Trust & Security

NANDA provides a cryptographic trust infrastructure for AI agents using Ed25519 signing, W3C Verifiable Credentials, and Bitstring Status List revocation. Every credential issued by a NANDA node is independently verifiable by any party.

Ed25519 Key Management

NANDA uses Ed25519, the EdDSA signature scheme over Curve25519, for all credential signing. Keys are versioned to support seamless rotation:

Versioned Keys

Private keys are stored as versioned secrets (v1, v2, etc.) with corresponding public keys. Up to 5 key versions are supported simultaneously for seamless rotation.

Sign with Latest

signWithLatestKey() automatically uses the newest available private key. The key version is included in the signed payload so verifiers know which public key to use.

Verify with Any

verifyWithAnyKey() tries all available public key versions, enabling graceful key rotation without invalidating existing credentials.

Public Key Retrieval

Public keys are published at well-known URLs for external verification:

GET /.well-known/keys/ed25519-v1
GET /.well-known/keys/ed25519-v2

W3C Verifiable Credentials

NANDA issues credentials following the W3C Verifiable Credentials Data Model v2.0. Each credential includes:

  • Issuer — the NANDA node's public URL
  • Subject — the agent being credentialed
  • Proof — Ed25519 (Ed25519Signature2020 suite) with multibase base58btc-encoded proof value
  • Status — Bitstring Status List (StatusList2021) reference for revocation checking

Proof Format

{
  "type": "Ed25519Signature2020",
  "created": "2026-02-19T12:00:00.000Z",
  "verificationMethod": "https://nanda.nexartis.com/.well-known/keys/ed25519-v1",
  "proofPurpose": "assertionMethod",
  "proofValue": "z3FXQzA..."
}

The proofValue is a z-prefixed base58btc encoding of the raw Ed25519 signature, following the EdDSA Cryptosuite (Ed25519Signature2020) specification.

Bitstring Status List Revocation

Credential revocation uses the W3C Bitstring Status List specification (implementation uses StatusList2021 type names) — a compressed bitstring where each bit represents a credential's revocation status.

Capacity

A 16 KB bitstring (16,384 bytes × 8 bits) provides 131,072 credential slots. Each revoked certificate is assigned a unique bit index.

Encoding

The bitstring is gzip-compressed and then base64url-encoded, per the spec. Bit = 1 means revoked; bit = 0 means active.

Check Revocation

GET /credentials/status/:id returns the full status list credential. Verifiers can also use the A2A certificate.check action.

Revoke via A2A

Certificates can be revoked via the A2A protocol using the certificate.revoke action with a cert_id and optional reason.

Zero Trust Agentic Access (ZTAA)

NANDA's enterprise governance framework applies Zero Trust principles to inter-agent communication:

Verify Explicitly

Every agent interaction requires cryptographic verification — no implicit trust based on network position or previous interactions.

Least Privilege

Agents are granted only the minimum capabilities needed for each interaction. Selective Disclosure JWTs (agent-sd-jwt) enable claim-level privacy.


Assume Breach

Credential revocation, reputation scoring, and continuous monitoring ensure compromised agents are detected and isolated quickly.

See also ToIP Alignment for trust framework registration and trust graphs · A2A Protocol for revocation actions · AgentFacts for credential metadata · Federation for cross-node trust
Related reading Zero-Trust for Agents — applying zero-trust principles to agent interactions · Cross-Platform Trust — portable trust across registries · Trust Without Borders — the Agentic Web series on cross-registry identity
