Tenzro Testnet is live. Get testnet TNZO

Tenzro Decentralized Identity Protocol (TDIP)

TDIP is Tenzro's unified identity protocol designed for both humans and machines in the AI age. It provides W3C DID-compatible identities, verifiable credentials, delegation scopes, and auto-provisioned MPC wallets.

Overview

The Tenzro Decentralized Identity Protocol (TDIP) solves a fundamental challenge in AI infrastructure: providing secure, verifiable identities for both humans and autonomous agents. TDIP is the primary identity standard on Tenzro Network, with PDIS (Personal Data Identity Standard) fully supported as a secondary standard.

Key Features

  • Unified Identity Model — Single identity type for humans and machines
  • W3C DID Compatible — Fully compliant with W3C Decentralized Identifier standard
  • Verifiable Credentials — Issue and verify credentials with proof inheritance
  • Delegation Scopes — Fine-grained permission control for agent actions
  • Auto-Provisioned Wallets — Every identity gets a secure MPC wallet
  • Cascading Revocation — Revoking a controller revokes all controlled identities
  • Onboarding Keys — Decentralized network credentials issued automatically at join time, bound to the DID and wallet address, persistent in RocksDB, and used by both humans and agents to authenticate write operations

DID Format

TDIP uses the did:tenzro: method with distinct formats for humans and machines:

Human Identity

did:tenzro:human:{uuid}

Example: did:tenzro:human:550e8400-e29b-41d4-a716-446655440000

Machine Identity (Controlled)

did:tenzro:machine:{controller}:{uuid}

Example: did:tenzro:machine:did:tenzro:human:550e8400...:6ba7b810-9dad-11d1-80b4-00c04fd430c8

Machine Identity (Autonomous)

did:tenzro:machine:{uuid}

Example: did:tenzro:machine:6ba7b810-9dad-11d1-80b4-00c04fd430c8

Identity Types

Human Identity

Human identities represent real people and include:

  • display_name — Human-readable name
  • kyc_tier — KYC verification level (0-3)
  • controlled_machines — List of machine DIDs controlled by this human

KYC Tiers

  • Tier 0: Unverified — No KYC, basic functionality
  • Tier 1: Basic — Email verification, limited transaction amounts
  • Tier 2: Enhanced — Government ID verification, higher limits
  • Tier 3: Full — Complete KYC, unrestricted access

Machine Identity

Machine identities represent AI agents, services, or devices and include:

  • capabilities — List of agent capabilities (e.g., ["inference", "trading"])
  • delegation_scope — Permission boundaries
  • controller_did — DID of controlling entity (optional for autonomous agents)
  • reputation — Network reputation score (0.0-1.0)
  • tenzro_agent_id — Internal agent system ID (optional)

Delegation Scopes

Delegation scopes define fine-grained permissions for machine identities, enabling humans to safely delegate actions to AI agents.

Scope Parameters

{
  "max_transaction_value": "1000.0 TNZO",
  "max_daily_spend": "5000.0 TNZO",
  "allowed_operations": ["transfer", "inference_request"],
  "allowed_contracts": ["0xabc...", "0xdef..."],
  "time_bound": {
    "start": "2026-01-01T00:00:00Z",
    "end": "2026-12-31T23:59:59Z"
  },
  "allowed_payment_protocols": ["Mpp", "X402"],
  "allowed_chains": [1337, 1]
}

Example Use Cases

Trading Agent

Max transaction: $10,000 | Max daily: $50,000 | Operations: swap, provide_liquidity | Time: Market hours only

Inference Agent

Max transaction: 100 TNZO | Max daily: 1000 TNZO | Operations: inference_request | Protocols: MPP, x402

Payment Bot

Max transaction: 50 USDC | Max daily: 500 USDC | Operations: transfer | Allowed chains: Tenzro, Ethereum

W3C DID Documents

TDIP identities can be exported as standard W3C DID Documents for interoperability:

