Inferensys

Glossary

DIDComm Messaging

A secure, asynchronous, peer-to-peer messaging protocol designed for private communication between DID controllers, using end-to-end encryption based on decentralized keys.
Operations room with a large monitor wall for system visibility and control.
DECENTRALIZED COMMUNICATION PROTOCOL

What is DIDComm Messaging?

DIDComm Messaging is a secure, asynchronous, peer-to-peer communication protocol enabling private, end-to-end encrypted message exchange between decentralized identifier (DID) controllers without reliance on intermediary servers.

DIDComm Messaging is a protocol that establishes a cryptographically secure communication channel directly between two DID subjects. It leverages the public keys published in DID Documents to perform authenticated key agreement and encrypt messages, ensuring that only the intended recipient can decrypt the payload. Unlike traditional messaging protocols that depend on centralized servers, DIDComm operates over a decentralized transport layer, routing encrypted, signed messages through mediators or relays without exposing content or metadata to the intermediary.

The protocol supports complex interaction patterns including routing, forward secrecy, and multi-party workflows essential for autonomous agent communication. By using DID-based authentication rather than usernames and passwords, DIDComm enables verifiable trust between parties that have never interacted before. This makes it the foundational communication layer for self-sovereign identity ecosystems and AI agent identity frameworks, where autonomous systems must negotiate access and exchange verifiable credentials without human intervention.

PROTOCOL ARCHITECTURE

Key Features of DIDComm Messaging

DIDComm Messaging provides a secure, private communication layer built on decentralized identifiers. These core features define its architectural advantages over traditional messaging protocols.

01

Asynchronous & Offline-First Delivery

DIDComm is designed for a store-and-forward model, decoupling the sender from the receiver's availability. Messages are encrypted and routed through mediator agents or message queues, ensuring delivery even when the recipient is offline. This is critical for mobile identity wallets and IoT devices that operate intermittently.

  • Uses DID Document service endpoints to discover routing paths
  • Supports Message Pickup Protocol 3.0 for retrieving queued messages
  • Enables communication without persistent connections or centralized brokers
Store-and-Forward
Delivery Model
02

End-to-End Encryption by Default

Every DIDComm message is encrypted using Authenticated Encryption with Associated Data (AEAD). The protocol mandates AuthCrypt for authenticated encryption or AnonCrypt for anonymous communication. Encryption keys are derived directly from the DID Documents of the participants, eliminating the need for out-of-band key exchange.

  • Leverages X25519 key agreement and A256CBC-HS512 or XC20P ciphersuites
  • Supports perfect forward secrecy (PFS) through ephemeral key generation
  • Prevents metadata leakage via envelope-based message wrapping
AEAD
Encryption Standard
03

Transport-Agnostic Protocol Design

DIDComm operates as a Layer 2 protocol independent of any specific transport layer. Messages are structured as JSON-based DIDComm Envelopes that can be transmitted over HTTP, WebSockets, Bluetooth Low Energy, NFC, or even QR codes. This allows the same secure messaging layer to function across web, mobile, and proximity-based interactions.

  • Defined in DIDComm Messaging v2.0 specification
  • Supports multiple transport bindings without changing the message payload
  • Enables peer-to-peer connections without reliance on TCP/IP infrastructure
04

Protocol Co-Execution & Routing

DIDComm messages carry a type header referencing a specific protocol URI, enabling structured multi-step interactions. Agents co-execute these protocols to achieve complex workflows like credential issuance, proof requests, or negotiation. Messages can be routed through multiple intermediaries using forward secrecy at each hop.

  • Uses DIDComm Protocols as standardized interaction patterns (e.g., https://didcomm.org/issue-credential/3.0)
  • Supports nested routing with forward messages for onion-like pathing
  • Enables machine-to-machine agent choreography without human intervention
05

Sender Authenticity & Non-Repudiation

Every message is cryptographically signed by the sender's private key associated with their DID. This provides mathematical proof of origin and ensures message integrity. Verifiers can resolve the sender's DID Document from a Verifiable Data Registry to validate the signature, establishing a chain of trust without centralized certificate authorities.

  • Uses Ed25519 or P-256 signature schemes
  • Prevents spoofing and tampering through detached signatures
  • Enables auditable communication logs for compliance and forensics
06

Privacy-Preserving Message Routing

DIDComm supports anonymous communication where the sender's identity is hidden from the recipient using AnonCrypt mode. Additionally, routing protocols allow messages to traverse multiple mediators, obscuring the sender's network location. This architecture prevents metadata correlation and protects against traffic analysis.

  • Implements sender anonymity through sealed sender techniques
  • Uses mediator agents as privacy-preserving relays
  • Prevents correlation attacks by decoupling transport from identity
DIDCOMM MESSAGING

Frequently Asked Questions

Clear, technical answers to the most common questions about the secure, asynchronous communication protocol powering decentralized identity agents.

DIDComm Messaging is a secure, asynchronous, peer-to-peer communication protocol designed for private interaction between Decentralized Identifier (DID) controllers. It operates at the application layer (Layer 7) and is transport-agnostic, meaning it can function over HTTP, Bluetooth, NFC, or message queues. The protocol works by resolving a recipient's DID Document from a Verifiable Data Registry to discover their public keys and service endpoints. Messages are then structured as JSON-based, JSON Web Encryption (JWE) -encrypted envelopes that provide end-to-end confidentiality, authenticity, and integrity. Unlike traditional messaging, DIDComm does not rely on centralized servers; it establishes a direct cryptographic trust channel between two DIDs, enabling verifiable, repudiable, or non-repudiable communication depending on the message type.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.