Manav.id

Self-sovereign identity, without the crypto headache

Imagine a passport you couldn't lose, a recruiter couldn't fake, and an employer couldn't keep when you quit. That's self-sovereign identity. Here's how it works without the jargon.

The custodial world we live in

Most identity you interact with is custodial. Your Gmail account is owned by Google. Your work badge is owned by your employer. Your bank profile is owned by your bank. When the relationship ends — you change jobs, banks fail, accounts get suspended — you lose access to records of who you were and what you did. Useful identity dies with the platform that hosted it.

Custodial identity has worked because the platforms outlasted us. The agentic age changes that. Now your work history, agent fleet, supervised decisions, and verified contributions need to outlast every platform you ever used. Custody breaks.

Self-sovereign, in three sentences

You hold the keys. The platforms hold the verifications. The relying parties (employers, banks, regulators) verify directly with cryptography, not by phoning the platform. When you leave a platform, your identity stays with you, and the verifications you accumulated are still cryptographically valid.

The three things you actually need

A wallet. A small piece of software (phone app, browser extension, hardware key) that holds your private keys. You don't need to know what a private key is to use it. The wallet keeps it safe.

A DID. A decentralized identifier — a long string starting with did: that points back to your public keys. The DID is your phone number for the SSI world. You can publish it; you never share the private keys behind it.

Credentials. Signed claims about you, issued by people or institutions you do business with. "Alice graduated from MIT." "Alice supervised this code review on March 12." Each credential is a small file, signed by the issuer, that you can present to anyone — and they can verify without phoning MIT or the employer.

Why crypto people make this seem hard

Three reasons, none structural.

The vocabulary is hostile. "Decentralized identifier," "verifiable credential," "selective disclosure," "BBS+ signatures." Each is a real concept. Each has been described in language designed for cryptographers, not users. The thing under the words is not hard.

The early UX was bad. Wallets that asked you to back up 24-word seed phrases. Verifications that took minutes. Permissions screens with seven panels. Modern SSI wallets, including Manav's, do none of this — they look like Apple Wallet adding a credential.

The standards moved slowly. W3C's verifiable credentials standard was finalized; broad adoption took six more years. The lag created the impression that nothing worked. Now the standards exist and the implementations have caught up.

Three flows you'll actually use

Onboarding to a job. The employer asks for proof of three credentials: identity, prior work history, and a relevant certification. Your wallet shows the request. You tap "share" on each. The employer's system verifies cryptographically. Time elapsed: 30 seconds.

Verifying age at a website. The site asks "are you over 18?" Your wallet generates a zero-knowledge proof from your government ID credential that proves "yes, but I'm not telling you my birthday." The site never sees your name, ID number, or actual age.

Leaving a job. Your employer keeps their internal records. Your wallet keeps the cryptographic credentials representing your work history under their employ. Two years later, when applying for a new role, you present those credentials directly. The new employer verifies without contacting the old one.

What changes in the agentic age

SSI gets a fourth thing: agents. Your wallet doesn't just hold credentials — it issues delegations. Every agent you authorize carries a token signed by your wallet, scoped and time-limited. When the agent acts, the relying party verifies the chain back to you. Your identity now governs a fleet, not just a login.
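
The delegation chain described above, together with the offline verification of signed claims from the credentials paragraph, as an added example (not Manav's code or token format): a wallet key signs a scoped, time-limited grant to an agent, and a relying party checks it without contacting anyone. The did:example identifiers, the field names and the in-memory key registry standing in for DID resolution are assumptions.

```javascript
// Added illustration: a simplified signed-claim format, not the W3C VC data
// model and not Manav's token format. All names below are hypothetical.
const crypto = require('node:crypto');

// Constructed stand-in for DID resolution: DID -> public key.
const registry = new Map();
function newIdentity(did) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  registry.set(did, publicKey);
  return { did, privateKey };
}

// Sign a JSON payload as `signer`; the result is a small portable file.
function sign(signer, payload) {
  const body = JSON.stringify({ ...payload, iss: signer.did });
  const sig = crypto.sign(null, Buffer.from(body), signer.privateKey);
  return { body, sig: sig.toString('base64') };
}

// Verify offline: resolve the issuer's public key, check the signature,
// and only then trust the payload. Returns null on any failure.
function verify(token) {
  try {
    const payload = JSON.parse(token.body);
    const key = registry.get(payload.iss);
    const sig = Buffer.from(token.sig, 'base64');
    if (!key || !crypto.verify(null, Buffer.from(token.body), key, sig)) return null;
    return payload;
  } catch { return null; }
}

// Relying party: walk the chain agent request -> delegation -> human wallet.
function authorize(request, delegation, now = Date.now()) {
  const grant = verify(delegation);
  const act = verify(request);
  if (!grant || !act) return 'bad-signature';
  if (act.iss !== grant.sub) return 'wrong-agent'; // issued to another agent
  if (typeof grant.exp !== 'number' || now >= grant.exp) return 'expired';
  if (!Array.isArray(grant.scope) || !grant.scope.includes(act.action)) return 'out-of-scope';
  return `ok:${grant.iss}`; // DID of the accountable human
}

// Constructed sample: Alice's wallet delegates one read scope for 60 seconds.
const alice = newIdentity('did:example:alice');
const agent = newIdentity('did:example:agent-1');
const delegation = sign(alice, {
  sub: agent.did, scope: ['review:read'], exp: Date.now() + 60_000,
});
console.log(authorize(sign(agent, { action: 'review:read' }), delegation));
```

A production verifier would also check revocation and bind each request to a nonce or audience so a captured request cannot be replayed.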

Common objections

Two objections come up across every conversation. Will the platform vendors ship this themselves? Some will, inside their boundary; none can ship the cross-platform shape, by their own architectural choice. Is the category too narrow to matter? It's the layer beneath every agent action — narrow looks broad once the wire bends.

Frequently asked questions

Why does this category not already exist? Because the failure mode it addresses is recent. The pre-agent enterprise could pretend the service account was the human; the agentic enterprise cannot. The category becomes named when the failure becomes regulator-visible, which is now.

Where does this end up in the standards stack? As a layer above OAuth and below the application. OAuth carried scoped delegation between services; this layer carries scoped delegation from a verified human to an agent. The IETF and W3C working groups are converging on the shape; the protocol that ships first sets the verbs.

What does adoption look like in practice? Quietly. The integrations are middleware, not platforms. Each vertical sees its specific compliance pain solved — healthcare gets Article 14, finance gets SOC 2 evidence, hiring gets continuous identity — and treats the underlying primitive as plumbing once it ships.

Where to start

Read what is hati next for the deeper architecture. Then delegation tokens explained for the closest practical anchor. The mental model that holds those two together holds the rest of the site as well.

You hold the keys. The platforms hold the verifications. The relying parties verify with cryptography. That's the whole idea.