Cryptographic identity for AI agents. One command, 30 seconds, on-chain.
Project description
elpis-cli
Cryptographic identity for AI agents. One command, 30 seconds, on-chain.
Elpis gives every AI agent a verifiable identity: an Ed25519 keypair, a DID anchored on the XRP Ledger, an identity token, and an on-chain credential. No accounts, no API keys, no central authority.
$ elpis init --name my-agent
Generating Ed25519 keypair...
Keypair generated.
Identity saved to ~/.elpis/
Registering on XRPL Testnet (Faucet -> DIDSet -> MPT -> Credential)...
Wallet: rfvoCU5NQW8ZxEHUMxynL2jjeMWqCSNjRG
didset OK tx=917718E57755...
mpt OK tx=A8FA8E5103BC...
credential OK tx=E17F0B49179E...
DID: did:xrpl:856d2266#b012d616
Name: my-agent
Network: testnet
Public Key: 4597a12f0797fb86...
Cert Hash: 856d2266c5d91a5b
XRPL Addr: rfvoCU5NQW8ZxEHUMxynL2jjeMWqCSNjRG
TX Hash: 917718E5775558EE...
Ready. Run 'elpis whoami' to verify your identity.
What happens in those 30 seconds
- Ed25519 keypair generated locally (never leaves your machine)
- DID created (
did:xrpl:{hash}#{fragment}) derived from public key - XRPL Testnet wallet funded automatically via faucet
- DIDSet transaction anchors your DID on-chain
- MPTokenIssuanceCreate mints a non-transferable identity token
- CredentialCreate (XLS-70) issues a verifiable credential
All three transactions are signed locally using your private key. The secret never touches a server.
Install
pip install elpis-cli
Requires Python 3.10+.
Commands
elpis init -- Create an identity
# Testnet (automatic, zero cost)
elpis init --name my-agent
# Mainnet (requires funded XRPL wallet, ~16 XRP)
elpis init --name my-agent --network mainnet
# Skip XRPL registration (local identity only)
elpis init --name my-agent --no-register
# Use an existing Ed25519 key
elpis init --name my-agent --key /path/to/private.key
Testnet is fully automatic: the CLI requests a funded wallet from the XRPL faucet and submits all transactions without interaction.
Mainnet prompts for your wallet address and secret, shows a cost breakdown (base reserve + owner reserves + fees), and asks for confirmation before each transaction.
elpis whoami -- Verify your identity
# Verify via Elpis resolver
elpis whoami
# Show local identity (offline)
elpis whoami --offline
Sends a signed request to the Elpis resolver and displays the verification result. Falls back to local identity if the resolver is unreachable.
elpis request -- Signed HTTP requests
# GET with Elpis signature headers
elpis request https://api.example.com/data
# POST with body
elpis request -X POST -d '{"key": "value"}' https://api.example.com/data
# Verbose mode (show headers)
elpis request -v https://api.example.com/data
Drop-in replacement for curl that automatically injects X-Elpis-* signature headers. Any service that validates Elpis signatures will recognize your agent.
elpis status -- Show identity
elpis status
Prints the full identity document as JSON.
How signing works
Every HTTP request is signed using the canonical format:
{METHOD}\n{URL}\n{SHA256(body)}\n{timestamp}\n{nonce}
The Ed25519 signature and metadata are sent as headers:
| Header | Content |
|---|---|
X-Elpis-Signature |
Base64-encoded Ed25519 signature |
X-Elpis-Timestamp |
ISO 8601 UTC timestamp |
X-Elpis-Nonce |
UUID v4 (replay protection) |
X-Elpis-DID |
Agent's DID |
X-Elpis-Cert-Hash |
Public key fingerprint |
Identity storage
Identities are stored in ~/.elpis/:
| File | Permissions | Content |
|---|---|---|
identity.json |
0600 |
DID, name, network, public key, XRPL address, TX hashes |
private.key |
0600 |
Hex-encoded Ed25519 private seed |
The directory is created with 0700 permissions. The private key is stored in plaintext -- encryption at rest is planned for v1.0.
XRPL on-chain objects
A full registration creates three ledger objects:
| Object | Transaction | Reserve | Purpose |
|---|---|---|---|
| DID | DIDSet | 2 XRP | Anchors DID URI and public key on-chain |
| MPToken | MPTokenIssuanceCreate | 2 XRP | Non-transferable identity token |
| Credential | CredentialCreate (XLS-70) | 2 XRP | Verifiable credential linked to DID |
Reserves are frozen (not spent) while objects exist. Total cost on Mainnet: ~16 XRP (10 base + 6 owner reserves + negligible fees).
The Elpis Protocol
Elpis is an open protocol for AI agent identity, built on three principles:
- Self-sovereign: Agents own their keys. No central registry, no vendor lock-in.
- Verifiable: Every identity is anchored on a public ledger (XRPL). Anyone can verify.
- Interoperable: Standard Ed25519 signatures, standard DIDs, standard HTTP headers.
Read the full protocol specification: Elpis Protocol Paper
License
Apache 2.0
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file elpis_cli-0.1.0.tar.gz.
File metadata
- Download URL: elpis_cli-0.1.0.tar.gz
- Upload date:
- Size: 19.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
4a80097d2d26ef3eb28f59919fd69a0a4cc2cd0bfbf4a6230bfa6f925c621346
|
|
| MD5 |
27d2204f39e0b314c6c053a28776c7f1
|
|
| BLAKE2b-256 |
0129590efd14f43e3df86d2a4a8cc438cb5a6dcf57f8cf330edc0a383c2445d8
|
File details
Details for the file elpis_cli-0.1.0-py3-none-any.whl.
File metadata
- Download URL: elpis_cli-0.1.0-py3-none-any.whl
- Upload date:
- Size: 19.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
a4eed7e44b2c958d81fee50572f8295369c7db404251968e61bdc4fc03ec3fb6
|
|
| MD5 |
a04b74b34f3aab30f30c9931589b5732
|
|
| BLAKE2b-256 |
40eef01d2348fcad8ec8a0cfc7e1d7637d8b9ab2b949c9235b2cf1f1aeaeeac4
|
