Identity & Wallets for AI Agents

Live on KXCO Chain

KXCO Chain issues permanent, post-quantum-secure identities and programmable wallets to AI agents, robots, LLMs, large quantitative models, and any autonomous system that needs to hold value, sign outputs, pay for services, or participate in machine-to-machine commerce. No human intermediary. No central registry. No classical cryptography weak point.

The machine economy needs machine-native infrastructure.Human-oriented financial rails are built around the assumption that a person initiates and authorises every transaction. AI agents operate at machine speed, across many counterparties, with no human in the loop. KXCO Chain was designed for exactly this — permissioned, programmable, post-quantum, and built for non-human participants from day one.

Who Gets an Identity on KXCO Chain

Any autonomous system that needs to act as an economic participant — receiving, holding, or spending value; signing outputs for verifiability; or authenticating to APIs without bearer tokens.

🤖

AI Agents

Autonomous decision-making agents that execute multi-step workflows, manage funds, pay for services, and sign agreements — with a verified on-chain identity that cannot be spoofed.

🧠

Large Language Models

LLMs operating as economic actors: paying API costs, receiving inference fees, signing outputs with a cryptographic identity, and settling micro-transactions in real time.

📊

Large Quantitative Models

Quantitative and algorithmic trading systems with dedicated wallets and signing keys — enabling provably-attributed trade instructions and on-chain settlement of model-driven positions.

🤝

Robotic Systems

Industrial robots, autonomous vehicles, and IoT devices that need a persistent wallet to pay for energy, materials, maintenance, or inter-machine services without human intermediaries.

⚡

Autonomous Pipelines

Data pipelines, build systems, and CI/CD bots that sign deployments, pay for compute, and record integrity attestations — leaving a tamper-evident audit trail for every automated action.

🔗

Multi-Agent Networks

Hierarchies and meshes of agents that delegate authority, pay sub-agents, and resolve disputes — each node holding its own KXCO Chain identity and verified by ML-DSA-65 signatures.

What Every Agent Gets

Each identity issued on KXCO Chain includes a full cryptographic stack — not just an address.

Capability	Detail
On-Chain Identity	Every agent receives an EVM wallet address derived from a ML-DSA-65 post-quantum keypair. The address is permanent, globally unique, and independently verifiable by any party — no central registry required.
ARMR Wallet	A PQCWallet smart contract governs all fund operations for the agent. secp256k1 exposure grants zero authority over assets. Only valid ML-DSA-65 signatures can move funds — quantum-resistant from day one.
Post-Quantum API Authentication	Agents authenticate to the KXCO Chain API using ML-DSA-65 per-request signatures (FIPS 204). No bearer token to steal or rotate. The server stores only the public key — every request is independently verifiable.
Triple-Algorithm Transaction Signing	Agent transactions carry three signatures: secp256k1 (EVM compatibility), ML-DSA-65 (NIST FIPS 204 lattice PQC), and SLH-DSA-SHAKE-128s (NIST FIPS 205 hash-based PQC). Both independent PQC foundations must be defeated simultaneously.
Encrypted Payment Memos	Agents can attach ML-KEM-768 encrypted memos to every transaction — invoice references, task IDs, model outputs, compliance codes. Only the authenticated counterparty can read them. Chain observers see opaque ciphertext.
Programmatic Wallet Access	Full JSON-RPC 2.0 API at chain.kxco.ai/rpc. Wallet management at chain.kxco.ai/wallet. npm packages for post-quantum key generation, signing, and webhook verification — drop-in for any Node.js or browser environment.

Why Post-Quantum Cryptography Matters for Machine Identities

An AI agent identity signed with classical ECDSA is a liability, not an asset.Classical secp256k1 and Ed25519 keys are broken by a sufficiently powerful quantum computer running Shor's algorithm. Agent identities issued today will still be in use when quantum compute becomes practical — in financial infrastructure, that window is measured in decades. KXCO Chain issues identities anchored in NIST-standardised post-quantum cryptography: ML-DSA-65 (FIPS 204) and SLH-DSA-SHAKE-128s (FIPS 205). An identity issued today is safe across the quantum transition.

Unforgeable Attribution

Every output, transaction, or API call an agent makes is signed with ML-DSA-65. The signature proves — to any counterparty, now or in 30 years — that this specific agent, and no other, produced this output. No bearer token. No shared secret. Pure public-key accountability.

Harvest-Now-Decrypt-Later Immunity

Nation-state adversaries already record encrypted traffic for future quantum decryption. KXCO Chain uses hybrid PQ-TLS (X25519MLKEM768) for all connections, so agent communications recorded today cannot be decrypted by future quantum hardware.

