Cloud Agent
The Cloud Agent is a W3C/Aries standards-based cloud agent written in Scala that provides self-sovereign identity services to build products and solutions based on it. The term "cloud" indicates that it operates on servers and is not intended for use on mobile devices.
Cloud Agent supports standard-based protocols built on top of DIDComm V2 for issuing, verifying, and holding verifiable credentials using both JWT and Hyperledger AnonCreds (coming soon) formats.
In order to use the Cloud Agent, you establish a business logic controller responsible for communicating with the agent (initiating HTTP requests and processing webhook notifications). This controller can be created using any programming language capable of sending and receiving HTTP requests.
As a result, you can concentrate on crafting self-sovereign identity solutions using well-known web development tools, without the need to delve into the intricacies of lower-level cryptography and identity protocol internals.
- Rest API
- DIDComm V2
- W3C-compliant
did:prismanddid:peermethods - Credential types
- JWT
- AnonCreds (coming soon)
- HTTP events notification
- Cardano as a distributed ledger
- Secrets management with Hashicorp vault
- Multi-tenancy
- A government issues verifiable credentials (VCs) to its citizens to prove their identity and access government services.
- An enterprise issues VCs to its employees to prove their employment and access enterprise services.
- A Web3 authentication service based on verifiable presentations (VPs).
Before starting to use the Cloud Agent, it is important to understand the basic concepts of self-sovereign identity (SSI). The following resources provide a good introduction to SSI:
The next diagrams offer a concise architectural overview, depicting a Cloud Agent instance, a controller, the interconnections linking the controller and agent, as well as the external routes to other agents and public ledgers across the Internet.
- Java (OpenJDK 21)
- SBT (latest version)
- Git (for cloning the repository)
- Docker (for running the PostgreSQL database, Hashicorp Vault, APISIX, and PRISM Node)
- GITHUB_TOKEN environment variable (required for SBT plugins and access to the GitHub packages)
To login to GitHub packages, you need to create a personal access token and set it as an environment variable together with your GitHub username. Here is an example of how you can do this:
export GITHUB_TOKEN=your-personal-access-token
export GITHUB_USER=your-github-username
docker login ghcr.io -u $GITHUB_USER -p $GITHUB_TOKENTo compile, test and publish local the image of the Cloud Agent, you can use the following commands:
sbt clean compile test docker:publishLocalCloud Agent is distributed as a Docker image to be run in a containerized environment. Versions after v1.31.0 can be found here and before v1.31.0, there.
The following sections describe how to run the Cloud Agent in different configurations.
The Cloud Agent can be configured to use different types of ledger, secret storage and DID persistence. Any combination of options is available, but the most common configurations are:
| Configuration | Secret Storage | DIDs persistence | Prism Node |
|---|---|---|---|
| Dev | PostgreSQL | No | In-memory |
| Pre-production | PostgreSQL | Yes | Distributed Ledger testnet (preview or preprod) |
| Production | Hashicorp | Yes | Distributed Ledger mainnet |
To start playing with Cloud Agent, we recommend using the Dev configuration. Pre-production and production configurations are intended for real-world use cases and require additional more complex configurations of the Distributed Ledger stack setup.
If you're interested in a hosted version of Cloud Agent, please, contact us via the Identus site.
System requirements can vary depending on the use case. The following are the minimum requirements for running the Cloud Agent with the Dev configuration:
- Linux or MacOS operating system
- Docker (with docker-compose support)
- Modern x86 or ARM-based CPU
- >=2GB RAM
Here is a general example of running a Cloud Agent locally:
PORT=${PORT} AGENT_VERSION=${AGENT_VERSION} PRISM_NODE_VERSION=${PRISM_NODE_VERSION} \
docker compose \
-p "${AGENT_ROLE}" \
-f ./infrastructure/shared/docker-compose-demo.yml \
up --waitThe PORT variable is used to specify the port number for the Cloud Agent to listen on. The AGENT_VERSION and PRISM_NODE_VERSION variables are used to specify the versions of the Cloud Agent and PRISM Node to use. The AGENT_ROLE variable is used to specify the role of the Cloud Agent. The AGENT_ROLE variable can be set to issuer, verifier or holder.
In real life, you will need to start at least two Cloud Agent instances with different roles. For example, you can start one instance with the issuer role and another one with the holder role. The issuer instance will be used to issue verifiable credentials (VCs) and the holder instance will be used to hold VCs. Here is an example of how you can do this:
PORT=8080 AGENT_VERSION=${AGENT_VERSION} PRISM_NODE_VERSION=2.3.0 \
docker compose \
-p "issuer" \
-f ./infrastructure/shared/docker-compose-demo.yml \
up --waitPORT=8090 AGENT_VERSION=${AGENT_VERSION} PRISM_NODE_VERSION=2.3.0 \
docker compose \
-p "holder" \
-f ./infrastructure/shared/docker-compose-demo.yml \
up --waitIf the Cloud Agent is started successfully, all the running containers should achieve Healthy state, and Cloud Agent Rest API should be available at the specified port, for example:
http://localhost:8080/cloud-agentfor theissuerinstancehttp://localhost:8090/cloud-agentfor theholderinstance
You can check the status of the running containers using the health endpoint:
$ curl http://localhost:8080/cloud-agent/_system/health
{"version":"1.19.1"}For more information about all available configuration parameters, please, check Cloud Agent configuration section at the documentation portal and edit the
docker-compose-demo.ymlfile accordingly.
There could be some incompatibilities between the most latest versions of Cloud Agent and PRISM Node. Please, use the following table to check the compatibility between the versions:
| Cloud Agent | PRISM Node |
|---|---|
| >=1.9.2 | 2.2.1 |
| <1.9.2 | 2.1.1 |
Please note: it is not guaranteed that the latest version of Cloud Agent will work with the latest version of PRISM Node. We recommend using the versions from the table above.
The following tutorials will help you get started with the Cloud Agent and issue your first credentials:
- Creating, updating and deactivating Decentralized Identifiers (DIDs)
- Setting up connections between agents using out-of-band (OOB) protocol
- Issuing verifiable credentials (VCs)
- Presenting VC proofs
All extended documentation, tutorials and API references for the Identus ecosystem can be found at https://docs.atalaprism.io/
Please read our contributions guidelines and submit your PRs. We enforce developer certificate of origin (DCO) commit signing.
We also welcome issues submitted about problems you encounter in using Cloud Agent.
Love the repo? Give our repo a star ⭐ ⬆️.
![@github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=64&v=4){kind=small}
