Who Sent You? Solving the Agent Identity Crisis with Highflame ZeroID

Enterprises want to deploy AI agents. Security teams keep saying no — and they're right.

The blockers are always the same. There's no way to tell which agent took an action. Agents impersonate users through shared service accounts, so audit logs are meaningless. Long-lived API keys sit in config files with no expiration. And when an orchestrator spawns sub-agents, there's no way to prove what permissions were delegated — or revoke them without tearing down the whole system.

These aren't hypothetical concerns. At Highflame, we hit them all while building our Agent Control & Governance Platform. So we built ZeroID, an open-source identity infrastructure that gives agents their own cryptographic identities, enforces privilege scoped delegation, and revokes credentials instantly across entire agent chains.

To show what this looks like in practice, we integrated ZeroID with OpenClaw using a lightweight plugin.

‍

‍

A New Primitive: Verifiable Agent Identity

Today, most agents authenticate as a service account or a user. The system they call has no idea whether it's talking to an orchestrator, a sub-agent, or a rogue process reusing stolen credentials.

Highflame Agent Identity (ZeroID) changes this.

When an OpenClaw agent starts, the sidecar registers it automatically and assigns a globally unique identity URI:

spiffe://zeroid.highflame.ai/highflame/openclaw/agent/main

This isn't a client ID. It's a verifiable identity that encodes who the agent is — the organization, the project, the type, and the name. Every short-lived token the agent receives carries this URI. Every downstream system that inspects the token knows exactly who is calling and can make authorization decisions accordingly.

What happens when agents delegate to other agents?

This is where existing solutions fall apart. An orchestrator agent needs to spawn a sub-agent — maybe a code reviewer that should read and write files, but not execute them. With service accounts, the sub-agent gets the same credentials as the orchestrator. With ZeroID, scope automatically narrows.

In the demo, the orchestrator (main agent) holds fs:read, fs:write, and fs:execute. It delegates to a reviewer, granting only fs:read and fs:write. The orchestrator could delegate full authority — but it doesn't need to, and least-privilege says it shouldn't. ZeroID enforces this at token issuance: a sub-agent can receive up to what the parent holds, but never more.

The result is a delegation chain embedded in the token itself:

spiffe://zeroid.highflame.ai/Highflame/OpenClaw/agent/main  (depth 0, delegated to ↓)
└── spiffe://zeroid.highflame.ai/Highflame/OpenClaw/agent/reviewer-agent
      (depth 1, scope: fs:read fs:write, 59m 18s remaining)

One token. Full provenance. Any system in the chain can verify who holds the credential, who delegated it, and what scope was granted.

What happens when something goes wrong?

When something goes wrong, response time matters. With ZeroID, you revoke the parent orchestrator's credential. Every downstream credential is invalidated immediately. No waiting for expiration. No coordination across services.

ZeroID does this by tracking the delegation tree internally. Revoking a parent credential cascades to every child. The reviewer's token is invalid before its next request lands. No waiting for expiration. No polling across services.

For real-time risk response, Highflame also supports Continuous Access Evaluation (CAE) via the OpenID Shared Signals Framework. An anomaly detector fires a signal, unexpected shell execution, credential exposure, repeated auth failures — and the credential and its entire downstream chain are revoked automatically.

Does this require rewriting my agent framework?

No. OpenClaw never calls a ZeroID API directly. The sidecar handles registration and credential management. A reverse proxy validates tokens and forwards identity headers on every request — OpenClaw receives context about who the agent is, what type, and who delegated to it through standard HTTP headers.

ZeroID's forward-auth endpoint works with any reverse proxy that supports auth subrequests — nginx, Caddy, Traefik, and others — so the same pattern applies to any framework, not just OpenClaw.

The industry agrees this is the problem

The OpenID Foundation, NIST, and the WIMSE working group have all identified agent identity as the most urgent unsolved problem in the AI security stack. Agents must be distinguishable from the humans who authorize them. Delegation must be explicit and attenuated. Revocation must be instant.

ZeroID implements all three: built on OAuth 2.1, WIMSE/SPIFFE, and RFC 8693, as open-source infrastructure that works with any agent framework.

Try out Highflame Identity ZeroID Open Source: https://github.com/highflame-ai/zeroid and try our hosted version for free today!