DIDComm (Decentralized Identifier Communication) is a cryptographic messaging protocol that leverages DID documents and Verifiable Credentials (VCs) to establish mutually authenticated, end-to-end encrypted communication channels between any two software agents. Unlike session-based protocols, DIDComm is transport-agnostic and designed for asynchronous, message-based interactions where parties are not required to be online simultaneously, using the Noise Protocol Framework for forward secrecy.
Glossary
DIDComm

What is DIDComm?
DIDComm is a secure, private communication protocol built on top of the decentralized identifier (DID) architecture, enabling authenticated, encrypted messaging between agents.
The protocol defines a standard message structure with plaintext routing headers and encrypted content bodies, supporting both AEAD authenticated encryption for direct messages and anonymous encryption for privacy-preserving routing. DIDComm enables agent-to-agent trust without centralized certificate authorities by resolving recipient public keys directly from their DID document on a verifiable data registry, making it foundational for Zero Trust Architecture in autonomous agent mesh networks.
Key Features of DIDComm
DIDComm is a secure, private communication protocol built on decentralized identifiers. It provides the cryptographic building blocks for authenticated, encrypted messaging between autonomous agents without relying on centralized infrastructure.
Message-Level Encryption
DIDComm encrypts messages at the application layer using Authenticated Encryption with Associated Data (AEAD), ensuring confidentiality and integrity regardless of the transport mechanism. Each message is encrypted for a specific recipient's public key, derived from their Decentralized Identifier (DID). This means even if the underlying transport (HTTP, Bluetooth, etc.) is compromised, the message content remains opaque.
- Uses ECDH-ES key agreement for per-message encryption
- Supports both anoncrypt (anonymous encryption) and authcrypt (authenticated encryption) modes
- Provides perfect forward secrecy when ephemeral keys are used
Decentralized Identity Anchoring
DIDComm relies on DID Documents—JSON-LD files stored on distributed ledgers or decentralized networks—to resolve public keys and service endpoints. There is no central certificate authority. Agents discover each other's cryptographic material by resolving DIDs, enabling trustless communication without pre-shared keys or federated identity providers.
- DIDs are self-sovereign: the owner controls the private keys
- Supports multiple DID methods (did:web, did:key, did:indy, did:cheqd)
- Enables interoperability across different identity networks
Transport Agnosticism
DIDComm messages are designed to be transport-independent. The protocol defines a message structure and encryption envelope that can be transmitted over HTTP, WebSockets, Bluetooth, NFC, or even push notifications. This makes it ideal for agent mesh networks where agents communicate across heterogeneous environments—from cloud servers to edge devices.
- DIDComm V2 standardizes message format in JSON
- Supports routing protocols for store-and-forward delivery
- Enables offline-first communication patterns via mediators
Authenticated Key Agreement
DIDComm establishes secure sessions using Diffie-Hellman key agreement over elliptic curves (X25519). The protocol performs a handshake where both parties derive a shared secret from their DID keys, authenticating each other in the process. This shared secret then derives symmetric keys for subsequent message encryption.
- Uses Curve25519 for key exchange
- Supports multi-recipient messages via key wrapping
- Prevents man-in-the-middle attacks through DID-based authentication
Message Routing and Mediation
DIDComm defines a routing protocol that allows messages to traverse intermediary agents (mediators) to reach recipients that are offline or behind NATs. Mediators store encrypted messages and forward them when the recipient connects. This is critical for mobile agents and edge devices that cannot maintain persistent connections.
- Forward secrecy is preserved: mediators cannot decrypt payloads
- Supports relay and store-and-forward mediator roles
- Enables asynchronous communication patterns
Protocol Co-Execution
DIDComm messages carry a protocol identifier and message type that allow agents to co-execute structured interactions. Beyond simple messaging, agents can negotiate credentials, issue Verifiable Credentials (VCs), or coordinate multi-step workflows. Each protocol defines a state machine that both parties follow.
- Built-in protocols for trust ping, discover features, and issue credential
- Extensible: developers define custom protocol URIs
- Enables rich, stateful agent interactions beyond fire-and-forget messaging
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Frequently Asked Questions
Clear answers to the most common questions about the Decentralized Identifier Communication protocol, its security model, and how it enables private, authenticated messaging between autonomous agents.
DIDComm (Decentralized Identifier Communication) is a secure, private communication protocol that enables any two software agents to exchange authenticated, encrypted messages without relying on centralized infrastructure. It operates at Layer 2 of the decentralized identity stack, sitting on top of the DID (Decentralized Identifier) layer. The protocol works by resolving a recipient's DID document to discover their public keys and service endpoints, then establishing a DIDComm channel using the Noise Protocol Framework or JOSE (JSON Object Signing and Encryption) for cryptographic operations. Messages are structured as JSON-based envelopes that support forward secrecy, sender authentication, and message-level encryption, meaning each message is independently secured rather than relying solely on transport-layer TLS. This architecture allows agents to communicate asynchronously across different transports—HTTP, WebSockets, Bluetooth, or even push notifications—while maintaining end-to-end security regardless of the intermediary routing infrastructure.
Related Terms
DIDComm relies on a stack of identity, credential, and cryptographic standards to establish trust between autonomous agents. These related concepts form the foundation for secure, private inter-agent communication.
DID Document
A JSON-LD document associated with a DID that contains the cryptographic material and service endpoints required to initiate secure communication. When an agent resolves a DID, it retrieves this document to discover how to encrypt messages and where to deliver them.
- Lists verification methods (public keys) for authentication
- Declares service endpoints for message delivery (HTTP, WebSocket, etc.)
- Supports key rotation through versioned updates on the registry
AEAD Encryption
Authenticated Encryption with Associated Data is the cryptographic primitive securing every DIDComm message envelope. It simultaneously provides confidentiality, integrity, and authenticity for the message payload while binding it to unencrypted context headers.
- Prevents tampering with routing metadata
- Ensures only the intended recipient can decrypt the content
- Uses algorithms like XChaCha20-Poly1305 or AES-GCM
Forward Secrecy
A security property ensuring that the compromise of a long-term private key does not compromise past session keys. DIDComm implementations leverage ephemeral key exchanges through the Noise protocol to guarantee that each message exchange is protected independently.
- Limits the blast radius of any single key compromise
- Achieved through ephemeral Diffie-Hellman key agreement per session
- Essential for long-lived agent relationships with rotating keys

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us