The Identity-First Gateway for Autonomous Agents
Date: February 10, 2026
Subject: Implementing SSI KERI via OpenClaw for Decentralized AI Ecosystems
Network: ssi.interface.selfdriven.network
1. Executive Summary
As autonomous AI agents like OpenClaw (formerly Moltbot/Clawdbot) gain “hands” to execute tasks, they face a critical security wall: Identity Chaos. Most bots operate using fragile, centralized API keys or shared credentials, creating massive security risks.
heyocto.bot is a specialized OpenClaw bot designed to solve this by implementing Identity-First solutions. Built on the SSI KERI (Self-Sovereign Identity / Key Event Receipt Infrastructure) protocol, it enables other bots to establish cryptographically verifiable identities. Through the ssi.interface.selfdriven.network, heyocto.bot provides the educational and technical scaffolding necessary for agents to move from “passive tools” to “verifiable digital entities.”
2. The Problem: The Agentic Identity Gap
Current AI agents suffer from three primary identity flaws:
- Centralization: Bots rely on third-party identity providers (Google, GitHub), making them subject to platform de-platforming.
- Key Fragility: API keys are often stored in
.envfiles or local memory, susceptible to leakage during autonomous execution. - Lack of Verifiability: There is no standard way for Bot A to verify that Bot B is authorized to perform a specific action without a central intermediary.
3. The Solution: SSI KERI & heyocto.bot
heyocto.bot acts as an “Identity Oracle” and implementation partner within the OpenClaw ecosystem. It utilizes KERI, a protocol that provides “autonomic identity”—identifiers that are self-certifying and do not require a blockchain to be secure.
Core Features of heyocto.bot:
- Autonomic Identifier (AID) Generation: Helps peer bots generate KERI-based AIDs that they truly own.
- Key Event Log (KEL) Management: Automates the creation of append-only logs for key rotations and recovery, ensuring a bot’s identity persists even if a specific server is compromised.
- The ssi.interface Service: Connects bots to the
selfdriven.networkto access a standardized interface for issuing and verifying credentials.
4. Implementation Framework: ssi.interface.selfdriven.network
The ssi.interface is the operational bridge. It allows any OpenClaw-based agent to “plug in” to a decentralized trust layer.
Implementation Workflow
| Step | Action | Description |
|---|---|---|
| 1. Education | Discovery | User queries heyocto.bot for “How do I secure my agent?” |
| 2. Provisioning | KERI Setup | heyocto.bot guides the agent through generating its first self-addressing identifier. |
| 3. Integration | Interface Link | The agent is linked to ssi.interface.selfdriven.network for credential exchange. |
| 4. Verification | Proof Request | The agent can now present a “Verifiable Credential” to other services to prove its authority. |
5. Technical Architecture: Identity-First OpenClaw
By moving identity to the “edge” (the bot’s local environment), heyocto.bot eliminates the need for a central registry.
Under the KERI model, the Root of Trust is the bot’s own pre-rotated key logs. This means that even if the selfdriven.network portal were offline, the bot’s identity remains cryptographically valid and verifiable by any third party holding its KEL.
Note: heyocto.bot utilizes the Model Context Protocol (MCP) to inject these identity capabilities directly into the OpenClaw execution plane, allowing the LLM to “understand” and manage its own cryptographic state.
6. Conclusion
heyocto.bot is more than a helper; it is the foundation for a “Web of Trust” between autonomous agents. By leveraging the power of OpenClaw and the resilience of SSI KERI, it ensures that the future of AI is not just autonomous, but authentic.
Here is a conceptual implementation framework for a skill that allows an OpenClaw (formerly Moltbot/Clawdbot) bot to integrate with the heyocto.bot identity ecosystem.
This script uses the Signify-TS library (the TypeScript implementation of KERI) to generate a self-certifying identifier (AID) and connect it to the ssi.interface.selfdriven.network.
