AGNTCY Identity (Issuer CLI + Node Backend)
Use the identity CLI to create, manage, issue, and verify
decentralized agent identities and badges within the AGNTCY ecosystem.
This tool enables:
- Identity creation (Agents, MCP Servers, MASs)
- BYOID onboarding (e.g., Okta-based identities)
- Metadata generation
- Badge issuance & publishing
- Verifiable Credential (VC) verification
Requirements
- Docker Engine v27+
- Docker Compose v2.35+
- Okta CLI
- Ollama CLI
Core Commands
Vault Management
Manage cryptographic vaults and signing keys:
identity vault connect file -f ~/.identity/vault.json -v "My Vault"
identity vault key generate
Issuer Management
Register and manage issuer configurations:
identity issuer register -o "My Organization" -c "$CLIENTID" -s "$CLIENTSECRET" -u "$ISSUER_URL"
Metadata Management
Generate and manage identity metadata:
identity metadata generate -c "$CLIENTID" -s "$CLIENTSECRET" -u "$ISSUER_URL"
Badge Issuance
Issue and publish badges (Verifiable Credentials):
identity badge issue mcp -u -n "My MCP Server"
identity badge publish
Verification
Verify published badges:
identity verify -f vcs.json
Running the Node Backend
Start locally using Docker:
git clone cd identity
./deployments/scripts/identity/launch_node.sh
Or:
make start_node
Typical Workflow
1. Install CLI
2. Start Node Backend
3. Create vault + keys
4. Register Issuer
5. Generate metadata
6. Issue badge
7. Publish badge
8. Verify badge
Security notes (read before providing secrets)
- ~/.identity/vault.json can contain signing key material and should be treated as a high-value secret. Use a dedicated test vault for evaluation; do not reuse production keys.
- CLIENT_SECRET is a high-value secret. Only provide it after you have reviewed the code/binaries you will run and you are operating in a controlled environment.
- Avoid pasting secrets into chat, logs, tickets, or issue trackers. Prefer secure secret injection.
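The checks below are an added example, not part of the AGNTCY project or of this page's original text: a shell pre-flight that refuses to proceed when the vault file or its directory is accessible to other users, and that loads the client secret from a private file instead of typing it inline. The function names and the secret-file path in the usage comment are hypothetical.

```shell
# Added example (not AGNTCY project code): pre-flight checks for the vault
# file and client secret named on this page. Function names are hypothetical.

# Print permission bits in octal (GNU stat first, then BSD stat).
perm_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Succeed only if $1 is a non-symlink regular file (or a directory when $2
# is "dir"), owned by the current user, with no group/other permission bits.
is_private() {
    path=$1 kind=${2:-file}
    [ ! -L "$path" ] || { echo "refusing symlink: $path" >&2; return 1; }
    if [ "$kind" = dir ]; then [ -d "$path" ]; else [ -f "$path" ]; fi ||
        { echo "missing or wrong type: $path" >&2; return 1; }
    [ -O "$path" ] || { echo "not owned by current user: $path" >&2; return 1; }
    mode=$(perm_of "$path") || return 1
    [ $(( 0$mode & 077 )) -eq 0 ] ||
        { echo "too permissive ($mode): $path" >&2; return 1; }
}

# Check the vault file together with its parent directory.
check_vault() {
    is_private "$(dirname "$1")" dir && is_private "$1" file
}

# Read the first line of a private file into the variable named by $1, so
# the secret value never appears in shell history or in the script text.
load_secret() {
    var=$1 file=$2 value=
    case $var in ''|*[!A-Za-z0-9_]*) echo "bad variable name" >&2; return 1;; esac
    is_private "$file" file || return 1
    IFS= read -r value < "$file" || :   # last line may lack a newline
    [ -n "$value" ] || { echo "empty secret: $file" >&2; return 1; }
    eval "$var=\$value"
    unset value
}

# Usage (secret-file path is a hypothetical location):
#   check_vault "$HOME/.identity/vault.json" &&
#   load_secret CLIENTSECRET "$HOME/.identity/client_secret"
```

A value passed with -s still ends up in the process argument list, which other local users can read on many systems, so run the CLI on a host you control.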
Notes
- The CLI binary name is identity.
- Public issuer keys are exposed via:
/v1alpha1/issuer/{common_name}/.well-known/jwks.json
- Published VCs are accessible via:
/v1alpha1/vc/{metadata_id}/.well-known/vcs.json
- Supports Agents, MCP Servers, and MASs.
- Follows decentralized identity standards (e.g., W3C DIDs).