Skyfire AI-agent identity

Reference pattern (emerging space)

Agent-identity is a new and rapidly evolving space — this page is a reference architecture more than a turnkey product. Reference: ory/integrates/agent-identity/skyfire.

Skyfire is an AI-agent identity and payment platform that provides "Know Your Agent" verification for autonomous agents. Pair it with Ory OAuth2 & OpenID Connect (Hydra) for OAuth2 issuance and Ory Identities (Kratos) for identity records so AI agents authenticate to your APIs with verifiable identity and per-agent spend controls.

How it works

1. Skyfire issues each AI agent a verifiable credential and a Skyfire-managed identity.
2. Your application accepts Skyfire credentials, then provisions a corresponding identity in Ory Identities (one per agent) with metadata_public.skyfire = { agent_id, kya_status }.
3. Ory OAuth2 & OpenID Connect issues OAuth2 access tokens to the agent identity using the standard client_credentials flow. The access token's sub is the Ory identity ID.
4. Your backend APIs validate the access token (see API gateways) and read the agent ID from metadata_public.skyfire.agent_id for access control.

Notable

• Each agent is a distinct Ory identity, not a user with multiple agents. This keeps audit trails and revocation clean.
• Re-check KYA status periodically. Skyfire can revoke agents, and your code must respect that on token issuance.
• Payment and spend controls stay on the Skyfire side.

Resources

• Skyfire documentation
• Ory Hydra OAuth2 server
• Reference: ory/integrates/agent-identity/skyfire