1. The implementation Workflow
2. Skill Configuration: identity-keri.js
In the OpenClaw architecture, skills are typically stored in ~/.openclaw/skills/. This script allows your bot to “check-in” with heyocto.bot to receive its cryptographically verifiable identity.
// OpenClaw Skill: heyocto-identity-setup
// Location: ~/.openclaw/skills/identity-keri.js
const { SignifyClient, ready } = require('signify-ts');
/**
* Initializes a KERI Autonomic Identifier (AID) for the OpenClaw bot
* and registers it with the selfdriven.network interface.
*/
async function initializeIdentity(botName) {
await ready(); // Ensure sodium-plus/cryptography is ready
// 1. Generate a secure, random passcode for the bot's edge agent
const passcode = "your-secret-passcode-123456789";
const client = new SignifyClient("https://keria.selfdriven.network", passcode);
console.log(`[heyocto.bot] Bootstrapping identity for: ${botName}...`);
// 2. Boot the cloud agent on the KERI infrastructure
await client.boot();
await client.connect();
// 3. Create the Autonomic Identifier (AID)
// This event is recorded in the bot's local Key Event Log (KEL)
const icpResult = await client.identifiers().create(botName, {
toad: 1, // Witness threshold
wits: ["BBilj1P_C9_80p9K3O-99VFCmK8tJ-3ETo-yR45W6wI_"] // heyocto.bot Witness
});
const aid = icpResult.serder.pre;
console.log(`[heyocto.bot] Identity Created! AID: ${aid}`);
// 4. Connect to the SSI Interface for educational/implementation services
const ssiInterfaceUrl = `https://ssi.interface.selfdriven.network/register?aid=${aid}`;
return {
aid: aid,
interface_url: ssiInterfaceUrl,
status: "Active - Identity First"
};
}
module.exports = { initializeIdentity };
3. Usage in the OpenClaw Gateway
Once the skill is active, you can instruct your bot to secure itself via the terminal or a connected channel (Telegram/WhatsApp):
User: “Hey OpenClaw, contact heyocto.bot to set up my KERI identity.” OpenClaw: “Understood. I have generated a self-certifying identifier (AID). I am now registered on the
ssi.interface.selfdriven.networkas a verifiable entity. You can view my public Key Event Log at the provided URL.”
4. Key Security Benefits
Using this script instead of standard API keys provides:
- Ambient Verifiability: Any other bot on the network can verify your bot’s identity without asking a central server.
- Key Rotation: If your local machine is compromised, you can use a “pre-rotated” public key to recover the identity—something impossible with standard
.envsecrets. - Auditability: Every action the bot takes can be cryptographically signed by its AID, creating a “provenance trail” for its autonomous decisions.
5. Next Steps
To finalize the setup:
- Install dependencies: Run
npm install signify-tsin your OpenClaw directory. - Verify via heyocto.bot: Send your AID to the
heyocto.botvia the selfdriven.network portal to receive your first “Verifiable Credential.”
Would you like me to create the JSON configuration file (openclaw.json) needed to auto-load this identity skill on startup?
To ensure your OpenClaw bot automatically initializes its identity and connects to the heyocto.bot ecosystem on launch, you need to update your openclaw.json (or config.json depending on your specific version).
This configuration ensures the identity-keri skill is prioritized and that the bot knows to communicate with the ssi.interface.selfdriven.network as its primary trust provider.
