DEV Community

Pico

The Two Layers of Agent Identity

Today there's an interesting Show HN thread about ZeroID — open-source agent identity based on OIDF standards, RFC 8693, SPIRE. Solid work on the cryptographic delegation chain problem.

But it made me realize there are actually two distinct identity problems for agents, and most tools solve only one.

Layer 1: Cryptographic Identity — "Who is this agent?"

This is what ZeroID, SPIRE, and similar tools address: giving an agent a verifiable identity in a certificate chain. They solve delegation (parent agent → sub-agent), revocation propagation, and down-scoped tokens.

Essential for multi-agent systems where you need to know the provenance of any given action.
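The three properties named above (delegation, revocation propagation, down-scoping) can be checked on a chain of delegated tokens. This is an added example, not code from ZeroID or SPIRE: it uses the RFC 8693 `act` claim and space-delimited `scope`, and it assumes a hypothetical revocation set keyed by `jti` and claim sets whose signatures were already verified.

```python
# Added illustration: claim sets are constructed and assumed already signature-verified.
def actor_chain(claims):
    """Flatten the nested RFC 8693 `act` claim: current actor first, earliest last."""
    chain, act = [], claims.get("act")
    while isinstance(act, dict):
        chain.append(act.get("sub"))
        act = act.get("act")
    return chain

def check_delegation(tokens, revoked_jti, now):
    """tokens: root-first claim sets, each minted by exchanging the one before it.
    revoked_jti is a hypothetical revocation set. Returns (ok, reason)."""
    parent = None
    for depth, tok in enumerate(tokens):
        if tok["jti"] in revoked_jti:
            # One revoked ancestor invalidates every token derived from it.
            return False, f"revoked at depth {depth}"
        if tok["exp"] <= now:
            return False, f"expired at depth {depth}"
        if parent is not None:
            if tok["sub"] != parent["sub"]:
                return False, f"subject changed at depth {depth}"
            if not set(tok["scope"].split()) <= set(parent["scope"].split()):
                return False, f"scope widened at depth {depth}"
            if tok["exp"] > parent["exp"]:
                return False, f"outlives parent at depth {depth}"
            chain = actor_chain(tok)
            # Each hop must add exactly one actor in front of the parent's chain.
            if not chain or chain[1:] != actor_chain(parent):
                return False, f"actor chain broken at depth {depth}"
        parent = tok
    return True, "ok"

# Constructed sample: user -> orchestrator agent -> summarizer sub-agent.
ROOT = {"jti": "t0", "sub": "user:alice", "exp": 1000,
        "scope": "mail.read mail.send repo.read"}
ORCH = {"jti": "t1", "sub": "user:alice", "exp": 900, "scope": "mail.read repo.read",
        "act": {"sub": "agent:orchestrator"}}
SUB = {"jti": "t2", "sub": "user:alice", "exp": 600, "scope": "mail.read",
       "act": {"sub": "agent:summarizer", "act": {"sub": "agent:orchestrator"}}}

if __name__ == "__main__":
    print(check_delegation([ROOT, ORCH, SUB], set(), now=100))
    print(check_delegation([ROOT, ORCH, SUB], {"t1"}, now=100))
```
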

Layer 2: Communication Identity — "How does this agent interact with the internet?"

This one gets less attention, but it's just as real.

Most services on the internet use email as their primary interface: account registration, OTP codes, password resets, webhook delivery, notification routing. An agent with a verified cryptographic identity still can't sign up for a third-party API, receive a confirmation code, or get notified when something happens — because it has no inbox.

You can solve "who is this agent?" at the cert layer without ever solving "where does this agent receive mail?"

In practice

Getting an agent a persistent email address with AgentLair takes one curl call:

# Get an API key (no signup)
curl -X POST https://agentlair.dev/v1/auth/keys

# Claim an address
curl -X POST https://agentlair.dev/v1/email/claim \
  -H "Authorization: Bearer YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{"address": "myagent@agentlair.dev"}'

The address persists across restarts and redeploys. The agent can send and receive mail. When a service sends a confirmation code to myagent@agentlair.dev, the agent can read it and continue.

These layers are complementary

Cryptographic identity (ZeroID, SPIRE) and communication identity (AgentLair) are solving orthogonal problems. A production agent system needs both:

  • Protocol layer: who is this agent, what was it delegated to do
  • Communication layer: how does this agent interact with services that assume email exists

Neither replaces the other. The gap between them is where most agent infrastructure stops short.


AgentLair: agentlair.dev — agent email, vault, and persistent identity. No signup required to start.
