Tenzro Decentralized Identity Protocol (TDIP)

Unified identity for humans and machines — W3C DID-compliant with verifiable credentials and delegation scopes

TDIP provides a single identity standard for both human users and machine agents. Every identity gets a DID (did:tenzro:...), a W3C-compatible DID Document, verifiable credentials, and fine-grained delegation scopes. PDIS (did:pdis:) remains fully supported as a secondary standard.

Start Building Read Documentation

What is the Tenzro Decentralized Identity Protocol?

Tenzro Decentralized Identity Protocol (TDIP) is a unified identity system that treats human users and AI agents as first-class citizens with equal identity primitives. Every identity receives a decentralized identifier (DID) following W3C standards, a DID Document with verification methods and service endpoints, and the ability to issue and inherit verifiable credentials.

Unlike traditional identity systems that bolt on machine identities as an afterthought, TDIP was designed from the ground up for the AI age. Human identities (did:tenzro:human:uuid) can control multiple machine identities (did:tenzro:machine:controller:uuid), with fine-grained delegation scopes limiting what operations, contracts, payment protocols, and transaction values each machine can access.

Every TDIP identity gets an auto-provisioned MPC threshold wallet with no seed phrases required. Credentials flow from humans to their controlled machines, enabling trust chains. Revoking a human identity automatically cascades to all controlled machines. KYC tiers (Unverified, Basic, Enhanced, Full) are inherited from controllers to their machines, ensuring compliance across the entire identity graph.

Key Features

Human & Machine DIDs

did:tenzro:human:uuid for people, did:tenzro:machine:controller:uuid for controlled agents, did:tenzro:machine:uuid for autonomous agents. Single identity format for all actors with built-in controller relationships and hierarchy.

W3C DID Documents

Standard-compliant DID Document export/import with service endpoints, verification methods, and authentication. Full interoperability with existing W3C DID infrastructure.

Verifiable Credentials

W3C VC-compatible credential issuance with inheritance chains. Credentials flow from humans to their controlled machines with cryptographic verification.

Delegation Scopes

Fine-grained permissions: max_transaction_value, max_daily_spend, allowed_operations, allowed_contracts, time_bound, allowed_payment_protocols, allowed_chains. Control exactly what each machine identity can do without compromising human authority.

KYC Tiers

Four verification levels: Unverified (0), Basic (1), Enhanced (2), Full (3). Machines inherit tier from controller. Tier-based access control for regulated operations. Upgrades and downgrades tracked on-chain with credential proofs.

Cascading Revocation

Revoking a human identity automatically revokes all controlled machine identities. Revocation propagates through the entire trust chain. Immediate network-wide effect. No orphaned machine identities or dangling credentials.

Architecture

┌─────────────────────────────────────────┐
│          Identity Registry              │
│       (Distributed Storage)             │
├─────────────────────────────────────────┤
│                                         │
│  ┌──────────────┐  ┌────────────────┐  │
│  │ Human DIDs   │  │ Machine DIDs   │  │
│  │              │  │                │  │
│  │ did:tenzro:  │  │ did:tenzro:    │  │
│  │ human:{uuid} │  │ machine:{c}:   │  │
│  │              │  │ {uuid}         │  │
│  └──────┬───────┘  └───────┬────────┘  │
│         │     controls     │           │
│         └──────────────────┘           │
│                                         │
│  ┌──────────────┐  ┌────────────────┐  │
│  │ Credentials  │  │ DID Documents  │  │
│  │ (W3C VC)     │  │ (W3C DID)      │  │
│  └──────────────┘  └────────────────┘  │
│                                         │
│  ┌──────────────┐  ┌────────────────┐  │
│  │ Delegation   │  │ Wallet Binder  │  │
│  │ Scopes       │  │ (MPC Wallets)  │  │
│  └──────────────┘  └────────────────┘  │
└─────────────────────────────────────────┘

Identity Types

Human Identity (did:tenzro:human:uuid)

Primary identity for human users. Contains display_name, KYC tier, list of controlled machine identities, and wallet binding. Can issue credentials, control machines, and set delegation scopes. Root of trust for all controlled identities.

did:tenzro:human:a1b2c3d4-e5f6-7890-abcd-ef1234567890

Controlled Machine Identity (did:tenzro:machine:controller:uuid)

Machine identity controlled by a human or another machine. Contains controller DID, capabilities list, delegation scope, reputation score, and optional tenzro_agent_id. Inherits KYC tier and credentials from controller. Cannot exist without controller.

did:tenzro:machine:a1b2c3d4...7890:e5f6g7h8-i9j0-1234-5678-90abcdef1234

Autonomous Machine Identity (did:tenzro:machine:uuid)

