Inferensys

Glossary

DIDComm

DIDComm is a secure, private communication protocol built on top of the decentralized identifier architecture, enabling authenticated, encrypted messaging between agents.
Developer demonstrating multi-agent tool use, agent tool selection interface on laptop, casual tech demo moment.
DECENTRALIZED IDENTITY COMMUNICATION

What is DIDComm?

DIDComm is a secure, private communication protocol built on top of the decentralized identifier (DID) architecture, enabling authenticated, encrypted messaging between agents.

DIDComm (Decentralized Identifier Communication) is a cryptographic messaging protocol that leverages DID documents and Verifiable Credentials (VCs) to establish mutually authenticated, end-to-end encrypted communication channels between any two software agents. Unlike session-based protocols, DIDComm is transport-agnostic and designed for asynchronous, message-based interactions where parties are not required to be online simultaneously, using the Noise Protocol Framework for forward secrecy.

The protocol defines a standard message structure with plaintext routing headers and encrypted content bodies, supporting both AEAD authenticated encryption for direct messages and anonymous encryption for privacy-preserving routing. DIDComm enables agent-to-agent trust without centralized certificate authorities by resolving recipient public keys directly from their DID document on a verifiable data registry, making it foundational for Zero Trust Architecture in autonomous agent mesh networks.

PROTOCOL PRIMITIVES

Key Features of DIDComm

DIDComm is a secure, private communication protocol built on decentralized identifiers. It provides the cryptographic building blocks for authenticated, encrypted messaging between autonomous agents without relying on centralized infrastructure.

01

Message-Level Encryption

DIDComm encrypts messages at the application layer using Authenticated Encryption with Associated Data (AEAD), ensuring confidentiality and integrity regardless of the transport mechanism. Each message is encrypted for a specific recipient's public key, derived from their Decentralized Identifier (DID). This means even if the underlying transport (HTTP, Bluetooth, etc.) is compromised, the message content remains opaque.

  • Uses ECDH-ES key agreement for per-message encryption
  • Supports both anoncrypt (anonymous encryption) and authcrypt (authenticated encryption) modes
  • Provides perfect forward secrecy when ephemeral keys are used
AEAD
Encryption Primitive
02

Decentralized Identity Anchoring

DIDComm relies on DID Documents—JSON-LD files stored on distributed ledgers or decentralized networks—to resolve public keys and service endpoints. There is no central certificate authority. Agents discover each other's cryptographic material by resolving DIDs, enabling trustless communication without pre-shared keys or federated identity providers.

  • DIDs are self-sovereign: the owner controls the private keys
  • Supports multiple DID methods (did:web, did:key, did:indy, did:cheqd)
  • Enables interoperability across different identity networks
0
Central Authorities Required
03

Transport Agnosticism

DIDComm messages are designed to be transport-independent. The protocol defines a message structure and encryption envelope that can be transmitted over HTTP, WebSockets, Bluetooth, NFC, or even push notifications. This makes it ideal for agent mesh networks where agents communicate across heterogeneous environments—from cloud servers to edge devices.

  • DIDComm V2 standardizes message format in JSON
  • Supports routing protocols for store-and-forward delivery
  • Enables offline-first communication patterns via mediators
5+
Supported Transports
04

Authenticated Key Agreement

DIDComm establishes secure sessions using Diffie-Hellman key agreement over elliptic curves (X25519). The protocol performs a handshake where both parties derive a shared secret from their DID keys, authenticating each other in the process. This shared secret then derives symmetric keys for subsequent message encryption.

  • Uses Curve25519 for key exchange
  • Supports multi-recipient messages via key wrapping
  • Prevents man-in-the-middle attacks through DID-based authentication
X25519
Key Agreement Curve
05

Message Routing and Mediation

DIDComm defines a routing protocol that allows messages to traverse intermediary agents (mediators) to reach recipients that are offline or behind NATs. Mediators store encrypted messages and forward them when the recipient connects. This is critical for mobile agents and edge devices that cannot maintain persistent connections.

  • Forward secrecy is preserved: mediators cannot decrypt payloads
  • Supports relay and store-and-forward mediator roles
  • Enables asynchronous communication patterns
E2E
Encryption Through Mediators
06

Protocol Co-Execution

DIDComm messages carry a protocol identifier and message type that allow agents to co-execute structured interactions. Beyond simple messaging, agents can negotiate credentials, issue Verifiable Credentials (VCs), or coordinate multi-step workflows. Each protocol defines a state machine that both parties follow.

  • Built-in protocols for trust ping, discover features, and issue credential
  • Extensible: developers define custom protocol URIs
  • Enables rich, stateful agent interactions beyond fire-and-forget messaging
3+
Core Built-in Protocols
DIDCOMM PROTOCOL

Frequently Asked Questions

Clear answers to the most common questions about the Decentralized Identifier Communication protocol, its security model, and how it enables private, authenticated messaging between autonomous agents.

DIDComm (Decentralized Identifier Communication) is a secure, private communication protocol that enables any two software agents to exchange authenticated, encrypted messages without relying on centralized infrastructure. It operates at Layer 2 of the decentralized identity stack, sitting on top of the DID (Decentralized Identifier) layer. The protocol works by resolving a recipient's DID document to discover their public keys and service endpoints, then establishing a DIDComm channel using the Noise Protocol Framework or JOSE (JSON Object Signing and Encryption) for cryptographic operations. Messages are structured as JSON-based envelopes that support forward secrecy, sender authentication, and message-level encryption, meaning each message is independently secured rather than relying solely on transport-layer TLS. This architecture allows agents to communicate asynchronously across different transports—HTTP, WebSockets, Bluetooth, or even push notifications—while maintaining end-to-end security regardless of the intermediary routing infrastructure.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.