Digital Identity & Credentials
In the AI economy, both humans and machines need verifiable identities. TDIP (Tenzro Decentralized Identity Protocol) provides a unified identity standard where humans control machine agents through cryptographic delegation, credentials are verifiable on-chain, and KYC tiers are enforced at the protocol level.
The Problem
Today's identity systems were built for humans using browsers. API keys are static secrets. OAuth tokens expire but carry no identity claims. AI agents have no standard way to prove who they are, who controls them, or what they are authorized to do. This creates accountability gaps when agents transact autonomously.
- No unified identity standard for both humans and AI agents
- Agent credentials are self-asserted with no cryptographic verification
- KYC status cannot be verified on-chain without revealing underlying PII
- Revoking a human's identity does not automatically revoke their agents
- No recursive trust chain verification for credential issuance hierarchies
How Tenzro Solves It
TDIP provides a complete identity lifecycle: registration, credential issuance, delegation, enforcement, and revocation. Every identity is a W3C DID Document. Every credential carries a cryptographic proof. Every delegation scope is enforced on-chain. And revoking a human's identity cascades to all controlled machines.
Unified DID Format
did:tenzro:human:{uuid} for humans, did:tenzro:machine:{controller}:{uuid} for controlled agents, and did:tenzro:machine:{uuid} for autonomous agents. The PDIS format is also supported as a secondary standard.
Verifiable Credentials
W3C VC-compatible credential issuance with Ed25519 signature verification. Credential types include KycAttestation, CapabilityAttestation, and custom types. Nonce-based replay protection prevents credential reuse. Recursive trust chain verification with configurable depth.
Delegation Scopes
Fine-grained permissions for machine identities: max_transaction_value, max_daily_spend, allowed_operations, allowed_contracts, time_bound, allowed_payment_protocols, and allowed_chains. These are enforced via enforce_operation(), which returns a typed DelegationViolation.
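The scope check described above, modeled locally as an added example (this is not Tenzro's code). The field names, enforce_operation and DelegationViolation are from this page; the signature, integer types, variant names, check order and fail-closed rules are assumptions.

```rust
// Added illustration: a local model of delegation-scope enforcement.
// Types, variants and the function signature are assumptions, not the SDK's API.
#[derive(Debug, PartialEq)]
pub enum DelegationViolation {
    OperationNotAllowed(String),
    OutsideTimeBound,
    ExceedsMaxTransactionValue { limit: u128 },
    ExceedsMaxDailySpend { limit: u128 },
}

pub struct DelegationScope {
    pub max_transaction_value: u128,
    pub max_daily_spend: u128,
    pub allowed_operations: Vec<String>, // assumption: an empty list denies everything
    pub time_bound: (u64, u64),          // assumption: [start, end) in Unix seconds
}

/// Checks one requested operation; `spent_today` is what the agent has already spent.
pub fn enforce_operation(scope: &DelegationScope, op: &str, value: u128,
                         spent_today: u128, now: u64) -> Result<(), DelegationViolation> {
    if !scope.allowed_operations.iter().any(|o| o == op) {
        return Err(DelegationViolation::OperationNotAllowed(op.to_string()));
    }
    if now < scope.time_bound.0 || now >= scope.time_bound.1 {
        return Err(DelegationViolation::OutsideTimeBound);
    }
    if value > scope.max_transaction_value {
        return Err(DelegationViolation::ExceedsMaxTransactionValue { limit: scope.max_transaction_value });
    }
    // checked_add: a running total that overflows is treated as over the limit.
    match spent_today.checked_add(value) {
        Some(total) if total <= scope.max_daily_spend => Ok(()),
        _ => Err(DelegationViolation::ExceedsMaxDailySpend { limit: scope.max_daily_spend }),
    }
}

/// Constructed sample scope using the limits shown in the Code Example section.
pub fn sample_scope() -> DelegationScope {
    DelegationScope {
        max_transaction_value: 1_000_000_000_000_000_000_000,
        max_daily_spend: 10_000_000_000_000_000_000_000,
        allowed_operations: vec!["transfer".into(), "inference".into()],
        time_bound: (1_767_225_600, 1_798_761_600), // 2026-01-01 to 2027-01-01 UTC
    }
}
```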
Cascading Revocation
Revoking a human identity automatically revokes all controlled machine identities. The RevocationBroadcaster trait propagates revocations across nodes via gossipsub. Inbound revocations are applied via apply_remote_revocation() without re-broadcasting.
Architecture
The identity lifecycle: a human registers, creates machine identities with delegation scopes, issues credentials, and the system enforces scopes and handles cascading revocation.
Code Example
Register identities, set a delegation scope, and resolve DIDs:
```rust
use serde_json::json;
use tenzro_sdk::TenzroClient;

#[tokio::main]
async fn main() -> anyhow::Result<()> {
    let client = TenzroClient::new("https://rpc.tenzro.network");

    // Register human identity
    let human = client.register_identity(
        "human",
        "Alice",
        None,
    ).await?;
    // Returns: did:tenzro:human:{uuid}

    // Register machine identity controlled by human
    let agent = client.register_identity(
        "machine",
        "trading-agent",
        Some(&human.did),
    ).await?;
    // Returns: did:tenzro:machine:{controller}:{uuid}

    // Set delegation scope (value limits are passed as decimal strings)
    client.set_delegation_scope(&agent.did, json!({
        "max_transaction_value": "1000000000000000000000",
        "max_daily_spend": "10000000000000000000000",
        "allowed_operations": ["transfer", "inference"],
        "allowed_payment_protocols": ["mpp", "x402"],
        "allowed_chains": ["tenzro", "ethereum"],
        "time_bound": {
            "start": "2026-01-01T00:00:00Z",
            "end": "2027-01-01T00:00:00Z"
        }
    })).await?;

    // Resolve DID to identity info
    let resolved = client.resolve_did(&agent.did).await?;

    // Export as W3C DID Document
    let did_doc = client.resolve_did_document(&agent.did).await?;

    Ok(())
}
```
Relevant Tools & APIs
MCP Tools
- register_identity
- resolve_did
- set_delegation_scope
RPC Methods
- tenzro_registerIdentity
- tenzro_importIdentity
- tenzro_resolveIdentity
- tenzro_resolveDidDocument
- tenzro_participate
CLI Commands
- tenzro-cli identity register
- tenzro-cli identity resolve
- tenzro-cli identity document
- tenzro-cli identity add-credential
- tenzro-cli identity add-service
- tenzro-cli join