April 3, 2026 · Michael N Thornton · 10 min read

Introducing GrokingClawID: Post-Quantum Identity for AI Agents

500,000 lines of defensive code in modern agent harnesses. Zero lines of cryptographic identity. We built the missing piece.

Now open source
~5MB binary. 67 tests.
Zero dependencies at runtime.
Ed25519 + ML-DSA-65 hybrid · Rust · Apache 2.0

The Problem Nobody's Solving

Every major agent framework — LangChain, CrewAI, AutoGen, Claude Code, Codex — has the same blind spot: agents can't prove who they are.

When your agent calls an API, who's signing the request? When two agents collaborate via MCP or A2A, how does either side know the other is legitimate? When an agent writes code, submits a PR, or triggers a deployment, what ties that action to a verified identity?

The answer today is: nothing. API keys. Environment variables. Bearer tokens that any process on the machine can read. That's not identity — that's a Post-it note.

This matters now because agents aren't staying in sandboxes. They're writing production code, managing infrastructure, handling money, and talking to each other. The NIST NCCoE is actively soliciting solutions for AI agent identity and authorization. The gap is real and the window is closing.

What GrokingClawID Does

GrokingClawID creates, manages, and verifies unforgeable cryptographic identities for AI agents. One command gives an agent an identity it can prove is real — to other agents, to APIs, to humans.

terminal

    # Issue a hybrid post-quantum identity
    $ grokingclawid issue --name swe-agent --owner ops@company.com --scope "code:read,code:write" --ttl 7d --crypto hybrid
    ✓ Agent card: ./id/agent-card.json
    ✓ Private key: ./id/agent-key.pem (0600)
    ✓ Crypto: Ed25519 + ML-DSA-65 (FIPS 204)
    ✓ SPIFFE ID: spiffe://grokingclaw/agent/swe-agent

    # Sign an HTTP request (RFC 9421)
    $ grokingclawid sign --method POST --url https://api.example.com/deploy --key ./id/agent-key.pem
    Signature: sig1=:MEUCIQDx...:
    Signature-Input: sig1=("@method" "@target-uri");...

    # Challenge another agent — prove you're real
    $ grokingclawid challenge --agent-card ./peer/agent-card.json --key ./id/agent-key.pem
    ✓ Challenge sent (32-byte nonce)
    ✓ Response verified: Ed25519 ✓ ML-DSA-65 ✓
    ✓ Agent "peer-agent" is authentic

That's it. No SDK. No cloud service. No Docker container. A single static binary that works on any machine with a filesystem.
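
What the `sign` output above covers, as an added Rust example (not GrokingClawID's code): it builds the RFC 9421 signature base, the exact bytes a signer signs and a verifier rebuilds, for the `("@method" "@target-uri")` component list. The `Request` struct and function names are hypothetical, and the `created` and `keyid` parameters are constructed because the page elides the real ones.

```rust
use std::collections::HashSet;

/// The request fields behind the two derived components shown on the page.
pub struct Request<'a> {
    pub method: &'a str,
    pub target_uri: &'a str,
}

/// Resolves a derived component (RFC 9421, section 2.2) to its value.
fn component_value(req: &Request, name: &str) -> Result<String, String> {
    let value = match name {
        "@method" => req.method,         // case-sensitive, used as sent
        "@target-uri" => req.target_uri, // full absolute URI
        other => return Err(format!("unsupported component {}", other)),
    };
    // A line break in a value would let it forge extra lines of the base.
    if value.contains('\n') || value.contains('\r') {
        return Err(format!("line break in value of {}", name));
    }
    Ok(value.to_string())
}

/// Returns (signature base, signature parameters). `created` and `keyid` are
/// constructed sample parameters, not values taken from the page.
pub fn signature_base(req: &Request, covered: &[&str], created: u64, keyid: &str)
    -> Result<(String, String), String> {
    let mut seen = HashSet::new();
    let mut base = String::new();
    for name in covered {
        // Each component identifier may appear only once in the list.
        if !seen.insert(*name) {
            return Err(format!("component {} listed twice", name));
        }
        base.push_str(&format!("\"{}\": {}\n", name, component_value(req, name)?));
    }
    let list: Vec<String> = covered.iter().map(|c| format!("\"{}\"", c)).collect();
    let params = format!("({});created={};keyid=\"{}\"", list.join(" "), created, keyid);
    // The parameters line is always last and has no trailing newline.
    base.push_str(&format!("\"@signature-params\": {}", params));
    Ok((base, params))
}

fn main() {
    let req = Request { method: "POST", target_uri: "https://api.example.com/deploy" };
    let (base, params) =
        signature_base(&req, &["@method", "@target-uri"], 1_700_000_000, "swe-agent").unwrap();
    println!("Signature-Input: sig1={}\n--- bytes that get signed ---\n{}", params, base);
}
```

Only the listed components are integrity-protected: with this list the request body and headers are not bound to the signature unless a field such as `content-digest` is added to it.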

What's in the Box

15.7K lines of Rust · 4 crates · 119 tests passing · 0 critical vulns

| Feature | What it does |
| --- | --- |
| Post-quantum crypto | Ed25519 + ML-DSA-65 (FIPS 204) hybrid — both signatures must validate. Quantum-resistant today, not "eventually." |
| Agent identity cards | A2A-compatible JSON cards with SPIFFE IDs, scoped permissions, and expiration. Machine-readable trust. |
| Key rotation | New keypair, re-signed card, old key archived. Zero-downtime identity refresh. |
| Revocation | Permanent invalidation with a signed revocation registry. Can't un-revoke. |
| Delegation chains | Scope-narrowing, time-bounded authority transfer. Agent A grants Agent B a subset of its permissions. |
| MCP auth guard | Wrap any MCP tool server with identity enforcement. One command: grokingclawid guard. |
| HTTP signatures | RFC 9421 request signing with both classical and PQ signatures. |
| Challenge-response | Mutual authentication without shared secrets. Prove you hold the key. |
| A2A protocol | Google A2A JSON-RPC 2.0 server — agent discovery, task lifecycle, PQ-verified. |
| Audit log | Hash-chained, signed, tamper-evident. Every identity operation recorded. |
| IOTA wallet | Same Ed25519 key → IOTA address. Agent-to-agent payments on the same identity. |
| Agent daemon | Host process with mesh networking, birth protocol, sidecar proxies, Merkle anchoring. |
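
The delegation rule in the table above (scope-narrowing, time-bounded), as an added Rust example that is not GrokingClawID's own code: a verifier walks the chain and rejects any link that widens scope or outlives its parent. `Grant`, `ChainError`, `effective_scopes` and `grant` are hypothetical names, the chain is constructed sample data, and each grant's signature is assumed to have been verified already.

```rust
use std::collections::BTreeSet;

/// One link in a delegation chain (hypothetical model, not the project's types).
#[derive(Debug, Clone)]
pub struct Grant {
    pub issuer: String,
    pub subject: String,
    pub scopes: BTreeSet<String>,
    pub not_after: u64, // expiry, Unix seconds
}

#[derive(Debug, PartialEq)]
pub enum ChainError {
    Empty,
    BrokenLink(usize),           // issuer is not the previous grant's subject
    ScopeWidened(usize, String), // scope the parent never held
    OutlivesParent(usize),       // expires later than the parent grant
    Expired(usize),
}

/// Walks the chain root-to-leaf and returns the leaf's effective scopes.
/// Assumes every grant's signature has already been verified.
pub fn effective_scopes(chain: &[Grant], now: u64) -> Result<BTreeSet<String>, ChainError> {
    let mut parent = chain.first().ok_or(ChainError::Empty)?;
    if parent.not_after <= now { return Err(ChainError::Expired(0)); }
    for (i, child) in chain.iter().enumerate().skip(1) {
        if child.issuer != parent.subject { return Err(ChainError::BrokenLink(i)); }
        if let Some(extra) = child.scopes.difference(&parent.scopes).next() {
            return Err(ChainError::ScopeWidened(i, extra.clone()));
        }
        if child.not_after > parent.not_after { return Err(ChainError::OutlivesParent(i)); }
        if child.not_after <= now { return Err(ChainError::Expired(i)); }
        parent = child;
    }
    Ok(parent.scopes.clone())
}

/// Builds a grant from a comma-separated scope string like the CLI's --scope value.
pub fn grant(issuer: &str, subject: &str, scopes: &str, not_after: u64) -> Grant {
    let scopes = scopes.split(',').map(str::trim).filter(|s| !s.is_empty());
    Grant { issuer: issuer.into(), subject: subject.into(),
            scopes: scopes.map(String::from).collect(), not_after }
}

fn main() {
    // Constructed chain: owner -> swe-agent -> peer-agent, evaluated at t=1000.
    let chain = [grant("ops@company.com", "swe-agent", "code:read,code:write", 2_000),
                 grant("swe-agent", "peer-agent", "code:read", 1_500)];
    println!("{:?}", effective_scopes(&chain, 1_000));
}
```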

Architecture: Four Crates

grokingclawid-core: Shared library — crypto, models, audit, challenge, HTTP signatures, IOTA, WebSocket auth
grokingclawid-cli: CLI binary (grokingclawid) — issue, verify, sign, challenge, delegate, rotate, revoke, guard, wallet
grokingclaw-proxy: Sidecar HTTP proxy — scope enforcement, RFC 9421 signing, CONNECT tunneling, audit logging
grokingclaw-daemon: Agent host (grokingclaw) — supervisor, local birth, mesh networking, A2A server, Merkle anchoring, template registry, update checker

The core library is the foundation. The CLI is for humans and scripts. The proxy sits between an agent and the network, enforcing identity at the infrastructure level — the agent doesn't need to know about crypto. The daemon manages fleets.

Why Hybrid Post-Quantum

Ed25519 is fast, battle-tested, and universally supported. ML-DSA-65 (formerly Dilithium, standardized as FIPS 204 in August 2024) is quantum-resistant.

We don't make you choose. Every GrokingClawID signature includes both. Both must validate. If Ed25519 breaks tomorrow (it won't soon, but planning is free), the ML-DSA signature still holds. If ML-DSA has a flaw discovered, Ed25519 still holds. Belt and suspenders.

Why not just Ed25519? Because identity infrastructure outlives the agents using it. The keys you issue today may still be in audit logs in 2036. Plan for the world you're building toward, not just the one you're in.

The Daemon: Agent Birth Protocol

The CLI handles individual identities. The daemon manages the lifecycle.

daemon

    # Start the daemon
    $ grokingclaw daemon start
    ✓ Daemon running (PID 4821)
    ✓ A2A server on :9420
    ✓ IPC socket at /tmp/grokingclaw.sock

    # Birth a new agent from a template
    $ grokingclaw birth --template hello-agent --name my-agent
    ✓ Identity issued (hybrid PQ)
    ✓ Sidecar proxy on :0 (auto-assigned)
    ✓ Agent process started (PID 4835)
    ✓ Health check: OK

    # Agents are discoverable via A2A
    $ curl localhost:9420/.well-known/agent-card.json
    {"name": "grokingclaw-daemon", "url": "http://localhost:9420", ...}
    $ curl localhost:9420/agents/my-agent/.well-known/agent-card.json
    {"name": "my-agent", "url": "http://localhost:9420/agents/my-agent", ...}

Each agent gets its own identity, its own sidecar proxy (so identity enforcement happens at the network layer, not in agent code), and its own entry in the A2A discovery endpoint. The daemon supervises, restarts on failure, and anchors Merkle roots of agent activity to IOTA for tamper evidence.

MCP Auth Guard: Retrofit Identity onto Any Tool

Most MCP tool servers have no authentication. grokingclawid guard wraps any stdio-based MCP server with ClawID verification:

mcp guard

    # Wrap an MCP server — only verified agents can call tools
    $ grokingclawid guard --card ./id/agent-card.json --key ./id/agent-key.pem -- npx @modelcontextprotocol/server-filesystem /tmp
    ✓ Guard active — proxying to MCP server
    ✓ Requiring ClawID signature on all requests
    ⚠ Rate limit: 10 failures → 60s cooldown

No code changes to the MCP server. No SDK integration. Just put the guard in front.

Security Audit

We ran a full security audit before release. 26 source files, ~8,600 lines of Rust.

| Severity | Found | Status |
| --- | --- | --- |
| Critical | 0 | — |
| High | 5 | All fixed |
| Medium | 7 | All fixed |
| Low | 7 | Cosmetic — tracked |

Cryptographic foundations confirmed sound: hybrid "both must pass" logic correct, OsRng for key generation, no timing oracles in ed25519-dalek. Six unsafe blocks total across three files — all standard Unix patterns (libc::kill, signal handling, FFI boundaries). Private key files written with 0600 permissions enforced.

The audit results are in the CHANGELOG. We believe in showing your work.

E2E: 12 Steps, 33 Assertions, One Script

Don't trust our test count. Run the lab yourself:

e2e lab

    $ ./examples/run-lab.sh
    [ 1/12] Issue daemon identity .............. ✓
    [ 2/12] Install hello-agent template ....... ✓
    [ 3/12] Start daemon ....................... ✓
    [ 4/12] Birth agent from template .......... ✓
    [ 5/12] Verify agent card .................. ✓
    [ 6/12] A2A discovery ...................... ✓
    [ 7/12] Challenge-response ................. ✓
    [ 8/12] HTTP signature ..................... ✓
    [ 9/12] Key rotation ....................... ✓
    [10/12] Delegation ......................... ✓
    [11/12] Revocation ......................... ✓
    [12/12] Audit log integrity ................ ✓
    33/33 assertions passed

Identity → template → birth → A2A → challenge → rotation → revocation → audit. The full lifecycle in a few minutes.

What This Isn't

Honest boundaries matter more than feature lists:

Why Now

Three things converged:

  1. NIST is asking. The NCCoE published an open call for AI agent identity solutions. We submitted a public comment on April 1, offering GrokingClawID as a reference implementation. The regulatory window is open now.
  2. A2A and MCP are real. Google's Agent-to-Agent protocol and Anthropic's Model Context Protocol give agents standard ways to communicate. But neither specifies how agents identify themselves cryptographically. We fill that gap.
  3. FIPS 204 is final. ML-DSA was standardized in August 2024. Post-quantum crypto is no longer experimental — it's a NIST standard. Building on it today is responsible engineering, not speculation.

Get Started

install

    # Download a prebuilt binary (macOS ARM)
    $ curl -LO https://github.com/grokingclaw/grokingclawid/releases/download/v0.4.1/grokingclawid-v0.4.1-aarch64-apple-darwin.tar.gz
    $ tar xzf grokingclawid-v0.4.1-aarch64-apple-darwin.tar.gz
    $ ./grokingclawid-aarch64-apple-darwin issue --name my-agent --crypto hybrid

    # Or build from source (Rust 1.70+)
    $ git clone https://github.com/grokingclaw/grokingclawid
    $ cd grokingclawid
    $ cargo install --path crates/grokingclawid-cli

    # Run the E2E lab
    $ ./examples/run-lab.sh

Apache 2.0 licensed. Use it commercially. Fork it. Build on it. The agent identity layer should be infrastructure, not a product moat. We make money on tooling and support, not on locking up crypto primitives.

🦀
Michael N Thornton is the founder of GrokingClaw Labs, building trust infrastructure for AI agents. We submitted a public comment to NIST NCCoE on AI Agent Identity & Authorization in April 2026.
