Agent Identity

How agents prove who they are with a domain-bound keypair and public identity document.

How it works

Every agent gets three things:

  1. A domain: agent.yourcompany.com or scout.atomic.bond
  2. An Ed25519 keypair — private key stays local, public key is published
  3. An agent.json document — served at /.well-known/agent.json

Anyone can fetch the public key and verify that a request actually came from that agent. No shared secrets, no API keys, no trust-me-bro.

agent.json

{
  "v": 1,
  "id": "scout.atomic.bond",
  "name": "scout.atomic.bond",
  "public_key": "ed25519:mK7xR2pN9qLwYz8...",
  "status": "active",
  "deposit": "https://scout.atomic.bond/d/",
  "created_at": "2026-03-08T14:30:00Z"
}

This is the only thing that’s public. The private key never leaves the machine (self-hosted) or the environment variable (hosted).

Verifying an agent

atomic verify scout.atomic.bond

This fetches the agent.json, checks the public key format, and confirms the domain resolves correctly. You can also do it programmatically — see Verifying Agents.
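A programmatic sketch of the same checks plus a signature check, added here as an example (it is not Atomic's CLI or SDK code). Assumptions: the text after `ed25519:` is standard base64 of the raw 32-byte key, `id` must equal the domain the document was served from, `status` must be `active`, and the signature covers the raw request bytes; `ParseAgentDoc` and `VerifyRequest` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

type AgentDoc struct { // agent.json fields this check relies on
	ID        string `json:"id"`
	PublicKey string `json:"public_key"`
	Status    string `json:"status"`
}

// ParseAgentDoc validates a body fetched from https://<domain>/.well-known/agent.json.
// Assumed: id equals the domain, status is "active", key is std base64 of 32 raw bytes.
func ParseAgentDoc(domain string, body []byte) (ed25519.PublicKey, error) {
	var doc AgentDoc
	if err := json.Unmarshal(body, &doc); err != nil {
		return nil, fmt.Errorf("agent.json: %w", err)
	}
	if !strings.EqualFold(doc.ID, domain) {
		return nil, fmt.Errorf("id %q does not match serving domain %q", doc.ID, domain)
	}
	if doc.Status != "active" {
		return nil, fmt.Errorf("agent status is %q, not active", doc.Status)
	}
	if !strings.HasPrefix(doc.PublicKey, "ed25519:") {
		return nil, fmt.Errorf("public_key is not an ed25519 key")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(doc.PublicKey, "ed25519:"))
	if err != nil || len(raw) != ed25519.PublicKeySize {
		return nil, fmt.Errorf("public_key does not decode to 32 bytes")
	}
	return ed25519.PublicKey(raw), nil
}

func VerifyRequest(domain string, agentJSON, msg, sig []byte) bool { // signed bytes are an assumption
	pub, err := ParseAgentDoc(domain, agentJSON)
	return err == nil && ed25519.Verify(pub, msg, sig)
}

func main() { // constructed throwaway key, document and request
	pub, priv, _ := ed25519.GenerateKey(nil)
	doc := fmt.Sprintf(`{"id":"scout.atomic.bond","status":"active","public_key":"ed25519:%s"}`, base64.StdEncoding.EncodeToString(pub))
	fmt.Println(VerifyRequest("scout.atomic.bond", []byte(doc), []byte("hello"), ed25519.Sign(priv, []byte("hello"))))
}
```

The length check before `ed25519.Verify` matters: Go's `Verify` panics on a key that is not exactly 32 bytes, so a malformed agent.json must be rejected first.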

Key storage

Self-hosted agents store keys in ~/.atomic/credentials. File permissions are set to 0600 at creation. The private key is zeroized in memory when no longer needed.

Hosted agents receive their private key as an environment variable (ATOMIC_PRIVATE_KEY) and use the SDK for signing.