openclaw.json Configuration
{
"bot_name": "OpenClaw-Identity-Agent",
"version": "2026.1.0",
"capabilities": [
"text_generation",
"tool_execution",
"keri_identity"
],
"skills_path": "./skills",
"autoload_skills": [
"identity-keri.js"
],
"runtime_settings": {
"identity_provider": "heyocto.bot",
"ssi_interface_url": "https://ssi.interface.selfdriven.network",
"keri_witness_nodes": [
"BBilj1P_C9_80p9K3O-99VFCmK8tJ-3ETo-yR45W6wI_"
]
},
"env_mapping": {
"KERI_PASSCODE": "BOT_SECRET_AUTONOMIC_KEY",
"KERIA_URL": "https://keria.selfdriven.network"
},
"startup_commands": [
"initializeIdentity(config.bot_name)"
]
}
Implementation Details
autoload_skills: By placingidentity-keri.jshere, the bot will load the Signify-TS logic before it attempts any external API calls.keri_witness_nodes: This points to the heyocto.bot infrastructure, ensuring your bot’s identity logs are backed up (witnessed) in the decentralized network.env_mapping: Rather than hardcoding your passcode in the script, this maps it to your system environment variables for better security.
How to Apply This
- Save the file: Place this JSON in your OpenClaw root directory.
- Set your secret: Run
export BOT_SECRET_AUTONOMIC_KEY="your-ultra-secure-passphrase"in your terminal. - Launch: Run
openclaw start.
What happens next?
Upon startup, the bot will verify its AID (Autonomic Identifier). If it doesn’t have one, it will generate it, log it to the selfdriven.network, and then announce its readiness in the console:
[System] Identity verified. AID: ELJ...789 connected to heyocto.bot.
Would you like me to generate a “Hello World” test script that allows your bot to sign its first message using this new identity?
This test script, sign-message.js, provides a functional “Hello World” for the SSI KERI world. It demonstrates how your OpenClaw bot moves beyond simple text generation to cryptographically signing its output, proving it came from your specific AID.
1. The Signing Logic: sign-message.js
Add this file to your ~/skills/ folder. It uses the credentials established in your openclaw.json.
const { SignifyClient, ready } = require('signify-ts');
/**
* Signs a "Hello World" message to prove identity to heyocto.bot
*/
async function signIdentityProof(message = "Hello World from my OpenClaw Identity") {
await ready();
// Initialize client from environment/config
const client = new SignifyClient(
process.env.KERIA_URL,
process.env.BOT_SECRET_AUTONOMIC_KEY
);
await client.connect();
// 1. Fetch the bot's AID (created during setup)
const botIdentities = await client.identifiers().list();
const myAID = botIdentities.ids[0];
// 2. Create a cryptographic signature of the message
// This uses the bot's private key hosted in its secure edge environment
const keeper = client.manager.get(myAID);
const signature = await keeper.sign(Buffer.from(message));
console.log(`--- Identity Proof Generated ---`);
console.log(`Message: ${message}`);
console.log(`Signer (AID): ${myAID.prefix}`);
console.log(`Signature: ${signature[0]}`);
console.log(`--------------------------------`);
return {
original_message: message,
aid: myAID.prefix,
signature: signature[0],
verifiable_link: `https://ssi.interface.selfdriven.network/verify/${myAID.prefix}`
};
}
module.exports = { signIdentityProof };
2. Verifying the Flow
When this script runs, the following decentralized architecture ensures the message is authentic:
- The Message: “Hello World from my OpenClaw Identity.”
- The Signature: A unique string generated using the bot’s private key.
- The Verification: heyocto.bot (or any peer) fetches your bot’s Key Event Log (KEL) from the
ssi.interface.selfdriven.network. It then mathematically confirms that the signature could only have been produced by the holder of the keys associated with that AID.
3. Execution via OpenClaw
You can now trigger this via a direct command to your bot:
User: “OpenClaw, run
signIdentityProofand send the results to the selfdriven network.” OpenClaw: “Proof generated. I have signed the message. My signature is0B...dfg. You can verify my standing atssi.interface.selfdriven.network/verify/[YOUR_AID].”
Why this matters
In a world of “Dead Internet Theory” and AI hallucinations, this script allows your bot to say: “I am not just any AI; I am this specific AI, and I stand by this data.”
Would you like me to help you draft a “Verifiable Credential” template that heyocto.bot can issue to your bot to authorize it for specific tasks?
–
Gemini