ClawKey — Verifiable Human Ownership
Register your agent under your human owner powered by VeryAI palm verification. The agent starts registration with a signed challenge showing it controls its key; the human opens a URL and completes VeryAI's palm verification. Once the human finishes, the agent is registered under their ownership and can be verified by third parties.
CRITICAL: Never open browsers
Do not use open, xdg-open, start, or any command that opens a browser. Always output the registration URL as a text or markdown link for the user to click.
- - WRONG: �INLINECODE3
- CORRECT: "Open this link to complete verification: https://api.very.org/oauth2/..."
Key files
| File | Purpose |
|---|
| SKILL.md | https://clawkey.ai/skill.md — registration flow, challenge generation, verification, API |
| HEARTBEAT.md |
https://clawkey.ai/heartbeat.md — periodic checklist: registration status, etc |
| Identity |
~/.openclaw/identity/device.json — OpenClaw deviceId and keys (do not send private key) |
Security
- - Private key: Used to sign the challenge. Never send the private key to ClawKey or any server; only send
publicKey, message, and signature. - Registration URL: Single-use and short-lived. Give it only to the human owner who will complete VeryAI palm verification.
- deviceId: Use a stable identifier (e.g. from your identity store or hash of public key). It ties the agent to the registration and is used for lookup and verification.
Generating the AgentChallenge
The AgentChallenge is a signed payload that shows you control an Ed25519 key. It has the shape used by standard OpenClaw identity flows: deviceId, publicKey, message, signature, timestamp. Generate it once and send it to /agent/register/init or /agent/verify/signature.
Where identity comes from (OpenClaw)
If you run on OpenClaw, device identity is stored at:
That file contains (never send privateKeyPem to any server):
| Field | Use |
|---|
| INLINECODE17 | Use as deviceId in the challenge. Stable id for this agent/device. |
| INLINECODE19 |
Use to derive
publicKey (see below). |
|
privateKeyPem | Use only locally to sign the message.
Never include in API requests. |
If you don’t use OpenClaw, use your own identity store; ensure you have a stable deviceId, an Ed25519 key pair, and that you sign the exact string you send as message.
Build the challenge (step-by-step)
- 1. Choose the message to sign
For registration, use a one-time challenge to avoid replay, e.g.:
-
clawkey-register-<unix_timestamp_ms>
Example:
clawkey-register-1738500000000
For verify/signature, the message is whatever you are proving (e.g. a nonce from a third party).
- 2. Sign the message with your Ed25519 private key. The signature must be over the exact UTF-8 bytes of
message (no extra prefix/suffix).
- 3. Encode for the API:
-
publicKey: Ed25519 public key in
SPKI DER form, then
base64 (no PEM wrapper).
-
signature: Raw Ed25519 signature bytes,
base64.
-
timestamp: Unix time in
milliseconds when the challenge was created (e.g.
Date.now()).
- 4. JSON body (AgentChallenge):
-
deviceId — from your identity (e.g.
device.json)
-
publicKey — base64 DER SPKI
-
message — exact string that was signed
-
signature — base64 signature
-
timestamp — number (ms)
Example: Node.js
CODEBLOCK0
Using a script
If you have a script that already produces an AgentChallenge (e.g. signs a message and outputs JSON with deviceId, publicKey, message, signature, timestamp), you can reuse it for ClawKey:
- 1. Generate a challenge string, e.g.
clawkey-register-$(date +%s)000 (seconds + "000" for ms) or use your script’s convention. - Run the script to sign that message and get the challenge JSON.
- POST that JSON to
https://api.clawkey.ai/v1/agent/register/init.
Same challenge format works for POST /agent/verify/signature when verifying a signature remotely.
Quick start
1. Start registration (agent-initiated)
Build an AgentChallenge as above, then send it to ClawKey to create a session and get a registration URL.
CODEBLOCK1
Response (201):
- -
sessionId — use to poll status - INLINECODE43� — output this as a link for the human; do not open it in a browser
- INLINECODE44� — session expiry (ISO 8601)
If the agent is already registered (deviceId exists), the API returns 409 Conflict.
2. Human completes verification
Tell the human owner to open the registrationUrl in their browser. They will go through VeryAI's palm verification via OAuth. When they finish, the agent is registered under their ownership.
3. Poll registration status
Poll until the human has completed or the session has expired:
CODEBLOCK2
Response: status is one of pending | completed | expired | failed. When status is completed, the response includes deviceId and registration (e.g. publicKey, registeredAt).
4. Verify signatures or look up an agent
- - Verify a signature — check that a message was signed by the given key and whether that agent is registered under a verified human:
CODEBLOCK3
Response: verified (signature valid), registered (agent under verified human).
