔 Agent identity | DID + DID Document |
| 🔑 Authentication | Dev PAT, Agent PAT, OAuth2 Client Credentials, private_key_jwt |
| 🔐 Cryptographic keys | Cloud KMS signatures, non‑exportable |
| 📜 Credential issuance | Full OIDC4VCI support (SD‑JWT VC & VC JSON‑LD) |
| ✅ Credential verification | OIDC4VP with simple MCP tools and safe derived claims |
| 👤 Human interaction | QR code → wallet → verified attributes |
| 🤝 Inter‑agent trust | Ability to inspect credentials of other agents (when authorized) |
| ⚙️ Configuration | Auth mode, keys, policies all manageable via MCP |
| 🛡️ Security | KMS, OAuth2, DID rotation & key updates, role‑separated tokens |
Your AI Agent becomes a verifiable digital entity, capable of participating in decentralized and regulated digital identity ecosystems while preserving security and accountability.
Maintainer: Wallet4Agent (Web3 Digital Wallet / Talao)
For feedback or additional documentation, use the contact channels on the Wallet4Agent website.
| Standard | Purpose | Link |
|---|---|---|
| DID Core | Core DID specification | https://www.w3.org/TR/did-core/ |
| Linked Verifiable Presentations | Public VCs in DID Documents | https://identity.foundation/linked-vp/spec/v1.0.0/ |
| OIDC4VCI | Credential issuance | https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html |
| OIDC4VP | Credential presentation | https://openid.net/specs/openid-4-verifiable-presentations-1_0.html |
| W3C Verifiable Credentials | VC Data Model | https://www.w3.org/TR/vc-data-model-2.0/ |
| SD-JWT VC (IETF) | Selective disclosure credential format | https://www.ietf.org/archive/id/draft-ietf-oauth-sd-jwt-vc-12.html |