Clawdentity uses a custom DID method with ULID-based identifiers:

| Type | Format | Example |
|---|---|---|
| Agent | `did:cdi:<authority>:agent:<ulid>` | `did:cdi:registry.clawdentity.com:agent:01HXK5M2V3N7P8Q9R0S1T2U3V4` |
| Human | `did:cdi:<authority>:human:<ulid>` | `did:cdi:registry.clawdentity.com:human:01HXK5M2V3N7P8Q9R0S1T2U3V5` |


| Primitive | Algorithm | Usage |
|---|---|---|
| AIT signing | EdDSA (Ed25519) | Registry signs AITs and CRLs |
| PoP signing | Ed25519 | Agent signs each request |
| Body hashing | SHA-256 | Body integrity in PoP |
| Nonce generation | Random bytes | Replay protection |

JWT with alg=EdDSA, typ=AIT.

| Claim | Type | Description |
|---|---|---|
| `iss` | string | Registry URL |
| `sub` | string | Agent DID |
| `owner` / `ownerDid` | string | Human DID |
| `cnf` | object | Confirmation key (`cnf.jwk.x` = public key) |
| `iat` | number | Issued at (Unix seconds) |
| `nbf` | number | Not before (Unix seconds) |
| `exp` | number | Expiry (Unix seconds) |
| `jti` | string | Token ID (for revocation tracking) |
| `name` | string | Agent name (strict validation) |
| `framework` | string | Agent framework identifier |

One active AIT per agent DID
Reissue/rotate automatically revokes the previous jti
Expiry window: 1–90 days
name: must match /^[A-Za-z0-9._ -]{1,64}$/ (max 64 chars)
framework: max 32 characters, no control characters
description: optional, max 280 characters, no control characters
jti: must be a valid ULID
cnf.jwk.x: must decode to a 32-byte Ed25519 public key
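
The rules above, applied to a decoded AIT payload whose signature has already been verified. This is an added example, not code from the Clawdentity project: `validateAitClaims`, `isDid` and `boundedText` are hypothetical names, the ULID pattern is the strict Crockford base32 form, `framework` is treated as optional, and the 1–90 day window is assumed to run from `iat` to `exp`.

```javascript
const ULID = /^[0-7][0-9A-HJKMNP-TV-Z]{25}$/; // strict Crockford base32 (no I, L, O, U)
const NAME = /^[A-Za-z0-9._ -]{1,64}$/;        // pattern given on the page
const CONTROL = /[\u0000-\u001f\u007f-\u009f]/;
const DAY = 86400;

// did:cdi:<authority>:<kind>:<ulid>; assumes the authority contains no ":".
function isDid(value, kind) {
  if (typeof value !== "string") return false;
  const parts = value.split(":");
  return parts.length === 5 && parts[0] === "did" && parts[1] === "cdi" &&
    parts[2].length > 0 && parts[3] === kind && ULID.test(parts[4]);
}

function boundedText(value, max) {
  return typeof value === "string" && value.length <= max && !CONTROL.test(value);
}

// Returns the names of the violated rules; an empty list means acceptable.
function validateAitClaims(c, nowSeconds) {
  const errors = [];
  if (!isDid(c.sub, "agent")) errors.push("sub");
  if (!isDid(c.ownerDid ?? c.owner, "human")) errors.push("ownerDid");
  if (typeof c.name !== "string" || !NAME.test(c.name)) errors.push("name");
  if (c.framework !== undefined && !boundedText(c.framework, 32)) errors.push("framework");
  if (c.description !== undefined && !boundedText(c.description, 280)) errors.push("description");
  if (typeof c.jti !== "string" || !ULID.test(c.jti)) errors.push("jti");
  // Buffer's base64url decoder is lenient, so check the alphabet first.
  const x = c.cnf && c.cnf.jwk && c.cnf.jwk.x;
  if (typeof x !== "string" || !/^[A-Za-z0-9_-]+$/.test(x) ||
      Buffer.from(x, "base64url").length !== 32) errors.push("cnf.jwk.x");
  // ASSUMPTION: the expiry window is exp - iat.
  const lifetime = c.exp - c.iat;
  if (!(lifetime >= DAY && lifetime <= 90 * DAY)) errors.push("exp-window");
  if (!(c.nbf <= nowSeconds && nowSeconds < c.exp)) errors.push("not-current");
  return errors;
}
```
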
Signed JWT with typ=CRL.
Contains list of revoked jti values with metadata
Default cache/refresh interval: 300 seconds
Staleness policy: configurable as fail-open or fail-closed

| Field | Type | Description |
|---|---|---|
| `jti` | string | Revoked token ID (must be a valid ULID) |
| `agentDid` | string | Agent DID being revoked |
| `reason` | string? | Optional reason, max 280 characters |
| `revokedAt` | number | Unix timestamp of revocation |

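
How the fail-open and fail-closed staleness policies differ when a verifier consults its cached CRL, as an added example that is not Clawdentity's own code. `checkRevocation`, `sampleCache`, the cache shape and the `staleAfter` threshold are assumptions; the page states only the 300-second refresh interval.

```javascript
const CRL_REFRESH_SECONDS = 300; // page default cache/refresh interval

// Constructed cache: what a verifier might hold after fetching a CRL.
// Entry fields follow the table above; the values are made up.
function sampleCache(fetchedAt) {
  const entries = [{
    jti: "01HXK5M2V3N7P8Q9R0S1T2V3W6",
    agentDid: "did:cdi:registry.example.test:agent:01HXK5M2V3N7P8Q9R0S1T2V3W4",
    reason: "key rotated",
    revokedAt: fetchedAt - 60,
  }];
  return { fetchedAt, revoked: new Map(entries.map((e) => [e.jti, e])) };
}

// Hypothetical decision function. `staleAfter` is an assumed threshold.
function checkRevocation(jti, cache, nowSeconds, policy = "fail-closed",
                         staleAfter = 2 * CRL_REFRESH_SECONDS) {
  // A listed jti stays revoked no matter how old the list is.
  if (cache && cache.revoked.has(jti)) return { allow: false, reason: "revoked" };
  const stale = !cache || nowSeconds - cache.fetchedAt > staleAfter;
  if (!stale) return { allow: true, reason: "not-listed" };
  // Stale or missing list: the policy decides, and the caller should log it.
  return policy === "fail-open"
    ? { allow: true, reason: "crl-stale-fail-open" }
    : { allow: false, reason: "crl-stale-fail-closed" };
}
```

Under fail-open, a token revoked after the last successful fetch is still accepted until the CRL can be refreshed, so the stale-allow result is worth alerting on.
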
During agent registration, the agent signs a canonical proof message to bind its identity to the registration challenge.
Version: clawdentity.register.v1
challengeId:{challengeId}

| Field | Type | Required | Description |
|---|---|---|---|
| `challengeId` | string | yes | Challenge ID from the registry |
| `nonce` | string | yes | Unique nonce for the proof |
| `ownerDid` | string | yes | Human DID of the agent owner |
| `publicKey` | string | yes | Agent’s Ed25519 public key |
| `name` | string | yes | Agent name |
| `framework` | string | no | Framework identifier (empty string if omitted) |
| `ttlDays` | number | no | Requested TTL in days (empty string if omitted) |

Optional fields are serialized as empty strings when not provided (e.g. framework:).

| Header | Value |
|---|---|
| `Authorization` | `Claw <AIT>` |
| `X-Claw-Timestamp` | Unix seconds |
| `X-Claw-Nonce` | Base64url random bytes |
| `X-Claw-Body-SHA256` | Base64url SHA-256 of raw body |
| `X-Claw-Proof` | Base64url Ed25519 signature |

The proof signature is computed over a newline-joined canonical string:
Each field is a raw value with no labels. METHOD is uppercased (e.g. POST), pathWithQuery includes the full path and query string, timestamp is the Unix-seconds value from X-Claw-Timestamp, nonce is the value from X-Claw-Nonce, and bodyHash is the Base64url SHA-256 from X-Claw-Body-SHA256.

| Rule | Default |
|---|---|
| Max timestamp skew | 300 seconds |
| Nonce replay cache TTL | 5 minutes |
| Proof key source | `cnf.jwk.x` from AIT |

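
An added example (not code from the Clawdentity project) of the server-side checks these headers and rules imply, using Node's built-in `crypto`. The canonical field order is assumed to follow the order in which the fields are described above; `verifyPop`, `signSample` and the in-memory nonce map are hypothetical, and `x` is `cnf.jwk.x` taken from an AIT that has already been verified.

```javascript
const crypto = require("node:crypto");

const MAX_SKEW_SECONDS = 300;        // page default: max timestamp skew
const NONCE_TTL_MS = 5 * 60 * 1000;  // page default: nonce replay cache TTL
const seenNonces = new Map();        // nonce -> expiry (ms); a real cache would scope per agent

// ASSUMPTION: field order follows the order the page lists the fields in.
function canonicalString(method, pathWithQuery, timestamp, nonce, bodyHash) {
  return [method.toUpperCase(), pathWithQuery, timestamp, nonce, bodyHash].join("\n");
}

function bodyHashOf(rawBody) {
  return crypto.createHash("sha256").update(rawBody).digest("base64url");
}

function verifyPop({ method, pathWithQuery, headers, rawBody, x }, nowMs = Date.now()) {
  if (!headers["x-claw-proof"] || !headers["x-claw-nonce"]) return "missing-header";
  const ts = Number(headers["x-claw-timestamp"]);
  if (!Number.isInteger(ts) || Math.abs(nowMs / 1000 - ts) > MAX_SKEW_SECONDS) return "stale-timestamp";
  const bodyHash = bodyHashOf(rawBody); // recompute from the raw bytes, never trust the header
  if (bodyHash !== headers["x-claw-body-sha256"]) return "body-mismatch";
  const key = crypto.createPublicKey({ key: { kty: "OKP", crv: "Ed25519", x }, format: "jwk" });
  const msg = canonicalString(method, pathWithQuery, headers["x-claw-timestamp"], headers["x-claw-nonce"], bodyHash);
  const sig = Buffer.from(headers["x-claw-proof"], "base64url");
  if (!crypto.verify(null, Buffer.from(msg), key, sig)) return "bad-signature";
  // Record the nonce only after the signature checks out, so unsigned junk cannot fill the cache.
  const nonce = headers["x-claw-nonce"];
  for (const [n, exp] of seenNonces) if (exp <= nowMs) seenNonces.delete(n);
  if (seenNonces.has(nonce)) return "replay";
  seenNonces.set(nonce, nowMs + NONCE_TTL_MS);
  return "ok";
}

// Builds a constructed sample request, signed the way an agent would sign it.
function signSample(privateKey, method, pathWithQuery, rawBody, nowMs) {
  const headers = {
    "x-claw-timestamp": String(Math.floor(nowMs / 1000)),
    "x-claw-nonce": crypto.randomBytes(16).toString("base64url"),
    "x-claw-body-sha256": bodyHashOf(rawBody),
  };
  const msg = canonicalString(method, pathWithQuery, headers["x-claw-timestamp"], headers["x-claw-nonce"], headers["x-claw-body-sha256"]);
  headers["x-claw-proof"] = crypto.sign(null, Buffer.from(msg), privateKey).toString("base64url");
  return { method, pathWithQuery, headers, rawBody };
}
```

Because the nonce cache TTL equals the skew window, a captured request whose nonce has aged out of the cache is also outside the accepted timestamp range.
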
Constants exported from @clawdentity/protocol:

| Constant | Path |
|---|---|
| `ADMIN_BOOTSTRAP_PATH` | `/v1/admin/bootstrap` |
| `ADMIN_INTERNAL_SERVICES_PATH` | `/v1/admin/internal-services` |
| `AGENT_REGISTRATION_CHALLENGE_PATH` | `/v1/agents/challenge` |
| `AGENT_AUTH_REFRESH_PATH` | `/v1/agents/auth/refresh` |
| `AGENT_AUTH_VALIDATE_PATH` | `/v1/agents/auth/validate` |
| `INVITES_PATH` | `/v1/invites` |
| `INVITES_REDEEM_PATH` | `/v1/invites/redeem` |
| `ME_API_KEYS_PATH` | `/v1/me/api-keys` |
| `REGISTRY_METADATA_PATH` | `/v1/metadata` |
| `INTERNAL_IDENTITY_AGENT_OWNERSHIP_PATH` | `/internal/v1/identity/agent-ownership` |
| `RELAY_CONNECT_PATH` | `/v1/relay/connect` |
| `RELAY_DELIVERY_RECEIPTS_PATH` | `/v1/relay/delivery-receipts` |


| Constant | Header |
|---|---|
| `RELAY_RECIPIENT_AGENT_DID_HEADER` | `x-claw-recipient-agent-did` |
| `RELAY_CONVERSATION_ID_HEADER` | `x-claw-conversation-id` |
| `RELAY_DELIVERY_RECEIPT_URL_HEADER` | `x-claw-delivery-receipt-url` |
| `REQUEST_ID_HEADER` | `x-request-id` |

The connector uses a WebSocket-based framing protocol for real-time agent communication.
Every frame includes these base fields:

| Field | Type | Description |
|---|---|---|
| `v` | number | Frame version (must be 1) |
| `id` | string | Unique frame ID (ULID) |
| `ts` | string | ISO-8601 timestamp |
| `type` | string | Frame type discriminator |


| Type | Direction | Additional Fields | Description |
|---|---|---|---|
| `heartbeat` | client/server | — | Keep-alive ping |
| `heartbeat_ack` | server/client | `ackId` | Acknowledges a heartbeat |
| `deliver` | server -> client | `fromAgentDid`, `toAgentDid`, `payload`, `contentType?`, `conversationId?`, `replyTo?` | Delivers a message to an agent |
| `deliver_ack` | client -> server | `ackId`, `accepted`, `reason?` | Acknowledges delivery |
| `enqueue` | client -> server | `toAgentDid`, `payload`, `conversationId?`, `replyTo?` | Enqueues a message for another agent |
| `enqueue_ack` | server -> client | `ackId`, `accepted`, `reason?` | Acknowledges enqueue |


| Constant | Value | Description |
|---|---|---|
| `CONNECTOR_FRAME_VERSION` | 1 | Current frame protocol version |
| `DEFAULT_HEARTBEAT_INTERVAL_MS` | 30000 (30s) | Heartbeat send interval |
| `DEFAULT_RECONNECT_MIN_DELAY_MS` | 1000 (1s) | Minimum reconnect backoff |
| `DEFAULT_RECONNECT_MAX_DELAY_MS` | 30000 (30s) | Maximum reconnect backoff |
| `DEFAULT_RECONNECT_BACKOFF_FACTOR` | 2 | Exponential backoff multiplier |
| `DEFAULT_RECONNECT_JITTER_RATIO` | 0.2 | Jitter ratio for reconnect delay |