AID Format & DID Method

Method Syntax

The did:idprova: method follows the W3C DID Core syntax:

did-idprova        = "did:idprova:" method-specific-id
method-specific-id = authority ":" agent-name
authority          = domain / org-id
domain             = 1*( ALPHA / DIGIT / "." / "-" )
org-id             = 1*( ALPHA / DIGIT / "-" )
agent-name         = 1*( ALPHA / DIGIT / "-" / "_" )

Examples:

did:idprova:example.com:kai-lead-agent
did:idprova:example.com:pratyush
did:idprova:techblaze.com.au:registry-agent
did:idprova:localhost:dev-agent-01
did:idprova:192-168-1-100:local-agent

Authority Component

The authority identifies the namespace owner. For domain-verified agents (L1+), this MUST be a domain name the controller can prove ownership of via DNS TXT records. For unverified agents (L0), any syntactically valid authority is accepted.

Agent Name Component

The agent name is a locally unique identifier within the authority namespace. Agent names MUST be lowercase and match the pattern [a-z0-9][a-z0-9_-]*. The maximum length of the full DID is 256 characters.

Reserved Agent Names

Name	Purpose
`_registry`	Namespace registry agent
`_admin`	Administrative operations
`_root`	Root identity for the namespace

DID Document Structure

An IDProva DID Document is a valid W3C DID Document with IDProva-specific extensions:

{
  "@context": [
    "https://www.w3.org/ns/did/v1",
    "https://w3id.org/security/suites/ed25519-2020/v1",
    "https://idprova.dev/v1"
  ],
  "id": "did:idprova:example.com:kai-lead-agent",
  "controller": "did:idprova:example.com:pratyush",
  "created": "2026-02-24T00:00:00Z",
  "updated": "2026-02-24T00:00:00Z",
  "verificationMethod": [
    {
      "id": "did:idprova:example.com:kai-lead-agent#key-ed25519-1",
      "type": "Ed25519VerificationKey2020",
      "controller": "did:idprova:example.com:kai-lead-agent",
      "publicKeyMultibase": "z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK"
    },
    {
      "id": "did:idprova:example.com:kai-lead-agent#key-mldsa65-1",
      "type": "MLDSA65VerificationKey2024",
      "controller": "did:idprova:example.com:kai-lead-agent",
      "publicKeyMultibase": "z2Drjgb4TxNYuSiDBqd7pJAn5MfgF1YfNfsaHH3gZXQxqR7kW..."
    }
  ],
  "authentication": [
    "did:idprova:example.com:kai-lead-agent#key-ed25519-1",
    "did:idprova:example.com:kai-lead-agent#key-mldsa65-1"
  ],
  "assertionMethod": [
    "did:idprova:example.com:kai-lead-agent#key-ed25519-1",
    "did:idprova:example.com:kai-lead-agent#key-mldsa65-1"
  ],
  "capabilityDelegation": [
    "did:idprova:example.com:kai-lead-agent#key-ed25519-1"
  ],
  "service": [
    {
      "id": "did:idprova:example.com:kai-lead-agent#idprova-metadata",
      "type": "IDProvaAgentMetadata",
      "serviceEndpoint": {
        "name": "Kai Lead Agent",
        "description": "Primary orchestration agent for OpenClaw",
        "model": "anthropic/claude-opus-4",
        "runtime": "openclaw/v2.1",
        "configAttestation": "blake3:a1b2c3d4e5f67890...",
        "trustLevel": "L1",
        "capabilities": [
          "mcp:tool-call",
          "mcp:resource-read",
          "idprova:delegate"
        ],
        "maxDelegationDepth": 3
      }
    }
  ],
  "proof": {
    "type": "Ed25519Signature2020",
    "created": "2026-02-24T00:00:00Z",
    "verificationMethod": "did:idprova:example.com:pratyush#key-ed25519-1",
    "proofPurpose": "assertionMethod",
    "proofValue": "z3FXQjecWg3dBGZBCY9KJTA..."
  }
}

Required Properties

Property	Description
`@context`	MUST include the W3C DID v1 context and the IDProva v1 context.
`id`	The `did:idprova:` DID for this agent.
`controller`	The DID of the entity that controls this agent. MAY be the same as `id` for self-sovereign agents.
`verificationMethod`	MUST contain at least one Ed25519 key. SHOULD contain at least one ML-DSA-65 key.
`authentication`	MUST reference at least one verification method.

Optional Properties

Property	Description
`created`	ISO 8601 timestamp of document creation.
`updated`	ISO 8601 timestamp of last update.
`assertionMethod`	Keys authorised to make assertions (sign receipts).
`capabilityDelegation`	Keys authorised to issue DATs.
`service`	Agent metadata and other service endpoints.
`proof`	Proof of document integrity by the controller.

