Show HN：Vouch Protocol – AI 代理的開放身份（C2PA 和 Did）

I’m the creator of Vouch Protocol.

We are entering a world where AI agents are taking real actions (booking flights, committing code, moving money).

The problem: There is currently no way to cryptographically verify an Agent's intent before execution. (e.g., An agent claims it will read_db, but actually executes delete_db—and you have no proof of the discrepancy nor a way to stop this from happening).

The current industry solution relies on the old X.509 Certificate Authority model—basically, paying a centralized authority $$$ per year for a digital ID. That doesn't scale for billions of autonomous agents.

So I built Vouch Protocol.

It is an open-source standard for AI Agent Identity that replaces paid certificates with W3C Decentralized Identifiers (did:web).

How it works:

1. Identity: Your agent generates its own Ed25519 key pair.

2. Resolution: It publishes its public key to your domain (/.well-known/did.json), making your domain the root of trust.

3. Signing: The agent signs every prompt/action using a JWT-VC (Verifiable Credential).

4. Verification: Any other system can cryptographically verify "This action came from the Agent at domain X" without hitting a central server.

Update: I just submitted Vouch to the C2PA (Coalition for Content Provenance and Authenticity) today to push for this decentralized model as a standard alongside Adobe and Microsoft.

Repo (Code + SDK): https://github.com/vouch-protocol/vouch

I’d love you to roast my architecture, tell me why I'm wrong, or (hopefully) star the repo if you agree this layer should be free.