CLI for Credat — agent identity and delegation from the terminal.
Create decentralized identities (DIDs), issue delegation credentials, and verify trust chains — all without writing code.
```bash
npm install -g @credat/cli
```

Requires Node.js >= 22.

```bash
# 1. Create an agent identity
credat init --domain acme.corp
# 2. Delegate scopes to the agent
credat delegate --scopes payments:read,invoices:create --until 2026-12-31
# 3. Verify the delegation
credat verify
```

Run `credat demo` to see the full trust flow in action — identity creation, delegation, verification, and challenge-response handshake.

Create an agent identity with did:web.
```bash
credat init --domain acme.corp
credat init --domain acme.corp --path agents/assistant
credat init --domain acme.corp --algorithm EdDSA
credat init --domain acme.corp --force  # overwrite existing
credat init --domain acme.corp --output ./my-agent.json
```

| Option | Description |
|---|---|
| `-d, --domain <domain>` | Domain for did:web (required) |
| `-p, --path <path>` | Optional sub-path |
| `-a, --algorithm <alg>` | ES256 (default) or EdDSA |
| `-f, --force` | Overwrite existing agent identity |
| `-o, --output <file>` | Write agent to custom file path |

Issue a delegation credential to an agent.
```bash
credat delegate --scopes payments:read,invoices:create
credat delegate --scopes payments:read --max-value 1000 --until 2026-12-31
credat delegate --agent did:web:other.agent --scopes admin:read
credat delegate --scopes payments:read --output ./delegation.jwt
```

| Option | Description |
|---|---|
| `-a, --agent <did>` | Agent DID (defaults to `.credat/agent.json`) |
| `-s, --scopes <scopes>` | Comma-separated scopes (required) |
| `-m, --max-value <n>` | Maximum transaction value constraint |
| `-u, --until <date>` | Expiration date (ISO 8601) |
| `-o, --output <file>` | Write delegation to custom file path |

Verify a delegation token. If no token is given, reads from .credat/delegation.json.
```bash
credat verify
credat verify eyJhbGciOiJFUzI1NiIs...
```

Decode and inspect a delegation token without cryptographic verification. Shows header, payload, selective disclosures, and expiration status.

```bash
credat inspect
credat inspect eyJhbGciOiJFUzI1NiIs...
credat inspect --file ./delegation.jwt
credat --json inspect
```

| Option | Description |
|---|---|
| `-f, --file <path>` | Read token from a file (JSON or raw) |

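
Why `inspect` output is not a trust decision, shown as an added example that is not Credat's own code: decoding needs no key, so a token with an altered payload still decodes cleanly and only the signature check rejects it. The token is constructed with Node's `crypto` module; the `scopes` claim name and the `~`-separated disclosure layout (as in SD-JWT) are assumptions about the format.

```javascript
// Added example; the `scopes` claim and the "~"-separated disclosure layout are assumptions.
const { generateKeyPairSync, sign, verify } = require('node:crypto');

const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));
const p1363 = (key) => ({ key, dsaEncoding: 'ieee-p1363' }); // JWS ES256 signature encoding

// Issue a compact ES256 token, followed by "~"-separated disclosures.
function issue(payload, privateKey, disclosures = []) {
  const input = `${enc({ alg: 'ES256', typ: 'JWT' })}.${enc(payload)}`;
  const sig = sign('sha256', Buffer.from(input), p1363(privateKey)).toString('base64url');
  return [`${input}.${sig}`, ...disclosures.map(enc)].join('~');
}

// Decode only: no key is involved, so nothing here proves who wrote the claims.
function inspect(token, now = Date.now()) {
  const [jwt, ...disc] = token.split('~');
  const [h, p] = jwt.split('.');
  const payload = dec(p);
  return { header: dec(h), payload, disclosures: disc.filter(Boolean).map(dec),
           expired: typeof payload.exp === 'number' && payload.exp * 1000 <= now };
}

// Check the signature over the exact header.payload bytes with the issuer's public key.
function verifySignature(token, publicKey) {
  const [h, p, s] = token.split('~')[0].split('.');
  if (dec(h).alg !== 'ES256') return false; // pin the algorithm instead of trusting the header
  return verify('sha256', Buffer.from(`${h}.${p}`), p1363(publicKey), Buffer.from(s, 'base64url'));
}

// Replace the payload segment while keeping the original signature.
function tamper(token, newPayload) {
  const [jwt, ...rest] = token.split('~');
  const [h, , s] = jwt.split('.');
  return [`${h}.${enc(newPayload)}.${s}`, ...rest].join('~');
}

function demo() {
  const owner = generateKeyPairSync('ec', { namedCurve: 'prime256v1' }); // P-256
  const claims = { iss: 'did:web:acme.corp', sub: 'did:web:acme.corp:agents:assistant',
                   scopes: ['payments:read'], exp: 1798675200 }; // constructed values
  const token = issue(claims, owner.privateKey, [['salt-1', 'maxValue', 1000]]);
  const forged = tamper(token, { ...claims, scopes: ['admin:read'] });
  return { inspectedScopes: inspect(forged).payload.scopes,
           forgedValid: verifySignature(forged, owner.publicKey),
           originalValid: verifySignature(token, owner.publicKey) };
}

console.log(demo());
```

Authorization decisions belong behind `credat verify`; treat anything read from `credat inspect` as unauthenticated input.
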
Revoke a delegation credential via a status list. Creates the status list automatically if it doesn't exist.
```bash
credat revoke
credat revoke --token eyJhbGciOiJFUzI1NiIs...
credat revoke --index 42
credat revoke --status-list ./custom-status-list.json
```

| Option | Description |
|---|---|
| `-t, --token <token>` | Delegation token to revoke (defaults to `.credat/delegation.json`) |
| `-s, --status-list <path>` | Path to status list file (default: `.credat/status-list.json`) |
| `-i, --index <number>` | Status list index to revoke directly |

Validate a delegation token against security best practices. Checks expiration, scope breadth, constraints, revocation endpoints, issuer/subject presence, and more.
```bash
credat audit
credat audit eyJhbGciOiJFUzI1NiIs...
credat --json audit
```

Renew an existing delegation with a new expiry date. Re-issues the credential with the same scopes and constraints.

```bash
credat renew --until 2027-06-30
credat --json renew --until 2027-06-30
```

| Option | Description |
|---|---|
| `-u, --until <date>` | New expiration date, ISO 8601 (required) |

Challenge/response trust verification flow. Four subcommands for interactive or programmatic use.
Create a challenge for an agent to prove its identity.
```bash
credat handshake challenge --from did:web:service.example
```

| Option | Description |
|---|---|
| `--from <did>` | Challenger DID (required) |

Present credentials in response to a challenge.
```bash
credat handshake present --challenge '{"type":"credat:challenge","from":"did:web:service.example","nonce":"...","timestamp":"..."}'
```

| Option | Description |
|---|---|
| `--challenge <json>` | Challenge JSON string (required) |

Verify a presentation against a challenge.
```bash
credat handshake verify \
  --presentation '{"type":"credat:presentation",...}' \
  --challenge '{"type":"credat:challenge",...}'
```

| Option | Description |
|---|---|
| `--presentation <json>` | Presentation JSON string (required) |
| `--challenge <json>` | Challenge JSON string (required) |

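
An added example (not Credat's implementation) of the checks a verifier makes in this kind of challenge-response flow: nonce match, freshness, single use, and a signature over the challenge. Only the challenge fields come from the commands above; the `agent` and `proof` fields, the signing input and the 60-second window are assumptions, and the delegation credential a real presentation would carry is left out.

```javascript
// Added example; `agent`, `proof`, the signing input and MAX_AGE_MS are assumptions.
const { generateKeyPairSync, sign, verify, randomBytes } = require('node:crypto');

const MAX_AGE_MS = 60_000;    // assumed freshness window
const seenNonces = new Set(); // verifier-side replay cache

function createChallenge(fromDid) {
  return { type: 'credat:challenge', from: fromDid,
           nonce: randomBytes(16).toString('hex'),
           timestamp: new Date().toISOString() };
}

// Bytes the agent signs: binds challenger, nonce and timestamp together.
const signingInput = (ch) => Buffer.from(`${ch.from}|${ch.nonce}|${ch.timestamp}`);

function present(challenge, agentDid, privateKey) {
  return { type: 'credat:presentation', agent: agentDid, nonce: challenge.nonce,
           proof: sign(null, signingInput(challenge), privateKey).toString('base64') };
}

function verifyPresentation(pres, challenge, agentPublicKey, now = Date.now()) {
  if (pres.nonce !== challenge.nonce) return 'nonce-mismatch';
  if (now - Date.parse(challenge.timestamp) > MAX_AGE_MS) return 'stale';
  if (seenNonces.has(challenge.nonce)) return 'replayed';
  const ok = verify(null, signingInput(challenge), agentPublicKey,
                    Buffer.from(pres.proof, 'base64'));
  if (!ok) return 'bad-signature';
  seenNonces.add(challenge.nonce); // single use: a captured presentation cannot be resent
  return 'ok';
}

function demo() {
  const agent = generateKeyPairSync('ed25519');    // stands in for the agent's EdDSA key
  const stranger = generateKeyPairSync('ed25519'); // a key the verifier does not expect
  const ch = createChallenge('did:web:service.example');
  const pres = present(ch, 'did:web:acme.corp', agent.privateKey);
  const ch2 = createChallenge('did:web:service.example');
  return {
    wrongKey: verifyPresentation(present(ch2, 'did:web:acme.corp', stranger.privateKey), ch2, agent.publicKey),
    first: verifyPresentation(pres, ch, agent.publicKey),
    replay: verifyPresentation(pres, ch, agent.publicKey),
    stale: verifyPresentation(present(ch2, 'did:web:acme.corp', agent.privateKey), ch2,
                              agent.publicKey, Date.now() + 2 * MAX_AGE_MS),
  };
}

console.log(demo());
```
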
Run a full handshake demo between two local agents — creates identities, delegates, challenges, presents, and verifies.
```bash
credat handshake demo
```

Import, export, and list key pairs.

Export a key pair in JWK format. Includes private key material.

```bash
credat keys export
credat keys export --as owner
credat --json keys export
```

| Option | Description |
|---|---|
| `--as <type>` | agent (default) or owner |

Import a key pair from JWK JSON. Requires an existing agent or owner file.
```bash
credat keys import '{"algorithm":"ES256","publicKey":{...},"privateKey":{...}}'
credat keys import '...' --as owner
```

| Option | Description |
|---|---|
| `--as <type>` | Import as agent (default) or owner |

List current key fingerprints for agent and owner.
```bash
credat keys list
credat --json keys list
```

Generate shell completion scripts.

```bash
credat completions bash
credat completions zsh
credat completions fish
credat completions install  # show install instructions for your shell
```

Show the current `.credat/` state: agent, owner, and delegation info.

```bash
credat status
credat --json status
```

Run a full interactive trust flow demo — creates identities, delegates, verifies, and completes a challenge-response handshake.

```bash
credat demo
```

| Option | Description |
|---|---|
| `--json` | Output structured JSON (works with most commands) |
| `-V, --version` | Show CLI and SDK versions |
| `-h, --help` | Show help |

Credat uses Verifiable Credentials and Decentralized Identifiers (DIDs) to establish trust between agents and owners — no passwords, no API keys, just cryptographic proof.
- Owner creates an agent identity (`did:web`)
- Owner delegates specific scopes to the agent via a signed credential
- Services verify the delegation and challenge the agent to prove its identity
- @credat/sdk — core library (GitHub)
- @credat/mcp — MCP server middleware (GitHub)
- Documentation
- DID specification
- Verifiable Credentials
Apache-2.0

