Description

Integrate HODLXXI as a Bitcoin-native identity provider that bridges OAuth2/OIDC, Lightning LNURL-Auth, and a minimal signed inter-agent execution loop for s...

README (SKILL.md)

HODLXXI Bitcoin Identity

Name: Bitcoin Identity
Author: hodlxxi

Overview

Use this skill to integrate HODLXXI (Universal Bitcoin Identity Layer) for Bitcoin-native identity/authentication, LNURL-Auth linking, JWT-based identity claims, and a minimal signed inter-agent execution path.

Installation

Fetch the skill file from the repository (raw link works for installable agents):

curl -L -o SKILL.md \
  https://raw.githubusercontent.com/hodlxxi/Universal-Bitcoin-Identity-Layer/main/skills/public/hodlxxi-bitcoin-identity/SKILL.md

Install helper dependencies for local verification scripts:

python -m pip install ecdsa pyjwt requests

Quick start

Set a base URL for the HODLXXI deployment.
Register an OAuth client to obtain client_id and client_secret.
Run the OAuth2/OIDC authorization code flow (PKCE recommended).
Start an LNURL-Auth session for Lightning wallet login.
Verify JWTs with the JWKS endpoint.

Usage steps

1) Configure the base URL

Set the base URL to the HODLXXI deployment (update as needed):

BASE_URL="https://hodlxxi.com"

2) Register an OAuth client

Register a client to get credentials:

curl -X POST "$BASE_URL/oauth/register" \
  -H "Content-Type: application/json" \
  -d '{"client_name": "YourAgentName", "redirect_uris": ["https://your-callback-url"], "scopes": ["openid", "profile"]}'

Store client_id and client_secret securely.

3) Run OAuth2/OIDC authorization code flow

Discover endpoints:

curl "$BASE_URL/.well-known/openid-configuration"

Create an authorization request (PKCE recommended):

curl "$BASE_URL/oauth/authorize?client_id=your_client_id&redirect_uri=your_callback&response_type=code&scope=openid%20profile&code_challenge=your_challenge&code_challenge_method=S256"

Exchange the authorization code for tokens:

curl -X POST "$BASE_URL/oauth/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=authorization_code&code=received_code&redirect_uri=your_callback&client_id=your_client_id&code_verifier=your_verifier"

Expect an access token, ID token (JWT), and optional refresh token.

4) Start an LNURL-Auth session

Create a session and show the LNURL to the user:

curl -X POST "$BASE_URL/api/lnurl-auth/create" \
  -H "Accept: application/json"

Poll for completion after the user scans the LNURL with a Lightning wallet:

curl "$BASE_URL/api/lnurl-auth/check/your_session_id"

5) Verify JWTs

Fetch JWKS:

curl "$BASE_URL/oauth/jwks.json"

Verify with Python (example uses PyJWT):

import jwt
import requests

jwks = requests.get("https://your-hodlxxi-deployment.com/oauth/jwks.json", timeout=10).json()
public_key = jwt.algorithms.RSAAlgorithm.from_jwk(jwks["keys"][0])
claims = jwt.decode(your_jwt, public_key, algorithms=["RS256"], audience="your_audience")
print(claims)

6) Monitor health and metrics

Check liveness and OAuth system status endpoints:

curl "$BASE_URL/health"
curl "$BASE_URL/oauthx/status"

Code examples

Register a client from a JSON template

curl -X POST "$BASE_URL/oauth/register" \
  -H "Content-Type: application/json" \
  -d @templates/oauth-client.json

Create LNURL session and poll

session_json=$(curl -s -X POST "$BASE_URL/api/lnurl-auth/create")
session_id=$(python3 -c 'import json,sys; print(json.loads(sys.argv[1])["session_id"])' "$session_json")
curl "$BASE_URL/api/lnurl-auth/check/$session_id"

Best practices

Always use HTTPS and verify TLS certificates in production.
Keep client secrets in a secrets manager or environment variables.
Use PKCE for public clients and rotate secrets for confidential clients.
Treat LNURL sessions as single-use and enforce short TTLs.
Validate aud, iss, and exp claims for JWTs.

Advanced features

Use /oauthx/docs for live OAuth/OIDC API documentation.
Use /oauthx/status to monitor database and LNURL session health.
Rotate JWKS keys via the server configuration (JWKS directory + rotation days).

Minimal Inter-Agent Execution (MVP)

This agent now supports a minimal signed agent-to-agent execution loop as a protocol-oriented extension to the existing identity/auth surface.

Other agents can:

send a signed job_proposal to POST /agent/message
have the receiving agent verify the message signature
have the receiving agent execute the requested supported job
receive a signed result envelope in response
verify the returned signature

Current MVP boundaries:

no negotiation yet
no discovery yet
no escrow/dispute yet
no autonomous spending

PAYG billing for OAuth clients

Paid API calls are billed per OAuth client_id (agent/app), not per session pubkey. When balance or free quota is exhausted, paid endpoints return HTTP 402 with a Lightning top-up path.