- - Look up an agent by device id — get registration and verification status:
CODEBLOCK4
Response: registered, verified, and optionally registeredAt.
API reference
Base URL: https://api.clawkey.ai/v1
Local: �INLINECODE64
Endpoints
| Method | Endpoint | Auth | Description |
|---|
| POST | INLINECODE65 | None | Start registration session; returns sessionId, registrationUrl, expiresAt. |
| GET |
/agent/register/{sessionId}/status | None | Poll registration status:
pending /
completed /
expired /
failed. |
| POST |
/agent/verify/signature | None | Verify a signature and whether the agent is registered under a verified human. |
| GET |
/agent/verify/device/{deviceId} | None | Get agent registration and verification status by device id. |
Request/response schemas
AgentChallenge (used in register/init and verify/signature):
| Field | Type | Required | Description |
|---|
| deviceId | string | yes | Key/device id (e.g. public key hash or app id). |
| publicKey |
string | yes | Ed25519 public key, base64 DER SPKI. |
| message | string | yes | Exact message that was signed (e.g. challenge or nonce). |
| signature | string | yes | Ed25519 signature over message, base64. |
| timestamp | int64 | yes | Unix timestamp (ms) when the challenge was created. |
Register init response (201):
CODEBLOCK5
Register status response (200):
CODEBLOCK6
Verify signature response (200):
CODEBLOCK7
Device status response (200):
CODEBLOCK8
Error (4xx/5xx):
CODEBLOCK9
Error codes
| Code | Meaning |
|---|
| 400 | Bad request (invalid or missing fields). |
| 404 |
Session or device not found. |
| 409 | Agent already registered (device_id already exists). |
| 500 | Server error. |
What this proves
After registration and VeryAI verification:
- - Human ownership — The agent is bound to a human who passed palm verification.
- Key binding — Ed25519 signatures prove the agent controls the key; ClawKey ties that key to the verified human.
- Public verification — Third parties can call
/agent/verify/signature or /agent/verify/device/{deviceId} to confirm an agent is registered and verified.
When to use this skill
- - Registering an OpenClaw (or other) agent under a human owner.
- Proving to a third party that an agent is owned by a verified human (e.g. before granting access or privileges).
- Checking whether a given key or device is registered and verified.
Need help?
- - API base: https://api.clawkey.ai/v1
- Homepage: https://clawkey.ai
ClawKey — 可验证的人类所有权
通过VeryAI掌纹验证,将您的代理注册到人类所有者名下。代理首先使用签名的挑战来证明其控制着密钥;人类打开一个URL并完成VeryAI的掌纹验证。人类完成后,代理即注册到其名下,并可被第三方验证。
关键:切勿打开浏览器
不要使用 open、xdg-open、start 或任何打开浏览器的命令。始终以文本或Markdown链接的形式输出注册URL供用户点击。
- - 错误:open https://api.very.org/oauth2/...
- 正确:打开此链接完成验证:https://api.very.org/oauth2/...
关键文件
| 文件 | 用途 |
|---|
| SKILL.md | https://clawkey.ai/skill.md — 注册流程、挑战生成、验证、API |
| HEARTBEAT.md |
https://clawkey.ai/heartbeat.md — 定期检查清单:注册状态等 |
| Identity | ~/.openclaw/identity/device.json — OpenClaw设备ID和密钥(请勿发送私钥) |
安全
- - 私钥:用于签署挑战。切勿将私钥发送给ClawKey或任何服务器;仅发送 publicKey、message 和 signature。
- 注册URL:一次性使用且有效期短。仅提供给将完成VeryAI掌纹验证的人类所有者。
- deviceId:使用稳定的标识符(例如来自身份存储或公钥的哈希值)。它将代理与注册绑定,用于查找和验证。
生成AgentChallenge
AgentChallenge 是一个签名后的负载,证明您控制着一个Ed25519密钥。它采用标准OpenClaw身份流程的形状:deviceId、publicKey、message、signature、timestamp。生成一次后发送到 /agent/register/init 或 /agent/verify/signature。
身份来源(OpenClaw)
