Archon Keymaster - Core DID Toolkit

Core toolkit for Archon decentralized identities (DIDs). Manages identity lifecycle, encrypted communication, cryptographic operations, and authorization.

Related skills:

• - archon-vault — Vault management and encrypted distributed backups
• INLINECODE1 — Cashu ecash with DID-locked tokens

Capabilities

• - Identity Management - Create, manage multiple DIDs, recover from mnemonic
• Verifiable Credentials - Create schemas, issue/accept/revoke credentials
• Encrypted Messaging (Dmail) - Send/receive end-to-end encrypted messages between DIDs
• Nostr Integration - Derive Nostr keypairs from your DID (same secp256k1 key)
• File Encryption - Encrypt files for specific DIDs
• Digital Signatures - Sign and verify files with your DID
• DID Aliasing - Friendly names for DIDs (contacts, schemas, credentials)
• Authorization - Challenge/response verification between DIDs
• Groups - Create and manage DID groups for access control and multi-party operations
• Polls - Cryptographic voting with transparent or secret ballots
• Assets - Store and retrieve content-addressed assets in the registry

Prerequisites

• - Node.js installed (for npx @didcid/keymaster)
• Environment: ~/.archon.env with:

- ARCHON_WALLET_PATH - path to your wallet file (required) - ARCHON_PASSPHRASE - wallet encryption passphrase (required) - ARCHON_GATEKEEPER_URL - gatekeeper endpoint (optional, defaults to public)

• - All created automatically by INLINECODE7

Security Notes

This skill handles cryptographic identity operations:

1. 1. Passphrase in environment: ARCHON_PASSPHRASE is stored in ~/.archon.env for non-interactive script execution. The file should be chmod 600.

1. 2. Sensitive files accessed:

- ~/.archon.wallet.json — encrypted wallet containing DID private keys - ~/.archon.env — wallet encryption passphrase

1. 3. Network: Data is encrypted before transmission to Archon gatekeeper/hyperswarm. Only intended recipients can decrypt.

1. 4. Key recovery: Your 12-word mnemonic is the master recovery key. Store it offline, never in digital form.

Quick Start

First-Time Setup

CODEBLOCK0

Creates your first DID, generates passphrase, saves to ~/.archon.env.

• - Default wallet location: INLINECODE14
• You can specify a custom path: INLINECODE15
• Write down your 12-word mnemonic - it's your master recovery key.

Load Environment

All scripts require ~/.archon.env to be configured. Simply run:

CODEBLOCK1

The environment file sets ARCHON_WALLET_PATH and ARCHON_PASSPHRASE. Scripts will error if these are not set.

Identity Management

Create Additional Identity

CODEBLOCK2

Create pseudonymous personas or role-separated identities (all share same mnemonic).

List All DIDs

CODEBLOCK3

Switch Active Identity

CODEBLOCK4

Recovery

For disaster recovery and vault restore operations, see the archon-backup skill.

Verifiable Credential Schemas

Create and manage schemas for verifiable credentials.

Create Schema

CODEBLOCK5

Create a credential schema from a JSON file.

Example schema (proof-of-human.json):
CODEBLOCK6

CODEBLOCK7

List Your Schemas

CODEBLOCK8

Lists all schemas you own.

Get Schema

CODEBLOCK9

Retrieve schema definition by DID or alias.

Verifiable Credentials

Issue, accept, and manage verifiable credentials.

Issuing Credentials (3-step process)

1. Bind Credential to Subject

CODEBLOCK10

Creates a bound credential template file for the subject.

Example:
CODEBLOCK11

2. Fill in Credential Data

Edit the .BOUND.json file and fill in the credentialSubject data:

CODEBLOCK12

3. Issue Credential

CODEBLOCK13

Signs and encrypts the credential. Returns the credential DID. The underlying @didcid/keymaster command may save output files - refer to Keymaster documentation for exact file output behavior.

Example:
CODEBLOCK14

Accepting Credentials

CODEBLOCK15

Accept and save a credential issued to you.

Example:
CODEBLOCK16

Managing Credentials

List Your Credentials

CODEBLOCK17

Lists all credentials you've received.

List Issued Credentials

CODEBLOCK18

Lists all credentials you've issued to others.

Get Credential

CODEBLOCK19

Retrieve full credential details.

Publishing & Revoking

Publish Credential

CODEBLOCK20

Add credential to your public DID manifest (makes it visible to others).

