Managing Your AI Discovery Identity

An operations guide for understanding, configuring, and maintaining the digital identity that proves your site's AI manifest is authentic.

1. How Identity Works

Every Rootz AI Discovery plugin install generates a unique cryptographic identity — an Ethereum-compatible address derived from a secp256k1 keypair. This identity is used to sign every ai.json manifest and llms.txt your site serves.

When an AI agent reads your /.well-known/ai endpoint, it receives both your structured data and a cryptographic signature proving:

Plugin Install
│
├── Generates secp256k1 keypair (once, on first use)
│     Private key → encrypted AES-256-CBC in wp_options
│     Public key → Ethereum address (your Plugin Wallet)
│
├── Signs ai.json manifest (SHA-256 hash → ECDSA signature)
│
└── Signs llms.txt content (same process)

AI Agent reads /.well-known/ai
│
├── Gets structured data (identity, policies, content)
├── Gets _signature block (signer address, hash, signature)
└── Can verify: "This data was signed by 0xD089...DAfF"

2. Your Plugin Wallet

The Plugin Wallet is your site's persistent cryptographic identity. You'll find it in Settings → AI Discovery → Account & Wallet.

What you'll see

Requirements

Signing requires the PHP GMP extension. Most hosting providers include it. If GMP is not available, the plugin runs in hash-only mode — content hashes are still generated for integrity verification, but no cryptographic signature is produced.

To check: look for "Signing Capability: Active" in the Account tab. If it says "GMP not available," contact your hosting provider to enable the GMP PHP extension.

Your Plugin Wallet address never changes. It's generated once and persists for the life of the installation. If you move to a new server, you can export/import the encrypted key via your database's wp_options table (the rootz_signing_key row), provided the wp-config.php salts stay the same (see Migration under Key Security).

3. Manifest Signing

The plugin does not auto-sign content changes. This is a deliberate security decision.

The signing workflow

  1. You make changes (edit a page, update settings, publish a post)
  2. An admin notice appears: "Content changes detected since last signing"
  3. You review the changes in the What AI Sees tab
  4. You click "Approve & Sign Manifest"
  5. The plugin generates a fresh ai.json, signs it, and stores the signed version

Why not auto-sign? If your site is compromised (FTP hack, injected content, plugin vulnerability), auto-signing would immediately give the attacker a valid signature on their malicious content. The manual approval step ensures a human reviews what gets signed.

What gets signed

The signature block

"_signature": {
  "signer": "0xD089...DAfF",
  "contentHash": "sha256:a1b2c3...",
  "signedAt": "2026-03-20T15:30:00Z",
  "method": "ecdsa-secp256k1",
  "signature": "0x3f4a5b...",
  "authorization": "self-signed"
}

4. Owner Identity & Subscriptions

The Owner Identity is separate from the Plugin Wallet. It represents the person or organization that owns one or more sites.

How it works

  1. Subscribe to a Standard or Pro plan at rootz.global/ai-discovery
  2. After payment, you receive an Owner Identity — a deterministic address derived from your Stripe customer ID
  3. Copy this address into your plugin's Account → Owner Identity field
  4. Click Register This Site — this links your Plugin Wallet to your Owner Identity
  5. Your license status is checked automatically (cached 12 hours)

Owner Identity (you, the person/org)
│
├── Site A: Plugin Wallet 0xAAA...
├── Site B: Plugin Wallet 0xBBB...
└── Site C: Plugin Wallet 0xCCC...

Standard plan: up to 5 sites
Pro plan: up to 25 sites

5. Authorization & Chain of Authority

The authorization field in your signature block tells AI agents how much trust to assign. Authorization is a chain — each level builds on the one below it:

Corporate / Organization Wallet (MetaMask, Multisig, Hardware Wallet)
│
│  "Rootz Corp authorizes this owner to manage AI Discovery for our domains"
│  (on-chain transaction or Data Wallet record)
│
├── Owner Wallet (user's personal wallet)
│   │
│   │  "I authorize these plugin wallets to sign content for my sites"
│   │  (recorded via registry, domain record, or on-chain)
│   │
│   ├── Plugin Wallet A → signs ai.json for site-a.com
│   ├── Plugin Wallet B → signs ai.json for site-b.com
│   └── Plugin Wallet C → signs ai.json for site-c.com
│
└── Verification: anyone can follow the chain back to the corporate wallet

Authorization levels

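| Level       | What it proves                                                                                                      | How to get it                            |
|-------------|---------------------------------------------------------------------------------------------------------------------|------------------------------------------|
| none        | Content hash only. No signature (GMP not available).                                                                | Default without GMP                      |
| self-signed | Same key signs every response. Proves consistency and origin over time.                                             | Automatic with GMP (free tier)           |
| delegated   | An authorizer wallet has delegated trust to this plugin wallet on-chain. Proves organizational authority.           | On-chain transaction from owner wallet   |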

The Owner Wallet

The owner wallet is your wallet — it can be anything that signs Ethereum transactions:

How authorization gets recorded

There are multiple ways to establish the chain of authority. Use whichever fits your organization:

  1. On-chain transaction — the owner wallet writes a data record to Polygon stating "wallet 0xAAA is authorized to sign content for domain.com." This can be done manually with any Ethereum wallet.
  2. Data Wallet — use the Rootz Dashboard to create a public Data Wallet that records the authorization. Anyone can validate it.
  3. Domain record — the authorization is recorded under a DBA name (e.g., "Rootz Corp") linked to the domain.
  4. Registry model — a service like Epistery maintains a registry of authorized wallets, providing a lookup for verification.

You don't need delegated authorization to get started. Most sites operate at self-signed and that's perfectly fine. Self-signed proves the same key controls the same site over time — this is what builds reputation. Delegated authorization adds organizational proof when you need it.

Corporate authorization

For enterprises managing many sites, the chain extends one level higher. A corporate wallet (controlled by the organization, often a multisig) authorizes individual owner wallets, which in turn authorize plugin wallets. This creates a verifiable hierarchy:

Each link in the chain is an on-chain record that anyone can verify independently — no trusted third party required.

This section will expand. Detailed guides for each authorization method — MetaMask delegation, hardware wallet signing, multisig setup, Data Wallet creation, and registry enrollment — are in development. Check back or contact us for early access.

6. Managing Multiple Sites

Each WordPress installation generates its own Plugin Wallet. To manage multiple sites under one identity:

  1. Subscribe to a multi-site plan (Standard 10, Pro 25, etc.)
  2. Copy your Owner Identity address to each site's Account tab
  3. Click "Register This Site" on each one
  4. Check your registration status: rootz.global/api/license/status?identity=0xYOUR_ADDRESS

To remove a site (free up a slot), use the Deactivate option in the Account tab or call the deactivation API.

7. Key Security

How the private key is stored

What to protect

Migration

If you move your site to a new server with the same database and wp-config.php salts, the key migrates automatically. If you change your salts (which WordPress itself warns against), you'll need to generate a new key — your site will get a new Plugin Wallet address.

8. Verifying a Signature

Any Ethereum-compatible library can verify a Rootz AI Discovery signature:

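// Using ethers.js (v6)
const { ethers } = require('ethers');

// await is not allowed at the top level of a CommonJS script, so wrap the steps
async function verifyManifest(url) {
  // Get the manifest
  const response = await fetch(url);
  const manifest = await response.json();

  // Extract signature data
  const { signer, contentHash, signature } = manifest._signature;

  // Recover the address that signed contentHash
  const recoveredAddress = ethers.verifyMessage(contentHash, signature);

  // Compare case-insensitively: the recovered address is EIP-55 checksummed
  return recoveredAddress.toLowerCase() === signer.toLowerCase();
}

verifyManifest('https://example.com/.well-known/ai')
  .then((valid) => console.log(valid)); // true = valid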

You can also use the plugin's built-in verification endpoint:

GET /wp-json/rootz/v1/verify?page=/about
→ { "verified": true, "hash": "sha256:...", "signer": "0x..." }
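
Recovering the signer address is only part of what a consuming agent has to decide. The following added example (not part of the plugin or of the original page) applies verifier-side policy to the _signature block: field validation, trust-on-first-use pinning of the signer per domain, and treating "delegated" as a claim until it is checked independently. The pin store, the result shape, and the assumption that a hash-only block carries no signer are illustrative.

```javascript
// Added example: verifier-side policy checks on a _signature block.
// Field names come from the page; the pin store and result shape are assumptions.
const LEVELS = ['none', 'self-signed', 'delegated'];

function evaluateSignatureBlock(domain, manifest, pins, now = new Date()) {
  const sig = manifest && manifest._signature;
  const problems = [];
  if (!sig) return { trust: 'unsigned', problems: ['missing _signature block'] };

  if (!LEVELS.includes(sig.authorization)) problems.push('unknown authorization level');
  if (!/^sha256:[0-9a-f]{64}$/i.test(sig.contentHash || '')) problems.push('malformed contentHash');

  // Hash-only mode (no GMP): assumed to carry a hash but no signer to pin.
  if (sig.authorization === 'none') {
    return { trust: problems.length ? 'reject' : 'hash-only', problems };
  }

  if (sig.method !== 'ecdsa-secp256k1') problems.push('unexpected method');
  if (!/^0x[0-9a-fA-F]{40}$/.test(sig.signer || '')) problems.push('malformed signer');
  if (!/^0x[0-9a-fA-F]+$/.test(sig.signature || '')) problems.push('malformed signature');
  const signedAt = Date.parse(sig.signedAt);
  if (Number.isNaN(signedAt) || signedAt > now.getTime()) problems.push('bad signedAt');
  if (problems.length) return { trust: 'reject', problems };

  // Trust on first use: self-signed only means something if the signer stays stable.
  const signer = sig.signer.toLowerCase();
  const pinned = pins.get(domain);
  if (pinned && pinned !== signer) {
    return { trust: 'signer-changed', problems: [`pinned ${pinned}, got ${signer}`] };
  }
  pins.set(domain, signer);

  // "delegated" is a claim made in the site's own response; keep it at
  // self-signed until the authorization record has been checked independently.
  return { trust: 'self-signed', claimed: sig.authorization, firstSeen: !pinned, problems };
}

// Constructed sample block (values are not real keys or signatures).
function sampleManifest(signer, authorization = 'self-signed') {
  return { _signature: {
    signer, authorization, method: 'ecdsa-secp256k1',
    contentHash: 'sha256:' + 'ab'.repeat(32),
    signedAt: '2026-03-20T15:30:00Z',
    signature: '0x' + '1c'.repeat(65),
  } };
}
```

Run this after the cryptographic check has passed; a 'signer-changed' result corresponds to the "Plugin Wallet address changed" case in Troubleshooting and should go to manual review rather than silently re-pinning.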

9. Troubleshooting

"Signing Capability: Inactive"

Your hosting provider doesn't have the PHP GMP extension enabled. Contact them to enable it. The plugin still works without it — you just won't get cryptographic signatures.

"Content changes detected" keeps appearing

This means content has changed since the last time you approved the manifest. Go to the What AI Sees tab, review the output, and click Approve & Sign.

Plugin Wallet address changed

This happens if: (1) you changed your wp-config.php salts, (2) the rootz_signing_key option was deleted, or (3) you reinstalled the plugin. The old address is no longer valid. If you had a subscription, register the new wallet under your Owner Identity.

License shows "free" even though I paid

Make sure the Owner Identity address in your plugin matches the one shown on your activation page. Click Refresh License in the Account tab to force a re-check.


Part of the AI Discovery Standard — the open standard for the AI-readable web.