Every AI agent deserves an identity it owns — not one rented from a vendor. DAT implements the W3C DID specification so your agents carry portable, cryptographically verifiable identities that work across platforms, chains, and organizations.
A formal W3C DID method specification purpose-built for AI agents, organizations, humans, and verifiers.
API keys expire. OAuth tokens can be revoked by a third party. Platform accounts disappear when the vendor shuts down. Decentralized Identifiers solve all of this. A DID is an identifier that the agent controls, anchored to cryptographic keys that only the agent holds. No issuer can revoke it. No platform migration can break it.
created, updated, and deactivated timestamps per the W3C spec
did:dat Method Syntax (ABNF)
==============================
did-dat = "did:dat:" network ":" id
network = "mainnet" / "testnet" / "devnet"
id      = type "_" unique
type    = "agent" / "org" / "human" / "verifier"
unique  = 16*HEX
Examples:
  did:dat:mainnet:agent_e041182e...
  did:dat:testnet:org_d7fe3f07...
  did:dat:mainnet:human_a1b2c3d4...
  did:dat:testnet:verifier_f9e8d7...
API:
  POST /api/v1/agents (create)
  GET /api/v1/did/:did (resolve)
  PUT /api/v1/did/:did (update)
  DELETE /api/v1/did/:did (deactivate)
  GET /api/v1/did/:did/resolve (W3C Resolution Result)
Each DID resolves to a document containing everything needed to verify, communicate with, and authorize an agent.
A DID Document is the agent's public profile — its cryptographic keys, service endpoints, and capabilities. When another agent or service needs to verify a request, they resolve the DID, extract the public key, and check the signature. No API calls to a central authority. No token exchange. Just math.
capabilityInvocation and capabilityDelegation fields specify which keys can perform actions and delegate authority
DID Document (resolved)
==============================
{
  "@context": [
    "https://www.w3.org/ns/did/v1",
    "https://w3id.org/security/suites/ed25519-2020/v1"
  ],
  "id": "did:dat:testnet:agent_e041...",
  "verificationMethod": [{
    "id": "...#key-1",
    "type": "Ed25519VerificationKey2020",
    "controller": "did:dat:testnet:...",
    "publicKeyMultibase": "z6Mkf5r..."
  }],
  "authentication": ["...#key-1"],
  "capabilityInvocation": ["...#key-1"],
  "capabilityDelegation": ["...#key-1"],
  "service": [{
    "id": "...#agent-api",
    "type": "AgentService",
    "serviceEndpoint": "https://www.datops.ai/..."
  }]
}
Every outgoing request is signed. Every incoming request is verified. No shared secrets, no bearer tokens, no trust assumptions.
Bearer tokens can be stolen. API keys can be leaked. Shared secrets are shared by definition. DAT agents sign every outgoing request with their Ed25519 private key and include the signature, timestamp, and nonce in HTTP headers. The receiving service resolves the sender's DID, extracts the public key, and verifies — all without contacting any central authority.
Request Signing Flow
==============================
Outgoing Request:
  POST /a2a/tasks/receive
  X-DAT-Agent-DID: did:dat:...
  X-DAT-Signature: a3f8b2c1...
  X-DAT-Timestamp: 1709571234
  X-DAT-Nonce: 7f3a9b2e...
Signing Payload (canonical):
  method + path + body + timestamp + nonce
  -> Ed25519.sign(privateKey)
Verification (receiver):
  1. Extract DID from header
  2. Resolve DID Document (cached)
  3. Get publicKeyMultibase
  4. Verify Ed25519 signature
  5. Check timestamp < 5 min old
  6. Check nonce not reused
  -> Accept or reject
Key Storage:
  Private key at rest:
  AES-256-GCM + HKDF-SHA256
  -> encrypted in Redis
  -> decrypted only in memory
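Added example (not DAT's own code): a Node.js implementation of the signing step and the six receiver checks listed above, using the built-in Ed25519 support. Assumptions, since the page gives only the field order: the canonical form joins fields with newlines and hashes the body, signature and nonce are hex, header keys are lowercase as Node exposes them, and the hypothetical `resolveKey` callback stands in for DID resolution and `publicKeyMultibase` decoding.

```javascript
const nodeCrypto = require('node:crypto');

const MAX_AGE_S = 300; // page: timestamp must be < 5 min old
const DID_RE = /^did:dat:(mainnet|testnet|devnet):(agent|org|human|verifier)_[0-9a-fA-F]{16,}$/;
const seenNonces = new Map(); // "did|nonce" -> expiry in unix seconds

// Assumed canonical form (the page gives only the field order): fields joined
// with "\n", body replaced by its SHA-256 so field boundaries cannot shift.
function canonical(method, path, body, timestamp, nonce) {
  const bodyHash = nodeCrypto.createHash('sha256').update(body).digest('hex');
  return Buffer.from([method.toUpperCase(), path, bodyHash, timestamp, nonce].join('\n'));
}

function signRequest(privateKey, did, method, path, body, now) {
  const timestamp = String(now);
  const nonce = nodeCrypto.randomBytes(16).toString('hex');
  const sig = nodeCrypto.sign(null, canonical(method, path, body, timestamp, nonce), privateKey);
  return { 'x-dat-agent-did': did, 'x-dat-signature': sig.toString('hex'),
           'x-dat-timestamp': timestamp, 'x-dat-nonce': nonce };
}

// resolveKey(did) stands in for DID resolution + publicKeyMultibase decoding
// (hypothetical callback returning a public KeyObject or null).
function verifyRequest(resolveKey, method, path, body, headers, now) {
  const did = headers['x-dat-agent-did'] || '';
  const ts = headers['x-dat-timestamp'] || '';
  const nonce = headers['x-dat-nonce'] || '';
  const sigHex = headers['x-dat-signature'] || '';
  if (!DID_RE.test(did) || !/^\d{1,12}$/.test(ts) ||
      !/^[0-9a-f]{16,64}$/.test(nonce) || !/^[0-9a-f]{128}$/.test(sigHex)) return 'malformed';
  const publicKey = resolveKey(did);                            // steps 1-3
  if (!publicKey) return 'unknown-did';
  const msg = canonical(method, path, body, ts, nonce);
  if (!nodeCrypto.verify(null, msg, publicKey, Buffer.from(sigHex, 'hex'))) return 'bad-signature'; // step 4
  if (Math.abs(now - Number(ts)) >= MAX_AGE_S) return 'stale';  // step 5 (also rejects far-future stamps)
  for (const [k, exp] of seenNonces) if (exp <= now) seenNonces.delete(k);
  const key = did + '|' + nonce;
  if (seenNonces.has(key)) return 'replay';                     // step 6
  seenNonces.set(key, Number(ts) + MAX_AGE_S);                  // recorded only after the signature verified
  return 'accept';
}

// Constructed demo values: throwaway key pair and DID.
const demoKeys = nodeCrypto.generateKeyPairSync('ed25519');
const demoDid = 'did:dat:testnet:agent_0123456789abcdef';
const demoResolve = (d) => (d === demoDid ? demoKeys.publicKey : null);
const demoHeaders = signRequest(demoKeys.privateKey, demoDid, 'POST', '/a2a/tasks/receive', '{"task":"ping"}', 1709571234);
console.log(verifyRequest(demoResolve, 'POST', '/a2a/tasks/receive', '{"task":"ping"}', demoHeaders, 1709571240));
```

With more than one receiver instance the nonce set has to live in a shared store, otherwise a replayed request can land on an instance that has not seen the nonce.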
No vendor lock-in. No expiring tokens. Just a W3C-standard identifier your agents control forever.