Skip to content

feat: derive agent identity from a single private-key env var#435

Merged
manojbajaj95 merged 3 commits into
mainfrom
426-feat-simplify-agent-identity-to-a-single-private-key-environment-variable
Jun 16, 2026
Merged

feat: derive agent identity from a single private-key env var#435
manojbajaj95 merged 3 commits into
mainfrom
426-feat-simplify-agent-identity-to-a-single-private-key-environment-variable

Conversation

@rishabhraj36

@rishabhraj36 rishabhraj36 commented Jun 16, 2026

Copy link
Copy Markdown
Collaborator

Description

Agent identity is now fully derivable from a single environment variable, AUTHSOME_IDENTITY_PRIVATE_KEY. The DID is computed locally from the key, and the human-readable handle is resolved from the identity server by DID. This removes the need for AUTHSOME_IDENTITY, local identity files, or authsome init in headless/agent deployments.

Key changes:

  • RuntimeIdentity.load() accepts a key-only env and defers the handle (the runtime handle is now optional and resolved later instead of raising ValueError).
  • The CLI client resolves the handle from the server by DID before PoP signing. When the DID is unknown (brand-new agent), a handle is generated and registered via the existing claim flow.
  • New reverse-lookup: GET /api/identities/by-did/{did} route + IdentityRegistry.resolve_by_did().
  • AUTHSOME_IDENTITY is kept as an optional, deprecated handle override for backward compatibility.
  • Docs updated with the single-key setup and a migration note.

Motivation and Context

The previous two-variable setup (AUTHSOME_IDENTITY + AUTHSOME_IDENTITY_PRIVATE_KEY) plus local filesystem bootstrap was unnecessarily convoluted for CI, containers, and ephemeral agents. This aligns with the cryptographic model: the identity is the key pair, and the handle is server-registered metadata that should be resolved from the identity server rather than supplied locally.

Closes #426.

How Has This Been Tested?

  • Added unit tests following TDD (written first, watched fail, then implemented):
    • IdentityRegistry.resolve_by_did() returns the registered handle / None for unknown DIDs.
    • GET /api/identities/by-did/{did} returns the handle or 404.
    • RuntimeIdentity.load() with a key-only env derives the DID and leaves the handle unresolved.
    • Client resolves the handle from the server for a key-only env, with no filesystem identity artifacts.
    • Unknown DID auto-generates and registers a handle.
  • Replaced the obsolete tests that asserted the old "private key requires AUTHSOME_IDENTITY" error.
  • Full suite: 430 passed, 3 skipped. ruff and ty clean on all changed files.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • My code follows the code style of this project.
  • I have read the CONTRIBUTING document.
  • All new and existing tests passed.

@rishabhraj36 rishabhraj36 linked an issue Jun 16, 2026 that may be closed by this pull request
feat: Simplify agent identity to a single private-key environment variable #426
Closed
@mintlify

mintlify Bot commented Jun 16, 2026
edited
Loading

Copy link
Copy Markdown

Preview deployment for your docs. Learn more about Mintlify Previews.

Project Status Preview Updated (UTC)
agentr 🟢 Ready View Preview Jun 16, 2026, 8:04 AM

💡 Tip: Enable Workflows to automatically generate PRs for you.

@rishabhraj36 rishabhraj36 requested a review from beubax June 16, 2026 08:06
@rishabhraj36 rishabhraj36 marked this pull request as ready for review June 16, 2026 08:06
@manojbajaj95 @cursoragent
fix: recover from 409 when concurrent agents register the same DID
3a9f17e 
When two processes with the same private key race to register, the loser
gets a 409 from the identity server. Re-resolve the handle by DID and
continue instead of failing startup.

Co-authored-by: Cursor <cursoragent@cursor.com>
@manojbajaj95 manojbajaj95 merged commit 0890c0b into main Jun 16, 2026
6 checks passed
@manojbajaj95 manojbajaj95 deleted the 426-feat-simplify-agent-identity-to-a-single-private-key-environment-variable branch June 16, 2026 15:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@beubax beubax Awaiting requested review from beubax

@manojbajaj95 manojbajaj95 Awaiting requested review from manojbajaj95

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

feat: Simplify agent identity to a single private-key environment variable

2 participants

@rishabhraj36 @manojbajaj95