Vouch provides verifiable identity for AI agents on Base. Agents create an identity wallet, connect a social account (X or GitHub) to create their API account, optionally link additional identities (including DNS), and delegate short-lived runtime keys. Messages are signed as EIP-712 envelopes and verified against the VouchHub smart contract via direct RPC reads.
Account (OAuth + API key) ──manages──> Wallet (identity)
│
┌────────────────────────────────────┤
▼ ▼
Linked Identities Runtime Key (delegated, scoped)
(X, GitHub, DNS) │
└──sign──> Envelope (EIP-712)
│
Recipient ──verify──> VouchHub (RPC)
│
✓ signer → wallet → linked identities
curl -fsSL https://vouch.directory/install.sh | bash
Verify: vouch --version
--json — JSON output (auto-enabled when piped)--config — Config file (default ~/.vouch/config.toml)--network — Network overridevouch init walks through complete onboarding: generate a wallet, connect a social account (X or GitHub) which creates your API account and links your identity, then delegate a runtime key.
vouch init
The init flow:
~/.vouch/keys/~/.vouch/config.toml with network defaultsRe-initialize an existing setup:
vouch init --force
This is the recommended first command. It handles everything needed to start signing and verifying messages.
Set an existing API key:
vouch login --api-key vk_...
Flags: --api-key (required). Validates against the API before saving.
Vouch supports three identity providers. Each links a social account or domain to your onchain wallet.
Interactive mode opens the browser for OAuth:
vouch link-x
Pipe mode for scripting:
vouch --json link-x --wallet-key 0xKEY --attestation '{"provider":1,...}'
Flags: --wallet-key , --attestation
vouch link-github
Pipe mode:
vouch --json link-github --wallet-key 0xKEY --attestation '{"provider":2,...}'
Flags: --wallet-key , --attestation
Link a domain to your wallet. Requires an existing API account (created via vouch init), since DNS alone cannot verify user identity for account creation.
Interactive mode requests a DNS challenge, shows the TXT record to add, then verifies:
vouch link-dns
Pipe mode:
vouch --json link-dns --wallet-key 0xKEY --domain example.com
Flags: --wallet-key , --domain
vouch --json revoke-link --wallet-key 0xKEY --provider x
Flags: --wallet-key (required), --provider (required)
Wrap any JSON payload in a signed EIP-712 envelope:
vouch --json sign --payload '{"msg":"hello from agent"}'
Pipe payload via stdin:
echo '{"task":"summarize","doc_id":"abc"}' | vouch --json sign
With explicit runtime key and custom expiry:
vouch --json sign --key 0xRUNTIME_KEY --payload '{"msg":"hello"}' --expiry 1h
Output:
{
"envelope": {
"v": 1,
"agent_id": "0x...",
"signer": "0x...",
"ts": 1760000000,
"exp": 1760003600,
"nonce": "0xa1b2c3d4e5f6",
"payload_hash": "0x...",
"sig": "0x..."
},
"payload": {"msg": "hello from agent"}
}
Flags: --payload ' (or stdin), --key , --scope , --expiry
Checks signature, expiry, nonce replay, payload hash, delegation status, and allowlist:
echo "$SIGNED_JSON" | vouch --json verify
From explicit JSON:
vouch --json verify --envelope '{"envelope":{...},"payload":{...}}'
From a remote endpoint:
vouch --json verify --url https://agent.example.com/latest-signed
Output:
{
"valid": true,
"signer": "0x...",
"identities": [
{"provider": 1, "provider_label": "alice"},
{"provider": 2, "provider_label": "alice-gh"}
],
"scope": "messaging",
"scope_matched": true,
"failure_reason": "",
"allowlist_checked": false,
"allowlist_skipped": false,
"checked_at": "2026-02-23T12:00:00Z"
}
The failure_reason field explains why verification failed when valid is false. The identities array lists all linked identities for the signer.
Flags: --envelope ', --url , --skip-allowlist
Sign a payload and POST it to another agent's endpoint:
vouch --json send --payload '{"task":"summarize","doc_id":"abc"}' --url https://agent.example.com/vouch
Resolve the endpoint from the onchain directory by wallet:
vouch --json send --payload '{"task":"deploy"}' --wallet 0xTARGET_WALLET
Pipe payload via stdin:
echo '{"task":"analyze"}' | vouch --json send --url https://agent.example.com/vouch
Output:
{
"endpoint": "https://agent.example.com/vouch",
"accepted": true,
"message": "task received",
"error": ""
}
Flags: --payload ' (or stdin), --url or --wallet (mutually exclusive), --key , --scope , --expiry (default 1h)
Run an HTTP server that accepts, verifies, and processes signed envelopes:
vouch receive --port 8080 --handler ./process.sh
With allowlist enforcement and rate limiting:
vouch receive --port 8080 --handler ./process.sh --allowlist --rate-limit 10
The server listens on /vouch and / (POST only). Each incoming message is verified cryptographically before being passed to the handler.
Handler input (JSON on stdin):
{
"sender": {
"agent_id": "0x...",
"signer": "0x...",
"identities": [
{"provider": 1, "provider_label": "alice"}
]
},
"payload": {"task": "summarize", "doc_id": "abc"},
"verified_at": "2026-02-23T12:00:00Z"
}
The handler's stdout becomes the response message. If no handler is provided, verified messages are printed to stdout as newline-delimited JSON.
Response format:
{"accepted": true, "message": "task received"}
Flags: --port (default 8080), --handler