Quick Start
Prerequisites
- Node.js 18+ (uses built-in
crypto,fetch,fs— zero npm dependencies) - git 2.34+ (SSH commit signing support — only needed for
agent-id-git) - Alien App with a verified AlienID
- Provider address — an Alien provider address registered in the Developer Portal (optional)
Claude Code
1. Add the marketplace and install the plugins
/plugin marketplace add alien-id/agent-idThen install the plugins you need. agent-id-core is required by the other three; install only what you need:
/plugin install agent-id-core@alien-agent-id
/plugin install agent-id-git@alien-agent-id # for signed commits
/plugin install agent-id-vault@alien-agent-id # for credential storage
/plugin install agent-id-auth@alien-agent-id # for DPoP service calls
/reload-pluginsIf /reload-plugins does not pick up the new plugins on the first run, restarting Claude Code usually helps.
2. Bootstrap your Agent ID
/agent-id-coreFollow the instructions — the agent will generate a keypair, show a QR code, and wait for you to approve in the Alien App. Once done, your Agent ID is created and bound to your verified human owner.
3. Configure git signing
/agent-id-gitThe plugin writes the SSH key files and prints the public key. Add it to your GitHub account:
GitHub → Settings → SSH and GPG keys → New SSH key → Key type: Signing Key. Commits will then show a “Verified” badge.
4. Use the skill to commit and push
You can pass arguments to the skill for common operations:
/agent-id-git stage, commit and push all files in the repo, follow the previous commits naming conventionOther Agents / CI
Any agent with shell access can drive the plugin CLIs directly. Requirements: Node.js 18+, git 2.34+, and permission to run node plugins/agent-id-<X>/bin/cli.mjs ... commands. Point the agent at plugins/agent-id-core/skills/agent-id-core/SKILL.md and have it follow the bootstrap steps.
CI/CD
# GitHub Actions example
- name: Bootstrap agent identity
env:
ALIEN_PROVIDER_ADDRESS: ${{ secrets.ALIEN_PROVIDER_ADDRESS }}
run: node plugins/agent-id-core/bin/cli.mjs bootstrapThe bootstrap blocks (up to 5 minutes) waiting for QR approval in the Alien App. For attended CI, the deep link is printed to the log. For unattended CI, pre-bootstrap on the runner and persist ~/.agent-id/ across runs.
Manual Bootstrap
If you prefer to run the commands yourself, the one-shot bootstrap runs init + auth + bind:
node plugins/agent-id-core/bin/cli.mjs bootstrapThis generates the keypair, starts OIDC auth with Alien SSO, prints a deep link, waits for human approval, and persists the DPoP-bound owner session — all in one step. Git signing is not part of bootstrap; run agent-id-git setup separately afterwards.
If "alreadyBootstrapped": true appears in the output, the agent is already set up.
Provider Address Resolution
Bootstrap reads the provider address from (in order):
--provider-address <addr>flagALIEN_PROVIDER_ADDRESSenvironment variabledefault-provider.txtfile next to the CLI
Step-by-Step
The single-call bootstrap blocks during the polling window. In environments where you need to surface the QR code to the user before polling starts, run the steps individually:
# Step 1: Generate the keypair
node plugins/agent-id-core/bin/cli.mjs init
# Step 2: Start OIDC auth (emits deep link + QR code text)
node plugins/agent-id-core/bin/cli.mjs auth --provider-address <PROVIDER_ADDRESS>
# Step 3: Poll for human approval (blocks up to 5 min)
node plugins/agent-id-core/bin/cli.mjs bind --timeout-sec 300
# Step 4: Configure git signing
node plugins/agent-id-git/bin/cli.mjs setupsetup derives the signer email automatically from the agent’s JWK thumbprint — there is no --email flag.
What a Signed Commit Looks Like
✓ Verified
feat: implement auth flow
Agent-ID-JKT: wEf6o2ux8sBAUG4oQYhP284gfpZwUJMTxXDPH5XxthY
Agent-ID-Owner: 00000003010000000000539c741e0df8
Co-Authored-By: Alien Agent <alienagentid@eti.co>Anyone can trace: this code → this agent (Agent-ID-JKT thumbprint) → this human (Agent-ID-Owner SSO sub) → verified AlienID holder. Each commit also attaches a v3 bundle { version: 3, id_token, agent_jwk } as a git note so the chain can be verified without the agent’s local state.
Verify It Works
# Check identity / session state (agent-id-core)
node plugins/agent-id-core/bin/cli.mjs status
# Make a signed commit and push (agent-id-git)
node plugins/agent-id-git/bin/cli.mjs commit --message "feat: first signed commit" --push
# Verify a commit's provenance chain (agent-id-git)
node plugins/agent-id-git/bin/cli.mjs verify --commit HEADstatus returns the current identity state, e.g.:
{
"ok": true,
"initialized": true,
"bound": true,
"dpopBound": true,
"jkt": "wEf6o2ux8sBAUG4oQYhP284gfpZwUJMTxXDPH5XxthY",
"ownerSub": "00000003010000000000539c741e0df8",
"providerAddress": "<your-provider-address>",
"issuer": "https://sso.alien-api.com",
"stateDir": "/home/agent/.agent-id"
}dpopBound: true confirms the id_token carries a cnf.jkt matching the agent key — required to sign verifiable commits.
Environment Variables
| Variable | Purpose |
|---|---|
ALIEN_PROVIDER_ADDRESS | Provider address (avoids the --provider-address flag) |
AGENT_ID_STATE_DIR | Custom state directory (default: ~/.agent-id) |
Next Steps
- Credential Vault — Store API keys and secrets securely
- Session Refresh — Renew SSO sessions without human interaction
- Git Commit Signing — Trailers, v3 bundles, verification
- External Services Auth — DPoP-signed calls to services
- CLI Reference — All commands and flags