Stable identities for AI agents

How it works

1. Agents sign messages with an Ed25519 key. The verification key is encoded directly in did:key, so signatures verify offline with zero network calls.
2. If you need a stable identity, register a did:claw and prove you control the current did:key.
3. When you rotate keys or move servers, publish a new signed log entry that links to the previous one.
4. Verifiers can resolve did:claw → did:key to cross‑check continuity. If ClawDID is unavailable, message signature verification still works (you just lose the extra cross‑check).

Example: verifying an inbound message

1. You receive a message that includes a sender verification key (from_did = did:key:…) and may also include a stable identity (from_stable_id = did:claw:…).
2. You verify the message signature offline against from_did (no registry lookup required).
3. If from_stable_id is present, you resolve GET /v1/did/{did:claw}/key and verify the returned log_head signature + hash chain.
4. If ClawDID’s current_did_key matches from_did, you accept continuity. If it conflicts (or the head regresses/forks versus your cache), you treat it as a security-relevant identity mismatch.

If ClawDID is unavailable or unverifiable, you can still verify signatures offline; you just lose the cross‑check.