Who is this agent, who owns it, and is it revoked?
Clawdentity answers that question with verifiable per-agent identity, proof-of-possession on every request, and instant revocation that propagates in seconds.
The Problem with Shared Tokens
Shared gateway tokens work for transport, but not for identity-aware agent systems.
No Per-Agent Identity
Receivers cannot prove which exact agent sent a request or who owns it. Any caller with the shared token looks the same to the gateway.
Shared-Secret Blast Radius
If one token leaks, any caller can impersonate a trusted agent until rotation. One leak exposes every integration.
Weak Revocation Model
Disabling one compromised agent means rotating shared credentials across all integrations. No way to revoke a single identity.
The Fix: Clawdentity
Each agent gets a unique DID and signed passport. Every request proves exactly which agent sent it. Revocation is instant.
How It Compares
Clawdentity is purpose-built for agent-to-agent auth.
Per-agent identity
Proof of possession
Instant revocation
No shared secrets
Offline verification
Works as sidecar
Open source
Three Building Blocks
No shared secrets. Instant revocation. Cryptographic trust.
Register an Agent
Generate a key pair and register with the identity registry. The agent receives a signed AIT (Agent Identity Token) — a registry-signed passport using JWT and EdDSA.
clawdentity agent register \
--name my-agent \
--owner operator@example.com
Sign Every Request
The SDK attaches the AIT and signs each request with the agent's private key (Proof-of-Possession). The private key never leaves the agent's machine.
Proxy Verifies & Delivers
The Clawdentity proxy validates the AIT signature, checks the CRL for revocation, and enforces per-agent policy (allowlist, rate limits, replay protection) before forwarding.
clawdentity proxy start \
--upstream http://localhost:3000 \
--port 4000 \
--policy allowlist.yaml
Privacy & Security First
Built for zero-trust environments where every request must prove its origin.
No Shared Secrets
Each agent holds its own private key. Nothing sensitive is shared between parties.
Offline Verification
Proxies verify AITs locally using cached public keys and CRLs. No call home required.
Decentralized by Design
No central authority needed at request time. Registry only involved at registration and revocation.
Instant Revocation
Compromised agent? Revoke it in the registry. All proxies pick up the CRL update within seconds.
Anywhere agents need to prove who they are
Secure agent-to-agent communication across any platform or framework.
Multi-Agent Orchestration
Verify which agent is calling before executing sensitive workflows. Enforce per-caller policy by agent DID, with rate limits per agent.
Webhook Authentication
Replace shared webhook tokens with per-agent identities. Drop the Clawdentity proxy in front of OpenClaw or any webhook endpoint.
Agent-to-Agent Trust
Two agents verify each other's identity before exchanging data. Mutual authentication with timestamp, nonce, and signature on every request.
Compliance & Audit
Every request is signed and traceable to a specific agent and owner. Body hash + PoP signature means any modification is detectable.
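The checks described above (a registry-signed passport, a per-request proof-of-possession signature over body hash, timestamp and nonce, a CRL lookup and a replay cache) are shown here as an added example; it is not Clawdentity's code or wire format. The passport is a simplified stand-in for the AIT (signed JSON rather than a JWT), and every field name, the 30-second skew window and the signing-base layout are assumptions.

```javascript
// Added example, not Clawdentity's code or wire format; every field name is an assumption.
const crypto = require('node:crypto');

const registry = crypto.generateKeyPairSync('ed25519'); // stands in for the registry signing key
const agent = crypto.generateKeyPairSync('ed25519');    // agent key pair; private half stays local
const b64 = (buf) => Buffer.from(buf).toString('base64url');
const sha256 = (data) => b64(crypto.createHash('sha256').update(data).digest());
const signingBase = (method, path, pop) => [method, path, pop.bodyHash, pop.ts, pop.nonce].join('\n');

// Registry side: bind a DID and owner to the agent's public key and sign the claims.
function issuePassport(did, owner, publicKey) {
  const pub = b64(publicKey.export({ type: 'spki', format: 'der' }));
  const claims = JSON.stringify({ did, owner, jti: crypto.randomUUID(), pub });
  return { claims, sig: b64(crypto.sign(null, Buffer.from(claims), registry.privateKey)) };
}

// Agent side: attach the passport and sign method, path, body hash, timestamp and nonce.
function signRequest(passport, privateKey, method, path, body, now = Date.now()) {
  const pop = { ts: now, nonce: b64(crypto.randomBytes(16)), bodyHash: sha256(body) };
  pop.sig = b64(crypto.sign(null, Buffer.from(signingBase(method, path, pop)), privateKey));
  return { passport, method, path, body, pop };
}

// Proxy side: offline checks using only the cached registry key, CRL and nonce cache.
function verifyRequest(req, { registryKey, crl, seenNonces, now = Date.now(), skewMs = 30000 }) {
  const { passport, pop } = req;
  const sigOk = (data, key, sig) => crypto.verify(null, Buffer.from(data), key, Buffer.from(sig, 'base64url'));
  if (!sigOk(passport.claims, registryKey, passport.sig)) return 'bad-passport-signature';
  const claims = JSON.parse(passport.claims);
  if (crl.has(claims.jti)) return 'revoked';
  if (Math.abs(now - pop.ts) > skewMs) return 'stale-timestamp';
  if (sha256(req.body) !== pop.bodyHash) return 'body-modified';
  const agentKey = crypto.createPublicKey({ key: Buffer.from(claims.pub, 'base64url'), format: 'der', type: 'spki' });
  if (!sigOk(signingBase(req.method, req.path, pop), agentKey, pop.sig)) return 'bad-pop-signature';
  // Record the nonce only after the signature verifies, so unauthenticated traffic cannot fill the cache.
  const nonceKey = `${claims.did}:${pop.nonce}`;
  if (seenNonces.has(nonceKey)) return 'replay';
  seenNonces.add(nonceKey);
  return 'ok';
}
```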
Get Started in Minutes
Three commands to verified agent identity.
npm install -g @clawdentity/cli
clawdentity agent register --name my-agent
clawdentity proxy start --upstream http://localhost:3000