AGNTCY Identity allows to onboard, create and verify identities for Agents, Model Context Protocol (MCP) Servers and Multi-Agent Systems (MASs).
Welcome to the Identity repository
AGNTCY Identity provides a secure and verifiable method to uniquely identify agents through open and decentralized techniques. Each agent is assigned a universally unique identifier, backed by verifiable credentials (VCs). AGNTCY Identity enables to bring your own identity using conventions like IDs assigned by Identity Providers (e.g., Okta) or Agent Cards (e.g., Googleโs A2A), or be assigned an ID following standards (e.g., W3C DIDs). This component ensures that every agent in the AGNTCY ecosystem has a verifiable, universally unique identity, enabling secure authentication, trusted communication, and interoperability across diverse multi-agent systems, regardless of the identity assignment method.
[!NOTE] This same structure applies to MCP Servers and MASs, ensuring consistency across all identity-bearing entities in the IoA.
You can also:
Secure and reliable communication between software agents is a cornerstone of the Internet of Agents (IoA) vision. Without proper identity management, malicious or unverified agents can infiltrate Multi-Agent Systems (MASs), leading to misinformation, fraud, or security breaches. To mitigate these risks, the AGNTCY provides a standardized and consistent framework for authenticating agents and validating associated metadata. This applies equally to:
[!TIP] This repository includes an AI Agent and MCP Server to showcase the AGNTCY Identity components in action!
This short guide allows you to setup the Identity Issuer CLI
as well as the Identity Node Backend
.
The Issuer CLI
allows to generate, register, search for, and verify badges for Agents and MCP Servers. The CLI includes a library enabling storage and retrieval of the keys required to sign the badges, both on local storage or using a 3rd party wallet or vault.
The Node Backend
comprises the APIs and the backend core. It stores, maintains, and binds org:sub-org IDs, PubKeys, Subject IDs and metadata, including badges, ResolverMetadata and Verifiable Credentials (VCs).
To run these steps successfully, you need to have the following installed:
Use the following command to install the Issuer CLI
:
using curl
:
sh -c "$(curl -sSL https://raw.githubusercontent.com/agntcy/identity/refs/heads/main/deployments/scripts/identity/install_issuer.sh)"
or using wget
:
sh -c "$(wget -qO- https://raw.githubusercontent.com/agntcy/identity/refs/heads/main/deployments/scripts/identity/install_issuer.sh)"
[!NOTE] You can also download the
Issuer CLI
binary corresponding to your platform from the latest releases.On some platforms you might need to add execution permissions and/or approve the binary in
System Security Settings
.For easier use, consider moving the binary to your
$PATH
or to the/usr/local/bin
folder.
If you have Golang
set up locally, you could also use the go install command
:
go install github.com/agntcy/identity/cmd/issuer@latest && \
ln -s $(go env GOPATH)/bin/issuer $(go env GOPATH)/bin/identity
Clone the repository and navigate to the identity
directory:
git clone https://github.com/agntcy/identity.git && cd identity
Start the Node Backend with Docker:
./deployments/scripts/identity/launch_node.sh
Or use make
if available locally:
make start_node
[!NOTE] You can also install the
Node Backend
using our helm chart, for which instructions are available in the chart's directory.
You can verify the installation by running the command below to see the different commands available:
identity -h
Here are the core commands you can use with the CLI
This demo scenario will allow you to see how to use the AGNTCY Identity components can be used in a real environment. You will be able to perform the following:
First, follow the steps in the Get Started in 5 minutes section above to install the Issuer CLI
and run the Node Backend
, and generate a local vault and keys.
To run this demo setup locally, you need to have the following installed:
The agents in the samples rely on a local instance of the Llama 3.2 LLM to power the agent's capabilities. With Ollama installed, you can download and run the model (which is approximately 2GB, so ensure you have enough disk space) using the following command:
Run the Llama 3.2 model:
ollama run llama3.2
From the root of the repository, navigate to the samples
directory and run the following command to deploy the Currency Exchange A2A Agent
leveraging the Currency Exchange MCP Server
:
cd samples && docker compose up -d
[Optional] Test the samples using the provided test clients.
Create a local vault to store generated cryptographic keys:
identity vault connect file -f ~/.identity/vault.json -v "My Vault"
Generate a new key pair and store it in the vault:
identity vault key generate
For this demo we will use Okta as an IdP to create an application for the Issuer. To quickly create a trial account and application, we have provided a script to automate the process using the Okta CLI.
[!IMPORTANT] If you already have an Okta account, you can use the
okta login
command to log in to your existing organization.If registering a new Okta developer account fails, proceed with manual trial signup and then use the
okta login
command, as instructed by the Okta CLI.
Run the following command from the root repository to create a new Okta application:
. ./demo/scripts/create_okta_app
In the interactive prompt, choose the following options:
> 4: Service (Machine-to-Machine)
, > 5: Other
Register the Issuer using the Issuer CLI
and the environment variables from the previous step:
identity issuer register -o "My Organization" \
-c "$OKTA_OAUTH2_CLIENT_ID" -s "$OKTA_OAUTH2_CLIENT_SECRET" -u "$OKTA_OAUTH2_ISSUER"
[!NOTE] You can now access the
Issuer's Well-Known Public Key
athttp://localhost:4000/v1alpha1/issuer/{common_name}/.well-known/jwks.json
, where{common_name}
is the common name you provided during registration.
Create a second application for the MCP Server metadata using Okta, similar to the previous step:
Run the following command from the root repository to create a new Okta application:
. ./demo/scripts/create_okta_app
In the interactive prompt, choose the following options:
> 4: Service (Machine-to-Machine)
, > 5: Other
Generate metadata for the MCP Server using the Issuer CLI
and the environment variables from the previous step:
identity metadata generate -c "$OKTA_OAUTH2_CLIENT_ID" \
-s "$OKTA_OAUTH2_CLIENT_SECRET" -u "$OKTA_OAUTH2_ISSUER"
[!NOTE] When successful, this command will print the metadata ID, which you will need in the next step to view published badges that are linked to this metadata.
Issue a badge for the MCP Server:
identity badge issue mcp -u http://localhost:9090 -n "My MCP Server"
Publish the badge:
identity badge publish
[!NOTE] You can now access the
VCs as a Well-Known
athttp://localhost:4000/v1alpha1/vc/{metadata_id}/.well-known/vcs.json
, where{metadata_id}
is the metadata ID you generated in the previous step.
You can use the Issuer CLI
to verify a published badge any published badge, not just those that you issued yourself.
This allows others to verify the Agent and MCP badges you publish.
Download the badge that you created in the previous step, replacing {metadata_id} with the metadata ID from step 4:
curl -o vcs.json http://localhost:4000/v1alpha1/vc/{metadata_id}/.well-known/vcs.json
Verify the badges using the Issuer CLI
:
identity verify -f vcs.json
[!NOTE] You can also use our Python SDK to verify the badge programmatically. See the Python SDK for more details.
For more detailed development instructions please refer to the following sections:
See the open issues for a list of proposed features (and known issues).
Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated. For detailed contributing guidelines, please see CONTRIBUTING.md.
Distributed under Apache 2.0 License. See LICENSE for more information. Copyright AGNTCY Contributors.
{ "mcpServers": { "identity": { "command": "docker", "args": [ "compose", "up", "-d" ] } } }
Related projects feature coming soon
Will recommend related projects based on sub-categories