Wallet Derivation

OpenAgent treats identity as wallet root material. A DID keypair can derive chain addresses without seed phrases or a separate wallet creation step.

Principle

The DID is the wallet. Agents do not have wallets that happen to have identities; they have identities that derive wallets.

Day-one chains

Chain family	Derivation model	Security note
Sigil	Native identity mapping	Canonical L1fe chain authority path
Solana	Ed25519 public key can map directly	Solana key compromise is DID compromise unless Phase-2 HD isolation is used
EVM	secp256k1 key derived from Ed25519 secret through HKDF-SHA256	EVM key compromise does not reveal the Ed25519 DID key

Domain separation

Derivation uses chain-specific context strings so the same DID material cannot collide across protocols.

OpenAgent wallet derivation
  DID key material
    -> Sigil address
    -> Solana address
    -> EVM secp256k1 key -> Ethereum/Base/Polygon/etc.

Rotation and revocation

Key rotation creates a new DID and therefore new derived wallet addresses. Rotation proofs preserve continuity between old and new identities. Revocation freezes the DID and should freeze all derived wallets in systems that can enforce it.

SDK position

Wallet derivation is exposed through the OpenAgent facade and underlying OAS/AEGIS layers. Application developers should call the facade unless they are implementing a wallet adapter or chain-specific verifier.

Getting Started

Feature Stack

OpenAgent SDK

OpenAgent Client

OpenAgent Server

Principle

Day-one chains

Domain separation

Rotation and revocation

SDK position

Getting Started

Feature Stack

OpenAgent SDK

OpenAgent Client

OpenAgent Server

​Principle

​Day-one chains

​Domain separation

​Rotation and revocation

​SDK position

Principle

Day-one chains

Domain separation

Rotation and revocation

SDK position