Agent Metadata Service Extension

The IDProvaAgentMetadata service type carries agent-specific information within the DID Document:

{
  "id": "#idprova-metadata",
  "type": "IDProvaAgentMetadata",
  "serviceEndpoint": {
    "name": "<string, REQUIRED>",
    "description": "<string, OPTIONAL>",
    "model": "<string, OPTIONAL>",
    "runtime": "<string, OPTIONAL>",
    "configAttestation": "<string, OPTIONAL>",
    "trustLevel": "<string, REQUIRED>",
    "capabilities": ["<string, ...>"],
    "maxDelegationDepth": "<integer, OPTIONAL>",
    "parentAgent": "<DID, OPTIONAL>",
    "organisationDID": "<DID, OPTIONAL>"
  }
}

Field	Type	Required	Description
`name`	string	Yes	Human-readable name. Max 128 characters.
`description`	string	No	Human-readable description. Max 1024 characters.
`model`	string	No	AI model identifier in `vendor/model-name` format.
`runtime`	string	No	Runtime platform in `platform/version` format.
`configAttestation`	string	No	Hash of agent configuration: `algorithm:hex-digest`.
`trustLevel`	string	Yes	Current trust level: `L0`, `L1`, `L2`, `L3`, or `L4`.
`capabilities`	array	No	List of capability strings the agent declares.
`maxDelegationDepth`	integer	No	Maximum delegation chain depth. Default: 5.
`parentAgent`	DID	No	DID of the parent agent if this is a sub-agent.
`organisationDID`	DID	No	DID of the organisation this agent belongs to.

Config Attestation Format

The configAttestation field enables configuration drift detection. It uses a hash of the agent’s active configuration serialized via JSON Canonicalization Scheme (JCS, RFC 8785):

configAttestation = algorithm ":" hex-digest
algorithm         = "blake3" / "sha256"
hex-digest        = 64HEXDIG

If an agent’s configuration changes (different system prompt, new tools, updated model), the hash changes. Verifiers can detect this and make trust decisions accordingly.

CRUD Operations

Controller: did:idprova:example.com:alice
Creates:    did:idprova:example.com:alice (self)
Proof:      Signed by alice's own key

Controller: did:idprova:example.com:alice
Creates:    did:idprova:example.com:alice-assistant
Proof:      Signed by alice's key (controller assertion)

Steps:

Generate an Ed25519 key pair.
Generate an ML-DSA-65 key pair (RECOMMENDED).
Construct the DID Document per the structure above.
If the agent has a controller different from itself, the controller MUST sign the proof field.
Register with a registry or publish at the well-known endpoint.

Update

Retrieve the current DID Document.
Modify the desired fields.
Increment the updated timestamp.
The controller MUST sign a new proof over the updated document.
Submit to the registry.

Key Rotation: New keys MUST be added before old keys are removed. The addition is signed by the old key; the removal is signed by the new key. This ensures continuity of control.

Step 1: Add new key (signed by old key)    → Document has [old-key, new-key]
Step 2: Remove old key (signed by new key) → Document has [new-key]

Deactivate

Set deactivated: true, remove all keys and services:

{
  "@context": [
    "https://www.w3.org/ns/did/v1",
    "https://idprova.dev/v1"
  ],
  "id": "did:idprova:example.com:retired-agent",
  "controller": "did:idprova:example.com:alice",
  "deactivated": true,
  "updated": "2026-06-01T00:00:00Z"
}

Resolvers MUST check the deactivated flag. A deactivated DID MUST NOT be used for authentication, delegation, or signing.

Resolution

DID Document resolution follows a layered strategy:

Resolution Order

Local cache — Check the local DID Document cache (respecting TTL).
Well-known endpoint — https://{authority}/.well-known/did/idprova/{agent-name}/did.json
Registry lookup — GET /v1/identities/{did}
Universal resolver — Fall back to a DID Universal Resolver if configured.

Well-Known Endpoint

For did:idprova:example.com:kai-lead-agent, the resolver requests:

GET https://example.com/.well-known/did/idprova/kai-lead-agent/did.json

The response MUST be a valid DID Document with Content-Type: application/did+json.

Resolution Metadata

Resolvers return metadata alongside the DID Document:

{
  "didDocument": { "..." },
  "didResolutionMetadata": {
    "contentType": "application/did+json",
    "retrieved": "2026-02-24T12:00:00Z",
    "resolverVersion": "idprova-resolver/0.1.0"
  },
  "didDocumentMetadata": {
    "created": "2026-02-24T00:00:00Z",
    "updated": "2026-02-24T00:00:00Z",
    "deactivated": false,
    "versionId": "3",
    "nextUpdate": "2026-03-24T00:00:00Z"
  }
}

Next Steps

Cryptography — Ed25519 + ML-DSA-65 hybrid signature scheme
DAT Structure & Scopes — Delegation token format and scope grammar
Identity (Concepts) — High-level overview of agent identity