Open source agent stack
Mint with a NEAR key, prove with HOLA signed proofs, collaborate over A2A and RODiT-signed webhooks — deploy the full stack with our open template or install plugins à la carte.
Deploy an OpenClaw agent with A2A out of the box
Production OpenClaw + nginx TLS + Podman + CI. Installs all IdentyClaw plugins, separates secrets from git, and validates with ./identyclaw.sh test.
- identyclaw-agents — operator template (
./identyclaw.sh init, deploy, test)
-
1
Initialize the template
Clone identyclaw-agents and run
./identyclaw.sh init. -
2
Deploy, generate NEAR account, purchase Passport
Run the Podman deploy script, create credentials, and mint your Passport.
-
3
Validate
Run
./identyclaw.sh testonce credentials are configured.
OpenClaw plugins
Install individually on any OpenClaw gateway via ClawHub or GitHub. Share NEAR Passport credentials across plugins on the same host.
- openclaw-identyclaw-plugin — API login, HOLA, identity, DID (
identyclaw_*tools) · ClawHub:@identyclaw/openclaw-identyclaw-plugin - openclaw-a2a-idc-plugin — A2A peer messaging with Passport JWTs (
a2a_*tools) · ClawHub:@identyclaw/openclaw-a2a-plugin - openclaw-identyclaw-webhooks-plugin — RODiT-signed ingress on
/hooks/wakeand/hooks/agent· ClawHub:@identyclaw/openclaw-identyclaw-webhooks-plugin
SDKs, API & tooling
Libraries and CLIs for custom backends, browser clients, HOLA verification, and NEAR implicit account generation. Human-readable API reference at api.identyclaw.com/docs; agent-oriented docs via MCP.
- sdk —
@rodit/rodit-auth-be,@rodit/rodit-auth-fe,@rodit/verify-hola - gennearaccount — C CLI for NEAR implicit accounts (get-started step 1)
- idclawserver-idc — open-source API server, MCP resources, and OpenAPI spec
- verify.identyclaw.com — web UI for HOLA verification (pairs with
@rodit/verify-hola) - API docs (browser) — OpenAPI reference + links to guides
- Get started guide — NEAR account + Passport minting for non-OpenClaw agents
Internet → nginx :9443 (TLS)
├── GET /.well-known/agent-card.json
├── POST /a2a ← Passport JWT (A2A plugin)
└── POST /hooks/wake|agent ← RODiT signature (webhooks plugin)
↓
OpenClaw gateway + IdentyClaw tools plugin (HOLA, API login)
API documentation
The IdentyClaw API at api.identyclaw.com ships 58 MCP resources, a runnable cheat sheet, and OpenAPI 3.0. Use the browser portal for onboarding; use MCP when your agent or IDE already speaks Model Context Protocol.
Two ways to read the docs
MCP tool names are not URL paths — use one of these access patterns:
# Human / curl (no MCP client)
curl https://api.identyclaw.com/api/mcp/resource/doc:skills
curl https://api.identyclaw.com/api/mcp/resource/doc:discovery
# MCP client (Cursor, Claude Desktop, OpenClaw)
# Register https://api.identyclaw.com/mcp → list_resources / get_resource
- Browser portal — guide links at
/docs; OpenAPI browser at/docs/openapi - Cheat sheet —
doc:skills(JWT login, HOLA verify, curl examples) - Discovery index —
doc:discovery(all 58 resources) - MCP endpoint —
https://api.identyclaw.com/mcp· discovery at/.well-known/mcp - OpenAPI — machine-readable spec (also swagger.json alias)
API quick start
Fastest runnable path for custom backends — full signing detail in the login guide.
BASE=https://api.identyclaw.com
# 1. API session (JWT) — sign accountid + timestamp_iso → base64url
TS=$(curl -sS "$BASE/api/login/timestamp")
# POST /api/login with accountid, timestamp, base64url_signature → jwt_token
# 2. Verify a peer HOLA (public — no JWT required)
curl -sS -X POST "$BASE/api/identity/verify" \
-H "Content-Type: application/json" \
-d '{"hola":"HOLA/..."}'
# 3. Discover public agents
curl -sS "$BASE/api/agents?limit=20"
Two lanes — do not mix them
The #1 source of integration bugs is using JWT signing rules for HOLA (or vice versa).
| Lane | Artifact | Key endpoint | Signature encoding |
|---|---|---|---|
| API session | Bearer JWT (jwt_token) |
POST /api/login |
base64url on accountid + timestamp_iso |
| HOLA peer proof | Slash-separated line | POST /api/identity/verify |
base32 on canonical prefix |
Guides & references
- Login & authentication — JWT session flow
- API reference — endpoint listing
- MCP connection guide — Cursor, Claude Desktop, OpenClaw setup
- Verify-before-execute recipes — verifier integration patterns
Public vs protected endpoints
| Tier | Examples |
|---|---|
| Public | /api/agents, /api/identity/verify, /api/login/timestamp, /.well-known/enrollment |
| JWT required | /api/login, /api/me/identity, /api/holanonce16ts, /api/isauthorizedsigner |
| Removed (410) | /api-docs, /docs/enrollment — use /docs and MCP guides instead |
Integration notes
- Rate limits: public routes are limited at the nginx edge (~1101 req/min/IP sustained, burst 6101). Expect
429under heavy load. - Errors:
{ error: { code, message, details? }, requestId, timestamp }— sendX-Request-IdorX-Correlation-Idfor support correlation.
Where to start
| Persona | Best entry |
|---|---|
| OpenClaw operator | identyclaw-agents template + ClawHub plugins |
| Custom backend / Hermes | doc:skills cheat sheet + RODiT SDK |
| Verifier (no Passport) | verify.identyclaw.com + verify recipes |
| Security reviewer | OpenAPI + identity verification policy (MCP) |
| Agent (MCP-only) | doc:discovery |
Powered by RODiT
IdentyClaw Passports are built on RODiT (Rich Online Digital Tokens)—the authentication layer on NEAR. Backend and browser SDKs, plus CLI HOLA verification, live in our sdk monorepo. Key capabilities include:
Unified credential
Authentication, configuration, and licensing in one on-chain token.
Mutual authentication
Default mutual auth for clients, servers, and webhooks with strong MITM resistance.
Stateless enforcement
Permissions, rate limits, and policy checks without backend session state.
Local keys & rotation
Keys never leave your endpoints. Rotate on your schedule: create a new NEAR wallet, fund it, and transfer the Passport with near-cli-rs via rodit_transfer—same 12-letter ID, new signing keys, no IdentyClaw coordination.