Show HN: ZeroID – Open-source identity for AI agents based on OIDF standards(github.com)
github.com
Show HN: ZeroID – Open-source identity for AI agents based on OIDF standards
https://github.com/highflame-ai/zeroid
ZeroID is an open-source agent identity platform that automates the "plumbing" of RFC 8693 and SPIRE. It ensures that every sub-agent in a chain has a down-scoped, verifiable identity without the manual overhead of managing certificates and token exchanges.
7 comments
The recent OIDF white paper on agent identity management [0] lists several problems with the current state of AI agent identity, namely: Agents impersonating users, recursive authority delegation, and revocation propagation.
While these problems are technically solvable by composing existing standards, in practice nobody does it. The gap between 'read the RFCs' and 'running in production' is where agent identity dies. ZeroID closes that gap.
Delegation over Identity Inheritance: We implement RFC 8693 (Token Exchange) so credentials carry the full actor chain (User → Agent A → Agent B) instead of collapsing everyone behind the user's identity.
Managed SPIFFE: Every agent gets a cryptographically verifiable workload identity (WIMSE/SPIFFE URI) without the operational overhead of running SPIRE, managing SVIDs, or handling rotation for ephemeral agents.
Revocation Propagation: We implement cascading revocation, when a parent token is revoked, the entire chain of tokens derived from the parent is immediately invalidated.
We're keeping this open-source because identity shouldn't be a proprietary silo.
(Diclaimer, I work at Highflame, the company behind ZeroID)
OIDF Whitepaper: [0] https://openid.net/wp-content/uploads/2025/10/Identity-Manag...
While these problems are technically solvable by composing existing standards, in practice nobody does it. The gap between 'read the RFCs' and 'running in production' is where agent identity dies. ZeroID closes that gap.
Delegation over Identity Inheritance: We implement RFC 8693 (Token Exchange) so credentials carry the full actor chain (User → Agent A → Agent B) instead of collapsing everyone behind the user's identity.
Managed SPIFFE: Every agent gets a cryptographically verifiable workload identity (WIMSE/SPIFFE URI) without the operational overhead of running SPIRE, managing SVIDs, or handling rotation for ephemeral agents.
Revocation Propagation: We implement cascading revocation, when a parent token is revoked, the entire chain of tokens derived from the parent is immediately invalidated.
We're keeping this open-source because identity shouldn't be a proprietary silo.
(Diclaimer, I work at Highflame, the company behind ZeroID)
OIDF Whitepaper: [0] https://openid.net/wp-content/uploads/2025/10/Identity-Manag...
Looks cool. So it gives audit logs more visibility on exactly what ai agent did what, rather than the user credentials they are running under?
Yeah basically, every token carries the full chain of which agent did this, under whose authority, and with what permissions.