Agent Identity
Cryptographic identity for AI agents using Ed25519 signatures.
Overview
Every Sekuire agent has a cryptographic identity consisting of:
- Sekuire ID - Content-addressable identifier
- Public Key - For signature verification
- Private Key - For signing (keep secret!)
┌─────────────────────────────────────────────────────────┐
│ Agent Identity │
│ │
│ Sekuire ID: 7f8a9b3c2d1e... (derived from content) │
│ Public Key: ed25519:abc123... (share freely) │
│ Private Key: [REDACTED] (never share!) │
│ │
│ Sign messages ───▶ Prove you are this agent │
│ Verify signatures ───▶ Confirm message authenticity │
└─────────────────────────────────────────────────────────┘
Loading Identity
- Python
- TypeScript
from sekuire_sdk.identity import AgentIdentity
# Load from sekuire.json + .sekuire/secret.key
identity = AgentIdentity.load()
print(f"Agent: {identity.name}")
print(f"Sekuire ID: {identity.sekuire_id}")
print(f"Has private key: {identity.has_private_key}")
# Or load from environment variables
identity = AgentIdentity.from_env()
# Requires: SEKUIRE_AGENT_ID, optionally SEKUIRE_PRIVATE_KEY
import { AgentIdentity } from '@sekuire/sdk';
// Load from config files
const identity = await AgentIdentity.load();
console.log(`Agent: ${identity.name}`);
console.log(`Sekuire ID: ${identity.sekuireId}`);
console.log(`Has private key: ${identity.hasPrivateKey}`);
// Or from environment
const identity = AgentIdentity.fromEnv();
Signing Messages
Sign a message to prove authenticity:
- Python
- TypeScript
from sekuire_sdk.identity import AgentIdentity
identity = AgentIdentity.load()
# Sign a message
message = "Hello from my agent"
signature = identity.sign(message)
print(f"Signature: {signature}")
# Signature: a1b2c3d4e5f6... (hex-encoded Ed25519 signature)
import { AgentIdentity } from '@sekuire/sdk';
const identity = await AgentIdentity.load();
// Sign a message
const message = 'Hello from my agent';
const signature = identity.sign(message);
console.log(`Signature: ${signature}`);
Verifying Signatures
Verify a message was signed by this agent:
- Python
- TypeScript
from sekuire_sdk.identity import AgentIdentity
identity = AgentIdentity.load()
# Verify a signature
message = "Hello from my agent"
signature = "a1b2c3d4e5f6..." # From sign()
is_valid = identity.verify(message, signature)
print(f"Valid: {is_valid}") # True or False
import { AgentIdentity } from '@sekuire/sdk';
const identity = await AgentIdentity.load();
// Verify a signature
const message = 'Hello from my agent';
const signature = 'a1b2c3d4e5f6...';
const isValid = identity.verify(message, signature);
console.log(`Valid: ${isValid}`);
Identity Sources
The SDK loads identity from multiple sources (in order):
1. Config File (sekuire.json)
{
"name": "My Agent",
"sekuire_id": "7f8a9b3c2d1e..."
}
2. Key File (.sekuire/secret.key)
a1b2c3d4e5f6... (hex-encoded private key)
3. Environment Variables
| Variable | Description |
|---|---|
SEKUIRE_AGENT_ID | Agent's Sekuire ID |
SEKUIRE_AGENT_NAME | Agent's name |
SEKUIRE_PRIVATE_KEY | Hex-encoded private key |
SEKUIRE_PUBLIC_KEY | Hex-encoded public key |
AgentIdentity Class
Properties
| Property | Type | Description |
|---|---|---|
name | string | Agent's display name |
sekuire_id | string | Content-addressable ID |
public_key | string | Hex-encoded public key |
has_private_key | bool | Whether private key is loaded |
Methods
| Method | Description |
|---|---|
load(path?) | Load from config file |
from_env() | Load from environment |
sign(message) | Sign a message (returns hex signature) |
verify(message, signature) | Verify a signature (returns bool) |
Use Cases
Request Signing (A2A)
Sign requests when communicating with other agents:
import json
import time
from sekuire_sdk.identity import AgentIdentity
identity = AgentIdentity.load()
# Create request payload
request = {
"method": "POST",
"url": "https://other-agent.com/a2a/tasks",
"timestamp": int(time.time() * 1000),
"body": {"skill": "analyze", "input": {...}}
}
# Sign the request
payload = json.dumps(request, sort_keys=True)
signature = identity.sign(payload)
# Add to headers
headers = {
"X-Sekuire-Agent-ID": identity.sekuire_id,
"X-Sekuire-Signature": signature,
"X-Sekuire-Timestamp": str(request["timestamp"])
}
Webhook Verification
Verify incoming webhooks are from Sekuire:
from sekuire_sdk.identity import AgentIdentity
def verify_webhook(request):
# Get headers
agent_id = request.headers.get("X-Sekuire-Agent-ID")
signature = request.headers.get("X-Sekuire-Signature")
timestamp = request.headers.get("X-Sekuire-Timestamp")
# Reconstruct signed payload
payload = f"{request.method}{request.url}{timestamp}{request.body}"
# Verify (need sender's public key from registry)
# This is simplified - real impl fetches public key
is_valid = verify_signature(agent_id, payload, signature)
if not is_valid:
raise ValueError("Invalid webhook signature")
Key Management
Generate New Keys
Use the CLI to generate a new keypair:
sekuire keygen
# Creates:
# .sekuire/public.key - Share this
# .sekuire/secret.key - Keep secret!
Rotate Keys
- Generate new keypair
- Update registry with new public key
- Replace
.sekuire/secret.key - Restart agent
# Generate new keys
sekuire keygen --force
# Update registry
sekuire publish --update-keys
Security Best Practices
- Never commit secret.key - Add to
.gitignore - Use environment variables in production - Don't deploy key files
- Rotate keys periodically - Limit exposure window
- Verify all A2A requests - Don't trust unsigned messages
- Use short-lived signatures - Include timestamps
# .gitignore
.sekuire/secret.key
*.pem
*.key
Next Steps
- Authentication - Full auth flow
- A2A Protocol - Agent communication
- CLI Keys - Key management CLI