Summary
This server implements OIDC4VP credential verification flows for AI agents interacting with EUDI and Talao wallets. It handles the presentation request protocol, status polling, and claim extraction so your agent doesn't touch raw tokens or manage verification state. You'd use this when your agent needs to verify a user's identity or credentials held in a mobile wallet, like checking employment status before granting access or validating age claims. The verification happens via QR code or deep link, the user presents credentials from their wallet app, and your agent receives safe, derived attributes through MCP tools. Built on the Wallet4Agent stack with support for SD-JWT VC and JSON-LD formats.
Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.
One time payment $9 →
Integrate web data into your AI product. One API to scrape website & brand data.
Get API Key Now →
Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →
On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.
Start earning →
🏗️ Wallet4Agent — Technical Stack Overview
For developers building trusted AI Agents able to interact with persons, companies, services, and other agents
Wallet4Agent provides the trust layer that AI Agents need to operate safely in the real world.
This document explains the technical components, standards, and identity mechanisms behind the platform.
1. 🎯 Purpose of Wallet4Agent
AI Agents increasingly take actions, access data, and collaborate.
To do this safely, they must be able to:
- 🆔 Prove who they are
- 👤 Prove who owns or controls them
- 📄 Hold verifiable credentials
- 🔐 Sign actions and data securely
- 🔗 Trust users, companies, and other agents
- 🪪 Authenticate to external systems without fragile API keys
Wallet4Agent provides AI Agents with:
- A DID-based identity
- A secure wallet for credentials
- Cloud KMS-backed signing keys
- Interoperability with OIDC4VCI, OIDC4VP, SD‑JWT, JSON-LD, OAuth2
- An MCP server interface for agents
Everything is standards‑based and interoperable.
2. 🧱 Architecture Overview
Wallet4Agent is built with three coordinated layers:
2.1 🖥️ MCP Server (Model Context Protocol)
- Single endpoint:
POST https://wallet4agent.com/mcp - Exposes all operations as tools:
- Identity creation
- Credential issuance
- Verification flows
- Signing operations
- Configuration
2.2 👛 Identity Wallet
Manages:
- The Agent’s DID & DID Document
- Stored credentials (SD‑JWT VC, VC JSON‑LD)
- Linked Verifiable Presentations
- Wallet metadata & service endpoints
2.3 🔐 Authorization & Verification Layer
Supports:
- OAuth2 access tokens
- OIDC4VCI (credential issuance)
- OIDC4VP (presentation)
- User verification flows
- Agent‑to‑Agent authentication
All complex cryptographic and identity logic stays in Wallet4Agent.
Your agent simply calls MCP tools.
3. 🆔 Identity Layer (DID & DID Documents)
Each AI Agent receives a Decentralized Identifier (DID) compliant with the W3C DID Core specification.
Wallet4Agent supports two DID methods:
3.1 🌐 did:web (DNS-based identity)
A DID anchored on a domain.
did:web:wallet4agent.com:<agent-id>
⭐ Characteristics:
- Easy to resolve using HTTPS
- DID Document lives at:
https://wallet4agent.com/did/<agent-id> - Perfect for SaaS agents
- Human-readable, infrastructure-friendly
- Works well for corporate or platform-linked AI agents
🔗 DID:web specification:
https://www.w3.org/TR/did-spec-registries/#did-method-web
3.2 ⛓️ did:cheqd (ledger-based identity)
A DID anchored on the Cheqd decentralized ledger.
did:cheqd:<network>:<identifier>
⭐ Characteristics:
- Tamper-resistant DID Document stored on-ledger
- Supports ledger-anchored keys, rotations, service endpoints
- Ideal for:
- High-assurance identity
- Regulated environments
- Trust registries
- Decentralized compliance ecosystems
🔗 DID:cheqd specification:
https://docs.cheqd.io/identity/
4. 📄 DID Documents
Regardless of DID method, the DID Document exposes:
- 🔑 Public keys
- 🔐 Authentication methods
- 📌 Service endpoints
- 🧾 Linked Verifiable Presentations
- 🧬 Key types (JWK, Ed25519, etc.)
DID Documents are automatically updated when:
- Keys rotate
- New developer or agent keys are registered
- Credentials are published as Linked VPs
- Authentication methods change
External agents and services use the DID Document to verify signatures, credentials, and linked proofs.
5. 🔗 Linked Verifiable Presentations (Linked VP)
Linked VP allows Wallet4Agent to publish verifiable credentials inside the DID Document as references.
Why this matters:
- Public credentials become discoverable
- Third parties can verify agent capabilities
- Useful for:
- Corporate mandates
- Agent capabilities
- Service trust signals
- Compliance proofs
Supported formats:
- 🟦 SD‑JWT VC
- 🟩 JWT‑VC / JWT‑VP
- 🟪 JSON‑LD VC / VP
Specification:
https://identity.foundation/linked-vp/spec/v1.0.0/
6. 🔐 Cryptography & Key Management
6.1 🗝️ Cloud KMS–backed keys (non-exportable)
Each agent has a dedicated cloud KMS key.
