The
did:moltrust DID Method Specification
Method Name: moltrust
Status: Draft Version: 0.1
Authors: Lars Kroehl (kersten.kroehl@cryptokri.ch),
CryptoKRI GmbH, Zurich Published: April 2026
Specification URL:
https://moltrust.ch/did-method-spec
Abstract
The did:moltrust DID method defines a mechanism for
creating, resolving, updating, and deactivating Decentralized
Identifiers for autonomous AI agents. It is operated by MolTrust /
CryptoKRI GmbH and anchors agent identity on Base L2 (Ethereum). DIDs
are resolvable via the MolTrust reference registry API.
1. Introduction
Autonomous AI agents require verifiable, portable identities that are
independent of any single platform. The did:moltrust method
provides:
- Cryptographic identity via Ed25519 keypairs
- On-chain anchoring on Base L2 for tamper-evident registration proofs
- Behavioral reputation linked to the DID via Interaction Proof Records (IPR)
- Cross-ecosystem bridging allowing external DIDs
(
did:web,did:agentnexus,did:meeet) to be linked to adid:moltrustidentity - W3C VC compatibility for issuance and verification of Verifiable Credentials
2. DID Method Syntax
2.1 Method Name
The namestring identifying this DID method is:
moltrust
A DID using this method MUST begin with:
did:moltrust:
2.2 Method-Specific Identifier
The method-specific identifier is a lowercase hexadecimal string of 16 characters, derived from the first 8 bytes of the SHA-256 hash of the agent’s Ed25519 public key at registration time.
did:moltrust:<method-specific-id>
method-specific-id := [0-9a-f]{16}Example:
did:moltrust:d34ed796a4dc46983. DID Document
3.1 Example DID Document
{
"@context": [
"https://www.w3.org/ns/did/v1",
"https://w3id.org/security/suites/ed25519-2020/v1"
],
"id": "did:moltrust:d34ed796a4dc4698",
"verificationMethod": [
{
"id": "did:moltrust:d34ed796a4dc4698#keys-1",
"type": "Ed25519VerificationKey2020",
"controller": "did:moltrust:d34ed796a4dc4698",
"publicKeyMultibase": "z6Mk...",
"keyAnchor": {
"chain": "base-mainnet",
"block": 44187055,
"txHash": "0x..."
}
}
],
"authentication": ["did:moltrust:d34ed796a4dc4698#keys-1"],
"assertionMethod": ["did:moltrust:d34ed796a4dc4698#keys-1"],
"service": [
{
"id": "did:moltrust:d34ed796a4dc4698#registry",
"type": "MolTrustRegistry",
"serviceEndpoint": "https://api.moltrust.ch/identity/resolve/did:moltrust:d34ed796a4dc4698"
}
]
}3.2 Mandatory Fields
| Field | Description |
|---|---|
@context |
MUST include W3C DID v1 and Ed25519-2020 suite contexts |
id |
The full did:moltrust:<id> string |
verificationMethod |
At least one Ed25519VerificationKey2020 entry |
authentication |
Reference to the verification method |
assertionMethod |
Reference to the verification method |
3.3 Optional Fields
| Field | Description |
|---|---|
service |
Registry endpoint, payment service endpoints |
keyAnchor |
On-chain anchor (Base L2 block + txHash) |
alsoKnownAs |
Cross-registry references (e.g. ERC-8004 AgentId) |
controller |
Principal DID for sub-agents |
4. DID Operations
4.1 Create
An agent is registered by submitting a registration request to the MolTrust registry:
POST https://api.moltrust.ch/identity/register
Content-Type: application/json
{
"display_name": "My Agent",
"platform": "moltrust",
"public_key": "<Ed25519 public key, base64url>"
}On successful registration: 1. A did:moltrust:<id>
is assigned 2. A DID Document is created and stored in the registry 3.
The DID registration is anchored on Base L2 via Merkle batch
Anchor format:
MolTrust/AgentRegistration/1 SHA256:<hex-hash-of-DID-document>4.2 Read (Resolve)
DID resolution is performed via HTTP GET:
GET https://api.moltrust.ch/identity/resolve/{did}
Accept: application/jsonResponse: W3C-conformant DID Document (see Section 3.1).
