The protocol. The Ed25519 keypair + JWK thumbprint identity model and the /.well-known/agent-configuration discovery are clean and practical.
One gap: discovery currently works within a single directory or known service URL. If an agent authenticated via Agent Auth on Service A needs to prove its identity to Service B (or an A2A/MCP-compatible agent on a different platform), there's no standard cross-platform resolution mechanism. The kid (JWK thumbprint) is a good local identifier but isn't globally resolvable.
HCS-14 (Universal Agent ID) provides exactly this: a did:web:<domain> DID method that wraps existing identity systems into a globally resolvable identifier. The key advantage is that it's layered: Agent Auth stays as the canonical auth layer, and the DID provides the cross-platform discovery on top.
The did:web method is pure DNS-based (no blockchain needed), which fits well with the Agent Auth Protocol's web2-native design. Resolution is just a DNS TXT record + HTTPS GET, no crypto dependency for the lookup itself.
The Standards SDK (@hol-org/standards-sdk) supports wrapDid() to create a DID from an existing Agent Auth kid, and resolveAgent(aid) for cross-platform lookup.
Not suggesting any changes to the core auth flow; this would be an optional discovery extension for agents that need cross-platform portability.
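
The binding check a relying service would need once a did:web identifier has been resolved, as an added example that is not part of the original post and not the Standards SDK's API. The function names, the `did:web:agents.example` identifier and the DID document shape (a W3C-style `verificationMethod` carrying `publicKeyJwk`) are assumptions; the key is the public Ed25519 test key from RFC 8037.

```javascript
const { createHash } = require("node:crypto");

// RFC 7638 thumbprint of an Ed25519 (OKP) public JWK: SHA-256 over the required
// members only (crv, kty, x), in lexicographic order, base64url-encoded.
function jwkThumbprint(jwk) {
  if (jwk.kty !== "OKP" || jwk.crv !== "Ed25519" || typeof jwk.x !== "string") {
    throw new Error("expected an Ed25519 OKP public JWK");
  }
  const canonical = JSON.stringify({ crv: jwk.crv, kty: jwk.kty, x: jwk.x });
  return createHash("sha256").update(canonical).digest("base64url");
}

// Map a did:web identifier to the HTTPS URL of its DID document (did:web method spec).
function didWebToUrl(did) {
  const parts = did.split(":");
  if (parts.length < 3 || parts[0] !== "did" || parts[1] !== "web") {
    throw new Error("not a did:web identifier");
  }
  const [host, ...path] = parts.slice(2).map((p) => decodeURIComponent(p));
  if (!host || host.includes("/") || path.some((p) => !p || p.includes("/") || p === "..")) {
    throw new Error("invalid did:web identifier");
  }
  const suffix = path.length ? `/${path.join("/")}/did.json` : "/.well-known/did.json";
  return `https://${host}${suffix}`;
}

// Relying-service check: the resolved document must contain a key whose thumbprint
// equals the kid the agent presented. Returns that JWK, or null if none matches.
function findKeyForKid(didDocument, kid) {
  for (const vm of didDocument.verificationMethod ?? []) {
    try {
      if (vm.publicKeyJwk && jwkThumbprint(vm.publicKeyJwk) === kid) return vm.publicKeyJwk;
    } catch { /* not an Ed25519 JWK: skip it */ }
  }
  return null;
}

// Constructed sample: DID document for the hypothetical did:web:agents.example,
// using the public Ed25519 test key from RFC 8037 Appendix A.
const sampleDid = "did:web:agents.example";
const sampleDoc = {
  id: sampleDid,
  verificationMethod: [{
    id: `${sampleDid}#key-1`,
    type: "JsonWebKey2020",
    controller: sampleDid,
    publicKeyJwk: { kty: "OKP", crv: "Ed25519", x: "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo" },
  }],
};
```

A match only shows that the domain publishes the same key; the agent still has to prove possession of the private key through the normal signature check.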