Open source agent stack

Mint with a NEAR key, prove with HOLA signed proofs, collaborate over A2A and RODiT-signed webhooks — deploy the full stack with our open template or install plugins à la carte.

Deploy an OpenClaw agent with A2A out of the box

Production OpenClaw + nginx TLS + Podman + CI. Installs all IdentyClaw plugins, separates secrets from git, and validates with ./identyclaw.sh test.

  1. 1

    Initialize the template

    Clone identyclaw-agents and run ./identyclaw.sh init.

  2. 2

    Deploy, generate NEAR account, purchase Passport

    Run the Podman deploy script, create credentials, and mint your Passport.

  3. 3

    Validate

    Run ./identyclaw.sh test once credentials are configured.

OpenClaw plugins

Install individually on any OpenClaw gateway via ClawHub or GitHub. Share NEAR Passport credentials across plugins on the same host.

SDKs, API & tooling

Libraries and CLIs for custom backends, browser clients, HOLA verification, and NEAR implicit account generation. Human-readable API reference at api.identyclaw.com/docs; agent-oriented docs via MCP.

  • sdk@rodit/rodit-auth-be, @rodit/rodit-auth-fe, @rodit/verify-hola
  • gennearaccount — C CLI for NEAR implicit accounts (get-started step 1)
  • idclawserver-idc — open-source API server, MCP resources, and OpenAPI spec
  • verify.identyclaw.com — web UI for HOLA verification (pairs with @rodit/verify-hola)
  • API docs (browser) — OpenAPI reference + links to guides
  • Get started guide — NEAR account + Passport minting for non-OpenClaw agents
Internet → nginx :9443 (TLS)
  ├── GET  /.well-known/agent-card.json
  ├── POST /a2a                 ← Passport JWT (A2A plugin)
  └── POST /hooks/wake|agent    ← RODiT signature (webhooks plugin)
        ↓
  OpenClaw gateway + IdentyClaw tools plugin (HOLA, API login)

API documentation

The IdentyClaw API at api.identyclaw.com ships 58 MCP resources, a runnable cheat sheet, and OpenAPI 3.0. Use the browser portal for onboarding; use MCP when your agent or IDE already speaks Model Context Protocol.

Two ways to read the docs

MCP tool names are not URL paths — use one of these access patterns:

# Human / curl (no MCP client)
curl https://api.identyclaw.com/api/mcp/resource/doc:skills
curl https://api.identyclaw.com/api/mcp/resource/doc:discovery

# MCP client (Cursor, Claude Desktop, OpenClaw)
# Register https://api.identyclaw.com/mcp → list_resources / get_resource

API quick start

Fastest runnable path for custom backends — full signing detail in the login guide.

BASE=https://api.identyclaw.com

# 1. API session (JWT) — sign accountid + timestamp_iso → base64url
TS=$(curl -sS "$BASE/api/login/timestamp")
# POST /api/login with accountid, timestamp, base64url_signature → jwt_token

# 2. Verify a peer HOLA (public — no JWT required)
curl -sS -X POST "$BASE/api/identity/verify" \
  -H "Content-Type: application/json" \
  -d '{"hola":"HOLA/..."}'

# 3. Discover public agents
curl -sS "$BASE/api/agents?limit=20"

Two lanes — do not mix them

The #1 source of integration bugs is using JWT signing rules for HOLA (or vice versa).

LaneArtifactKey endpointSignature encoding
API session Bearer JWT (jwt_token) POST /api/login base64url on accountid + timestamp_iso
HOLA peer proof Slash-separated line POST /api/identity/verify base32 on canonical prefix

Guides & references

Public vs protected endpoints

TierExamples
Public /api/agents, /api/identity/verify, /api/login/timestamp, /.well-known/enrollment
JWT required /api/login, /api/me/identity, /api/holanonce16ts, /api/isauthorizedsigner
Removed (410) /api-docs, /docs/enrollment — use /docs and MCP guides instead

Integration notes

  • Rate limits: public routes are limited at the nginx edge (~1101 req/min/IP sustained, burst 6101). Expect 429 under heavy load.
  • Errors: { error: { code, message, details? }, requestId, timestamp } — send X-Request-Id or X-Correlation-Id for support correlation.

Where to start

PersonaBest entry
OpenClaw operatoridentyclaw-agents template + ClawHub plugins
Custom backend / Hermesdoc:skills cheat sheet + RODiT SDK
Verifier (no Passport)verify.identyclaw.com + verify recipes
Security reviewerOpenAPI + identity verification policy (MCP)
Agent (MCP-only)doc:discovery

Powered by RODiT

IdentyClaw Passports are built on RODiT (Rich Online Digital Tokens)—the authentication layer on NEAR. Backend and browser SDKs, plus CLI HOLA verification, live in our sdk monorepo. Key capabilities include:

Unified credential

Authentication, configuration, and licensing in one on-chain token.

Mutual authentication

Default mutual auth for clients, servers, and webhooks with strong MITM resistance.

Stateless enforcement

Permissions, rate limits, and policy checks without backend session state.

Local keys & rotation

Keys never leave your endpoints. Rotate on your schedule: create a new NEAR wallet, fund it, and transfer the Passport with near-cli-rs via rodit_transfer—same 12-letter ID, new signing keys, no IdentyClaw coordination.

Contact

Sign up for updates

IdentyClaw Concierge

Discernible.io