Verifiable AI agent identity - live today  ·  AID · A2A · ANS Bronze · MCP-I

Give your Agent
Verifiable Identity

Register a .Kred domain and run four API calls. Your agent gets cryptographically verifiable credentials across every major agent identity standard - DNS discovery, X.509 identity, a DID Document, and a signed delegation credential.

Enroll your first agent → See the standards
AID - DNS discovery
A2A - Agent Cards
ANS Bronze - X.509 identity
MCP-I Level 1 - did:web + JWT-VC

Live in under 5 minutes

From domain registration to full credential stack - DNS records, X.509 cert, DID Document, and signed VC all provisioned automatically.

Your keys, always portable

Export your Ed25519 private key and self-hosting instructions at any time. Remove our CNAME and run your own proxy - the key material is yours.

Open standards throughout

AID, A2A, ANS, did:web, JWT-VC - every format is a published spec or IETF draft. No proprietary lock-in, no vendor-specific formats.

The problem

Agents are anonymous.
That's a trust problem.

🔍

No standard way to discover agents

Agents are deployed behind arbitrary URLs with no DNS-anchored discovery record. Clients can't find them without out-of-band configuration.

🪪

No verifiable ownership claim

Any service can claim to be your agent. There is no cryptographic proof that ties an agent to a domain and its owner.

🔐

No delegation trail

Agents act on behalf of humans, but there is no machine-readable record of what they are authorised to do or who authorised them.

# Before AgenticID
GET https://maybe-legit-agent.io/mcp
→ who owns this? what can it do?
→ no DNS record no cert no delegation

# After AgenticID
_agent.myapp.Kred TXT "v=aid1;u=...;k=z6Mk..."
agent.myapp.Kred /.well-known/agent.json ✓
agent.myapp.Kred /.well-known/did.json ✓
ans://v1.0.0.agent.myapp.Kred X.509 cert ✓
JWT-VC scope=["act:agent","read:domain"] ✓

Identity layers

Four standards. One enrollment.

Register a domain and enroll your agent. We provision every credential automatically - DNS records, X.509 certs, DID Documents, and signed VCs - and serve them from agent.{domain}.

Discovery

AID · A2A

DNS-based agent discovery and capability advertisement. Any client can find your agent with a single DNS lookup.

_agent TXT record - `v=aid1;u=...;p=mcp;k=z6Mk...`
Ed25519 PKA - AID-Challenge signing for endpoint proof
A2A Agent Card - JSON at `/.well-known/agent.json`
CNAME routing - `agent.{domain}` served by our proxy
Well-known fallback - `/.well-known/agent` for DNS-restricted environments
Key rotation - `POST /agent/rotate-key` with instant DNS update
POST /agent GET /agent PUT /agent DELETE /agent GET /agent/credentials POST /agent/rotate-key
X.509 Identity

ANS Bronze

GoDaddy Agent Name Service - version-bound X.509 identity issued by our private RA, with a signed Trust Card and transparency log.

ANS identity name - `ans://v1.0.0.agent.{domain}`
Private CA cert - X.509 with URI SAN, signed by our RA
_ans DNS record - ANS discovery TXT with version + protocol
COSE_Sign1 Trust Card - `/.well-known/ans/trust-card.json`
Version bumps - new cert issued per semver registration
POST /agent/ans GET /agent/ans POST /agent/ans/version DELETE /agent/ans
Verifiable Credentials

MCP-I Level 1

MCP-I - community extension for verifiable agent identity and delegation, built on did:web and W3C VC standards.

did:web DID - `did:web:agent.{domain}` resolves to DID Document
Ed25519VerificationKey2020 - reuses Phase 1 keypair, no new key material
JWT-VC - EdDSA-signed Delegation Credential with registrant scopes
Scope control - `action:resource` format, e.g. `act:agent`, `read:domain`
Live VC at well-known - `/.well-known/mcp-i/delegation.json`
Scope updates - `PUT /agent/mcpi` reissues VC instantly
POST /agent/mcpi GET /agent/mcpi PUT /agent/mcpi DELETE /agent/mcpi

How it works

From domain to full identity stack

Four API calls. Everything is provisioned and served automatically - DNS records, certificates, DID Documents, signed VCs.

1

Register domain

Register any .Kred domain. Your domain's PowerDNS zone is created and nameservers are provisioned.

2

Enroll agent (AID + A2A)

`POST /agent` generates an Ed25519 keypair, provisions `_agent` TXT + `agent.{domain}` CNAME, and creates the Agent Card stub.

3

Add ANS identity

`POST /agent/ans` issues an X.509 identity cert, writes `_ans` + `_ans-badge` DNS records, builds and signs the Trust Card.

4

Add MCP-I credentials

`POST /agent/mcpi` constructs the DID Document, issues a JWT Delegation Credential with your scopes, and makes both live.

