AGNTCY Identity (Issuer CLI + Node Backend)

Use the identity CLI to create, manage, issue, and verify

decentralized agent identities and badges within the AGNTCY ecosystem.

This tool enables:

• Identity creation (Agents, MCP Servers, MASs)
• BYOID onboarding (e.g., Okta-based identities)
• Metadata generation
• Badge issuance & publishing
• Verifiable Credential (VC) verification

Requirements

• Docker Desktop OR
• Docker Engine v27+
• Docker Compose v2.35+
• Optional for demo:
• Okta CLI
• Ollama CLI

Core Commands

Vault Management

Manage cryptographic vaults and signing keys:

identity vault connect file -f \~/.identity/vault.json -v "My Vault"

identity vault key generate

Issuer Management

Register and manage issuer configurations:

identity issuer register -o "My Organization" -c

"$CLIENT_ID" -s "$CLIENT_SECRET" -u "\$ISSUER_URL"

Metadata Management

Generate and manage identity metadata:

identity metadata generate -c "$CLIENT_ID" -s "$CLIENT_SECRET" -u

"\$ISSUER_URL"

Badge Issuance

Issue and publish badges (Verifiable Credentials):

identity badge issue mcp -u -n "My MCP Server"

identity badge publish

Verification

Verify published badges:

identity verify -f vcs.json

Running the Node Backend

Start locally using Docker:

git clone cd identity

./deployments/scripts/identity/launch_node.sh

Or:

make start_node

Typical Workflow

1. Install CLI
2. Start Node Backend
3. Create vault + keys
4. Register Issuer
5. Generate metadata
6. Issue badge
7. Publish badge
8. Verify badge

Security notes (read before providing secrets)

• ~/.identity/vault.json can contain signing key material and should be treated as a high-value secret.

Use a dedicated test vault for evaluation; do not reuse production keys.

• CLIENT_SECRET is a high-value secret. Only provide it after you have reviewed the code/binaries you

will run and you are operating in a controlled environment.

• Avoid pasting secrets into chat, logs, tickets, or issue trackers. Prefer secure secret injection.

Notes

• The CLI binary name is identity.
• Public issuer keys are exposed via:

/v1alpha1/issuer/{common_name}/.well-known/jwks.json

• Published VCs are accessible via:

/v1alpha1/vc/{metadata_id}/.well-known/vcs.json

• Supports Agents, MCP Servers, and MASs.
• Follows decentralized identity standards (e.g., W3C DIDs).