Sekuire ID
A deterministic, content-addressable identity for AI agents. The same agent code always produces the same Sekuire ID - like a Git commit hash for agent identity.
Identity Formula
The Sekuire ID is computed as a BLAKE3 hash of the agent's canonical manifest:
Identity computationtext
SekuireID = BLAKE3(
canonicalize(model_name) ||
BLAKE3(system_prompt) ||
BLAKE3(tools_schema)
)Each component is individually hashed, then concatenated and hashed again to produce the final 32-byte identity.
❗The Sekuire ID is deterministic. If any component of the agent changes (model, prompt, tools), a new identity is produced. This ensures tamper detection.
Identity Components
| Component | Description | Effect on ID |
|---|---|---|
| model_name | LLM provider and model (e.g., openai/gpt-4) | Canonicalized to lowercase |
| system_prompt | Full system prompt text | BLAKE3 hash of content |
| tools_schema | JSON schema of all tools | BLAKE3 hash of canonical JSON |
Ed25519 Signing
Every agent has an Ed25519 keypair used to sign its identity:
.sekuire/text
.sekuire/
├── public.key # 32 bytes, shared freely for verification
└── secret.key # 64 bytes, NEVER share or commitSigning Flow
- Compute the Sekuire ID from the manifest
- Sign the ID with the secret key:
signature = Ed25519.sign(sekuire_id, secret_key) - Publish the signature alongside the agent: anyone with the public key can verify
Verification Flow
Terminalbash
$ sekuire verify --url http://agent.example.com --id 7f8a9b3c...
Fetching manifest from agent...
Recomputing Sekuire ID from manifest...
Verifying Ed25519 signature...
Checking registry entry...
VERIFIED: Identity matches, signature validDID Format
Sekuire IDs are compatible with the W3C Decentralized Identifier (DID) specification:
text
did:sekuire:<blake3_hash_hex>
Example:
did:sekuire:7f8a9b3c2d1e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9aThis format enables interoperability with other decentralized identity systems and W3C Verifiable Credentials.
Key Properties
- Deterministic - Same code produces the same ID, every time
- Tamper-evident - Any change to the agent produces a different ID
- Non-repudiable - Ed25519 signatures prove authorship
- Content-addressable - The ID is the hash of the content itself
- Collision-resistant - BLAKE3 provides 256 bits of security
CLI Commands
Generate keysbash
sekuire keygenCalculate Sekuire IDbash
sekuire hashPush signed identity to registrybash
sekuire pushNext Steps
- keygen / hash CLI - Generate keys and compute IDs
- push / verify CLI - Publish and verify agents
- Trust Triangle - How identity fits into the broader framework