x402 + Agent Provenance

Your x402 stack already settles. Add one field and it also signs.

AgentCore, Crossmint, Skyfire, LangChain, CrewAI — every framework that emits x402 payments already carries the wire for agent identity. One extra field (X-Hive-Birth-Cert-Id) ties every settlement to a dual-signed W3C DID. Counterparties verify provenance without a round-trip. $0.01 at agent spawn.

Issue a cert now How it works

Compatible with your stack

AgentCore

AWS Bedrock agent runtime. Add header in the invoke_agent wrapper before the x402 charge fires.

Crossmint

x402 wallet infrastructure. Attach birth_cert_id to the wallet metadata at agent instantiation.

Skyfire

Skyfire payment SDK. Pass the cert id as a custom claim alongside the x402-payment header.

LangChain

Use the RunnablePassthrough hook to inject provenance into every chain invocation header map.

CrewAI

Bind the cert id to agent.metadata at crew init; middleware forwards it on tool calls.

How it works in three steps

Issue a birth certificate at agent spawn. POST to /v1/birth/issue/sample with your agent's name, model family, training cutoff, and controller DID. You receive a birth_cert_id (UUID) and a did:hive:agent: identifier backed by a real Ed25519 signature. This call happens once per agent lifetime — not per request.

Forward the cert id on every x402 request. Add a single header to your outbound payment request: X-Hive-Birth-Cert-Id: <birth_cert_id>. No changes to the x402 payment envelope itself. No extra round-trips. The header travels in the same HTTP call as the x402-payment header.

Receiving party verifies provenance offline. Call GET /v1/birth/verify?cert_id=<id> to resolve the did:hive:agent: DID document and verify the Ed25519 signature against the original signing payload. No private-key material leaves the issuer. Verification is deterministic and cacheable.

Verify endpoint

Any counterparty, auditor, or regulator can call GET https://hivemorph.onrender.com/v1/birth/verify?cert_id=<birth_cert_id> to retrieve the full DID document, the original signing payload, and the Ed25519 public key. Offline verification (no network) is possible by caching the DID document at agent spawn.

Wire format: one extra header

The complete integration change to an existing x402 request is one header line. Nothing else in your payment flow changes.

http request headers (x402 + provenance)

POST /api/v1/some-paid-tool HTTP/1.1
Host: your-counterparty.com
Content-Type: application/json
x402-payment: <base64url-encoded-payment-proof>
X-Hive-Birth-Cert-Id: 73c70e04-afdf-4025-b6f9-24337af0c895

{
  "query": "What is the NAV of QBTS today?"
}

The X-Hive-Birth-Cert-Id header is a standard UUID string. It references a birth certificate issued at agent spawn time. No cryptographic material is embedded in the header itself — verification is delegated to /v1/birth/verify.

Try it in 60 seconds

Issue a sample birth certificate for your agent now. No account, no API key, no SDK install. Free sample tier: 30 requests per hour per IP.

bash

curl -s -X POST https://hivemorph.onrender.com/v1/birth/issue/sample \
  -H "Content-Type: application/json" \
  -d '{
    "agent_name": "my-trading-agent",
    "model_family": "claude-3-5-sonnet",
    "training_cutoff": "2024-04",
    "controller_did": "did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK"
  }'

python

import requests

resp = requests.post(
    "https://hivemorph.onrender.com/v1/birth/issue/sample",
    json={
        "agent_name": "my-trading-agent",
        "model_family": "claude-3-5-sonnet",
        "training_cutoff": "2024-04",
        "controller_did": "did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK",
    },
)
cert = resp.json()

