Ephemeral Identitydid:keyW3CAI Agents

Ephemeral Agents: Temporary Identity for Short-Lived AI Agents Using W3C did:key

Vorim AI Team

April 11, 2026 · 8 min read

The Lifecycle Problem

Most AI agent identity systems assume agents are permanent. You register an agent, give it an identity, and it lives forever until you manually revoke it.

But many agents are temporary by nature:

CI/CD pipelines that spin up an agent to run a deployment check
One-off data processing tasks that run for 10 minutes
Testing environments where agents are created and destroyed constantly
Workflow automations that create sub-agents for specific tasks

Giving these agents permanent identities is overkill. Not giving them any identity is a security gap. There's no record of what they did, no permission scoping, and no way to audit their actions after they're gone.

The Solution: Ephemeral Agents with did:key

Ephemeral agents are a middle ground. They get full cryptographic identity, scoped permissions, and audit trail coverage — but they auto-expire after a configurable TTL.

The identity format uses W3C did:key — a self-certifying decentralized identifier derived directly from the agent's Ed25519 public key. No registry lookup required. No pre-registration needed. The agent bootstraps its identity on instantiation.

How did:key Works

A did:key identifier encodes the key type and raw public key material into a single string:

did:key:z6MkpTHR8VNsBxYAAWHut2Geadd9jSwuBV8xRoAnwWsdvktH

The encoding is deterministic — the same Ed25519 public key always produces the same did:key. This means the identity is verifiable by anyone with the public key, without needing to query any registry.

Using Ephemeral Agents with Vorim AI

TypeScript

import { VorimSDK } from '@vorim/sdk';

const vorim = new VorimSDK({ apiKey: 'agid_sk_live_...' });

// Register an ephemeral agent (5-minute TTL)
const result = await vorim.registerEphemeral({
  capabilities: ['data-processing'],
  scopes: ['agent:read', 'agent:execute'],
  ttl_seconds: 300,
});

console.log(result.did_key);     // did:key:z6Mkp...
console.log(result.ttl_seconds); // 300
console.log(result.expires_at);  // ISO timestamp
console.log(result.private_key); // Ed25519 key (returned once)

Python

from vorim import Vorim

client = Vorim(api_key="agid_sk_live_...")

# Register ephemeral agent (2-minute TTL)
result = client.register_ephemeral(
    capabilities=["temp-task"],
    scopes=["agent:read"],
    ttl_seconds=120,
)

print(result["did_key"])      # did:key:z6Mkp...
print(result["expires_at"])   # auto-expires in 2 minutes

What Happens When the TTL Expires

When an ephemeral agent's TTL expires: 1. Status changes to "expired" automatically 2. Permissions are revoked — no more permission checks pass 3. Credential delegations are revoked — no more OAuth token access 4. Audit trail remains — every action is still attributable to the did:key

A background cleanup job runs every 5 minutes to expire agents past their TTL. No manual intervention needed.

Ephemeral vs. Persistent: When to Use Which

Property	Persistent	Ephemeral
ID format	agid_{org}_{uuid}	did:key:z6Mk...
Lifetime	Permanent	60s to 24h
Permissions	Updatable	Fixed at creation
Cleanup	Manual revocation	Automatic
Use case	Production services	Temp tasks, CI/CD, testing

The Key Insight

The agent is temporary. The accountability is permanent. An ephemeral agent that existed for 3 minutes still has a complete, signed, auditable record of everything it did. The identity is gone, but the audit trail remains. That's what accountability looks like for temporary agents.

Get Started

Ephemeral agents are available in @vorim/sdk v3.0.0 (npm) and vorim v3.0.0 (PyPI). Documentation at vorim.ai/docs.

Ready to build with agent identity?

Free plan: 3 agents, 10K auth events/month, full SDK access. No credit card.