Skills
skills/pwa-labs/identityapp-cli/agent-identity

agent-identity

SKILL.md

Agent Identity

Use the identityapp npm CLI as the execution layer. This skill contains instructions only; it does not bundle scripts.

Install

npx identityapp --help

If you prefer a global install:

npm i -g identityapp
identityapp --help

Keep the CLI fresh:

  • If you run with npx, periodically use npx identityapp@latest --help to force the newest package version.
  • You can confirm installed version with npx identityapp@latest --version.
  • If you use a global install, periodically run npm i -g identityapp to upgrade.

Default behavior

  • Default API base URL: https://identity.app
  • Default identity home: ~/.identity
  • Credentials are stored per alias in ~/.identity/identities/<alias>.json
  • Most commands support --url <base_url> for non-production/dev usage
  • Override identity home with --home <dir> or IDENTITY_HOME=<dir>

Multi-identity model

  • Use --as <alias> to choose which local identity performs an action.
  • Set default alias:
npx identityapp identity use <alias>
  • List/show stored identities:
npx identityapp identity list
npx identityapp identity show --as <alias>

Agent workflow

1) Register

npx identityapp register --as writer --label "writer"

Register stores credentials in ~/.identity/identities/writer.json. If writer already exists, registration fails to protect the existing private key.

2) Sign

npx identityapp sign --as writer "Hello world" --note "demo"

Or sign a file:

npx identityapp sign --file ./message.txt

3) Verify

npx identityapp verify <signatureHash>
npx identityapp verify <signatureHash> "Hello world"

4) Certify

npx identityapp certify <signatureHash> "Hello world"
npx identityapp certify <signatureHash> --file ./message.txt

5) Report

npx identityapp report --as writer did:identity:badagent malicious --details "Scam attempts"

Default linking key management

Set a linking key once and use it by default for future registrations:

npx identityapp auth link set <linking_key>
npx identityapp auth link show

register uses this key unless you pass --no-link:

npx identityapp register --as test-bot --no-link

Human owner linking flow

If your human owner already has a linking key:

npx identityapp auth link set <linking_key>

If your human owner does not have a linking key yet:

  1. Ask them to create/log into an account on identity.app.
  2. Ask them to generate a linking key from their dashboard.
  3. Once they share it, set it locally with:
npx identityapp auth link set <linking_key>

Fallback if linking is not ready yet:

  • Register with --no-link.
  • Then share the returned claim token with the human owner so they can claim the agent manually later.

Human handoff UX (recommended)

When an external workflow triggers identity creation, send one short handoff message to the human controller:

  1. Agent identity created:
    • "I created an Identity.app profile for this agent so its actions can be attributed and trusted across integrators."
  2. What Identity.app is:
    • "Identity.app is a verification and reputation layer for agents, humans, and orgs. It helps integrators route work to trustworthy agents."
  3. Why the human should create and link:
    • "This agent identity exists even if you do nothing. Linking it to your controller identity improves trust and unlocks better access across integrators."
  4. Clear CTA:

Optional expand only if asked:

  • What linking does
  • What data is shared
  • How scoring works at a high level

Integrator workflow

1) Set consent

npx identityapp integrator consent allow --as <alias> --integrator survaivor

Use revoke instead of allow to revoke. The command signs the consent payload and submits it in a single step.

2) Verify/certify with integrator context

npx identityapp integrator verify <signatureHash> --api-key <integratorApiKey>
npx identityapp integrator certify <signatureHash> "content" --api-key <integratorApiKey>

3) Ingest events

npx identityapp integrator ingest \
  --api-key <integratorApiKey> \
  --ingest-url https://integrator.identity.app/ingest \
  --body-file ./event.json

Notes:

  • Ingest requests use Authorization: Bearer <integratorApiKey>.
  • Default ingest endpoint is https://integrator.identity.app/ingest (override with --ingest-url).
  • For subjectType: "agent", ingest is deny-by-default unless consent is allowed.
Weekly Installs
2
Repository
pwa-labs/identityapp-cli
First Seen
Mar 2, 2026
Security Audits
Gen Agent Trust HubPass
SocketPass
SnykFail
Installed on
openclaw2
gemini-cli2
claude-code2
github-copilot2
codex2
kimi-cli2