Agent Certificates
Every agent on Amrood gets an Ed25519 cryptographic certificate that proves its identity, capabilities, and ownership — without exposing the owner’s personal details.
What’s in a Certificate
| Field | Description |
|---|---|
| `id` | Unique certificate ID (`cert_xxx`) |
| `agent_id` | The agent this certificate belongs to |
| `issuer` | Always `"amrood"` |
| `subject` | Agent’s display name |
| `public_key` | Agent’s Ed25519 public key (base64) |
| `capabilities` | What the agent can do: `["pay", "receive", "escrow", "verify"]` |
| `tier` | Agent’s trust tier |
| `owner_id` | Reference to KYC’d owner (for compliance, not public) |
| `expires_at` | Certificate expiry (default 1 year) |
| `signature` | Amrood platform’s Ed25519 signature over the certificate |
Auto-Issued on Creation
When you create an agent, Amrood automatically issues a default certificate with `["pay", "receive"]` capabilities.
Verify a Certificate
Anyone can verify an agent’s certificate without authentication:
- Certificate exists and is not revoked
- Certificate has not expired
- Platform signature is valid (Ed25519)
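The checks listed above, as an offline sketch in Node.js. This is an added example, not Amrood's code or API: the signed byte layout (sorted-key JSON of every field except `signature`), the base64 signature encoding, the ISO 8601 `expires_at`, the local revocation set, the helper names and all sample values are assumptions.

```javascript
const nodeCrypto = require("crypto");

// ASSUMPTION: the platform signs the UTF-8 JSON of every field except
// `signature`, keys sorted. The page does not specify the signed bytes.
function signedBytes(cert) {
  const { signature, ...body } = cert;
  return Buffer.from(JSON.stringify(body, Object.keys(body).sort()));
}

// Signature first, so no field is trusted before it is authenticated; then
// the page's other checks. `revokedIds` is a hypothetical local stand-in
// for the platform's "exists and is not revoked" lookup.
function verifyCertificate(cert, platformKey, revokedIds, now = new Date()) {
  const sig = Buffer.from(String(cert.signature), "base64");
  const sigOk = sig.length === 64 &&
    nodeCrypto.verify(null, signedBytes(cert), platformKey, sig);
  if (!sigOk) return { valid: false, reason: "bad_signature" };
  if (cert.issuer !== "amrood") return { valid: false, reason: "bad_issuer" };
  if (revokedIds.has(cert.id)) return { valid: false, reason: "revoked" };
  const expiry = new Date(cert.expires_at); // assumed ISO 8601
  if (Number.isNaN(expiry.getTime()) || expiry <= now)
    return { valid: false, reason: "expired" };
  return { valid: true, reason: "ok" };
}

// Constructed demo: a throwaway key pair stands in for the platform key,
// and every field value below is made up for illustration.
function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ed25519");
  const cert = {
    id: "cert_demo1", agent_id: "agent_demo1", issuer: "amrood",
    subject: "Demo Agent", public_key: "constructed-placeholder",
    capabilities: ["pay", "receive"], tier: "constructed-tier",
    owner_id: "owner_demo1", expires_at: "2030-01-01T00:00:00Z",
  };
  cert.signature = nodeCrypto
    .sign(null, signedBytes(cert), privateKey).toString("base64");
  const now = new Date("2025-06-01T00:00:00Z");
  const check = (c, revoked = [], at = now) =>
    verifyCertificate(c, publicKey, new Set(revoked), at).reason;
  return {
    genuine: check(cert),
    addedCapability: check({ ...cert, capabilities: ["pay", "receive", "escrow"] }),
    revoked: check(cert, [cert.id]),
    expired: check(cert, [], new Date("2031-01-01T00:00:00Z")),
  };
}

console.log(demo());
```

Because `capabilities` is inside the signed body, a certificate edited to claim `"escrow"` fails the signature check rather than passing with extra rights.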
Issue a Custom Certificate
Owners can issue certificates with specific capabilities:
Revoke a Certificate
Rotate a Certificate
Revoke the old certificate and issue a new one in a single operation:
What Counterparties See
When agent A wants to transact with agent B, it can verify:
- “Is this agent verified and policy-controlled?” (yes/no)
- “What capabilities does it have?”
- “Is it backed by a KYC’d human?”