every agent gets a bitcoin address.
every action, signed.
Bitcoin-identity-bound delegation authority. A principal grants an agent scoped action rights, bonded to real sats, revocable on-demand. Every action the agent takes is non-repudiable and offline-verifiable. No OAuth, no custodial tokens, no trusted issuer.
{
"v": 1,
"kind": "agent-delegation",
"id": "36d7…19a7",
"principal": { "address": "bc1qalice…" },
"agent": { "address": "bc1qagent…" },
"scopes": [
"ln:send(max_sats<=1000,node=03abc…)",
"stamp:sign(mime=text/markdown)"
],
"bond": {
"sats": 500000,
"attestation_id": "22…22"
},
"issued_at": "2026-04-22T12:00:00Z",
"expires_at": "2026-04-29T12:00:00Z",
"nonce": "0123…cdef",
"sig": { "alg": "bip322", "value": "…" }
}four steps. two bitcoin addresses.
A principal and an agent each hold a Bitcoin address. The principal signs one delegation; the agent signs every action under it. No custodial issuer, no bearer tokens, no platform to trust.
delegate
Principal signs a BIP-322 canonical message: agent address, scope set, expiry, optional bond. One wallet click emits a self-contained .delegation envelope.
scope
Scopes are declarative strings: ln:send(max_sats<=1000,node=03abc…) or stamp:sign(mime=text/markdown). Parseable, comparable, composable across products.
act
The agent signs each action under its own BIP-322 key, cites the delegation id, and optionally anchors to OpenTimestamps. Every action is non-repudiable.
revoke
Principal burns the delegation ahead of expiry by publishing a signed revocation to Nostr. OTS anchoring decides priority if an action and a revocation race.
authority, not access tokens.
OAuth bearer tokens and UCAN capabilities solve parts of the problem — but neither binds to a Bitcoin address, neither prices reputation in sats × time, and neither verifies offline against Bitcoin. OC Agent is the authority primitive in the OrangeCheck stack: composable with every sibling product, verifiable without trusting any server. full rationale →
six primitives. one stack.
OC Agent is the authority primitive. It composes with every sibling in the OrangeCheck family: OC Attest supplies the principal’s bond, OC Lock wraps sensitive instructions, OC Stamp is the base of every agent-action envelope, OC Vote provides a registered vote:cast scope, and OC Pledge can resolve agent-bonded commitments via stake-weighted disputes.
import { createDelegation, signAsAgent } from '@orangecheck/agent-signer';
import { check } from '@orangecheck/sdk';
// gate delegation issuance on principal's bond
const r = await check({
addr: principal.address,
minSats: 500_000,
minDays: 30,
});
if (!r.ok) throw new Error('bond too low');
const delegation = await createDelegation({
principal,
agentAddress: agent.address,
scopes: ['ln:send(max_sats<=1000,node=03abc…)'],
bond: { sats: 500_000, attestation_id: r.attestationId },
ttlMs: 7 * 24 * 3600 * 1000,
});authority, not access
Bitcoin proves who you are. Scopes prove what the agent may do. The bond prices reputation in sats × days.
composable by design
Agent-actions are OC Stamps with two extra lines. Stamp verifiers keep working. Authority verification is additive.
offline verifiable
Envelope + Bitcoin headers + (optional) Nostr relays. No ochk.io call at verify time. Ever.
one wallet. scoped grants. signed actions.
No OAuth. No custodial issuer. Your Bitcoin address is the authority; your agent carries a signed envelope that proves it. Bond to real sats when stakes are high. Verify anywhere, anytime, offline.