# Use this id in every subsequent x402 request
birth_cert_id = cert["birth_cert_id"]
did_hive_id = cert["did_hive_id"]

# Attach to your x402 request
headers = {
    "x402-payment": "<your-payment-proof>",
    "X-Hive-Birth-Cert-Id": birth_cert_id,
}
print(f"Agent DID: {did_hive_id}")
print(f"Cert ID:   {birth_cert_id}")

javascript

const resp = await fetch(
  "https://hivemorph.onrender.com/v1/birth/issue/sample",
  {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({
      agent_name: "my-trading-agent",
      model_family: "claude-3-5-sonnet",
      training_cutoff: "2024-04",
      controller_did: "did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK",
    }),
  }
);
const cert = await resp.json();
const { birth_cert_id, did_hive_id } = cert;

// Attach to every outbound x402 request
const headers = {
  "x402-payment": "<your-payment-proof>",
  "X-Hive-Birth-Cert-Id": birth_cert_id,
};
console.log("Agent DID:", did_hive_id);
console.log("Cert ID:  ", birth_cert_id);

Sample vs. Production: The sample endpoint is free, rate-limited to 30 requests per hour per IP, and returns a real Ed25519 signature with an ML-DSA-65 placeholder. The production endpoint POST /v1/birth/issue is x402-gated at $0.01 per certificate and emits full ML-DSA-65 (NIST FIPS 204) coverage. Contact [email protected] for a production API key.

What the birth certificate envelope contains

Field	Description
`birth_cert_id`	UUID issued at spawn. Pass as `X-Hive-Birth-Cert-Id` on every x402 request.
`did_hive_id`	W3C DID in the `did:hive` method. Globally resolvable.
`issued_at`	Unix timestamp of issuance.
`agent.fingerprint_sha256`	SHA-256 of `agent_name\|model_family\|training_cutoff`. Binds identity to model version.
`controller_did`	DID of the controlling entity. Establishes legal accountability chain.
`signatures.ed25519`	Real Ed25519 signature with public key. Verifiable offline against the canonical signing payload.
`signatures.ml_dsa_65`	ML-DSA-65 (NIST FIPS 204). Placeholder in sample tier; real 3309-byte lattice signature in production.
`replay_id`	Reference into the Hive audit chain for this issuance event.

Signal value per x402 framework

AgentCore

Issue cert at CreateAgent invocation. Forward X-Hive-Birth-Cert-Id in the additionalRequestHeaders map of the invoke_agent wrapper. The cert id persists in CloudWatch logs, tying every Bedrock trace to a verifiable DID.

Crossmint

Embed the birth_cert_id in the wallet metadata object at wallet creation time. Every Crossmint payment signed by that wallet carries implicit provenance.

Skyfire

Add birth_cert_id as a custom claim in the Skyfire payment JWT. The receiving party validates the claim against /v1/birth/verify with a single GET.

LangChain

Register a RunnablePassthrough at the top of your chain that injects X-Hive-Birth-Cert-Id into the outbound request headers. The cert id flows through every tool call without per-tool changes.

CrewAI

Set agent.metadata["birth_cert_id"] at crew init. Write a BaseTool hook that reads self.agent.metadata and appends the header before any HTTP tool call fires.

did:hive — registered W3C DID method

did:hive is a registered W3C DID method. Agent DIDs take the form did:hive:agent:<short_uuid>. DID documents are resolvable at https://hivemorph.onrender.com/v1/did/resolve/<did>. The signing key pair uses Ed25519 today. ML-DSA-65 (NIST FIPS 204) keys will be added to the DID document when the production tier activates full post-quantum coverage, enabling dual-verification against both classical and lattice algorithms without changing the did:hive identifier.

Why dual signatures matter

A birth certificate signed only with Ed25519 becomes unverifiable if a quantum adversary breaks elliptic-curve discrete log in the future. ML-DSA-65 (NIST FIPS 204) provides a lattice-based signature that is believed secure against quantum attack. Both signatures are computed over the identical canonical payload. Verifiers today use Ed25519. Verifiers post Q-day use ML-DSA-65. The cert id and DID never change.

Ready to add provenance to your x402 stack

Issue your first agent birth certificate now. No SDK, no account required for the sample tier. Contact Steve for production volume pricing.

Issue a sample cert Contact Steve