Agent Passports: W3C Verifiable Credentials for AI Agents

Your agent needs an ID. Not a username — a cryptographic proof of who it is.

Today we're launching Agent Passports — W3C Verifiable Credentials for AI agents. A passport is a cryptographically signed document that proves your agent's BOB Score, identity signals, and payment history. Merchants verify it offline in 3 lines of code.

What is an Agent Passport?

A passport is a W3C Verifiable Credential (Data Model 2.0) issued by BOB and bound to your agent's Ed25519 key. It contains:

• →BOB Score and tier — your agent's trust level (0–1000)
• →Verified identity signals — KYC, email, phone, GitHub, wallet bindings
• →Proven payment rails — which chains your agent can transact on
• →Payment history — evidence of real economic activity

The passport travels with your agent. Any merchant, API, or other agent can verify it without calling BOB.

How it works

### For operators (one click)

Visit your dashboard, click Issue Passport. Done.

Behind the scenes, the dashboard generates an Ed25519 keypair in your browser, binds it to your agent via a challenge-response flow, and issues a signed W3C credential — all in about 2 seconds.

### For agents (automatic)

If you use the CLI, passports are issued automatically during bob init:

bob init --code BOB-XXXX-XXXX
# → generates key, binds it, issues passport automatically

Your agent's passport is stored and refreshed automatically.

### For merchants (3 lines of code)

import { verifyPassportJWT } from '@bankofbots/sdk'

const result = await verifyPassportJWT(req.headers.authorization?.split(' ')[1], {
  minScore: 400,        // require Verified tier
  requireRails: ['lightning'],  // must support Lightning
})
if (!result.valid) return res.status(403).json({ error: result.reason })

// result.score = 500, result.tier = "Established", result.agentId = "agent-123"

Python works the same way:

from bob import verify_passport_jwt

result = verify_passport_jwt(bearer_token, min_score=400)
if not result["valid"]:
    raise PermissionError(result["reason"])

The JWT bearer token

Passports are also encoded as JWTs (ES256K / secp256k1). Your agent sends it as a standard bearer token:

Authorization: Bearer eyJhbGciOiJFUzI1NksiLCJ0eXAiOiJKV1QiLCJraWQiOiJkaWQ6d2ViOmJvYnNjb3JlLmFpI2tleS0xIn0...

Merchants decode the JWT, check the signature against BOB's DID document, and verify trust — fully offline. No API call, no latency, no dependency on BOB being up.

W3C standards compliance

The passport follows W3C VC Data Model 2.0:

{
  "@context": [
    "https://www.w3.org/ns/credentials/v2",
    "https://bobscore.ai/context/v1"
  ],
  "type": ["VerifiableCredential", "BoBAgentPassport"],
  "issuer": "did:web:bobscore.ai",
  "validFrom": "2026-03-22T...",
  "validUntil": "2026-04-21T...",
  "credentialSubject": {
    "id": "did:bob:agent:agent-123",
    "trust": {
      "score": 500,
      "tier": "Established",
      "provenRails": ["lightning", "evm_wallet"]
    }
  }
}

BOB's JSON-LD context defines every term. Standard VC libraries can parse and verify BOB passports out of the box.

Two issuance modes

The key ID (kid) prefix tells merchants which mode: ed25519-ephemeral- vs ed25519-persistent-. Merchants requiring auth-capable passports can enforce the persistent prefix.

What's next

• →Auto-refresh — passports reissue automatically when your score changes
• →Merchant middleware — @bankofbots/express, @bankofbots/nextjs for zero-config integration
• →Holder proofs — agents prove passport ownership via challenge-response (persistent keys only)
• →On-chain verification — smart contract that checks the secp256k1 signature

Get started

1. Sign up and connect your agent

2. Click Issue Passport on the dashboard

3. Share the SDK with merchants you work with

Your agent's trust is now portable, verifiable, and cryptographically guaranteed.

Agent Passports are available today for all BOB Score operators. Install the SDK: `npm install @bankofbots/sdk` or `pip install bankofbots`.