{
  "@context": ["https://www.w3.org/ns/did/v1"],
  "id": "did:tenzro:human:550e8400-e29b-41d4-a716-446655440000",
  "verificationMethod": [{
    "id": "did:tenzro:human:550e8400...#key-1",
    "type": "Ed25519VerificationKey2020",
    "controller": "did:tenzro:human:550e8400...",
    "publicKeyMultibase": "z6MkpTHR8..."
  }],
  "authentication": ["did:tenzro:human:550e8400...#key-1"],
  "service": [{
    "id": "did:tenzro:human:550e8400...#wallet",
    "type": "WalletService",
    "serviceEndpoint": "https://wallet.tenzro.network/api"
  }]
}

Verifiable Credentials

TDIP supports W3C Verifiable Credentials for attestations, certifications, and reputation:

{
  "@context": ["https://www.w3.org/2018/credentials/v1"],
  "type": ["VerifiableCredential", "KycCredential"],
  "issuer": "did:tenzro:human:issuer-uuid",
  "issuanceDate": "2026-03-20T12:00:00Z",
  "expirationDate": "2027-03-20T12:00:00Z",
  "credentialSubject": {
    "id": "did:tenzro:human:550e8400...",
    "kyc_tier": 2
  },
  "proof": {
    "type": "Ed25519Signature2020",
    "created": "2026-03-20T12:00:00Z",
    "proofPurpose": "assertionMethod",
    "verificationMethod": "did:tenzro:human:issuer-uuid#key-1",
    "proofValue": "z58DAdF..."
  }
}

Credential Inheritance

Machine identities automatically inherit credentials from their controllers:

  • If human has KYC Tier 2, their controlled agents inherit Tier 2 privileges
  • If human credential expires, all agent credentials expire
  • Credentials can be explicitly issued to agents for additional attestations

Registration and Resolution

Register Human Identity

# Via CLI
tenzro-cli identity register \
--type human \
--display-name "Alice"
# Output: did:tenzro:human:550e8400...

Register Machine Identity

# Controlled by human
tenzro-cli identity register \
--type machine \
--controller did:tenzro:human:550e8400... \
--capabilities inference,trading
# Autonomous agent
tenzro-cli identity register \
--type machine \
--capabilities inference

Resolve DID

tenzro-cli identity resolve did:tenzro:human:550e8400...

List Identities

tenzro-cli identity list
// Rust - List all registered identities
let result = client.identity().list_identities().await?;
println!("Human: {}, Machine: {}", result["human_count"], result["machine_count"]);
// TypeScript
const result = await client.identity.listIdentities();
console.log(`Human: ${result.human_count}, Machine: ${result.machine_count}`);

Add Credential

tenzro-cli identity add-credential \
--did did:tenzro:human:550e8400... \
--type KycCredential \
--issuer did:tenzro:human:issuer-uuid \
--data '{"kyc_tier": 2}'
// Rust - Add a verifiable credential to an identity
let result = client.identity().add_credential(
    "did:tenzro:human:abc123",
    "KycAttestation",
    Some("did:tenzro:human:issuer"),
    Some(serde_json::json!({"tier": "enhanced", "verified": true})),
).await?;
println!("Credential: {}", result["credential_id"]);
// TypeScript
const result = await client.identity.addCredential(
    "did:tenzro:human:abc123",
    "KycAttestation",
    "did:tenzro:human:issuer",
    { tier: "enhanced", verified: true }
);

Add Service Endpoint

Add service endpoints to a DID Document to advertise APIs, inference endpoints, or other services associated with an identity.

// Rust - Add a service endpoint to an identity
let result = client.identity().add_service(
    "did:tenzro:human:abc123",
    "inference",
    "https://my-model.example.com/v1/chat",
).await?;
// TypeScript
const result = await client.identity.addService(
    "did:tenzro:human:abc123",
    "inference",
    "https://my-model.example.com/v1/chat"
);

PDIS Compatibility

PDIS (Personal Data Identity Standard) is fully supported as a secondary identity standard. Both did:tenzro: and did:pdis: formats are parsed and interoperable.

# PDIS-1: Human/Guardian identity
did:pdis:guardian:{uuid}
# PDIS-2: Controlled agent identity
did:pdis:agent:{guardian}:{uuid}
← ArchitectureNext: Payments →