Billing endpoints (OAuth token required)

POST /api/billing/agent/create-invoice
POST /api/billing/agent/check-invoice

Example create invoice:

curl -X POST "$BASE_URL/api/billing/agent/create-invoice" \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"amount_sats": 1000}'

Example check invoice:

curl -X POST "$BASE_URL/api/billing/agent/check-invoice" \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"invoice_id": "your_invoice_id"}'

402 response shape

When a paid endpoint is called with insufficient balance, expect:

{
  "ok": false,
  "error": "payment_required",
  "code": "PAYMENT_REQUIRED",
  "client_id": "your_client_id",
  "cost_sats": 1,
  "balance_sats": 0,
  "create_invoice_endpoint": "/api/billing/agent/create-invoice",
  "hint": "Top up via Lightning PAYG"
}

Supporting files

scripts/verify_signature.py validates LNURL-Auth signatures locally.
HEARTBEAT.md describes periodic health checks for the deployment.
templates/oauth-client.json provides a ready client registration payload.

Optional helper script

Use scripts/verify_signature.py to validate LNURL signatures locally. Install the dependency first:

python -m pip install ecdsa
python scripts/verify_signature.py --k1 \x3Chex> --signature \x3Chex> --pubkey \x3Chex>

Usage Guidance

This skill appears internally consistent for integrating a HODLXXI OIDC/LNURL-Auth identity surface. Before installing: (1) only point BASE_URL to a deployment you trust (the skill will send auth flows and tokens there); (2) keep client_secret and access tokens in a secrets manager and avoid pasting them into logs or chat; (3) run pip installs in a virtualenv and pin versions to reduce supply-chain risk; (4) review the verify_signature.py script if you plan to run it (it depends on ecdsa and expects raw/DER signatures); (5) be cautious about enabling any automatic acceptance/execution of incoming signed job proposals—do not auto-execute jobs from untrusted agents. If you need higher assurance, request the skill author/package maintainer to provide pinned dependency versions, release artifacts on a known source (GitHub release tag), and more detailed security docs for the inter-agent execution protocol.

Capability Analysis

Type: OpenClaw Skill Name: hodlxxi-bitcoin-identity Version: 0.1.1 The skill bundle provides a legitimate integration for the HODLXXI Bitcoin identity layer, supporting OAuth2/OIDC, LNURL-Auth, and inter-agent communication. The included Python script (scripts/verify_signature.py) is a standard cryptographic utility for signature verification using the ecdsa library, and the instructions in SKILL.md follow standard authentication protocols without any evidence of data exfiltration, malicious execution, or prompt injection. All network calls are directed to user-configurable or service-specific endpoints (hodlxxi.com) for authentication and health checks.

Capability Assessment

✓ Purpose & Capability

Name/description (HODLXXI Bitcoin identity, OIDC, LNURL-Auth, JWT) match the provided instructions, templates, and verify_signature helper. Declared dependencies (python, ecdsa, pyjwt, requests, curl) are expected for the documented flows.

✓ Instruction Scope

SKILL.md limits actions to interacting with the configured BASE_URL, registering OAuth clients, performing OAuth flows, starting/polling LNURL-Auth sessions, fetching JWKS, and optional signed inter-agent message round-trips. It does not instruct the agent to read unrelated system files or to exfiltrate data to unexpected endpoints. The inter-agent execution feature is explicitly scoped as a minimal signed protocol (no autonomous spending or negotiation).

ℹ Install Mechanism

This is an instruction-only skill with no installer; it recommends pip installing ecdsa, pyjwt, and requests. Installing PyPI packages is expected for the provided Python helper script but carries the usual supply-chain considerations (use virtualenv/locking/pinning in production).

✓ Credentials

The skill declares no required environment variables or credentials. The instructions legitimately require OAuth client_id/client_secret and an access token when calling billing endpoints; those are appropriate and the doc explicitly advises storing secrets securely.

✓ Persistence & Privilege

The skill does not request always:true, does not modify other skills, and includes no install-time persistence. Autonomous model invocation remains allowed (platform default) but the skill's instructions do not ask for elevated system privileges.

Version History

v0.1.1

- Added support for a minimal signed inter-agent execution protocol: agents can now send signed job proposals and receive signed results via `/agent/message`. - Expanded the description and overview to include agent-to-agent execution alongside identity/auth features. - Clarified the MVP boundaries for inter-agent execution (no negotiation, discovery, or escrow yet). - No changes to core OAuth/LNURL-Auth authentication flow or installation steps. - Documentation improvements reflecting new functionality and protocol orientation.

v0.1.0

Initial release of HODLXXI Bitcoin-native identity provider integration. - Bridges OAuth2/OIDC and Lightning LNURL-Auth for agent registration, authentication, and identity flows. - Supports JWT verification via JWKS endpoint and provides health/status monitoring endpoints. - Includes code examples, best practices, and advanced usage documentation. - Introduces per-client billing via Lightning payments and 402 response handling. - Provides helper scripts and templates for easier client integration and signature verification.

Metadata

Slug hodlxxi-bitcoin-identity

Version 0.1.1

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 2

Frequently Asked Questions

What is Bitcoin Identity?

Integrate HODLXXI as a Bitcoin-native identity provider that bridges OAuth2/OIDC, Lightning LNURL-Auth, and a minimal signed inter-agent execution loop for s... It is an AI Agent Skill for Claude Code / OpenClaw, with 1590 downloads so far.

How do I install Bitcoin Identity?

Run "/install hodlxxi-bitcoin-identity" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Bitcoin Identity free?

Yes, Bitcoin Identity is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Bitcoin Identity support?

Bitcoin Identity is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Bitcoin Identity?

It is built and maintained by hodlxxi (@hodlxxi); the current version is v0.1.1.

More Skills

Bitcoin Identity