CLI Commands

idprova keygen

Generate a new Ed25519 keypair.

idprova keygen [--output <path>]

Flag	Description
--output, -o	File path to save the secret key (default: stdout)

Output: Hex-encoded secret key and multibase-encoded public key.

Secret key (hex): 4a3b2c1d...
Public key (multibase): z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK

---

idprova aid create

Create and sign an Agent Identity Document.

idprova aid create \
  --id <did> \
  --controller <did> \
  --key <path> \
  [--name <name>] \
  [--description <desc>] \
  [--model <model>] \
  [--runtime <runtime>] \
  [--trust-level <level>] \
  [--output <path>]

Flag	Required	Description
--id	Yes	DID identifier (e.g., did:idprova:example.com:my-agent)
--controller	Yes	Controller DID
--key	Yes	Path to Ed25519 secret key file
--name	No	Human-readable agent name
--description	No	Agent description
--model	No	AI model identifier (e.g., anthropic/claude-opus-4)
--runtime	No	Runtime environment identifier
--trust-level	No	Trust level: L0, L1, L2, L3, L4 (default: L0)
--output, -o	No	Output file path (default: stdout as JSON)

Output: W3C DID Document as JSON with verification methods, authentication, and agent metadata service extension.

---

idprova aid verify

Validate an AID document from a JSON file.

idprova aid verify <file>

Argument	Description
<file>	Path to the AID JSON file

Checks: DID format, required fields, key encoding, metadata structure.

---

idprova aid resolve

Resolve an AID from a registry.

idprova aid resolve <did>

Argument	Description
<did>	DID to resolve (e.g., did:idprova:example.com:my-agent)

Note

Registry resolution requires a running IDProva registry. Set the IDPROVA_REGISTRY environment variable to your registry URL.

---

idprova dat issue

Issue a signed Delegation Attestation Token.

idprova dat issue \
  --issuer <did> \
  --subject <did> \
  --scope <scopes> \
  --expires-in <duration> \
  --key <path>

Flag	Required	Description
--issuer	Yes	Issuer DID (the delegator)
--subject	Yes	Subject DID (the delegatee)
--scope	Yes	Comma-separated scope strings (e.g., mcp:tool:*:read,mcp:resource:docs:write)
--expires-in	Yes	Expiry duration: 1h, 24h, 7d, etc.
--key	Yes	Path to issuer’s Ed25519 secret key

Output: JWS compact serialization string.

Scope format: namespace:resource:action — see Scope Grammar.

---

idprova dat verify

Verify a DAT’s timing and claims.

idprova dat verify <token>

Argument	Description
<token>	JWS compact serialization string

Checks: Algorithm (EdDSA required), timing (not expired, not before valid), claim structure, scope format.

---

idprova dat inspect

Decode and pretty-print a DAT without verification.

idprova dat inspect <token>

Argument	Description
<token>	JWS compact serialization string

Output: Formatted JSON showing header, claims (issuer, subject, scope, jti, expiry), and signature info.

---

idprova receipt verify

Verify the hash chain integrity of a receipt log.

idprova receipt verify <file>

Argument	Description
<file>	Path to JSONL receipt log file

Checks: Genesis hash, sequential chain integrity (each receipt’s previous_hash matches the hash of the prior entry), hash algorithm consistency.

---

idprova receipt stats

Display statistics about a receipt log.

idprova receipt stats <file>

Argument	Description
<file>	Path to JSONL receipt log file

Output: Total entry count, action type breakdown, time range, agent DIDs referenced.

---

Global Options

Flag	Description
--help, -h	Show help for any command
--version, -V	Show version information

Exit Codes

Code	Meaning
0	Success
1	Validation error (invalid AID, expired DAT, broken chain)
2	I/O error (file not found, permission denied)

Next Steps

• CLI Usage Guide — Common workflows and CI/CD integration
• Registry API — REST API for the registry server