zeroid
Identity infrastructure for AI agents — register identities, issue tokens, delegate to sub-agents, revoke credentials, manage policies
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/abhijitjavelin/zeroid
ZeroID — Identity Infrastructure for AI Agents
ZeroID is open-source identity infrastructure for autonomous AI agents. It assigns agents SPIFFE-based identities (WIMSE URIs), issues OAuth 2.1 tokens, supports delegation chains via RFC 8693 token exchange, and manages credential policies. All operations use the REST API at $ZEROID_BASE_URL.
Authentication
All /api/v1/* endpoints require an API key passed via the Authorization header:
Authorization: Bearer $ZEROID_API_KEY
The /oauth2/* and /health endpoints are public (no auth required).
1. Register an Agent
Create an agent identity with a WIMSE/SPIFFE URI and receive an API key. This is the recommended way to onboard agents — it atomically creates the identity record and issues a long-lived API key (zid_sk_...).
curl -s -X POST "$ZEROID_BASE_URL/api/v1/agents/register" \
  -H "Authorization: Bearer $ZEROID_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Task Orchestrator",
    "external_id": "orchestrator-1",
    "sub_type": "orchestrator",
    "trust_level": "first_party",
    "created_by": "[email protected]"
  }'
Response (201 Created):
{
  "identity": {
    "id": "uuid",
    "external_id": "orchestrator-1",
    "wimse_uri": "spiffe://auth.highflame.ai/acme/prod/agent/orchestrator-1"
  },
  "api_key": "zid_sk_..."
}
The sub_type field classifies the agent role: orchestrator, autonomous, tool_agent, code_agent, etc. The trust_level controls what grants and scopes the agent can access: unverified, verified_third_party, first_party.
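An added example (not part of this page's original text or the ZeroID project's code): a client-side check of the registration response before the returned key is stored. It validates wimse_uri against SPIFFE ID syntax and assumes, from the sample URI above, that the last path segment is the external_id; the expected_trust_domain parameter and the sample values are constructed.

```python
import re

TRUST_LEVELS = {"unverified", "verified_third_party", "first_party"}  # listed on this page
_TRUST_DOMAIN = re.compile(r"[a-z0-9._-]+")   # SPIFFE trust-domain charset
_SEGMENT = re.compile(r"[A-Za-z0-9._-]+")     # SPIFFE path-segment charset

def parse_spiffe_id(uri):
    """Return (trust_domain, path_segments); raise ValueError on malformed IDs."""
    if len(uri.encode()) > 2048 or not uri.startswith("spiffe://"):
        raise ValueError("not a SPIFFE ID")
    trust_domain, sep, path = uri[len("spiffe://"):].partition("/")
    if not _TRUST_DOMAIN.fullmatch(trust_domain):
        raise ValueError("bad trust domain")
    segments = path.split("/") if sep else []
    for seg in segments:
        # Rejects empty segments (trailing or double slash), dot segments, '?', '#', '%'.
        if seg in (".", "..") or not _SEGMENT.fullmatch(seg):
            raise ValueError("bad path segment")
    return trust_domain, segments

def check_registration(request, response, expected_trust_domain):
    """Compare a register request with its response; return a list of problems."""
    problems = []
    if request.get("trust_level") not in TRUST_LEVELS:
        problems.append("missing or unknown trust_level")
    identity = response.get("identity") or {}
    if identity.get("external_id") != request.get("external_id"):
        problems.append("external_id mismatch")
    try:
        domain, segments = parse_spiffe_id(str(identity.get("wimse_uri", "")))
        if domain != expected_trust_domain:
            problems.append("unexpected trust domain")
        # Assumption from the page's sample URI: last segment is the external_id.
        if not segments or segments[-1] != request.get("external_id"):
            problems.append("wimse_uri does not end in external_id")
    except ValueError as exc:
        problems.append(f"wimse_uri: {exc}")
    if not str(response.get("api_key", "")).startswith("zid_sk_"):
        problems.append("api_key lacks zid_sk_ prefix")
    return problems

# Constructed sample data modelled on the request and response shown above.
REQUEST = {"external_id": "orchestrator-1", "trust_level": "first_party"}
GOOD_URI = "spiffe://auth.highflame.ai/acme/prod/agent/orchestrator-1"
GOOD = {"identity": {"external_id": "orchestrator-1", "wimse_uri": GOOD_URI},
        "api_key": "zid_sk_constructed"}
BAD = {"identity": {"external_id": "orchestrator-1",
       "wimse_uri": "spiffe://auth.highflame.ai/acme/prod/agent/../admin"}, "api_key": "x"}
if __name__ == "__main__":
    print(check_registration(REQUEST, GOOD, "auth.highflame.ai"))
    print(check_registration(REQUEST, BAD, "auth.highflame.ai"))
```

An empty list means the response is consistent with the request; anything else should stop the caller from persisting the key.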
To register a bare identity without an API key (for manual credential management):
curl -s -X POST "$ZEROID_BASE_URL/api/v1/identities" \
  -H "Authorization: Bearer $ZEROID_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "external_id": "data-fetcher-1",
    "trust_level": "unverified",
    "owner_user_id": "user-ops",
    "allowed_scopes": ["data:read", "data:write"]
  }'
2. Issue Credentials
Exchange OAuth2 client credentials for a short-lived JWT access token. First register an OAuth2 client, then use the client_credentials grant.
Register an OAuth2 client:
curl -s -X POST "$ZEROID_BASE_URL/api/v1/oauth/clients" \
  -H "Authorization: Bearer $ZEROID_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "client_id": "my-agent-client",
    "name": "my-agent-client",
    "confidential": true,
    "grant_types": ["client_credentials"],
    "scopes": ["data:read", "data:write"]
  }'
Response (201 Created):
{
  "client": {
    "client_id": "my-agent-client"
  },
  "client_secret": "..."
}
Issue a token via client_credentials:
Paste this into your clawhub.json to enable this plugin.
{
  "plugins": {
    "official-abhijitjavelin-zeroid": {
      "enabled": true,
      "auto_update": true
    }
  }
}