API

Full identity in four calls

agent-enrollment.sh
# 1. Register the domain $ curl -X POST /api/domains/myapp.Kred/register → 201 { "domain": "myapp.Kred", "success": true }
# 2. Enroll AID + A2A agent identity $ curl -X POST /api/domains/myapp.Kred/agent \ -d '{"name":"MyApp Agent","protocol":"mcp", "agent_endpoint_url":"https://agent.myapp.Kred/mcp", "skills":[{"id":"query","description":"Answer questions"}]}' → 201 { "public_key": "z6Mk...", "aid_record": "v=aid1;..." }
# 3. Add ANS Bronze identity $ curl -X POST /api/domains/myapp.Kred/agent/ans \ -d '{"version":"1.0.0"}' → 201 { "ans_name": "ans://v1.0.0.agent.myapp.Kred", ... }
# 4. Add MCP-I Level 1 credentials $ curl -X POST /api/domains/myapp.Kred/agent/mcpi \ -d '{"scopes":["act:agent","read:domain","write:dns"]}' → 201 { "did": "did:web:agent.myapp.Kred", ... }
# Credentials are now live at: https://agent.myapp.Kred/.well-known/agent.json https://agent.myapp.Kred/.well-known/did.json https://agent.myapp.Kred/.well-known/ans/trust-card.json https://agent.myapp.Kred/.well-known/mcp-i/delegation.json
1

Domain registration

Registers via CentralNIC, creates the PowerDNS zone, and links ownership to your account via SocialOS domain tokens.

2

AID + A2A enrollment

Generates an Ed25519 keypair (private key held server-side), provisions `_agent` TXT and `agent.{domain}` CNAME. Optional body configures the A2A Agent Card inline.

3

ANS Bronze - version-bound X.509

Our private RA issues an identity cert with `URI:ans://v1.0.0.agent.{domain}` SAN, writes `_ans` + `_ans-badge` DNS records, and builds a COSE_Sign1 Trust Card. Bump versions any time with `POST /agent/ans/version`.

4

MCP-I Level 1 - DID + JWT-VC

Constructs a `did:web` DID Document backed by the Phase 1 Ed25519 key, then issues a platform-signed JWT Delegation Credential with your declared scopes. Both live at well-known paths immediately.

What gets issued

Every credential, automatically served

All credentials are stored in our DB and served live from `agent.{domain}` via our proxy. No hosting required on your side.

📡

AID DNS Record

Semicolon-delimited TXT record carrying endpoint URL, protocol hint, Ed25519 public key, and key ID. Used by any AID-compatible client for DNS-first discovery.

_agent.{domain} TXT v=aid1;u=...;p=mcp;k=z6Mk...;i=k1
📋

A2A Agent Card

JSON document describing the agent's name, endpoint URL, capabilities, skills, and security schemes. Consumed by A2A-compatible orchestrators for task delegation.

/.well-known/agent.json
🔏

ANS Trust Card

COSE_Sign1 document (ES256, raw r||s) containing ANS identity name, version, endpoints, and verifiable claims. Signed by our private CA.

/.well-known/ans/trust-card.json
🪪

did:web DID Document

W3C DID Document anchoring the agent's Ed25519 verification key and service endpoint. Resolution requires only HTTPS - no blockchain, no registry.

/.well-known/did.json
📜

JWT Delegation Credential

W3C Verifiable Credential in JWT format. Platform-signed with EdDSA, carrying registrant-supplied `action:resource` scopes in the `credentialSubject`.

/.well-known/mcp-i/delegation.json
🔑

Raw Credentials Export

Export the Ed25519 private key and self-hosting instructions at any time. Remove our CNAME and run your own proxy - the key material is yours.

GET /agent/credentials?confirm_self_host=true

Technical specifications

Built on open standards

No proprietary lock-in. Every credential format is a published open standard, IETF draft, or W3C specification.

🔐
Agent signing key
Ed25519 (RFC 8037)
🔒
Key encryption at rest
AES-256-GCM
📡
AID public key encoding
Multibase base58btc (z prefix)
🌐
AID protocol
agentcommunity.org · IETF draft-nemethi-00
🤝
A2A Agent Card
a2a-protocol.org v0.3+
🏛️
ANS identity cert SAN
X.509 URI SAN - ans://v{semver}.agent.{domain}
🛡️
ANS Trust Card format
COSE_Sign1 tag 18 (RFC 9052)
🪪
DID method
did:web (W3C DID Core 1.0)
📜
Delegation Credential
W3C VC Data Model 1.1, JWT proof, EdDSA
🔑
JWT signature
EdDSA / 64-byte signature (RFC 8037)

Your agent.
Cryptographically yours.

Register a .Kred domain and enroll your agent in under five minutes.

Start building → Talk to us

AgenticID.Kred is operated by PeopleBrowsr - the team behind the .Kred top-level domain. We've operated domain infrastructure and digital identity systems since 2010.