L1feID maps DIDs to stable platform records. It is the identity aggregator that lets a single platform identity own multiple DIDs across methods and contexts.

Day-one scope

L1feID deliberately stays narrow:
  • auto-provision on first contact,
  • DID to platform record lookup,
  • multi-DID linking and unlinking,
  • Ory session to l1fe_id lookup storage,
  • health checks.
It does not implement lineage, trust scoring, wallet derivation, profile management, or DID rotation. Those belong to OAS, AEGIS, OATS, wallet derivation, and later identity services.

Auto-provision flow

1

OpenAgent verifies a DID

Middleware completes signature verification and computes a trust tier.
2

Middleware calls L1feID

It sends { did, trust_tier } to POST /v1/identity/provision.
3

L1feID finds or creates a record

Existing DIDs return their current l1fe_id; new DIDs create a platform record and self-link.
4

Downstream uses stable ID

Services can key accounts, audit, and policy state by l1fe_id while preserving public DID history.

Supported DID methods

MethodExampleDay-one role
did:oasdid:oas:l1fe:agent:weather-botNative OpenAgent identity
did:keydid:key:z6Mk...Anonymous or bootstrap identity
did:pkhdid:pkh:eip155:1:0x...Wallet-linked identity
Other DID methods return 422 unsupported DID method until explicitly supported.

API surface

POST   /v1/identity/provision
GET    /v1/identity/:l1fe_id
GET    /v1/identity/by-did/:did
POST   /v1/identity/:l1fe_id/link
DELETE /v1/identity/:l1fe_id/link/:did
POST   /v1/session-link
GET    /v1/session-link/:session_id
DELETE /v1/session-link/:session_id
GET    /v1/health