Identity Management

AZTP uses SPIFFE (Secure Production Identity Framework for Everyone) to provide cryptographic identities for AI agents.

Understanding SPIFFE Identity

In AZTP, every AI agent gets a unique SPIFFE identity that:

Acts as a cryptographic passport for the agent
Is automatically verified during interactions
Enables secure communication between agents
Provides the foundation for policy decisions

Trust Domains

A trust domain in AZTP represents a security boundary:

const securedAgent = await secureConnect(agent, {
  spiffe: {
    trustDomain: 'company.org',  // Your security boundary
    keyDir: './spiffe-keys'      // Where to store certificates
  }
});

Think of a trust domain like a company's security perimeter:

All agents in the same trust domain can verify each other
Agents from different trust domains need explicit trust configuration
Each trust domain has its own certificate authority

Identity Verification

Identity verification happens automatically:

During agent initialization
Before policy checks
Before secure RPC calls
Every time verifyIdentity() is called

Best Practices

Trust Domain Naming
- Use your organization's domain (e.g., company.org)
- Keep it consistent across all agents
- Make it meaningful and unique
Certificate Management
- Store certificates in a secure location
- Use environment-specific directories
- Never share certificate directories between agents
Identity Verification
- Always verify before sensitive operations
- Handle verification errors gracefully
- Monitor verification events

Common Patterns

Development Setup

// Development configuration
const devAgent = await secureConnect(agent, {
  spiffe: {
    trustDomain: 'dev.company.org',
    keyDir: './dev-keys'
  }
});

Overview Policy Enforcement