CodeSpar issues verifiable identity for AI agents. Every agent gets a cryptographic keypair, a DID, and a dual-signed spend mandate tied to a KYC-verified principal. Anyone can verify it. Nobody has to ask us.
Access-layer KYA answers one question: can this agent enter? Useful, but it stops at the door.
CodeSpar's credential answers the harder one: can this agent spend this amount, for this purpose, on whose behalf?
An Ed25519 public key, rotatable, that signs every action the agent takes.
CodeSpar signs the credential as issuer, so the claims are attested, not self-declared.
A reference to the verified person or company the agent acts for. The credential exposes the fact of verification, never the documents.
The amount, currency, purposes, and expiry the agent is authorized for. Nothing beyond it.
Grounded in settled transactions and fiscal documents, not self-attestation.
The spend mandate is dual-signed: by the agent's key and by CodeSpar as issuer. Anyone holding the agent's public key can check the signature over the canonical string locally, and decide to trust the money without asking us for permission.
// No API key. No call to CodeSpar. Just the agent's public key. import { verify } from "node:crypto"; const ok = verify( null, // Ed25519 uses no digest Buffer.from(mandate.canonical), // did:web:...|BRL|50000|refunds|2026-12-31 agentPublicKeyPem, // from GET /v1/agents/:did/did.json Buffer.from(mandate.signature, "base64"), ); // ok === true -> authorized to spend within this scope.
Illustrative. Verifying an Ed25519 mandate signature with the Node standard library.
GET /v1/agents/:didStatus, public keys, and a principal-KYC boolean. Never the underlying documents.
GET /v1/agents/:did/did.jsonThe W3C DID document. Every agent publishes one; it is served here on api.codespar.dev today.
GET /v1/agents/:did/reputationA reputation score signed by the platform issuer key, pinned to the head of the tamper-evident audit chain.
GET /v1/agents/:did/erc8004The same identity and reputation, shaped as an ERC-8004 export.
Every agent publishes a W3C DID document. It is served today at GET /v1/agents/:did/did.json on api.codespar.dev, so anyone can fetch the agent's keys and principal reference directly.
Verification is a public read, not a favor we grant. Here is what each step proves and where the proof comes from.
Drop an agent's DID into the box below, or open its passport page. The DID resolves to a document served on the public API, so the lookup starts and ends in the open.
The DID document lists the agent's Ed25519 public keys as JsonWebKey2020 entries and a reference to the KYC-verified principal. With a key in hand you can check any signature the agent produced, offline.
The reputation attestation is signed by the CodeSpar issuer key and pinned to the head of a tamper-evident audit chain. It reports mechanics you can re-check, not a rating you have to trust.
Paste an agent DID. We read the public identity and reputation endpoints and show you what they return. No account, no key.
An agent's reputation comes from its hash-chained audit trail: settled payments, delivered receipts, exceptions, revocations, and approval reliability. The score is a signed attestation, and it is portable as an ERC-8004 export.
The mechanism is live today. Reputation deepens as governed volume flows through it.
Identity is a W3C DID (did:web) with an Ed25519 key. Reputation exports to ERC-8004. Execution runs across several agent-payment protocols, so the credential is never tied to any one of them.
Read the public API and verify an agent yourself, or talk to us about issuing identity for your agents.