Revoke Credential

CODEBLOCK21

Revoke a credential you issued (invalidates it).

Complete Example: Issuing Proof-of-Human

CODEBLOCK22

Encrypted Messaging (Dmail)

End-to-end encrypted messages between DIDs with attachment support.

Send Message

CODEBLOCK23

Examples:
CODEBLOCK24

Check Inbox

CODEBLOCK25

Read Message

CODEBLOCK26

Reply/Forward/Archive

CODEBLOCK27

Attachments

CODEBLOCK28

Nostr Integration

Derive Nostr identity from your DID - same secp256k1 key, two protocols.

Prerequisites

Install nak CLI:
CODEBLOCK29

Derive Nostr Keys

CODEBLOCK30

Outputs nsec, npub, and hex pubkey (derived from m/44'/0'/0'/0/0).

Save Keys

CODEBLOCK31

Publish Nostr Profile

CODEBLOCK32

Update DID with Nostr Identity

CODEBLOCK33

File Encryption & Signatures

Encrypt Files

CODEBLOCK34

Returns encrypted DID (stored on-chain/IPFS). Only recipient can decrypt.

Decrypt Files

CODEBLOCK35

Sign Files (Proof of Authorship)

CODEBLOCK36

Important: File must be JSON. Adds proof section with signature.

Verify Signatures

CODEBLOCK37

Shows who signed it, when, and whether content was tampered with.

DID Aliasing

Friendly names for DIDs - use "alice" instead of INLINECODE28

Add Alias

CODEBLOCK38

Examples:
CODEBLOCK39

Resolve Alias

CODEBLOCK40

Pass-through safe (returns DID unchanged if you pass a DID).

List/Remove Aliases

CODEBLOCK41

Note: Aliases work in most Keymaster commands and all encryption/messaging scripts.

Asset Management

Store and retrieve assets (files, images, documents, JSON data) in the distributed registry. Assets are content-addressed (DIDs) and support binary data via base64 encoding.

List Assets

CODEBLOCK42

Lists all asset DIDs in the registry.

Create Assets

From JSON Data (inline)

CODEBLOCK43

From JSON File

CODEBLOCK44

From File (any type)

CODEBLOCK45

Encodes file as base64 with metadata (filename, content-type).

From Image

CODEBLOCK46

Auto-detects image type (png/jpg/gif/webp/svg) and encodes with metadata.

Retrieve Assets

Get Asset (raw JSON)

CODEBLOCK47

Returns raw asset data.

Get Asset as JSON

CODEBLOCK48

Pretty-prints asset data.

Get File Asset

CODEBLOCK49

Decodes base64 and saves to disk. Auto-detects filename if no output path provided.

Get Image Asset

CODEBLOCK50

Decodes base64 and saves image. Auto-detects filename if no output path provided.

Update Assets

Update with JSON Data

CODEBLOCK51

Update with JSON File

CODEBLOCK52

Update with File

CODEBLOCK53

Update with Image

CODEBLOCK54

Transfer Assets

CODEBLOCK55

Transfer asset ownership to another DID.

Use Cases

• - Skill Packages: Store SKILL.md + scripts as signed assets
• Profile Media: Avatar images, banners
• Documents: PDFs, markdown files, archives
• Data Sets: JSON datasets, configuration files
• Shared Resources: Transfer assets between DIDs for collaboration

Groups

Manage collections of DIDs for access control, multi-party operations, and organizational structure.

Create Group

CODEBLOCK56

Creates a group and automatically aliases it by name.

Examples:
CODEBLOCK57

Add/Remove Members

CODEBLOCK58

Examples:
CODEBLOCK59

List Groups

CODEBLOCK60

Lists all groups owned by your current identity.

Get Group Details

CODEBLOCK61

Shows group metadata and membership.

Test Membership

CODEBLOCK62

If member is omitted, tests whether your current identity is in the group.

Examples:
CODEBLOCK63

Use Cases

• - Access control - Encrypt files for a group, all members can decrypt
• Team management - Organize DIDs by role or project
• Multi-party workflows - Define who can participate in group operations

Authorization

Challenge/response flow for verifying a DID controls its private key. Used for agent-to-agent authentication, access control, and proof-of-identity workflows.

Create a Challenge

CODEBLOCK64

Output: a challenge DID (e.g., did:cid:bagaaiera...) that the responder must sign.

Create a Response

CODEBLOCK65

Output: a response DID containing a signed proof.

