🏗️ Wallet4Agent — Technical Stack Overview

For developers building trusted AI Agents able to interact with persons, companies, services, and other agents

Wallet4Agent provides the trust layer that AI Agents need to operate safely in the real world.
This document explains the technical components, standards, and identity mechanisms behind the platform.

1. 🎯 Purpose of Wallet4Agent

AI Agents increasingly take actions, access data, and collaborate.
To do this safely, they must be able to:

• 🆔 Prove who they are
• 👤 Prove who owns or controls them
• 📄 Hold verifiable credentials
• 🔐 Sign actions and data securely
• 🔗 Trust users, companies, and other agents
• 🪪 Authenticate to external systems without fragile API keys

Wallet4Agent provides AI Agents with:

• A DID-based identity
• A secure wallet for credentials
• Cloud KMS-backed signing keys
• Interoperability with OIDC4VCI, OIDC4VP, SD‑JWT, JSON-LD, OAuth2
• An MCP server interface for agents

Everything is standards‑based and interoperable.

2. 🧱 Architecture Overview

Wallet4Agent is built with three coordinated layers:

2.1 🖥️ MCP Server (Model Context Protocol)

• Single endpoint:
  POST https://wallet4agent.com/mcp
• Exposes all operations as tools:
  • Identity creation
  • Credential issuance
  • Verification flows
  • Signing operations
  • Configuration

2.2 👛 Identity Wallet

Manages:

• The Agent’s DID & DID Document
• Stored credentials (SD‑JWT VC, VC JSON‑LD)
• Linked Verifiable Presentations
• Wallet metadata & service endpoints

2.3 🔐 Authorization & Verification Layer

Supports:

• OAuth2 access tokens
• OIDC4VCI (credential issuance)
• OIDC4VP (presentation)
• User verification flows
• Agent‑to‑Agent authentication

All complex cryptographic and identity logic stays in Wallet4Agent.
Your agent simply calls MCP tools.

3. 🆔 Identity Layer (DID & DID Documents)

Each AI Agent receives a Decentralized Identifier (DID) compliant with the W3C DID Core specification.

Wallet4Agent supports two DID methods:

3.1 🌐 did:web (DNS-based identity)

A DID anchored on a domain.

did:web:wallet4agent.com:<agent-id>

⭐ Characteristics:

• Easy to resolve using HTTPS
• DID Document lives at:
  https://wallet4agent.com/did/<agent-id>
• Perfect for SaaS agents
• Human-readable, infrastructure-friendly
• Works well for corporate or platform-linked AI agents

🔗 DID:web specification:
https://www.w3.org/TR/did-spec-registries/#did-method-web

3.2 ⛓️ did:cheqd (ledger-based identity)

A DID anchored on the Cheqd decentralized ledger.

did:cheqd:<network>:<identifier>

⭐ Characteristics:

• Tamper-resistant DID Document stored on-ledger
• Supports ledger-anchored keys, rotations, service endpoints
• Ideal for:
  • High-assurance identity
  • Regulated environments
  • Trust registries
  • Decentralized compliance ecosystems

🔗 DID:cheqd specification:
https://docs.cheqd.io/identity/

4. 📄 DID Documents

Regardless of DID method, the DID Document exposes:

• 🔑 Public keys
• 🔐 Authentication methods
• 📌 Service endpoints
• 🧾 Linked Verifiable Presentations
• 🧬 Key types (JWK, Ed25519, etc.)

DID Documents are automatically updated when:

• Keys rotate
• New developer or agent keys are registered
• Credentials are published as Linked VPs
• Authentication methods change

External agents and services use the DID Document to verify signatures, credentials, and linked proofs.

5. 🔗 Linked Verifiable Presentations (Linked VP)

Linked VP allows Wallet4Agent to publish verifiable credentials inside the DID Document as references.

Why this matters:

• Public credentials become discoverable
• Third parties can verify agent capabilities
• Useful for:
  • Corporate mandates
  • Agent capabilities
  • Service trust signals
  • Compliance proofs

Supported formats:

• 🟦 SD‑JWT VC
• 🟩 JWT‑VC / JWT‑VP
• 🟪 JSON‑LD VC / VP

Specification:
https://identity.foundation/linked-vp/spec/v1.0.0/

6. 🔐 Cryptography & Key Management

6.1 🗝️ Cloud KMS–backed keys (non-exportable)

Each agent has a dedicated cloud KMS key.

Used for:

• Signing Verifiable Presentations
• Proofs of key ownership in OIDC4VCI
• JWTs for OAuth2 client authentication
• Internal signature operations

Benefits:

• Private key never leaves KMS
• Agent identity is tied to a secure execution environment
• High‑assurance signatures

6.2 🔑 Developer-supplied keys

Developers may register additional public JWKs:

• For OAuth private_key_jwt
• For agent frameworks managing their own keys
• For corporate signing keys

Wallet4Agent stores the public keys; developers retain the private keys.

7. 🔑 Authentication Methods

Wallet4Agent supports three agent authentication flows:

7.1 🔹 Agent Personal Access Token (PAT)

Authorization: Bearer <agent_pat>

Simple and effective for development or local agents.

7.2 🔹 OAuth2 Client Credentials

Agent receives:

• client_id = Agent DID
• client_secret

Then exchanges using:

grant_type=client_credentials

Ideal for most production requests.

7.3 🔹 OAuth2 private_key_jwt

Strongest method:

• Developer registers a public JWK
• Agent signs a JWT with its private key
• Wallet4Agent validates it using the registered public JWK

Useful for hardware-backed keys and enterprise infrastructures.

8. 🧾 Credential Issuance (OIDC4VCI)

Wallet4Agent handles complete credential issuance flows:

• Fetch issuer metadata
• Obtain OAuth tokens
• Create proof of key ownership signed by the agent's KMS key
• Request credentials
• Store as attestations

Supported formats:

• 🟦 SD‑JWT VC
• 🟩 VC JSON‑LD

Agents only call MCP tools — Wallet4Agent does all protocol-level work.

9. 🧪 Verification (OIDC4VP)

Wallet4Agent supports verification of:

• Natural persons
• Other agents
• Credential-based access

Agents can:

• Start user verification
• Poll status
• Receive verified attributes safely
• Authenticate peer agents

The agent never sees sensitive tokens; only derived, safe claims are returned.

10. 📦 Credential Storage & Retrieval

Wallet4Agent stores credentials as attestations, including:

• Format
• Issuer
• VCT/VC type
• Expiry
• Encrypted payload
• Publication status (for Linked VP)

Agents can:

• List their credentials
• Accept new ones
• Access credentials of other agents (if published)

11. 🌐 OAuth Protected Resource Metadata

Published under:

/.well-known/oauth-protected-resource/mcp

Includes:

• Supported authentication methods
• Resource identifiers
• Trusted authorization servers

Enables automatic configuration by OAuth2 clients and gateways.

12. 🛡️ Responsible AI Features

Wallet4Agent supports human-in-the-loop requirements:

{
  "always_human_in_the_loop": true
}

Used for:

• High-risk operations
• Sensitive credential acceptance
• Escalation to human review

🧩 13. Summary for Developers

If you are an Agent developer, Wallet4Agent gives you:

Your AI Agent becomes a verifiable digital entity, capable of participating in decentralized and regulated digital identity ecosystems while preserving security and accountability.

Maintainer: Wallet4Agent (Web3 Digital Wallet / Talao )
For feedback or additional documentation, use the contact channels on the Wallet4Agent website.