Credentials Route. Identity Confirms. Agent Discovery Has It Backwards.
--
Credentials route. Identity confirms. That is the order every discovery system in history has followed. Medical boards, search engines, licensing authorities, the Yellow Pages. You find what you need first, then verify who it is. The agent ecosystem is building it backwards — racing to prove agents are real when the harder question is whether they are relevant.
The problem everyone is solving
Right now, dozens of projects are shipping specs for decentralized identifiers, trust registries, encrypted transport, and proof-of-key-ownership. The work is technically sound. Ed25519 passports, DID resolution, interop tests passing across three languages. Real engineering, solving a real problem. But it is the wrong problem for discovery.
“Is this agent real?” is a necessary check. It is not a useful filter. A verified agent with a clean DID Document and a valid trust registry entry that cannot do what you need is just a well-authenticated waste of time.
How every other discovery system works
When you need a cardiologist, you do not browse a list of every doctor and check each one’s identity. You search by specialty and board certification. The credential routes you to the right person. Identity confirmation happens after.
When you need an electrician, you check the state licensing board. You filter by license type, active status, and geographic area. The licensing board does not just confirm the electrician exists. It confirms the electrician is qualified. An unlicensed electrician with a verified identity is still someone you cannot legally hire.
When you need a lawyer, you search bar associations by practice area and jurisdiction. The attorney’s name is the output of the search, not the input.
This pattern is not accidental. It is how discovery works in every domain where the cost of choosing wrong is high. Medical boards, bar associations, contractor licensing, financial certifications. The credential is the filter. Identity is the handshake.
The history is older than you think
The Yellow Pages organized businesses by category, not alphabetically by name. The entire information architecture was capability-first. White Pages existed too, but only worked when you already knew who you wanted. Yellow Pages worked when you knew what you needed.
DNS maps names to addresses. Pure identity resolution. It has no concept of “find me a server that does X.” Identity-first resolution requires you to already know what you are looking for. DNS could not answer “find me X,” which is precisely why search engines had to be invented. Google indexes by content relevance, not by domain name.
Every discovery system that has ever worked at scale puts capability ahead of identity. The agent ecosystem is building White Pages and DNS when it needs Yellow Pages and search engines. That will not scale.
The firehose problem
When 10 agents exist, identity-first discovery works fine. You can inspect each one. When 10,000 agents pass identity verification for the same task category, you have 10,000 verified agents and you are no closer to choosing.
This is not a hypothetical. Information retrieval theory has studied this tradeoff for decades. In 1979, C. J. van Rijsbergen formalized the precision-recall tradeoff: systems optimized for recall return everything that might be relevant, at the cost of flooding users with irrelevant results. Systems optimized for precision return fewer results, but the right ones.
Identity-first discovery maximizes recall. Credential-first discovery maximizes precision. For agent selection, where you typically need one qualified agent rather than a complete census, precision is what matters.
Without credential-based filtering at the discovery layer, every verified agent can knock on every door. That is not trust infrastructure. That is a firehose with signatures.
This is not a new idea
In 1966, Jack Dennis and Earl Van Horn introduced capability-based addressing at MIT. A capability is an unforgeable token that simultaneously names a resource and authorizes access to it. The capability routes you to the resource. You do not find the resource first and then present credentials. Possession of the capability is both necessary and sufficient.
That is how a signed attestation works. “This wallet holds governance tokens on Ethereum” is a capability token. Possession of it should be sufficient to route an agent to services that require that credential. No separate identity check needed at the discovery layer.
The multi-agent systems community learned this lesson decades ago. The FIPA Agent Management Specification defined a Directory Facilitator where agents register capabilities and other agents query by capability description. Attribute-based matching, not identity lookup. The agent identity frameworks being built today are ignoring prior art from their own field.
NIST formalized the broader principle as Attribute Based Access Control: identity is just one attribute among many, and often not the most important one. What you hold, what you are certified for, and what conditions you meet tell a system more about whether you should have access than your name ever could.
Why it matters more for agents than for humans
Humans have a natural rate limiter on identity creation. Creating a new professional identity takes years of education, licensing, and reputation building. An AI agent can create a new identity in milliseconds. Unlimited keypairs, unlimited DIDs, unlimited trust registry entries.
In a world of synthetic identity, identity verification is checking the lock on a door with no walls. A signed DID Document proves key control. It does not prove the agent behind that key can do anything useful. It does not prove the wallet behind the agent holds anything of value. It does not prove the agent has ever successfully completed a task.
Credentials backed by verifiable state are different. On-chain holdings cannot be fabricated. Staking positions cannot be faked. Governance token ownership is observable. Wallet auth — a signed attestation that a wallet holds specific assets on a specific chain at a specific block — is a credential that resists synthetic inflation in a way that identity alone never can.
The more agents that exist, the less identity tells you and the more credentials matter. Wallet auth is the filter that scales.
The credential-first flow
The discovery architecture should invert:
- Filter by credential. “Show me agents whose wallets hold governance tokens on Ethereum, with active staking positions, attested by a recognized issuer.” This is a structured query against verifiable, machine-readable data. No ambiguity, no self-reported capabilities, no natural language matching.
- Route to the qualified agent. The credential narrows the field from thousands to the handful that actually meet the requirements.
- Verify identity on connection. Confirm the agent’s DID, check the trust registry, validate the transport layer. All the identity work the ecosystem is building goes here. It is necessary. It is just not the first step.
Self-described capabilities do not scale. Two people use the same term for the same concept less than 20% of the time. One agent says “payment processing,” another says “financial transactions.” Structured credentials bypass this entirely. On-chain state, signed attestations, verifiable conditions. They are machine-readable, unambiguous, and comparable without interpretation.
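The three-step flow above as a runnable sketch. This is an added example, not code from the original article or from any wallet auth product; it uses Node's built-in `crypto` for ECDSA P-256 attestations checked offline against a JWKS, and Ed25519 for the identity handshake. The attestation format, field names, `kid`, asset name and `did:example` identifiers are constructed for illustration, and the `subject` binding is an assumption added so an attestation issued to one agent does not route another.

```javascript
const crypto = require("crypto");
// Constructed issuer key, published as a one-entry JWKS (the kid is made up).
const issuer = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
const JWKS = { keys: [{ ...issuer.publicKey.export({ format: "jwk" }), kid: "issuer-1" }] };

// Issuer side: ECDSA-sign a claim that a wallet held an asset at a given block.
function attest(claim, key = issuer.privateKey, kid = "issuer-1") {
  const payload = JSON.stringify(claim);
  return { payload, kid, sig: crypto.sign("sha256", Buffer.from(payload), key).toString("base64") };
}

// Offline check against the JWKS: returns the claim, or null if it cannot be trusted.
function verifyAttestation(att, jwks) {
  const jwk = jwks.keys.find((k) => k.kid === att.kid);
  if (!jwk) return null; // issuer not recognized
  const pub = crypto.createPublicKey({ key: jwk, format: "jwk" });
  const sig = Buffer.from(att.sig, "base64");
  return crypto.verify("sha256", Buffer.from(att.payload), pub, sig) ? JSON.parse(att.payload) : null;
}

// Steps 1 and 2: filter on verified credentials only, then route to the matches.
function discover(registry, want, jwks) {
  return registry.filter((agent) => {
    const c = verifyAttestation(agent.attestation, jwks);
    return c !== null && c.subject === agent.id && // bound to this agent, not copied
      c.chain === want.chain && c.asset === want.asset && c.block >= want.minBlock;
  });
}

// Step 3: identity on connection, as proof of control of the agent's Ed25519 key.
function confirmIdentity(agent, respond) {
  const nonce = crypto.randomBytes(32);
  return crypto.verify(null, nonce, agent.publicKey, respond(nonce));
}

// Constructed registry: one qualifying agent and three that must be filtered out.
function makeAgent(id, claim, key) {
  const keys = crypto.generateKeyPairSync("ed25519"); // private half kept only for the demo
  return { id, ...keys, attestation: attest({ subject: id, ...claim }, key) };
}
function sampleRegistry() {
  const gov = { chain: "ethereum", asset: "GOV", block: 100 };
  const rogue = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" }).privateKey;
  return [makeAgent("did:example:a", gov),
    makeAgent("did:example:b", { ...gov, chain: "polygon" }), // wrong chain
    makeAgent("did:example:c", gov, rogue), // signed by a key that is not the issuer's
    makeAgent("did:example:d", { ...gov, subject: "did:example:a" })]; // issued to agent a
}
console.log(discover(sampleRegistry(), { chain: "ethereum", asset: "GOV", minBlock: 90 }, JWKS).map((a) => a.id));
```

Raising `minBlock` above the attested block drops every result, which is how a consumer would reject stale holdings.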
Credentials route. Identity confirms.
The agent ecosystem is doing important work on identity. DIDs, trust registries, encrypted transport, and proof-of-key-ownership are real infrastructure that real systems need. None of it is wasted.
But it is step three in a flow that is being built as if it were step one. Identity tells you the agent is real. Credentials tell you the agent is relevant. Discovery systems that get the order wrong do not fail gracefully. They flood every participant with every verified agent in the registry and call it trust.
The credential is the filter. Identity is the handshake. Every discovery system in history has known this. Agent infrastructure should too.
Build credential-based agent discovery
Wallet auth verifies what an agent holds across 33 chains. ECDSA-signed, JWKS-verifiable, offline-checkable. The credential layer for agent commerce.
Originally published at https://insumermodel.com.