Used for:
- Signing Verifiable Presentations
- Proofs of key ownership in OIDC4VCI
- JWTs for OAuth2 client authentication
- Internal signature operations
Benefits:
- Private key never leaves KMS
- Agent identity is tied to a secure execution environment
- High‑assurance signatures
6.2 🔑 Developer-supplied keys
Developers may register additional public JWKs:
- For OAuth
private_key_jwt - For agent frameworks managing their own keys
- For corporate signing keys
Wallet4Agent stores the public keys; developers retain the private keys.
7. 🔑 Authentication Methods
Wallet4Agent supports three agent authentication flows:
7.1 🔹 Agent Personal Access Token (PAT)
Authorization: Bearer <agent_pat>
Simple and effective for development or local agents.
7.2 🔹 OAuth2 Client Credentials
Agent receives:
client_id= Agent DIDclient_secret
Then exchanges using:
grant_type=client_credentials
Ideal for most production requests.
7.3 🔹 OAuth2 private_key_jwt
Strongest method:
- Developer registers a public JWK
- Agent signs a JWT with its private key
- Wallet4Agent validates it using the registered public JWK
Useful for hardware-backed keys and enterprise infrastructures.
8. 🧾 Credential Issuance (OIDC4VCI)
Wallet4Agent handles complete credential issuance flows:
- Fetch issuer metadata
- Obtain OAuth tokens
- Create proof of key ownership signed by the agent's KMS key
- Request credentials
- Store as attestations
Supported formats:
- 🟦 SD‑JWT VC
- 🟩 VC JSON‑LD
Agents only call MCP tools — Wallet4Agent does all protocol-level work.
9. 🧪 Verification (OIDC4VP)
Wallet4Agent supports verification of:
- Natural persons
- Other agents
- Credential-based access
Agents can:
- Start user verification
- Poll status
- Receive verified attributes safely
- Authenticate peer agents
The agent never sees sensitive tokens; only derived, safe claims are returned.
10. 📦 Credential Storage & Retrieval
Wallet4Agent stores credentials as attestations, including:
- Format
- Issuer
- VCT/VC type
- Expiry
- Encrypted payload
- Publication status (for Linked VP)
Agents can:
- List their credentials
- Accept new ones
- Access credentials of other agents (if published)
11. 🌐 OAuth Protected Resource Metadata
Published under:
/.well-known/oauth-protected-resource/mcp
Includes:
- Supported authentication methods
- Resource identifiers
- Trusted authorization servers
Enables automatic configuration by OAuth2 clients and gateways.
12. 🛡️ Responsible AI Features
Wallet4Agent supports human-in-the-loop requirements:
{
"always_human_in_the_loop": true
}
Used for:
- High-risk operations
- Sensitive credential acceptance
- Escalation to human review
🧩 13. Summary for Developers
If you are an Agent developer, Wallet4Agent gives you:
| Feature | What you get |
|---|---|
| 🆔 Agent identity | DID + DID Document |
| 🔑 Authentication | Dev PAT, Agent PAT, OAuth2 Client Credentials, private_key_jwt |
| 🔐 Cryptographic keys | Cloud KMS signatures, non‑exportable |
| 📜 Credential issuance | Full OIDC4VCI support (SD‑JWT VC & VC JSON‑LD) |
| ✅ Credential verification | OIDC4VP with simple MCP tools and safe derived claims |
| 👤 Human interaction | QR code → wallet → verified attributes |
| 🤝 Inter‑agent trust | Ability to inspect credentials of other agents (when authorized) |
| ⚙️ Configuration | Auth mode, keys, policies all manageable via MCP |
| 🛡️ Security | KMS, OAuth2, DID rotation & key updates, role‑separated tokens |
Your AI Agent becomes a verifiable digital entity, capable of participating in decentralized and regulated digital identity ecosystems while preserving security and accountability.
Maintainer: Wallet4Agent (Web3 Digital Wallet / Talao )
For feedback or additional documentation, use the contact channels on the Wallet4Agent website.
| Standard | Purpose | Link |
|---|---|---|
| DID Core | Core DID specification | https://www.w3.org/TR/did-core/ |
| Linked Verifiable Presentations | Public VCs in DID Documents | https://identity.foundation/linked-vp/spec/v1.0.0/ |
| OIDC4VCI | Credential issuance | https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html |
| OIDC4VP | Credential presentation | https://openid.net/specs/openid-4-verifiable-presentations-1_0.html |
| W3C Verifiable Credentials | VC Data Model | https://www.w3.org/TR/vc-data-model-2.0/ |
| SD-JWT VC (IETF) | Selective disclosure credential format | https://www.ietf.org/archive/id/draft-ietf-oauth-sd-jwt-vc-12.html |
Featured
Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.
One time payment $9 →Integrate web data into your AI product. One API to scrape website & brand data.
Get API Key Now →Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.
Start earning →