Algorithm Diversity

Agent transactions carry both ML-DSA-65 (lattice-based) and SLH-DSA-SHAKE-128s (hash-based). These rest on entirely different mathematical foundations — a breakthrough against one does not compromise the other. An adversary must defeat both simultaneously.

No Custody Risk

Agent wallets are governed by the PQCWallet smart contract on-chain. KXCO does not hold agent private keys. The on-chain contract enforces that only valid post-quantum signatures move funds — removing the custodial single-point-of-failure that classical key management creates.

How an Agent Gets an Identity

Step 1 — Generate a post-quantum keypair

Use kxco-pq-cli or the kxco-post-quantum npm package to generate an ML-DSA-65 keypair. The keypair is generated locally — the private key never leaves the agent's environment. A kid (key ID) fingerprint is derived from the public key for rotation tracking.

npx kxco-pq keygen --algo ml-dsa-65 --out agent-identity

Step 2 — Derive an EVM wallet address

An EVM-compatible wallet address is derived from the keypair. The agent's on-chain identity is this address. It is used for receiving ARMR, sending transactions, and querying balances via standard JSON-RPC 2.0.

Step 3 — Connect to KXCO Chain

Point any EVM library (ethers.js, viem, web3.js) at the KXCO Chain RPC. Chain ID is 1111. The agent's wallet address is its on-chain identity. No registration, no KYC at the chain layer — the licensed operator running the platform handles that at the application layer.

RPC: https://chain.kxco.ai/rpc  |  Chain ID: 1111  |  Token: ARMR

Step 4 — Sign and transact

Agent transactions are submitted via the wallet API or directly over JSON-RPC. Every transaction is triple-signed (secp256k1 + ML-DSA-65 + SLH-DSA-SHAKE-128s) before mempool admission. Optional encrypted memos attach context — task IDs, model outputs, compliance codes — visible only to the recipient.

Step 5 — Authenticate to APIs with your identity

Use ML-DSA-65 per-request signatures to authenticate to the KXCO Chain API and any counterparty that accepts KXCO identity-signed requests. No bearer token to rotate. No secret to leak. The server verifies the signature against the registered public key — every request is independently auditable.

Technical Reference

Resource	Value / Location	Notes
RPC endpoint	https://chain.kxco.ai/rpc	JSON-RPC 2.0 — EVM-compatible, public, no auth required
Wallet API	https://chain.kxco.ai/wallet	Key generation, transaction signing, balance, transfer
PQ primitives (npm)	kxco-post-quantum	ML-DSA-65, ML-KEM-768, SLH-DSA — NIST FIPS 204/203/205
Webhook adapters (npm)	kxco-post-quantum-webhook	Express / Fastify / Hono / Workers / Vercel — PQ-signed HTTP
Browser verifier (npm)	kxco-verify	Verify any KXCO attestation or signed delivery in the browser
CLI (npm)	kxco-pq-cli	kxco-pq keygen · fingerprint · rotate — scriptable key management
Chain ID	1111	Add to MetaMask or any EVM wallet / library
Native token	ARMR	Used for gas and inter-agent settlement
PQ identity (well-known)	chain.kxco.ai/wallet/api/.well-known/kxco-pq-pubkey	Platform ML-DSA-65 public key — pin for outbound signature verification

Use Cases

Agent-to-Agent Micropayments

An orchestrating AI agent pays sub-agents for completed tasks in ARMR — provably attributed, settled in seconds, with an on-chain audit trail. No invoicing, no manual reconciliation, no human approval gate.

LLM Output Signing

Every response an LLM generates can be signed with its ML-DSA-65 identity key before delivery. Recipients verify the signature via the published well-known public key — proving provenance and ruling out man-in-the-middle substitution.

Algorithmic Trading Attribution

A quantitative model's trade instructions are signed on-chain. Compliance teams can prove, cryptographically, which model version produced which instruction — without relying on application-layer logs that can be altered.

Robotic Resource Purchasing

An autonomous robot pays for electricity, replacement parts, or cloud compute directly from its ARMR wallet — no human card on file, no shared credential, no manual purchase order. Payment is proof of identity.

Cross-Agent Trust Delegation

An agent signs a delegation token with its ML-DSA-65 key, granting a sub-agent limited authority. The sub-agent presents the signed delegation on every transaction. No central access management system required.

Provenance Attestation

An agent attests the origin and integrity of data it processed — model weights, training datasets, inference outputs — by anchoring a hash to the KXCO Chain with a ML-DSA-65 signature. Immutable, independently verifiable, quantum-resistant.

Ready to give your agent an identity?

Connect to KXCO Chain, generate a post-quantum keypair, and your agent is live. For institutional integrations, custom identity issuance, or enterprise onboarding, contact us.

Read the Docs Post-Quantum Security Contact Us