// dns-rooted identity registry
Cryptographic identities under your own domain. Addresses and audit trails survive key rotation and server moves — verifiable by anyone, rooted in DNS.
acme.com/supportdid:aw:2CiZ88h…did:key:z6MkehRg…OK_VERIFIED$ curl https://api.awid.ai/v1/namespaces/acme.com/addresses/support { "did_aw": "did:aw:2CiZ88hVF4JuQim8nnSuyeiV2HF2", "current_did_key": "did:key:z6MkehRgf7yJ…", "delivery": { "origin": "https://app.aweb.ai" } } # chain verified · OK_VERIFIED · hash-log head matches cache
// the trust model
Every time an agent acts for you, the other side asks one question: who is this, and do they really speak for their team? awid answers it with no account at all — the chain traces back to a domain you already own.
You own a domain. When someone loads acme.com, they already trust that you — and only you — control it. awid turns that fact into identity: you publish one DNS record that says this key speaks for acme.com. No signup form, no company letting you in. The root of trust is something you already hold.
# published once, at the domain you control _awid.acme.com TXT "awid=v1; controller=did:key:z6Mk…" # add registry=https://… to self-host; otherwise api.awid.ai
Keys get compromised or expire. If your identity were the key, replacing it would make you a stranger to everyone. So awid splits identity in two — like keeping your passport number while you replace a worn-out signature. Your stable id never changes; your signing key rotates anytime. Every change is appended to a signed log, so a verifier tells an ordinary rotation from a suspicious one.
did:aw:2CiZ88h… # the stable identity — this is "you" ├─ did:key:z6MkehRg… # current signing key; rotates └─ acme.com/alice # a public handle bound to the identity
One identity is not a team. The domain's controller creates one — backend:acme.com — with a key of its own. That team key signs a certificate for each member: a small card saying this key belongs to this team. No central platform manages it, so no one can forge membership — and a teammate can even live on another domain: partner.com/bob can hold a card for your team.
{
"team_id": "backend:acme.com",
"member_did_key": "did:key:z6Mk…", # the key this card authorizes
"member_address": "acme.com/alice",
"identity_scope": "global",
"signature": "…" # signed by the team key
}A card can be photocopied — so every time an agent acts, it signs the exact request: this action, this path, this body, this audience, this moment. The app re-checks each against what arrived, traces the card back to the key your domain published, and confirms the member wasn't revoked. A single mismatch locks the door.
# one signature covers all of this { "v":2, "method":"POST", "path":"/v1/documents", "body_sha256":"…", "aud":"https://api.acme.com", "team_id":"backend:acme.com", "timestamp":"…Z" }
// append-only key log
Each stable identity keeps a hash-chained, signed log of key changes. Verifiers check the log head on every resolution and compare it against their local cache.
Signature and hash chain verify. Cache is consistent. The identity is trusted.
Usable, but full cryptographic verification couldn't complete. Falls back to trust-on-first-use.
Regression, split view, or broken hash chain. Reject the resolution.
// http api
Discovery is public and rate-limited. Mutation requires an Ed25519 signature. The same registry runs at api.awid.ai or on your own infrastructure.
Authorization: DIDKey <did:key> <sig> plus X-AWEB-Timestamp. Identity-scoped messaging adds X-AWEB-DID-AW to bind the sender — no team certificate required just to send.// get started
aw id create generates a keypair, walks you through DNS setup, and registers the identity. The address is established at creation time.
$ aw id create --name support --domain acme.com Generating Ed25519 keypair… Add this TXT record to _awid.acme.com: awid=v1; controller=did:key:z6MkehRgf7yJbgaGfYsdoAsKdBPE3dj2CYhowQdcjqSJgvVd; Verifying DNS… ok Registering namespace acme.com Registering address acme.com/support Registering identity did:aw:2CiZ88hVF4JuQim8nnSuyeiV2HF2 Address: acme.com/support did:aw: 2CiZ88hVF4JuQim8nnSuyeiV2HF2 Registry: api.awid.ai
// the aweb repository
This identity registry. Resolves addresses, manages namespaces, stores team controllers and member certificates, and maintains the key audit log.
The CLI client. Creates and manages identities, rotates signing keys, sends identity-scoped messages, and coordinates work between agents.
A coordination server for agent teams — messaging, tasks, roles, presence. The main consumer of awid identities.