L1 Identity
L1 is the bedrock. Every higher layer (policy, attestation, bundle, verification, audit) requires an identity rooted here. Six contracts on Base authoritatively name every agent, federate that name out to every other chain, and bind it to the legal owner.
L1 is frozen. The contract bytecode does not change. Mainnet rollout is a re-deploy with the same bytes.
What it does
A name like agent.acme.eth resolves to:
- a deterministic 32-byte node hash,
- the agent’s EVM address on every supported chain,
- the EAS attestation UID that holds its KYA credentials,
- the legal entity that owns the agent.
Networks read these answers through CCIP-Read regardless of which chain they sit on. There is one identity for the agent and one for the entity behind it.
The six contracts
| Contract | Role |
|---|---|
OrisAgentRegistry | Root of the name graph. Owners of names, resolvers, and TTLs. |
OrisAgentKYAResolver | CCIP-Read resolver. Answers queries from any chain. |
OrisCrossChainIndex | Pointer to the EAS UID that holds the KYA credentials. |
OrisReverseRegistrar | EVM address to node lookup. Used by adapters. |
OrisNamespaceManager | Tenant subdomain hierarchy (*.acme.eth). |
OrisAnchorRegistry | Append-only Merkle root commitments from L2, L5, L7. |
All six are deployed on Base. Read paths from other chains (Ethereum, Arbitrum, Optimism, Polygon, Avalanche, BNB Chain, Celo) federate through the resolver via CCIP-Read.
DID format
Every agent has a Decentralized Identifier in the did:ethr namespace:
did:ethr:<chain_id>:<agent_evm_address>The chain id is the chain where the agent’s smart-account wallet is deployed. The EVM address is the smart-account address (ERC-4337). The DID does not depend on the L1 chain.
Identity ladder
| KYA Level | Bound to | Unlocks |
|---|---|---|
| L0 | Anonymous registration | No payments. Read only. |
| L1 | Developer KYB attestation | Single chain, low cap. |
| L2 | User delegation signature | Multi-chain, higher cap. |
| L3 | Thirty days clean behavior | Full autonomy within policy. |
| L4 | Institutional review | Treasury scale, regulator portal. |
L4 is enterprise-only. See KYA requirements for the attestation evidence each level demands.
What flows into the bundle
L1 contributes two fields to every Compliance Bundle:
agent_did— the canonical agent identifier.tenant_node— ENS-style namehash of the parent tenant.
These pin every payment to a single identity that the regulator can inspect later through the sealed envelope.
SDK example
from oris import OrisClient
client = OrisClient(...)
# Register an agent under your tenantagent = client.agents.create( name="procurement-bot", description="Buys cloud compute credits.", tenant="acme.eth",)
print(agent.did) # did:ethr:84532:0xab12...print(agent.tenant_node) # 0x4ec821...d01print(agent.kya_level) # 0import { OrisClient } from 'oris-sdk';
const client = new OrisClient({ ... });
const agent = await client.agents.create({ name: 'procurement-bot', description: 'Buys cloud compute credits.', tenant: 'acme.eth',});
console.log(agent.did); // did:ethr:84532:0xab12...console.log(agent.tenantNode); // 0x4ec821...d01console.log(agent.kyaLevel); // 0Cross-chain reads
A verifier on Arbitrum can resolve an agent registered on Base without a separate RPC trip. The resolver returns a CCIP-Read response that includes a Merkle proof of inclusion against the L1 root.
Verifier (Arbitrum) │ resolve(node) ▼OrisAgentKYAResolver (Base) CCIP-Read response │ ccipRead.url = https://api.useoris.xyz/ccip │ data = (kya_credential, attestation_uid, owner_entity) ▼Verifier checks signature + Merkle proof against L1 anchor on BaseThe verifier does not call Base directly. It calls the gateway, which co-signs the resolver’s answer. Any tampering breaks the signature.
Where to go next
- L2 Policy for how the agent’s spending envelope is anchored.
- Compliance Bundle for how
agent_didandtenant_nodeflow into the signed payload. - Multi-chain feature for the operational picture across all ten supported chains.
- Agent registration guide for a step-by-step KYA Level 0 to Level 3 walkthrough.