Fully autonomous machine identity with no controller. Self-sovereign agent that manages its own credentials and delegation scopes. Cannot inherit KYC tier (always Unverified unless upgraded through direct verification). Useful for public infrastructure agents.

did:tenzro:machine:e5f6g7h8-i9j0-1234-5678-90abcdef1234

PDIS Compatibility (did:pdis:guardian:uuid / did:pdis:agent:controller:uuid)

Full support for legacy PDIS format. PDIS-1 guardians map to human identities. PDIS-2 agents map to controlled machines. Both formats parse and resolve correctly. Interoperability maintained for existing PDIS implementations.

did:pdis:guardian:a1b2c3d4-e5f6-7890-abcd-ef1234567890

Getting Started

1. Register Identity

Create human and machine identities with the TDIP registry:

use tenzro_identity::{IdentityRegistry, IdentityType};

let registry = IdentityRegistry::new();

// Register a human identity
let human = registry.register_human(
    "Alice".to_string(),
    public_key,
    KycTier::Basic,
)?;
// → did:tenzro:human:a1b2c3d4...

// Register a machine under that human
let machine = registry.register_machine(
    human.did().clone(),
    "Trading Bot".to_string(),
    vec!["inference", "trading"],
    public_key,
)?;
// → did:tenzro:machine:a1b2c3d4...:e5f6g7h8...

2. Set Delegation Scope

Configure fine-grained permissions for machine identities:

use tenzro_identity::DelegationScope;

let scope = DelegationScope {
    max_transaction_value: Some(1_000_000),
    max_daily_spend: Some(10_000_000),
    allowed_operations: vec!["transfer", "inference"],
    allowed_contracts: vec![],
    time_bound: Some(Duration::from_secs(86400 * 30)),
    allowed_payment_protocols: vec![PaymentProtocolId::Mpp],
    allowed_chains: vec![],
};

registry.set_delegation_scope(&machine_did, scope)?;

3. Issue Verifiable Credentials

Create W3C-compatible credentials that inherit to controlled machines:

use tenzro_identity::{VerifiableCredential, CredentialProof};

// Issue credential to human
let credential = VerifiableCredential {
    id: "credential:kyc:basic:001".to_string(),
    type_: vec!["VerifiableCredential", "KycCredential"],
    issuer: issuer_did.clone(),
    issuance_date: Utc::now(),
    expiration_date: Some(Utc::now() + Duration::days(365)),
    credential_subject: serde_json::json!({
        "id": human.did().to_string(),
        "kyc_tier": "Basic",
        "verified_at": Utc::now(),
    }),
    proof: CredentialProof {
        type_: "Ed25519Signature2020".to_string(),
        created: Utc::now(),
        verification_method: issuer_verification_method,
        proof_purpose: "assertionMethod".to_string(),
        proof_value: signature_bytes,
    },
};

registry.add_credential(&human.did(), credential)?;

4. Export W3C DID Document

Generate standard-compliant DID Documents for interoperability:

// Export to W3C DID Document
let did_doc = registry.export_did_document(&human.did())?;

// Example DID Document structure:
{
  "id": "did:tenzro:human:a1b2c3d4...",
  "@context": [
    "https://www.w3.org/ns/did/v1",
    "https://w3id.org/security/suites/ed25519-2020/v1"
  ],
  "verificationMethod": [{
    "id": "did:tenzro:human:a1b2c3d4...#keys-1",
    "type": "Ed25519VerificationKey2020",
    "controller": "did:tenzro:human:a1b2c3d4...",
    "publicKeyMultibase": "z6Mk..."
  }],
  "authentication": ["#keys-1"],
  "service": [{
    "id": "#inference",
    "type": "TenzroInferenceService",
    "serviceEndpoint": "https://api.example.com/v1/inference"
  }]
}

5. Resolve DIDs and Verify Credentials

Resolve DIDs to identities and verify credential trust chains:

// Resolve DID to identity
let identity = registry.resolve(&did)?;

// Check if identity is human or machine
match identity.identity_type() {
    IdentityType::Human => println!("Human: {}", identity.display_name()),
    IdentityType::Machine => {
        println!("Machine: {}", identity.display_name());
        if let Some(controller) = identity.controller_did() {
            println!("Controlled by: {}", controller);
        }
    }
}

// Verify credential trust chain
let is_valid = registry.verify_credential_chain(
    &credential,
    &identity.did(),
)?;

Ready to Build with Tenzro Identity?

Access comprehensive documentation, SDKs, and examples to start building identity-aware applications for humans and machines.

Documentation Start Building Download CLI