Decentralized Identity (DID) and Verifiable Credentials management system for AI Agents, built on W3C DID Core and W3C Verifiable Credentials standards.
📋 Overview
Identity Trust provides a complete solution for decentralized identity management, enabling AI agents to:
- Create and manage Decentralized Identifiers (DIDs)
- Issue and verify W3C-compliant Verifiable Credentials
- Establish trust relationships between agents
- Manage cryptographic keys securely
- Store identity data locally with privacy
📦 Installation
Step 1: Install the Package
Option A: Via npm (Recommended)
# Install globally for CLI access
npm install -g openclaw-identity-trust
# Verify installation
identity-trust --version
Option B: From GitHub
# Clone repository
git clone https://github.com/ZhenRobotics/openclaw-identity-trust.git
cd openclaw-identity-trust
# Install dependencies
npm install
# Build
npm run build
Step 2: Verify Installation
# Check CLI is working
identity-trust info
# Create your first DID
identity-trust did create
🚀 Usage
When to Use This Skill
AUTO-TRIGGER when user's message contains:
- Keywords: DID, verifiable credential, identity, trust, decentralized identity
- Asks about creating or managing digital identities
- Needs to verify credentials or establish trust
- Wants to implement W3C DID/VC standards
- Building agent authentication systems
TRIGGER EXAMPLES:
- "Create a DID for my AI agent"
- "Issue a verifiable credential"
- "How do I verify this credential?"
- "Set up decentralized identity for authentication"
- "Evaluate trust level of this agent"
DO NOT USE when:
- Only general identity/password management (use password managers)
- OAuth/SAML authentication (use standard auth libraries)
- Simple user accounts (use traditional databases)
🎯 Core Features
1. DID Management
- did:key - Self-contained, no registry needed
- did:web - Web-hosted DIDs for public verification
- did:ethr - Ethereum-based DIDs (basic support)
2. Verifiable Credentials
- W3C VC Data Model 1.1 compliant
- Ed25519 and secp256k1 signatures
- Expiration date management
- Custom claims support
3. Trust Evaluation
- Policy-based trust scoring
- Credential verification
- Issuer trust chains
- Reputation systems
4. Security
- Ed25519 modern cryptography (default)
- secp256k1 Ethereum-compatible signatures
- Local key storage at ~/.openclaw/identity/
- No external key dependencies
💻 Tools
This skill provides 6 core tools for AI agents:
1. did_create - Create Decentralized Identifiers
Create a new DID for an agent or entity.
Parameters:
method (string, optional): DID method - key, web, or ethr (default: key)
keyType (string, optional): Cryptographic key type - Ed25519 or secp256k1 (default: Ed25519)
save (boolean, optional): Save to local storage (default: true)
Returns:
did (string): The generated DID identifier
document (object): Complete DID Document
Example:
identity-trust did create --method key --key-type Ed25519
2. did_resolve - Resolve DIDs to Documents
Resolve a DID to its DID Document.
Parameters:
did (string, required): DID to resolve (e.g., did:key:z6Mkf...)
Returns:
document (object): DID Document with verification methods
Example:
identity-trust did resolve did:key:z6MkfzZZD5gxQ...
3. vc_issue - Issue Verifiable Credentials
Issue a W3C-compliant verifiable credential.
Parameters:
issuerDid (string, required): Issuer's DID
subjectDid (string, required): Subject's DID
claims (object, required): Claims to include in credential
type (string, optional): Credential type (default: VerifiableCredential)
expirationDays (number, optional): Expiration in days
Returns:
credential (object): Signed verifiable credential
Example:
identity-trust vc issue \
--issuer did:key:z6Mkf... \
--subject did:key:z6Mkp... \
--claims '{"role":"developer","level":"senior"}' \
--expiration 90
4. vc_verify - Verify Credentials
Verify the authenticity and validity of a verifiable credential.
Parameters:
credential (object, required): Credential to verify
checkExpiration (boolean, optional): Check expiration date (default: true)
Returns:
verified (boolean): Whether credential is valid
checks (object): Detailed verification results
Example:
identity-trust vc verify
5. identity_list - List Identities
List all stored DIDs and credentials.
Parameters: None
Returns:
dids (array): List of stored DIDs
credentials (array): List of stored credentials
Example:
identity-trust did list
identity-trust vc list
6. trust_evaluate - Evaluate Agent Trust
Evaluate the trust level of an agent based on their credentials and policy.
Parameters:
agentDid (string, required): Agent DID to evaluate
policy (object, optional): Trust policy configuration
Returns:
trustLevel (number): Trust score (0-100)
credentials (array): Credentials used for evaluation
passed (boolean): Whether agent meets policy requirements
Example:
// Programmatic usage
import { evaluateTrust } from 'openclaw-identity-trust';

const result = await evaluateTrust('did:key:z6Mkf...', {
  minimumTrustLevel: 60,
  requiredCredentials: ['IdentityCredential'],
  trustedIssuers: ['did:key:authority...']
});
📚 CLI Commands
Three command aliases available:
openclaw-identity-trust
identity-trust
idt
DID Commands
# Create a new DID
identity-trust did create [--method ] [--key-type ]
# Resolve a DID
identity-trust did resolve
# List all DIDs
identity-trust did list
Verifiable Credential Commands
# Issue a credential
identity-trust vc issue \
--issuer \
--subject \
--claims '' \
[--type ] \
[--expiration ]
# Verify a credential
identity-trust vc verify
# List credentials
identity-trust vc list [--subject ]
Utility Commands
# Export all data
identity-trust export
# Show system information
identity-trust info
🔧 Programmatic API
Use as a Node.js library in your applications:
import {
  generateDID,
  resolveDID,
  issueCredential,
  verifyCredential,
  LocalStorage
} from 'openclaw-identity-trust';

// Initialize storage
const storage = new LocalStorage();
await storage.initialize();

// Create a DID
const { did, document, keyPair } = await generateDID('key', {
  keyType: 'Ed25519'
});
console.log('Created DID:', did);

// Issue a credential
const credential = await issueCredential({
  issuerDid: 'did:key:issuer...',
  issuerKeyPair: keyPair,
  subjectDid: did,
  claims: {
    role: 'ai-agent',
    capabilities: ['read', 'write', 'execute']
  },
  // Expires 90 days from now (milliseconds)
  expirationDate: new Date(Date.now() + 90 * 24 * 60 * 60 * 1000)
});

// Verify credential
const result = await verifyCredential(credential, {
  checkExpiration: true,
  localStore: storage.getDIDStore()
});
console.log('Verified:', result.verified);
🎓 Use Cases
1. AI Agent Identity
Create persistent identities for AI agents:
# Create agent DID
identity-trust did create --method key
# Issue capability credential
identity-trust vc issue \
--issuer did:key:authority... \
--subject did:key:agent... \
--claims '{"agent":"GPT-Agent-001","capabilities":["api_access","data_read"]}'
2. Service Authentication
Authenticate agents accessing services:
const credential = await storage.getCredential(credentialId);
const result = await verifyCredential(credential);
if (result.verified) {
  // Grant access to service
  console.log('Access granted');
} else {
  console.log('Access denied:', result.error);
}
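Checks a relying service can apply on top of the `verified` flag before granting access, as an added example (not the package's own code or its trust-scoring algorithm). `authorizeCredential` and the `expectedSubject` field are hypothetical; `trustedIssuers` and `requiredCredentials` mirror the policy fields shown on this page, and the DIDs are constructed placeholders.

```javascript
// Added example: hypothetical relying-service gate, not part of openclaw-identity-trust.
// `signatureVerified` stands for the `verified` flag returned by the verifier.
function authorizeCredential(vc, signatureVerified, policy, now = new Date()) {
  const reasons = [];
  if (signatureVerified !== true) reasons.push('signature not verified');

  // VC Data Model 1.1 allows issuer as a string or as an object with an id.
  const issuer = typeof vc.issuer === 'string' ? vc.issuer : vc.issuer?.id;
  if (!policy.trustedIssuers.includes(issuer)) reasons.push('issuer not trusted');

  // Bind the credential to the DID that is actually presenting it.
  if (vc.credentialSubject?.id !== policy.expectedSubject) reasons.push('subject mismatch');

  const types = Array.isArray(vc.type) ? vc.type : [vc.type];
  for (const t of policy.requiredCredentials) {
    if (!types.includes(t)) reasons.push(`missing type ${t}`);
  }

  // Fail closed: a missing or unparseable expirationDate is treated as a denial.
  const exp = Date.parse(vc.expirationDate ?? '');
  if (Number.isNaN(exp)) reasons.push('no valid expirationDate');
  else if (exp <= now.getTime()) reasons.push('expired');

  return { allowed: reasons.length === 0, reasons };
}

// Constructed sample data (placeholder DIDs, not real identifiers).
const POLICY = {
  trustedIssuers: ['did:key:zAuthorityPlaceholder'],
  requiredCredentials: ['CapabilityCredential'],
  expectedSubject: 'did:key:zAgentPlaceholder',
};
const SAMPLE_VC = {
  '@context': ['https://www.w3.org/2018/credentials/v1'],
  type: ['VerifiableCredential', 'CapabilityCredential'],
  issuer: 'did:key:zAuthorityPlaceholder',
  issuanceDate: '2026-03-08T00:00:00Z',
  expirationDate: '2026-06-06T00:00:00Z',
  credentialSubject: { id: 'did:key:zAgentPlaceholder', capabilities: ['data_read'] },
};

function demoDecisions() {
  const at = new Date('2026-04-01T00:00:00Z');
  return {
    good: authorizeCredential(SAMPLE_VC, true, POLICY, at),
    selfIssued: authorizeCredential({ ...SAMPLE_VC, issuer: 'did:key:zAgentPlaceholder' }, true, POLICY, at),
    late: authorizeCredential(SAMPLE_VC, true, POLICY, new Date('2026-07-01T00:00:00Z')),
    noExpiry: authorizeCredential({ ...SAMPLE_VC, expirationDate: undefined }, true, POLICY, at),
  };
}
```

The `selfIssued` case is the one a signature check alone cannot catch: the credential is validly signed, but by a key the service has no reason to trust.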
3. Trust Networks
Build trust relationships between agents:
const trust = await evaluateTrust(agentDid, {
  minimumTrustLevel: 60,
  requiredCredentials: ['IdentityCredential', 'CapabilityCredential'],
  trustedIssuers: [authorityDid],
  allowExpired: false
});
if (trust.passed) {
  console.log(`Agent trusted with level: ${trust.trustLevel}%`);
}
📐 Technical Standards
This implementation follows:
- W3C DID Core 1.0 - Decentralized Identifiers specification
- W3C Verifiable Credentials Data Model 1.1 - Verifiable credentials standard
- Ed25519 Signature 2020 - Modern cryptographic signatures
- Multibase Encoding - Base58btc encoding for did:key
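Why an Ed25519 did:key needs no registry, as an added example (not code from openclaw-identity-trust): the identifier is `z` followed by the Base58btc encoding of the multicodec prefix `0xed01` and the 32-byte public key, so a verifier can recover the key from the DID string alone. The helper names are hypothetical and only Node's built-in `crypto` module is used.

```javascript
// Added example, not project code: did:key <-> Ed25519 public key with Node's built-in crypto.
const nodeCrypto = require('node:crypto');
const B58 = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
const ED25519_CODEC = Buffer.from([0xed, 0x01]); // multicodec ed25519-pub
const SPKI_PREFIX = Buffer.from('302a300506032b6570032100', 'hex'); // DER header before the raw key

function base58Encode(bytes) {
  let n = BigInt('0x' + (bytes.toString('hex') || '0'));
  let out = '';
  while (n > 0n) { out = B58[Number(n % 58n)] + out; n /= 58n; }
  for (const b of bytes) { if (b !== 0) break; out = '1' + out; } // keep leading zero bytes
  return out;
}

function base58Decode(text) {
  let n = 0n;
  for (const ch of text) {
    const v = B58.indexOf(ch);
    if (v < 0) throw new Error('invalid base58btc character');
    n = n * 58n + BigInt(v);
  }
  const hex = n.toString(16);
  const body = n === 0n ? Buffer.alloc(0) : Buffer.from(hex.length % 2 ? '0' + hex : hex, 'hex');
  const zeros = text.length - text.replace(/^1+/, '').length;
  return Buffer.concat([Buffer.alloc(zeros), body]);
}

function didKeyFromPublicKey(raw) {
  if (raw.length !== 32) throw new Error('Ed25519 public keys are 32 bytes');
  return 'did:key:z' + base58Encode(Buffer.concat([ED25519_CODEC, raw]));
}

function publicKeyFromDidKey(did) {
  if (typeof did !== 'string' || !did.startsWith('did:key:z')) throw new Error('not a base58btc did:key');
  const bytes = base58Decode(did.slice('did:key:z'.length));
  const ok = bytes.length === 34 && bytes.subarray(0, 2).equals(ED25519_CODEC);
  if (!ok) throw new Error('not an Ed25519 did:key');
  return bytes.subarray(2);
}

// Verify a signature using nothing but the signer's DID string (no registry lookup).
function verifyWithDid(did, message, signature) {
  const der = Buffer.concat([SPKI_PREFIX, publicKeyFromDidKey(did)]);
  const key = nodeCrypto.createPublicKey({ key: der, format: 'der', type: 'spki' });
  return nodeCrypto.verify(null, message, key, signature);
}

function demo() { // constructed demo: fresh key pair, sign, then verify from the DID alone
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const did = didKeyFromPublicKey(publicKey.export({ format: 'der', type: 'spki' }).subarray(-32));
  const sig = nodeCrypto.sign(null, Buffer.from('constructed payload'), privateKey);
  return { did, ok: verifyWithDid(did, Buffer.from('constructed payload'), sig),
    tampered: verifyWithDid(did, Buffer.from('tampered payload'), sig) };
}
```

Rejecting any identifier whose decoded prefix or length does not match stops a key of another type from being fed to the Ed25519 verifier.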
🔒 Security
Cryptography
- Ed25519 - Modern elliptic curve signatures (default)
- secp256k1 - Ethereum-compatible signatures
- @noble/curves - Audited cryptography library
- @noble/hashes - Secure hashing
Key Storage
- Private keys stored locally at ~/.openclaw/identity/
- No cloud storage or external dependencies
- User controls all cryptographic material
Best Practices
- Never share private keys
- Always set expiration dates on credentials
- Verify credentials before trusting
- Use strong trust policies for critical operations
- Rotate keys periodically
🛠️ Configuration
Storage Location
Default: ~/.openclaw/identity/
Structure:
~/.openclaw/identity/
├── dids.json # Stored DID documents
├── credentials.json # Issued/received credentials
└── keys.json # Encrypted private keys
Environment Variables
# Optional: Custom storage path
OPENCLAW_IDENTITY_PATH=/custom/path
# For did:web resolution (if using network)
OPENCLAW_IDENTITY_NETWORK_ENABLED=true
📊 Comparison with Alternatives
| Feature | Identity Trust | Traditional Auth | OAuth/SAML |
|---|---|---|---|
| Decentralized | ✅ | ❌ | ❌ |
| Self-sovereign | ✅ | ❌ | ❌ |
| W3C Standards | ✅ | ❌ | ❌ |
| No Central Authority | ✅ | ❌ | ❌ |
| Cryptographic Proofs | ✅ | 🟡 | 🟡 |
| Agent-to-Agent | ✅ | ❌ | 🟡 |
| Offline Verification | ✅ | ❌ | ❌ |
🐛 Troubleshooting
Common Issues
Problem: Error: Private key not found
# Solution: Ensure DID was saved when created
identity-trust did create --save
Problem: Error: Failed to resolve DID
# Solution: Check DID format and network settings
identity-trust did resolve did:key:z6Mkf...
Problem: Error: Signature verification failed
# Solution: Check issuer DID and credential integrity
identity-trust vc verify --no-expiration
📖 Documentation
- Full Documentation: README.md
- Quick Start Guide: QUICKSTART.md
- API Reference: src/types.ts
- GitHub: https://github.com/ZhenRobotics/openclaw-identity-trust
- npm Package: https://www.npmjs.com/package/openclaw-identity-trust
🔄 Updates & Changelog
v1.0.0 (2026-03-08)
Initial release with:
- DID generation and resolution (did:key, did:web, did:ethr)
- Verifiable Credential issuance and verification
- Trust evaluation system
- CLI tool with 3 command aliases
- Programmatic API
- Local storage with encryption
- W3C standards compliance
🤝 Contributing
Contributions welcome! Please:
- Fork the repository
- Create a feature branch
- Make your changes
- Submit a pull request
📄 License
MIT License - see LICENSE
🔗 Links
- GitHub: https://github.com/ZhenRobotics/openclaw-identity-trust
- npm: https://www.npmjs.com/package/openclaw-identity-trust
- ClawHub: https://clawhub.ai/ZhenStaff/identity-trust
- Issues: https://github.com/ZhenRobotics/openclaw-identity-trust/issues
💬 Support
- Issues: https://github.com/ZhenRobotics/openclaw-identity-trust/issues
- Discussions: https://github.com/ZhenRobotics/openclaw-identity-trust/discussions
- Email: support@zhenrobot.com
Built with ❤️ for the OpenClaw ecosystem