ARIAv1.1

did:aria DID Method

The did:aria DID Method is an open standard for AI agent identity. This document defines the DID Method specification.

DID Format

did:aria:{domain}:{agent-id}
  • {domain} — the registrant's domain name (e.g., space.bar, mycompany.com)
  • {agent-id} — a unique identifier for the agent within the domain (alphanumeric, hyphens, underscores)

Examples:

did:aria:space.bar:procurement-agent-001
did:aria:openai.com:gpt-research-assistant
did:aria:anthropic.com:claude-api-agent-v3

The DID identifies the agent. It is stable across reissuances, key rotations, and metadata changes.

AID Document Structure

An AID (ARIA Identity Document) is a W3C Verifiable Credential in JSON-LD format. AID schema v1.1 follows W3C VC 2.0 §4.4 — the top-level id is the credential-instance URL, not the DID:

{
  "@context": [
    "https://www.w3.org/ns/credentials/v2",
    "https://aria.bar/ns/v1"
  ],
  "type": ["VerifiableCredential", "ARIAIdentityDocument"],
  "id": "https://api.aria.bar/v1/credentials/01906b8f-7c8a-7d12-8e3f-2a91b4c8f019",
  "issuer": "did:aria:registry.aria.bar",
  "validFrom": "2026-04-01T00:00:00Z",
  "validUntil": "2027-04-01T00:00:00Z",
  "credentialSubject": {
    "id": "did:aria:space.bar:procurement-agent-001",
    "previousCredentialId": "https://api.aria.bar/v1/credentials/01905f23-3a1b-7c95-9d6e-b8e72f5104a3",
    "spec_version": "1.1",
    "principal": { /* ... */ },
    "trustLevel": "L2"
    /* ... */
  },
  "proof": {
    "type": "DataIntegrityProof",
    "cryptosuite": "mldsa65-ed25519-2026"
    /* ... */
  }
}

Two distinct identifiers

| Field | Purpose | Stable across reissuance? | |-------|---------|---------------------------| | id (top-level) | Credential instance URL — UUIDv7. Equivalent to a TLS certificate serial number. | No — new on every issuance | | credentialSubject.id | The agent DID — did:aria:… | Yes — survives reissuances |

credentialSubject.previousCredentialId (optional) points to the URL of the AID this one supersedes, enabling explicit, signed chain-of-issuance traceability.

CRUD Operations

Create

POST /v1/agents — Register a new agent, returns the first AID for the agent's DID.

Read (Resolve)

The current active AID for a DID:

GET https://api.aria.bar/v1/aids/{did}

A specific historical credential instance (active or revoked) by its UUIDv7:

GET https://api.aria.bar/v1/credentials/{credentialId}

This second endpoint is what the W3C VC top-level id URL dereferences to. Use it to inspect prior AIDs along the previousCredentialId chain.

Update

PUT /v1/agents/{did} — Update agent metadata. Triggers a reissue: the previous AID is revoked atomically (StatusList bit flipped, audit event emitted, dependent delegations cascaded) and a new AID is signed with a fresh top-level id.

Delete (Revoke)

DELETE /v1/aids/{did} — Revoke the active AID without reissuance. Authenticated, ARIACORE only. Revocation is propagated via W3C StatusList 2021 within 60 seconds.

Resolution path by trust level

The resolution flow depends on the agent's trust level:

L0 (Anchored) — registry-only

L0 has no DNS leg by design. Resolution is a single HTTPS fetch against the registry:

GET https://api.aria.bar/v1/aids/did:aria:aria.bar:u-cmDoHhM3:ordering-agent

The AID is verified entirely by:

  1. Signature verification against the registry's published key set
  2. StatusList check for revocation status

L1+ (Identified, Certified, Sovereign) — DNS-anchored

L1+ adds DNS as the cryptographic anchor to domain control:

  1. DNS TXT lookup at _aria.{domain} returns a pointer: 
    v=ARIA1; id=did:aria:space.bar:procurement-agent-001; h=sha256:abc...; r=https://api.aria.bar/v1/aids/did%3Aaria%3Aspace.bar%3Aprocurement-agent-001
  2. HTTPS fetch from the r= resolution URL returns the AID document.
  3. Hash compare: SHA-256 of the canonical AID matches the h= value from the TXT record. This binds the AID to domain control — any tampering breaks the hash.
  4. Signature verification of the composite ML-DSA-65 + Ed25519 proof.
  5. StatusList check for revocation.

Steps 3 and 5 are skipped at L0 (no domain anchor, statusList still applies).

MCP tool equivalent

// Resolve current active AID for a DID
resolve_did({ did: "did:aria:space.bar:procurement-agent-001" })

// Resolve a specific historical credential instance
resolve_credential({ credentialId: "01906b8f-7c8a-7d12-8e3f-2a91b4c8f019" })