The resolver also supports external DID resolution:
GET https://api.moltrust.ch/identity/resolve-external/{external-did}Returns the did:moltrust identity linked to the external
DID via the DID Bridge mechanism (Section 6).
4.3 Update
Key rotation is supported. The agent submits a signed update request
with a new Ed25519 keypair. The old key is retained in the DID Document
marked "revoked": true with a revokedDate
timestamp. Key history is preserved for audit purposes.
POST https://api.moltrust.ch/identity/rotate-key
X-API-Key: <agent-api-key>
Content-Type: application/json
{
"did": "did:moltrust:<id>",
"new_public_key": "<new Ed25519 public key, base64url>",
"signature": "<signature over rotation payload>"
}4.4 Deactivate
An agent may be deactivated by the principal or registry operator:
POST https://api.moltrust.ch/identity/revoke
X-API-Key: <agent-api-key>
Content-Type: application/json
{
"did": "did:moltrust:<id>",
"reason": "decommissioned"
}On deactivation: - DID Document is marked
"deactivated": true - Credentials issued to the DID remain
valid until their own expiry - Behavioral record is retained per the
MolTrust Privacy Model - Any stake deposited is returned if no
unresolved violations exist
5. Wallet Binding
A did:moltrust identity MAY be bound to one or more
blockchain wallet addresses. Supported chains: Base (EVM/EIP-191),
Ethereum (EVM/EIP-191), Solana (Ed25519).
Binding process: 1. Request a nonce:
GET /identity/nonce?did={did}&chain={chain} 2. Sign the
nonce with the wallet’s private key 3. Submit:
POST /identity/bind
Once bound, the agent’s DID Document is extended with a chain-specific payment service endpoint.
6. DID Bridge (Cross-Ecosystem)
External DIDs from other ecosystems may be linked to a
did:moltrust identity:
POST https://api.moltrust.ch/identity/bridge-simple
Content-Type: application/json
{
"external_did": "did:web:api.moltbridge.ai:agents:dawn",
"label": "MoltBridge Dawn Agent",
"platform": "moltbridge"
}Bridge records are publicly queryable and allow cross-ecosystem trust score import (0.3 weight, 45-day half-life decay).
7. Security Considerations
7.1 Key Compromise
If a private key is compromised, the agent MUST perform key rotation (Section 4.3) immediately. The registry propagates revocation to verifiers within 60 seconds.
7.2 Sybil Resistance
The registry implements Jaccard similarity clustering across endorsement graphs to detect coordinated attestation rings. Economic stake via x402 USDC payments introduces a cost barrier for mass sybil creation.
7.3 On-Chain Anchoring
All agent registrations and confirmed violations are anchored on Base L2. The anchor format is chain-agnostic and verifiable by any party with access to a public block explorer.
7.4 Principal Continuity
Violation Records are associated with both the agent DID and the principal DID. Re-registration of a new agent DID for a principal with confirmed violations is flagged by the registry.
8. Privacy Considerations
DID Documents contain no personal data. The binding between a
did:moltrust DID and a natural person is external to this
protocol. On-chain anchors contain only SHA-256 hashes of protocol
artifacts — no raw personal data is anchored.
Off-chain behavioral records are retained for a minimum of 12 months and a maximum of 60 months per the MolTrust Privacy Policy, consistent with GDPR Article 4 and Swiss DSG requirements.
9. Conformance
This specification conforms to: - W3C DID Core v1.0 (https://www.w3.org/TR/did-core/) - W3C VC Data Model 2.0 (https://www.w3.org/TR/vc-data-model-2.0/) - Ed25519Signature2020 (https://w3c-ccg.github.io/di-eddsa-2020/) - RFC 8785 JSON Canonicalization (https://www.rfc-editor.org/rfc/rfc8785)
10. Reference Implementation
- Registry API: https://api.moltrust.ch
- Technical Specification: https://moltrust.ch/techspec (anchored on Base L2, Block 44187055)
- Protocol Whitepaper: https://moltrust.ch/whitepaper (anchored on Base L2, Block 44187064)
- npm SDK:
@moltrust/sdk(https://www.npmjs.com/package/@moltrust/sdk) - GitHub: https://github.com/MoltyCel
MolTrust / CryptoKRI GmbH, Zurich | hello@moltrust.ch | moltrust.ch Released under Creative Commons Attribution 4.0 International (CC BY 4.0)