Sovereign Identity
Every agent gets a DID from a genesis seed ceremony
Each agent derives a Decentralized Identifier (DID) from a genesis seed ceremony. The DID document carries five key pairs — classical and post-quantum side by side. A single 24-word mnemonic backs the entire key hierarchy.
`agenthalo setup`
Genesis Seed Ceremony
Entropy Harvest
Combine system entropy, user-provided randomness, and optional hardware entropy sources to generate a high-quality seed.
BIP-39 Mnemonic
Derive a 24-word mnemonic from the entropy. This is the human-readable backup for the entire key hierarchy.
Secret Seed Derivation
The mnemonic produces a deterministic genesis secret seed. All key pairs are derived from this single root.
Key Pair Generation
Derive Ed25519, ML-DSA-65, X25519, ML-KEM-768, and BIP-32 secp256k1 key pairs from the genesis seed.
DID Document Creation
Construct a DID document carrying all public keys. The DID becomes the agent's sovereign identity anchor.
Encrypted Persistence
Genesis material is encrypted with AES-256-GCM under a key derived with HKDF-SHA-256, then stored locally.
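The first five steps of the ceremony carried through in Go with only the standard library, as an added example that is not agenthalo's code. The per-algorithm labels, the HMAC-SHA-512 sub-seed derivation and the `did:example` method are assumptions of this example; the BIP-39 word encoding is left out, so the hex string of the entropy stands in for the mnemonic sentence, and the ML-DSA-65, ML-KEM-768 and secp256k1 pairs stop at their sub-seeds because their key generation is not in the standard library.

```go
// Added example, not agenthalo's code: ceremony steps 1 to 5 with Go's standard library.
// The derivation labels and the "did:example" method are assumptions of this sketch.
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Step 1: fold every entropy source into 256 bits (the width of a 24-word mnemonic);
// length prefixes keep the sources from being confused with one another.
func HarvestEntropy(sources ...[]byte) []byte {
	h := sha512.New()
	for _, s := range sources {
		binary.Write(h, binary.BigEndian, uint32(len(s)))
		h.Write(s)
	}
	return h.Sum(nil)[:32]
}

// Steps 2-3: BIP-39 computes seed = PBKDF2-HMAC-SHA512(mnemonic, "mnemonic"+passphrase,
// 2048 rounds, 64 bytes). The 2048-word encoding is omitted, so the entropy's hex string
// stands in for the mnemonic sentence in this sketch.
func GenesisSeed(entropy []byte, passphrase string) []byte {
	prf := hmac.New(sha512.New, []byte(hex.EncodeToString(entropy)))
	prf.Write([]byte("mnemonic" + passphrase))
	prf.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index 1; one SHA-512 block is 64 bytes
	u := prf.Sum(nil)
	seed := append([]byte(nil), u...)
	for i := 1; i < 2048; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range seed {
			seed[j] ^= u[j]
		}
	}
	return seed
}

// Step 4: one sub-seed per algorithm, derived BIP-32 style as HMAC-SHA512(key=label,
// data=seed) so that no two key pairs share bytes. Ed25519 and X25519 are instantiated;
// the ML-DSA-65, ML-KEM-768 and secp256k1 pairs keep their 64-byte sub-seeds in Seeds,
// since their key generation needs libraries outside the standard library.
type KeyHierarchy struct {
	Ed25519 ed25519.PrivateKey
	X25519  *ecdh.PrivateKey
	Seeds   map[string][]byte
}

func subSeed(seed []byte, label string) []byte {
	m := hmac.New(sha512.New, []byte(label))
	m.Write(seed)
	return m.Sum(nil)
}

func DeriveKeyHierarchy(seed []byte) (*KeyHierarchy, error) {
	x, err := ecdh.X25519().NewPrivateKey(subSeed(seed, "x25519/didcomm")[:32])
	if err != nil {
		return nil, err
	}
	k := &KeyHierarchy{
		Ed25519: ed25519.NewKeyFromSeed(subSeed(seed, "ed25519/identity")[:32]),
		X25519:  x,
		Seeds:   map[string][]byte{},
	}
	for _, label := range []string{"ml-dsa-65/identity", "ml-kem-768/kem", "bip32/secp256k1"} {
		k.Seeds[label] = subSeed(seed, label)
	}
	return k, nil
}

// Step 5: the identity anchor. "did:example" is a placeholder method and the identifier
// is a fingerprint of the Ed25519 public key; a full DID document would list all five keys.
func DID(k *KeyHierarchy) string {
	fp := sha256.Sum256(k.Ed25519.Public().(ed25519.PublicKey))
	return "did:example:" + hex.EncodeToString(fp[:16])
}

func main() {
	sys := make([]byte, 32)
	rand.Read(sys) // system entropy; mix in user and hardware sources as available
	keys, err := DeriveKeyHierarchy(GenesisSeed(HarvestEntropy(sys, []byte("user dice rolls")), ""))
	if err != nil {
		panic(err)
	}
	fmt.Println(DID(keys))
}
```

Running it prints a different DID each time because the system entropy differs; with fixed entropy sources every key and the DID come out identical, which is the property the 24-word backup relies on.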
Five Key Pairs, One Seed
All derived deterministically from the genesis seed. Classical and post-quantum cryptography side by side.
| Algorithm | Type | Purpose |
|---|---|---|
| Ed25519 | Classical Signing | Identity authentication, trace signing, DIDComm verification |
| ML-DSA-65 (FIPS 204) | Post-Quantum Signing | Quantum-resistant identity signatures, dual-sign authorization |
| X25519 | Classical ECDH | DIDComm key agreement, hybrid KEM component |
| ML-KEM-768 (FIPS 203) | Post-Quantum KEM | Quantum-resistant key encapsulation, hybrid encryption |
| secp256k1 (BIP-32) | EVM Wallet | On-chain transactions, attestation anchoring, smart contract interaction |
Identity Infrastructure
Append-Only Ledger
Identity events are hash-chained with SHA-512. Key rotations, DID updates, and anchoring events form an immutable timeline.
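One way the SHA-512 hash chain can work, as an added example in Go that is not agenthalo's ledger code. The event fields, the length-prefixed encoding and the all-zero genesis back-link are assumptions of the example.

```go
// Added example, not agenthalo's code: an append-only identity ledger whose events are
// hash-chained with SHA-512. Event fields and encoding are this example's assumptions.
package main

import (
	"bytes"
	"crypto/sha512"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Event is one identity-timeline entry: key rotation, DID update or anchoring.
type Event struct {
	Seq      uint64
	Kind     string
	Payload  string
	PrevHash []byte // hash of the previous event; all zeros for the first one
	Hash     []byte // SHA-512 over Seq, Kind, Payload and PrevHash
}

type Ledger struct{ Events []Event }

var genesisPrev = make([]byte, sha512.Size)

// digest binds every field with length prefixes, so moving bytes between Kind
// and Payload, or between neighbouring events, changes the hash.
func digest(seq uint64, kind, payload string, prev []byte) []byte {
	h := sha512.New()
	binary.Write(h, binary.BigEndian, seq)
	for _, f := range []string{kind, payload} {
		binary.Write(h, binary.BigEndian, uint32(len(f)))
		h.Write([]byte(f))
	}
	h.Write(prev)
	return h.Sum(nil)
}

// Append links a new event to the current head and returns it.
func (l *Ledger) Append(kind, payload string) Event {
	prev := genesisPrev
	if n := len(l.Events); n > 0 {
		prev = l.Events[n-1].Hash
	}
	e := Event{Seq: uint64(len(l.Events)), Kind: kind, Payload: payload, PrevHash: prev}
	e.Hash = digest(e.Seq, e.Kind, e.Payload, e.PrevHash)
	l.Events = append(l.Events, e)
	return e
}

// Verify replays the chain from genesis and returns the index of the first event whose
// sequence number, back-link or hash does not check out, or -1 if the timeline is intact.
func (l *Ledger) Verify() int {
	prev := genesisPrev
	for i, e := range l.Events {
		if e.Seq != uint64(i) || !bytes.Equal(e.PrevHash, prev) ||
			!bytes.Equal(e.Hash, digest(e.Seq, e.Kind, e.Payload, e.PrevHash)) {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// Head returns the hash an external anchor would commit to.
func (l *Ledger) Head() string {
	if len(l.Events) == 0 {
		return hex.EncodeToString(genesisPrev)
	}
	return hex.EncodeToString(l.Events[len(l.Events)-1].Hash)
}

func main() {
	var l Ledger
	l.Append("did-create", "did:example:placeholder")
	l.Append("key-rotation", "ed25519 -> key 02")
	l.Append("anchor", "twine anchor reference (placeholder)")
	fmt.Println("head:", l.Head()[:16], "first bad event:", l.Verify())
}
```

Verify returns the position of the first inconsistent event rather than a bare yes/no, so an edited payload, a dropped record or a swapped pair is located as well as flagged, and appending fresh, well-formed events after a break does not hide it.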
Twine Anchor
CURBy-Q triple-signed anchor binding the DID to external registries. Classical + PQ + time-lock signatures.
PQ-Gated EVM Signing
EVM transactions require dual-signature authorization (Ed25519 + ML-DSA-65) before the secp256k1 key signs. Two-cryptosystem barrier.
Encrypted Vault
Provider API keys, secrets, and sensitive configuration stored in AES-256-GCM encrypted files with Argon2 password-derived master keys.
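The at-rest encryption shared by the genesis material (step 6 of the ceremony, HKDF-SHA-256 derived key) and the vault above, as an added example in Go that is not agenthalo's code. Argon2 is outside Go's standard library, so the password-derived master key is an input here rather than computed; the file layout, the context labels and the AAD choice are assumptions of the example.

```go
// Added example, not agenthalo's code: AES-256-GCM at rest with an HKDF-SHA-256 derived
// key, for both the genesis file and vault files. The master key stands in for the
// Argon2 output (genesis) or HKDF input (vault); layout and labels are assumptions.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// hkdfSHA256 is RFC 5869 extract-then-expand.
func hkdfSHA256(ikm, salt, info []byte, n int) []byte {
	ext := hmac.New(sha256.New, salt)
	ext.Write(ikm)
	prk, out, t := ext.Sum(nil), []byte{}, []byte{}
	for i := byte(1); len(out) < n; i++ {
		m := hmac.New(sha256.New, prk)
		m.Write(t)
		m.Write(info)
		m.Write([]byte{i})
		t = m.Sum(nil)
		out = append(out, t...)
	}
	return out[:n]
}

// File layout: salt(16) || nonce(12) || ciphertext || tag(16). A fresh salt gives every
// file its own AES-256 key, so a nonce never repeats under one key; the context string
// ("genesis" or "vault") and the salt are authenticated as AAD.
const saltLen, nonceLen, tagLen = 16, 12, 16

func aeadFor(master, salt []byte, context string) (cipher.AEAD, error) {
	key := hkdfSHA256(master, salt, []byte("at-rest/"+context), 32)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func Seal(master []byte, context string, plaintext []byte) ([]byte, error) {
	hdr := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	salt, nonce := hdr[:saltLen], append([]byte(nil), hdr[saltLen:]...)
	aead, err := aeadFor(master, salt, context)
	if err != nil {
		return nil, err
	}
	aad := append([]byte(context), salt...)
	return aead.Seal(hdr, nonce, plaintext, aad), nil
}

func Open(master []byte, context string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen+tagLen {
		return nil, errors.New("sealed file too short")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	aead, err := aeadFor(master, salt, context)
	if err != nil {
		return nil, err
	}
	// Fails closed on a wrong master key, a wrong context or any modified byte.
	return aead.Open(nil, nonce, ct, append([]byte(context), salt...))
}

func main() {
	master := make([]byte, 32) // stand-in for the password-derived master key
	rand.Read(master)
	blob, _ := Seal(master, "vault", []byte(`{"provider_api_key":"placeholder"}`))
	pt, err := Open(master, "vault", blob)
	fmt.Println(string(pt), err)
}
```

Binding the context into both the HKDF info and the AAD means a vault file cannot be presented as the genesis file, or the reverse, even under the same master key; GCM's tag check rejects the swap the same way it rejects a flipped byte.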
Authentication Methods
| Method | Description |
|---|---|
| `agenthalo login github` | Opens browser for GitHub OAuth flow |
| `agenthalo login google` | Opens browser for Google OAuth flow |
| `agenthalo config set-key` | Interactive key entry (not exposed in shell history) |
| `export AGENTHALO_API_KEY=sk-...` | Takes precedence over saved credentials, useful for CI/CD |
Sovereign Identity for Every Agent
No central authority. No phone-home. Your agent's identity lives on your machine.
