Cryptographic Trust

IDENTITY MANAGEMENT

X.509 certificates, Decentralized Identifiers, and OAuth 2.1 for every agent. Automatic key rotation. Principal binding to accountable humans.

X.509: PKI standard
DID: W3C compliant
<10 ms: verification

See it in action: custodex.vercel.app
[Screenshot: Custodex Dashboard, Identity Management]

Industry-standard PKI for every agent.

Standard X.509 v3 certificates with ES256 (ECDSA P-256) keys. Full chain of trust from Custodex root CA through intermediate CAs to agent certificates. Certificate verification validates the complete chain including CRL/OCSP status.

from custodex.identity import CertificateAuthority

ca = CertificateAuthority()

# Issue certificate for agent
cert = ca.issue_certificate(
    agent_id="agent_123",
    agent_name="Customer Service Bot",
    organization="Acme Corp",
    valid_days=365,
    key_algorithm="ES256"
)

print(f"Thumbprint: {cert.thumbprint}")
print(f"DID: {cert.did}")
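The issuance call above returns an agent certificate; the verification side that the paragraph describes (walk the chain from the agent certificate through the intermediate to the root, then consult revocation status) is shown below as an added example. This is not Custodex library code: it builds its own throwaway root, intermediate and agent certificates with the `cryptography` package, verifies each link explicitly, and checks the agent certificate against a CRL signed by its issuing CA (OCSP is omitted). Names such as "Demo Root CA", the `agent_123` subject and the helper functions are constructed for the example.

```python
# Added example (not Custodex library code): a three-tier ES256 chain
# (root CA -> intermediate CA -> agent certificate) verified link by link,
# plus a CRL check on the agent certificate. Needs the `cryptography` package.
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.now(timezone.utc)

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _window(cert):
    # not_valid_*_utc exists from cryptography 42; fall back to the naive fields.
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is not None:
        return nb, cert.not_valid_after_utc
    return (cert.not_valid_before.replace(tzinfo=timezone.utc),
            cert.not_valid_after.replace(tzinfo=timezone.utc))

def make_cert(cn, key, issuer_cert, issuer_key, is_ca, path_len=None):
    """Issue an X.509 v3 certificate signed with ECDSA P-256 / SHA-256 (ES256).
    issuer_cert=None produces a self-signed root."""
    issuer_name = issuer_cert.subject if issuer_cert is not None else _name(cn)
    return (
        x509.CertificateBuilder()
        .subject_name(_name(cn))
        .issuer_name(issuer_name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW - timedelta(minutes=1))
        .not_valid_after(NOW + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=path_len), critical=True)
        .sign(issuer_key, hashes.SHA256())
    )

def make_crl(issuer_cert, issuer_key, revoked_serials):
    """Sign a CRL listing the given serials, issued by issuer_cert."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(issuer_cert.subject)
        .last_update(NOW - timedelta(minutes=1))
        .next_update(NOW + timedelta(days=7))
    )
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW).build()
        )
    return builder.sign(issuer_key, hashes.SHA256())

def verify_link(child, issuer, now=NOW):
    """One hop: issuer name, validity window, issuer CA flag, ECDSA signature."""
    if child.issuer != issuer.subject:
        return "issuer name mismatch"
    nb, na = _window(child)
    if not nb <= now <= na:
        return "outside validity period"
    if not issuer.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
        return "issuer is not a CA"
    try:
        issuer.public_key().verify(child.signature, child.tbs_certificate_bytes,
                                   ec.ECDSA(child.signature_hash_algorithm))
    except InvalidSignature:
        return "bad signature"
    return None

def verify_chain(leaf, intermediates, trusted_root, crl=None):
    """Walk leaf -> intermediates -> trusted root. Returns (ok, reason)."""
    chain = [leaf, *intermediates, trusted_root]
    for child, issuer in zip(chain, chain[1:]):
        err = verify_link(child, issuer)
        if err:
            return False, f"{child.subject.rfc4514_string()}: {err}"
    if verify_link(trusted_root, trusted_root):
        return False, "trust anchor is not self-signed"
    if crl is not None:
        issuer = chain[1]  # the CA that issued the leaf must also have signed the CRL
        if crl.issuer != issuer.subject or not crl.is_signature_valid(issuer.public_key()):
            return False, "CRL not signed by the agent's issuing CA"
        if crl.get_revoked_certificate_by_serial_number(leaf.serial_number) is not None:
            return False, "agent certificate revoked"
    return True, "ok"

def demo():
    root_key, inter_key, agent_key, rogue_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
    root = make_cert("Demo Root CA", root_key, None, root_key, True, 1)
    inter = make_cert("Demo Intermediate CA", inter_key, root, root_key, True, 0)
    agent = make_cert("agent_123", agent_key, inter, inter_key, False)
    # Same issuer name as `inter`, but signed with a key the chain never vouched for.
    forged = make_cert("agent_123", agent_key, inter, rogue_key, False)
    return {
        "valid": verify_chain(agent, [inter], root, make_crl(inter, inter_key, [])),
        "revoked": verify_chain(agent, [inter], root, make_crl(inter, inter_key, [agent.serial_number])),
        "forged": verify_chain(forged, [inter], root),
    }

if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'} ({reason})")
```

The check fails closed at the first broken link: a certificate that merely names the intermediate as its issuer, but was signed with some other key, is rejected on the signature step, and a revoked agent certificate is rejected even though its chain is otherwise intact.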

Portable identity. Standard authentication.

W3C Decentralized Identifiers (did:custodex:agent:[fingerprint]) with DID Documents containing public keys and proof methods. OAuth 2.1 integration with client credentials flow for agent-to-agent auth and authorization code flow for dashboard users.

Automatic rotation. Zero downtime.

Configurable rotation period (default 90 days). Graceful transition with a 30-day grace period during which old keys remain valid. Zero agent disruption during rotation. All rotations are logged with their reason. Manual immediate rotation is available for security incidents.

import { KeyRotationManager } from "@/lib/identity";

const manager = new KeyRotationManager();
const agentId = "agent_123"; // the agent whose keys are being rotated

// Schedule automatic rotation (every 90 days)
await manager.scheduleRotation(agentId, 90);

// Manual immediate rotation, logged with its reason
const newCert = await manager.rotateNow(
  agentId,
  "security-incident"
);
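To make the two preceding sections concrete (a DID of the form `did:custodex:agent:[fingerprint]` whose DID Document lists the public keys, and a rotation whose retired key stays valid for a 30-day grace period), here is an added example that is not Custodex code. It assumes the fingerprint is a hex SHA-256 over the DER-encoded SubjectPublicKeyInfo and that the DID is anchored to the agent's first key so it does not change on rotation; both are assumptions, not documented Custodex behaviour. Key ids, the `AgentIdentity` class and the message being signed are constructed for the example; it needs the `cryptography` package.

```python
# Added example (not Custodex library code): a did:custodex:agent identifier
# derived from a key fingerprint, a DID Document listing the usable keys, and
# a rotation with a 30-day grace period. Needs the `cryptography` package.
import base64
import hashlib
from datetime import datetime, timedelta, timezone

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

GRACE_PERIOD = timedelta(days=30)   # retired keys stay valid this long (page default)

def _b64url(n):
    return base64.urlsafe_b64encode(n.to_bytes(32, "big")).rstrip(b"=").decode()

def _unb64url(s):
    return int.from_bytes(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)), "big")

def fingerprint(pub):
    # Assumption: fingerprint = hex SHA-256 over the DER SubjectPublicKeyInfo.
    der = pub.public_bytes(serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)
    return hashlib.sha256(der).hexdigest()

def to_jwk(pub):
    nums = pub.public_numbers()
    return {"kty": "EC", "crv": "P-256", "x": _b64url(nums.x), "y": _b64url(nums.y)}

def from_jwk(jwk):
    return ec.EllipticCurvePublicNumbers(_unb64url(jwk["x"]), _unb64url(jwk["y"]), ec.SECP256R1()).public_key()

class AgentIdentity:
    """Holds an agent's key history. The DID is anchored to the first key's
    fingerprint so it stays stable across rotations (assumption)."""

    def __init__(self, agent_id, now):
        self.agent_id = agent_id
        self.keys = []           # {"kid", "key", "retired_at"} in issuance order
        self.rotation_log = []   # every rotation is recorded with its reason
        self._add_key(now, "initial-issuance")
        self.did = f"did:custodex:agent:{fingerprint(self.keys[0]['key'].public_key())}"

    def _add_key(self, now, reason):
        key = ec.generate_private_key(ec.SECP256R1())
        kid = "key-" + fingerprint(key.public_key())[:8]
        self.keys.append({"kid": kid, "key": key, "retired_at": None})
        self.rotation_log.append({"at": now.isoformat(), "kid": kid, "reason": reason})

    def rotate(self, now, reason="scheduled-90-day"):
        """Retire the current key (its grace period starts now) and issue a new one."""
        self.keys[-1]["retired_at"] = now
        self._add_key(now, reason)

    def did_document(self, now):
        """Verification methods usable at `now`: the current key plus retired keys in grace."""
        methods = [
            {"id": f"{self.did}#{k['kid']}", "type": "JsonWebKey2020",
             "controller": self.did, "publicKeyJwk": to_jwk(k["key"].public_key())}
            for k in self.keys
            if k["retired_at"] is None or now <= k["retired_at"] + GRACE_PERIOD
        ]
        return {"@context": ["https://www.w3.org/ns/did/v1"], "id": self.did,
                "verificationMethod": methods,
                "authentication": [m["id"] for m in methods]}

    def sign(self, message):
        current = self.keys[-1]
        return current["kid"], current["key"].sign(message, ec.ECDSA(hashes.SHA256()))

def verify(did_doc, kid, message, signature):
    """Resolve kid in the DID Document; unknown or expired keys fail closed."""
    for method in did_doc["verificationMethod"]:
        if method["id"] == f"{did_doc['id']}#{kid}":
            try:
                from_jwk(method["publicKeyJwk"]).verify(signature, message, ec.ECDSA(hashes.SHA256()))
                return True
            except InvalidSignature:
                return False
    return False

def demo():
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    ident = AgentIdentity("agent_123", t0)
    did_before = ident.did
    msg = b"constructed agent-to-agent request"
    old_kid, old_sig = ident.sign(msg)
    ident.rotate(t0 + timedelta(days=90))                       # scheduled rotation on day 90
    new_kid, new_sig = ident.sign(msg)
    in_grace = ident.did_document(t0 + timedelta(days=100))     # 10 days after rotation
    after_grace = ident.did_document(t0 + timedelta(days=130))  # 40 days after rotation
    return {
        "did_unchanged": ident.did == did_before,
        "old_key_in_grace": verify(in_grace, old_kid, msg, old_sig),
        "new_key_in_grace": verify(in_grace, new_kid, msg, new_sig),
        "old_key_after_grace": verify(after_grace, old_kid, msg, old_sig),
        "new_key_after_grace": verify(after_grace, new_kid, msg, new_sig),
        "rotations_logged": len(ident.rotation_log),
    }
```

The grace period lives in the resolver, not in the signer: a peer that cached the old key id keeps verifying for 30 days after rotation, and after that the retired key simply disappears from the DID Document, so stale signatures are refused without any coordination with the agent.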

Every agent traces back to a human.

Principal binding links every agent to an accountable human or organization. Delegation chain tracking validates authority propagation through agent-to-sub-agent hierarchies. Circular dependency detection prevents delegation loops. Authority attenuation ensures sub-agents inherit only a subset of parent permissions.
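The three checks in that paragraph (trace every agent to a human or organization, refuse delegation loops, and attenuate authority so a sub-agent holds a subset of its delegator's permissions) fit in a small registry, shown below as an added example rather than Custodex code. The `DelegationRegistry` class, the permission names and the principal ids (`alice@acme.example`, `agent_support`, `agent_triage`) are constructed for the example; it uses only the Python standard library.

```python
# Added example (not Custodex library code): a delegation registry that binds
# every agent to an accountable human or organization, enforces authority
# attenuation (a sub-agent gets a subset of its delegator's permissions) and
# rejects delegation loops.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional

ROOT_KINDS = ("human", "org")

@dataclass
class Principal:
    id: str
    kind: str                        # "human", "org" or "agent"
    permissions: FrozenSet[str]
    delegated_by: Optional[str]      # None only for accountable roots

class DelegationRegistry:
    def __init__(self):
        self.principals: Dict[str, Principal] = {}

    def register_root(self, pid, kind, permissions):
        if kind not in ROOT_KINDS:
            raise ValueError("only a human or an organization can anchor a delegation chain")
        self.principals[pid] = Principal(pid, kind, frozenset(permissions), None)

    def chain(self, pid) -> List[Principal]:
        """Walk agent -> delegator -> ... -> root; raises on a loop or a dangling chain."""
        seen, out = set(), []
        while pid is not None:
            if pid in seen:
                raise ValueError(f"delegation loop through {pid}")
            p = self.principals.get(pid)
            if p is None:
                raise ValueError(f"unknown principal {pid}")
            seen.add(pid)
            out.append(p)
            pid = p.delegated_by
        return out

    def effective_permissions(self, pid) -> FrozenSet[str]:
        """Intersection along the chain, so narrowing a delegator later also narrows its sub-agents."""
        perms = None
        for p in self.chain(pid):
            perms = p.permissions if perms is None else perms & p.permissions
        return perms

    def delegate(self, parent_id, child_id, permissions: Iterable[str]):
        """Create (or re-bind) an agent under parent_id with attenuated permissions."""
        if parent_id not in self.principals:
            raise ValueError(f"unknown delegator {parent_id}")
        requested = frozenset(permissions)
        excess = requested - self.effective_permissions(parent_id)
        if excess:
            raise PermissionError(f"{child_id} asks for more than {parent_id} holds: {sorted(excess)}")
        # Circular dependency check: the child must not already sit above the parent.
        if child_id == parent_id or any(p.id == child_id for p in self.chain(parent_id)):
            raise ValueError(f"delegating {parent_id} -> {child_id} would create a loop")
        self.principals[child_id] = Principal(child_id, "agent", requested, parent_id)

    def revoke_permission(self, pid, perm):
        p = self.principals[pid]
        p.permissions = p.permissions - {perm}

    def accountable_principal(self, agent_id) -> Principal:
        root = self.chain(agent_id)[-1]
        if root.kind not in ROOT_KINDS:
            raise ValueError(f"{agent_id} does not trace back to a human or organization")
        return root

def demo():
    reg = DelegationRegistry()
    reg.register_root("alice@acme.example", "human", {"tickets:read", "tickets:write", "refunds:issue"})
    reg.delegate("alice@acme.example", "agent_support", {"tickets:read", "tickets:write"})
    reg.delegate("agent_support", "agent_triage", {"tickets:read"})
    results = {"root_of_triage": reg.accountable_principal("agent_triage").id}
    try:    # attenuation: a sub-agent cannot gain refunds:issue, which its delegator lacks
        reg.delegate("agent_support", "agent_refunds", {"refunds:issue"})
        results["escalation_blocked"] = False
    except PermissionError:
        results["escalation_blocked"] = True
    try:    # loop: re-binding the delegator under its own sub-agent
        reg.delegate("agent_triage", "agent_support", {"tickets:read"})
        results["loop_blocked"] = False
    except ValueError:
        results["loop_blocked"] = True
    reg.revoke_permission("agent_support", "tickets:read")   # narrow the delegator afterwards
    results["triage_after_narrowing"] = sorted(reg.effective_permissions("agent_triage"))
    return results

if __name__ == "__main__":
    print(demo())
```

Computing effective permissions as the intersection along the whole chain, rather than trusting the set stored on the sub-agent, is what makes the last case work: once `agent_support` loses `tickets:read`, `agent_triage` loses it too without anyone touching its record.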

What's included in identity management

01  X.509 v3 certificates with ES256 (ECDSA P-256)
02  W3C Decentralized Identifiers (DIDs)
03  OAuth 2.1 with client credentials and authorization code flows
04  Automatic key rotation with zero-downtime grace periods
05  Principal binding: every agent linked to an accountable human
06  SPIFFE/SPIRE integration for workload identity