如果您在OpenClaw上运行,设备身份存储在:
- - 路径: ~/.openclaw/identity/device.json
该文件包含(切勿将 privateKeyPem 发送给任何服务器):
| 字段 | 用途 |
|---|
| deviceId | 用作挑战中的 deviceId。该代理/设备的稳定ID。 |
| publicKeyPem |
用于派生 publicKey(见下文)。 |
| privateKeyPem | 仅在本地用于签署消息。
切勿包含在API请求中。 |
如果您不使用OpenClaw,请使用您自己的身份存储;确保您有稳定的 deviceId、Ed25519密钥对,并且您签署了作为 message 发送的确切字符串。
构建挑战(分步)
- 1. 选择要签署的消息
对于注册,使用一次性挑战以避免重放,例如:
- clawkey-register-
timestampms>
示例:clawkey-register-1738500000000
对于verify/signature,消息是您要证明的任何内容(例如来自第三方的nonce)。
- 2. 使用您的Ed25519私钥签署消息。签名必须基于 message 的确切UTF-8字节(无额外前缀/后缀)。
- 3. 为API编码:
- publicKey:Ed25519公钥,采用SPKI DER格式,然后进行base64编码(无PEM包装)。
- signature:原始Ed25519签名字节,base64编码。
- timestamp:创建挑战时的Unix时间戳(毫秒)(例如 Date.now())。
- 4. JSON主体(AgentChallenge):
- deviceId — 来自您的身份(例如 device.json)
- publicKey — base64编码的DER SPKI
- message — 被签署的确切字符串
- signature — base64编码的签名
- timestamp — 数字(毫秒)
示例:Node.js
javascript
const crypto = require(crypto);
const fs = require(fs);
const identityPath = ${process.env.HOME}/.openclaw/identity/device.json;
const identity = JSON.parse(fs.readFileSync(identityPath, utf8));
const message = clawkey-register-${Date.now()};
const privateKey = crypto.createPrivateKey(identity.privateKeyPem);
const signature = crypto.sign(null, Buffer.from(message, utf8), privateKey);
const publicKeyDer = crypto
.createPublicKey(identity.publicKeyPem)
.export({ type: spki, format: der });
const challenge = {
deviceId: identity.deviceId,
publicKey: publicKeyDer.toString(base64),
message,
signature: signature.toString(base64),
timestamp: Date.now(),
};
// POST challenge to https://api.clawkey.ai/v1/agent/register/init
使用脚本
如果您有一个已经生成AgentChallenge的脚本(例如签署消息并输出包含 deviceId、publicKey、message、signature、timestamp 的JSON),您可以将其重用于ClawKey:
- 1. 生成一个挑战字符串,例如 clawkey-register-$(date +%s)000(秒 + 000 表示毫秒)或使用您脚本的约定。
- 运行脚本签署该消息并获取挑战JSON。
- 将该JSON POST到 https://api.clawkey.ai/v1/agent/register/init。
相同的挑战格式适用于远程验证签名时的 POST /agent/verify/signature。
快速开始
1. 开始注册(代理发起)
按上述方法构建AgentChallenge,然后将其发送到ClawKey以创建会话并获取注册URL。
bash
curl -X POST https://api.clawkey.ai/v1/agent/register/init \
-H Content-Type: application/json \
-d {
deviceId: my-agent-device-id,
publicKey: ,
message: clawkey-register-1738500000000,
signature: ,
timestamp: 1738500000000
}
响应(201):
- - sessionId — 用于轮询状态
- registrationUrl — 将其作为链接输出给人类;不要用浏览器打开它
- expiresAt — 会话过期时间(ISO 8601)
如果代理已注册(deviceId 已存在),API返回 409 Conflict。
2. 人类完成验证
告诉人类所有者在其浏览器中打开 registrationUrl。他们将通过OAuth完成VeryAI的掌纹验证。完成后,代理即注册到其名下。
3. 轮询注册状态
轮询直到人类完成或会话过期:
bash
curl https://api.clawkey.ai/v1/agent/register/SESSION_ID/status
响应: status 为 pending | completed | expired | failed 之一。当 status 为 completed 时,响应包含 deviceId 和 registration(例如 publicKey、registeredAt)。
4. 验证签名或查找代理
- - 验证签名 — 检查消息是否由给定密钥签署,以及该代理是否注册在已验证的人类名下:
bash
curl -X POST https://api.clawkey.ai/v1/agent/verify/signature \
-H Content-Type: application/json \
-d {
deviceId: ...,
publicKey: ...,
message: ...,
signature: ...,
timestamp: 1738500000000
}
响应:verified(签名有效),registered(代理在已验证的人类名下)。
bash
curl https://api.clawkey.ai/v1/agent/verify/device/DEVICE_ID
响应:registered、verified,以及可选的 registeredAt。
API参考
基础URL: https://api.clawkey.ai/v1
本地: http://localhost:3000/v1
端点
| 方法 | 端点 | 认证 | 描述 |
|---|
| POST | /agent/register/init | 无 | 开始注册会话;返回 sessionId、registrationUrl、expiresAt。 |
| GET |
/agent/register/{sessionId}/status | 无
