# Implementing Zero-Trust Agent Identity with Ed25519 Keys and AgentDID Format > Implement zero-trust agent identity using Ed25519 keys and AgentDID. Secure non-repudiable signatures for continuous trust validation across multi-agent systems. - Repository: [Microsoft/agent-governance-toolkit](https://github.com/microsoft/agent-governance-toolkit) - Tags: how-to-guide - Published: 2026-05-29 --- **Implement zero-trust agent identity by generating cryptographically-bound DIDs in the format `did:mesh:` with Ed25519 key pairs that never leave the agent's memory, enabling non-repudiable signatures, human accountability, and continuous trust validation across multi-agent systems.** The Microsoft Agent Governance Toolkit (AGT) provides a comprehensive zero-trust identity layer for AI agents, implemented across Python, Go, TypeScript, and Rust. This implementation ensures that every autonomous entity operates under a verifiable, non-repudiable identity tied to human sponsorship and capable of secure delegation chains. ## Understanding the AgentDID Format The AgentDID format follows the W3C Decentralized Identifier specification, using the scheme `did:mesh:`. This structure provides globally unique, self-sovereign identifiers that are cryptographically verifiable without centralized authority. ### DID Structure and Generation Each DID contains a 128-bit random hex token generated using `secrets.token_hex(16)` in [`agent_id.py`](https://github.com/microsoft/agent-governance-toolkit/blob/main/agent_id.py) (lines 36-48). This approach avoids deterministic seeds and guarantees high entropy, preventing predictability attacks. ```python from agentmesh import AgentDID # Generate a new DID did = AgentDID.generate(name="ReportWriter", org="Analytics") print(did) # did:mesh:7f3a9b2c... ``` The `AgentDID.generate` method creates identifiers that are statistically unique and compliant with the toolkit's mesh architecture, as implemented in [`agent-governance-python/agent-mesh/src/agentmesh/identity/agent_id.py`](https://github.com/microsoft/agent-governance-toolkit/blob/main/agent-governance-python/agent-mesh/src/agentmesh/identity/agent_id.py). ## Implementing Ed25519 Key Management The toolkit leverages Ed25519 elliptic curve cryptography for all identity operations, providing high-security signatures with compact key sizes and fast verification times. ### Key Generation and Storage When `AgentIdentity.create` is invoked (lines 71-81 in [`agent_id.py`](https://github.com/microsoft/agent-governance-toolkit/blob/main/agent_id.py)), the system generates a fresh Ed25519 key pair using `ed25519.Ed25519PrivateKey.generate()` (lines 71-73). The **public key** is Base64-encoded and persisted in the identity model, while the **private key** remains strictly in-memory only, stored in the `_private_key` attribute (lines 13-14). ```python from agentmesh import AgentIdentity agent = AgentIdentity.create( name="DataProcessor", sponsor="alice@company.com", capabilities=["read:data", "write:reports"], ) print(agent.did) # did:mesh:a1b2c3... print(agent.public_key) # Base64-encoded Ed25519 public key ``` This memory-only constraint for private keys ensures that compromised storage or logs never reveal signing material, maintaining the zero-trust property of cryptographic non-repudiation. ### Signing and Verification Agents can cryptographically sign arbitrary payloads using `AgentIdentity.sign` (lines 104-110), while peers verify signatures via `verify_signature` (lines 112-126) using the stored public key. ```python payload = b"important command" sig = agent.sign(payload) # Verification by any party possessing the public key is_valid = agent.verify_signature(payload, sig) print(is_valid) # True ``` Both methods utilize the Ed25519 algorithm's deterministic signature scheme, ensuring consistent behavior across all supported language implementations. ## Human Sponsorship and Accountability Every agent identity requires a human sponsor, enforcing accountability and enabling policy-based governance limits. ### Sponsor Validation The `sponsor_email` field is mandatory and validated in `validate_sponsor_email` (lines 32-38). The validation ensures proper email formatting before identity creation, preventing anonymous or unattributed agents. ```python if not "@" in sponsor: raise IdentityError("Invalid sponsor email") ``` This requirement enables organizational policies that limit the number of agents per sponsor, restrict delegation depth, and maintain audit trails for autonomous actions. ## Delegation Chains and Capability Scoping The toolkit supports hierarchical agent relationships through cryptographically-verified delegation, enabling parent agents to spawn restricted child agents without sharing their full capability set. ### Delegation Constraints Delegation enforces three critical security boundaries: - **Maximum depth**: Limited to `MAX_DELEGATION_DEPTH = 10` (line 35) - **No wildcard propagation**: Explicitly blocked in `delegate` (lines 74-78) - **Subset