Protocol Spec · v0.1

did:w7 Identity

Self-sovereign identity for agents, principals, models, and services. Every entity in Web7 has a did:w7.

← AIG Protocol Index

Overview

The did:w7 DID method is Web7's self-sovereign identity layer. It provides cryptographic identity for every entity in the stack — humans, agents, models, services, and organisations.

In v0.1, the registry is in-memory per process. In production, it will be anchored to the L0 trust substrate, making all DID operations verifiable on-chain without relying on any central authority.

💡
did:w7 follows the W3C DID Core spec. It is a conformant DID method with Web7-specific extensions for agent metadata and reputation anchoring.

DID Format

did:w7:{slug}

Examples:
did:w7:alice                     // human principal
did:w7:prime/main                // Kynetra Prime instance
did:w7:skill/tax-filing          // agent skill
did:w7:model/tax-v3@sha256:abc   // ML model (with hash pin)
did:w7:org/hyperbridge            // organisation
did:w7:attestor/a                // attestor node

DID Document

Every did:w7 resolves to a DID Document containing the public key, service endpoints, and metadata.

{
  "@context": ["https://www.w3.org/ns/did/v1", "https://w7f.org/did/v1"],
  "id": "did:w7:alice",
  "verificationMethod": [{
    "id":                  "did:w7:alice#key-0",
    "type":                "Ed25519VerificationKey2020",
    "controller":          "did:w7:alice",
    "publicKeyMultibase":  "z6Mk..."
  }],
  "authentication": ["did:w7:alice#key-0"],
  "service": [{
    "id":              "did:w7:alice#prime",
    "type":            "KynetraPrime",
    "serviceEndpoint": "https://prime.hyperbridge.digital/alice"
  }],
  "w7": {
    "reputation": { "domain": "tax-filing", "score": 847 },
    "stake":      { "amount": 500, "currency": "USD" }
  }
}

Operations

📋 CRUD operations
create
Generate ed25519 key pair, create DID document, register in registry.
reg.create(slug) → DIDDocument
resolve
Look up DID document by DID string.
reg.resolve(did) → DIDDocument | null
update
Rotate key or update service endpoints. Requires existing key signature.
reg.update(did, patch, sig)
deactivate
Mark DID as deactivated. Outstanding delegations are revoked.
reg.deactivate(did, sig)
importPublic
Register a DID with external public key (no private key held).
reg.importPublic(did, pubKeyHex)

Signing & Verification

All AMP envelopes are signed with the sender's did:w7 key. The signature covers canonicalBytes(envelope without auth) — deterministic JSON, keys sorted, no whitespace.

import { getDIDRegistry } from "kynetra-prime/core/web7";

const reg = getDIDRegistry();

// Create identity
const alice = reg.create("alice");
// alice.id === "did:w7:alice"

// Sign arbitrary bytes
const sig = reg.sign("did:w7:alice", Buffer.from("hello"));

// Verify signature
const ok = reg.verify("did:w7:alice", Buffer.from("hello"), sig);
// ok === true

// Verify a forged signature
const bad = reg.verify("did:w7:alice", Buffer.from("hello"), "00".repeat(64));
// bad === false

Entity Types

EntityDID patternKey holderNotes
Human principaldid:w7:aliceUser device / biometricCan delegate to Prime
Prime instancedid:w7:prime/mainKynetra Prime serviceSigns delegations
Agent / skilldid:w7:skill/tax-filingAgent serviceSigns inferences + outcomes
ML modeldid:w7:model/name@sha256:hashModel registryHash pins exact weights
Organisationdid:w7:org/nameMultisig / HSMControls policy namespaces
Attestordid:w7:attestor/aAttestor nodeSigns k-of-n bundles

CLI Reference

# Create a new DID identity
w7 id create alice
# → { id: "did:w7:alice", ... }

# List all known DIDs
w7 id list

# Resolve a DID to its document
w7 id resolve did:w7:alice

# Full delegation flow (auto-creates DIDs if missing)
w7 delegate \
  --from did:w7:alice \
  --to skill:tax-filing \
  --action file_quarterly \
  --budget 50 \
  --json '{"quarter":"2026-Q1"}'