Verify a Response

CODEBLOCK66

Output:
CODEBLOCK67

INLINECODE30 means the response is valid and cryptographically verified.

Complete Authorization Flow

CODEBLOCK68

Polls

Cryptographically verifiable voting with support for transparent or secret ballots. Voters are added directly to polls (no separate roster required).

Create Poll Template

CODEBLOCK69

Outputs a v2 template JSON:
CODEBLOCK70

Create Poll

CODEBLOCK71

Creates a poll from a JSON template file. Returns poll DID.

Options:

• - --alias TEXT - DID alias for the poll
• INLINECODE32 - Registry URL (default: hyperswarm)

Example:
CODEBLOCK72

Manage Voters

Add, remove, or list eligible voters for a poll:

CODEBLOCK73

Vote in Poll

CODEBLOCK74

Cast a vote in a poll. Returns a ballot DID.

Arguments:

• - poll-did - DID of the poll
• INLINECODE34 - Vote number: 0 = spoil, 1-N = option index

Examples:
CODEBLOCK75

Ballot Workflow

For distributed voting (voters not directly connected to poll owner):

CODEBLOCK76

Send Poll Notice

Notify all voters about a poll:

CODEBLOCK77

Creates a notice DID that voters can use to find and vote in the poll.

View Poll

CODEBLOCK78

View poll details including options (with indices), deadline, and (if published) results.

Publish Poll Results

Two options for publishing results:

Secret ballots (default):

./scripts/polls/publish-poll.sh <poll-did>

Publishes aggregate results while hiding individual votes.

Transparent ballots:

./scripts/polls/reveal-poll.sh <poll-did>

Publishes results with individual ballots visible (who voted for what).

Unpublish Poll Results

CODEBLOCK81

Remove published results from a poll.

Complete Polling Example

CODEBLOCK82

Use Cases

• - Governance decisions - DAO-style voting with verifiable results
• Team consensus - Anonymous feedback or transparent decision-making
• Multi-agent coordination - Agents voting on shared resources
• Access control - Voting to add/remove group members

Advanced Usage

Multiple Identities (Pseudonymous Personas)

CODEBLOCK83

Use cases:

• - Separate personal/work identities
• Anonymous participation
• Role-based access control

Dmail Message Format

Dmails are JSON:
CODEBLOCK84

Direct Keymaster commands:
CODEBLOCK85

Signature Verification

Signed files include proof:
CODEBLOCK86

Security Notes

Cryptographic Security

• - Mnemonic is master key - Store offline, write down, never digital
• Passphrase encrypts wallet - Protects wallet.json on disk
• Aliases are local - Not shared, fully decentralized
• Dmail is end-to-end encrypted - Only sender/recipients can read
• Signatures are non-repudiable - Can't deny creating valid signature
• Backups persist - As long as any hyperswarm node retains them

Data Access Disclosure

This skill accesses sensitive data by design:

Data	Scripts	Purpose
INLINECODE35	All scripts	Contains encrypted private keys
INLINECODE36

All scripts | Contains ARCHON_PASSPHRASE for non-interactive use |
| ~/.clawstr/secret.key | Nostr scripts | Stores derived Nostr private key |

Environment Variables

The following are set in ~/.archon.env:

• - ARCHON_WALLET_PATH - Path to wallet file
• INLINECODE41 - Wallet decryption passphrase (sensitive!)
• INLINECODE42 - Optional, defaults to public gatekeeper

Important: ~/.archon.env contains your passphrase in plaintext for script automation. Ensure:
CODEBLOCK87

Network Transmission

Scripts connect to:

• - https://archon.technology - Public gatekeeper (default)
• INLINECODE45 - Local gatekeeper (if configured)
• Hyperswarm DHT - Distributed storage network

All transmitted data is encrypted. No plaintext secrets leave your machine

Troubleshooting

Wallet/Passphrase Issues

"Cannot read wallet":
CODEBLOCK88

"Permission denied":
CODEBLOCK89

Encryption/Signing

"Cannot decrypt":

• - Ensure message was encrypted for YOUR DID
• Check passphrase is correct

"Signature verification failed":

• - File modified after signing
• Signer's DID may be revoked

Dmail

"Messages not arriving":
CODEBLOCK90

"Recipient can't decrypt":

• - Use correct recipient DID (not alias on their side)

References

• - Archon documentation: https://github.com/archetech/archon
• Keymaster reference: https://github.com/archetech/archon/tree/main/keymaster
• W3C DID specification: https://www.w3.org/TR/did-core/