enforcement**: Child capabilities must be present in the parent (lines 81-86) ### Creating Child Agents The `AgentIdentity.delegate` method (lines 34-66, 98-101) creates child identities with narrowed permissions and a recorded parent relationship. ```python child = parent.delegate( name="ReportWriter", capabilities=["write:reports"], # Subset of parent capabilities max_initial_trust_score=600, ) print(child.parent_did) # Parent's DID print(child.delegation_depth) # 1 ``` This design prevents privilege escalation and mitigates Sybil attacks by ensuring trust scores and capabilities decrease or remain constant down the delegation chain. ## Lifecycle Management and Revocation The zero-trust model requires rapid response to compromised identities, implemented through immediate revocation with sub-five-second propagation. ### Revocation and Suspension Identity states include `active`, `suspended`, and `revoked`, tracked in the `status` field (line 101). The `AgentIdentity.revoke` method (lines 104-108) initiates permanent disablement, while `suspend` and `reactivate` provide temporary controls. ```python from agentmesh.identity import IdentityRegistry registry = IdentityRegistry() registry.register(agent) # Immediate revocation with automated child propagation registry.revoke(agent.did, reason="Compromised key") ``` ### Registry Integration The `IdentityRegistry` class (lines 38-85) centralizes identity lookups and attestation enforcement. When `_require_attestation` is enabled, the `register` method verifies attestations before acceptance (lines 52-58). The registry also provides trust verification via `is_trusted` (lines 76-84). Revocation propagates automatically to all delegated children through `IdentityRegistry.revoke` (lines 86-99), ensuring that compromising a parent identity cannot be circumvented by using child agents. ## Interoperability and Export Formats To support integration with external identity systems and W3C standards, agents export to standard formats. ### JWK and DID Document Export The `to_jwk` method exports keys as JSON Web Key format, while `to_did_document` (lines 514-535) generates W3C-compliant DID Documents containing verification methods and public key material. ```python jwk = agent.to_jwk() did_doc = agent.to_did_document() print(did_doc["@context"]) print(did_doc["verificationMethod"][0]["publicKeyBase64"]) ``` These exports enable interoperability with existing decentralized identity infrastructure and blockchain-based DID resolvers. ## Summary - **AgentDID Format**: Uses `did:mesh:` with 128-bit entropy generated via `secrets.token_hex(16)` in `AgentDID.generate`. - **Ed25519 Security**: Private keys remain in-memory only (`_private_key`), while public keys are Base64-encoded and shareable for signature verification. - **Human Accountability**: Mandatory `sponsor_email` validation ensures every agent traces back to a human operator. - **Delegation Controls**: Hard limit of 10 delegation levels with strict capability subsetting prevents privilege escalation. - **Zero-Trust Lifecycle**: Revocation propagates to all children within seconds via `IdentityRegistry.revoke`. ## Frequently Asked Questions ### What is the AgentDID format? The AgentDID format follows the pattern `did:mesh:`, where the unique identifier is a 128-bit random hex string generated by `AgentDID.generate` in [`agent_id.py`](https://github.com/microsoft/agent-governance-toolkit/blob/main/agent_id.py). This format provides globally unique, cryptographically verifiable identifiers that do not require centralized registration, enabling self-sovereign identity for autonomous agents. ### How are private keys protected in the Agent Governance Toolkit? Private keys are generated using `ed25519.Ed25519PrivateKey.generate()` and stored only in the `_private_key` attribute of the `AgentIdentity` instance (lines 13-14). They never persist to disk or external storage, existing only in volatile memory for the agent's lifecycle. This design prevents key extraction from compromised storage systems while maintaining signing capability through the `sign` method. ### What is the maximum delegation depth for agent hierarchies? The toolkit enforces a maximum delegation depth of 10 levels, defined by the constant `MAX_DELEGATION_DEPTH` (line 35). This limit prevents uncontrolled chain elongation that could complicate revocation propagation and trust calculation. Attempting to delegate beyond this depth raises an exception in the `delegate` method. ### How does revocation propagate through delegation chains? When `IdentityRegistry.revoke` is called (lines 86-99), it recursively invalidates the target identity and all descendants in its delegation tree. The registry updates the `status` field to `revoked` for the parent and automatically traverses child relationships, ensuring that compromised parent credentials cannot be exploited through existing child agents. This propagation completes in under five seconds according to the implementation specifications.