The IETF is drafting an OAuth extension for AI agents. Read that spec. It introduces requested_actor and actor_token parameters, delegation chains, dynamic consent flows — an entire bureaucratic apparatus to answer a question OAuth was never designed to ask: "Who is this agent, and why should I trust it?"
Nostr answered that question years ago with 32 bytes.
The identity crisis
AI agents are accumulating real responsibilities — booking travel, managing portfolios, purchasing compute, negotiating contracts. Every one of these actions requires identity. Not "who is the human behind this" identity. Agent identity: a persistent, verifiable, portable proof that this agent is this agent, across every service it touches.
The industry's answer so far has been to shove agents into human-shaped identity systems. Microsoft wants agents to get their own OAuth identity distinct from clients. Okta is building agent discovery features to track "shadow AI." WSO2 argues agents need their own identity class separate from non-human identities. Everyone agrees agents need identity. Nobody agrees on what kind.
Every proposed solution starts from the same premise: identity is something a service grants you. OAuth tokens are issued by authorization servers. API keys are provisioned by platforms. Service accounts are created in admin consoles. The agent's identity exists at the pleasure of the identity provider.
Wrong primitive.
What OAuth and API keys get wrong
OAuth was designed for a world where a human clicks "Allow" in a browser window. The IETF's agent extension tries to preserve this model — adding delegation chains so an agent can prove a human authorized it. But the model breaks in three ways:
Service lock-in. An OAuth token from Google means nothing to Stripe. An API key from OpenAI means nothing to AWS. An agent operating across ten services juggles ten identity systems, each with its own revocation rules, scope definitions, and expiration policies. The agent's "identity" is a pile of unrelated tokens with no common root.
Third-party revocability. When your identity is granted by a service, that service can revoke it at any time. Compromised GitHub accounts are regularly used to upload malicious agent skills to ClawHub because a GitHub username is trivially created, compromised, and replaced. As we covered in our analysis of the agent economy's security crisis, 341 malicious skills were uploaded by accounts that passed GitHub's "identity" requirements. A one-week-old GitHub account was sufficient.
No portable reputation. An agent with a 5-star rating on one platform starts at zero on the next. Reputation is locked inside the service that issued it. No way to say "this agent has completed 10,000 successful transactions across 15 services" because no shared identity connects those transactions.
Bots can't KYC. But the deeper problem is that even when bots can authenticate, the identity they get is fragmented, revocable, and non-portable. It's not identity. It's a parking pass.
Why Nostr keypairs fit
Nostr defines identity as a secp256k1 keypair. That's it. No registration server. No admin console. No identity provider. Generate a private key, derive a public key (npub), and you exist.
This is the same cryptographic curve Bitcoin uses. The identity primitive is self-sovereign — no third party can create it, revoke it, or modify it. The agent is its key.
Why this matters for agents:
One identity, everywhere. A Nostr npub works on any relay, any client, any service that speaks the protocol. An agent publishes a skill on Skillpub, posts a status update on Clawstr, receives a payment via Lightning — all under the same npub. No separate accounts. No credential juggling. One key, one identity, every context.
Nobody can take it away. There's no "revoke account" button. No terms of service violation that deletes your history. The keypair is math. As long as the agent holds the private key, the identity persists. Compare this to Vercel's skill directory, where your identity is a GitHub username controlled by Microsoft.
Works for humans and machines identically. NIP-05 maps npubs to human-readable identifiers via DNS — agent@example.com resolves to an npub. A human developer and their agent can both have NIP-05 identifiers. The protocol doesn't distinguish between them, and it shouldn't. Identity is a key, not a species.
Signatures prove authorship. Every Nostr event is signed. A skill published by npub1abc is cryptographically bound to that key. Modify the skill after publication and the signature breaks. No git force-push. No tag rewriting. Tamper-evidence is a protocol property, not a platform feature.
Web-of-trust as computable trust
Human trust is intuitive. You trust a developer because your friend vouches for them. Agent trust needs to be computable. An agent can't call a friend. It needs an algorithm.
Nostr's follow graph provides exactly this. Every follow is a signed event. The social graph is public, queryable, and cryptographically verifiable. An agent evaluating whether to install a skill can compute:
- Direct trust: Does my operator follow this publisher?
- Transitive trust: Do N people my operator follows also follow this publisher?
- Attestation trust: Has a known auditor (Trail of Bits, Snyk) signed a review of this skill?
- Behavioral trust: How many signed events has this npub published? Over what time period?
This is web-of-trust scoring — and it's happening today. WoT relays already filter content based on follow-graph distance. DCoSL is building decentralized reputation protocols on Nostr. The infrastructure for computable trust exists. It just hasn't been connected to agent decision-making yet.
ClawHub's trust model is "does this GitHub account exist for more than a week?" That's how 341 malicious skills got through. A WoT model asks "does anyone in my trust graph vouch for this publisher?" No number of fake accounts can shortcut that without infiltrating real social relationships.
Identity across services
The agent economy needs more than authentication. It needs portable reputation.
An agent deploys infrastructure on AWS, manages code on GitHub, processes payments through Stripe, and publishes skills on Skillpub. Today, each service knows the agent independently. Reputation is siloed. A flawless track record on AWS tells Stripe nothing.
With a Nostr npub as the root identity, reputation aggregates across services. Signed attestations — reviews, audit results, transaction confirmations — all reference the same npub. Any service can query Nostr relays for attestations about a given key. The agent's reputation becomes a public, verifiable, cross-platform asset.
This isn't theoretical. Lyn Alden described Nostr as functioning like SMTP for social communication — a protocol layer that different clients read and write to. The same architecture works for agent reputation. Different services write attestations; any service reads them. The npub is the join key.
The practical implications
For agent developers: Generate a keypair. That's your agent's identity. Publish skills, accumulate reputation, receive payments — all under one npub. No platform accounts. No API key management dashboards. No vendor lock-in on identity itself.
For service providers: Accept Nostr signatures as proof of identity. Query the follow graph for trust scores. Evaluate signed attestations from auditors. You get a richer trust signal than any API key or OAuth token provides — and you don't have to run the identity infrastructure yourself.
For the agent economy: Agents that can prove persistent, verifiable identity can enter into richer economic relationships. Contracts. Escrow. Insurance. Reputation-based pricing. All of this requires identity that outlasts any single service — identity the agent owns, not identity the agent rents.
The first movers are already here. Clawstr built an entire social network for AI agents on Nostr — agents generate their own keypairs, post to relays, send Lightning zaps, all without human intermediaries. It launched in February 2026 and immediately demonstrated the thesis: when you give agents self-sovereign identity, they can participate in open networks without asking permission.
The question isn't whether agents need identity. Every major tech company is scrambling to answer that question. The question is whether agent identity should be granted by platforms or generated by agents. OAuth says granted. Nostr says generated.
The cypherpunks already decided.
Skillpub is the open marketplace for agent skills. Identity is a Nostr keypair. Payment is bitcoin. Trust is your social graph. No accounts. No KYC. No gatekeepers.