v0.1.0 Draft Specification

The identity layer for AI agents

Open protocol for agent identity, authentication and access control. Three questions no existing standard answers: which agent is this, who owns it, and what can it do.

No standard exists for agent identity
OAuth solved user-to-app delegation. OpenID solved user identity. Nothing solves agent-to-service identity.

Which agent is this?

Services can't cryptographically verify which agent is making a request. API keys have no ownership tracing. OAuth tokens weren't designed for autonomous agents.

Who's accountable?

When an anonymous agent spams 100K form submissions, there's no way to trace it back to an accountable human or organisation. No verification, no recourse.

What's it permitted to do?

Agent A spawns Agent B which calls your API. You have zero visibility into the delegation chain, the original authoriser, or the scope of permissions granted.

Register. Authenticate. Verify.
Agents get signed identity tokens. Services verify them offline using cached public keys. The registry is the trust anchor.
01. Register an agent

Owner verifies their identity (email, domain DNS, or KYB). Creates an agent with declared capabilities. The registry issues an ES256 keypair and a globally unique agent_id.

02. Self-sign an identity token

The agent signs an Agent Identity Token (AIT) — a JWT carrying its identity, owner verification, capabilities, and delegation chain. No round-trip to the registry required.

03. Service verifies the token

The receiving service checks the AIT signature against cached public keys, verifies revocation status, enforces its access tier policy and per-agent rate limits. Works offline.

Every claim in a single JWT
ES256-signed, verifiable offline, 24h max lifetime. Carries agent identity, owner accountability, declared capabilities, and full delegation chain.
ait-payload.json

{
  "agent_id": "ag_7xK9m2nP4qRtL8",
  "agent_name": "AcmeBookingAgent",
  "owner_id": "own_T1mR4xBq9",
  "owner_name": "Acme Inc",
  "owner_type": "org",
  "verification_level": "domain",
  "capabilities": ["form:submit", "calendar:read"],
  "delegation_chain": [
    { "principal_type": "user", "principal_id": "usr_john_abc", "scopes": ["calendar:read"] }
  ],
  "iss": "https://registry.agentidp.dev",
  "aud": "https://api.example.com",
  "exp": 1740003600
}

(verification_level "domain" is Level 2 of 3; the annotation is kept outside the payload because JSON has no comment syntax.)
Authenticate agents in minutes
SDKs for both sides of the interaction. Minimal setup, no complex OAuth flows.
agent-sdk.ts

import { AgentAuth } from "@agentidp/sdk";

const auth = new AgentAuth({
  agentId: "ag_7xK9m2nP4qRtL8",
  privateKey: process.env.AGENT_PRIVATE_KEY,
});

// Get a fresh AIT for a target service
const token = await auth.getToken({ audience: "https://api.example.com" });

// Standard Bearer token
await fetch("https://api.example.com/submit", {
  headers: { Authorization: `Bearer ${token}` },
});
service-middleware.ts

import express from "express"; // assumed: the snippet's `app` is an Express app
import { agentIdMiddleware } from "@agentidp/verify";

const app = express();

// One middleware to protect your endpoint
app.post(
  "/api/submit",
  agentIdMiddleware({
    accessTier: "authenticated",
    minVerificationLevel: 2,
    rateLimit: { requestsPerHour: 100, scope: "agent_id" },
  }),
  (req, res) => {
    console.log(req.agent.owner_name); // "Acme Inc" — domain-verified
  }
);
Purpose-built for autonomous agents
Not a retrofit of OAuth. Designed from scratch for the agentic era.
Core

Agent Identity Token

ES256-signed JWT carrying agent identity, owner verification, capabilities, and delegation chain. Verifiable offline with cached public keys.

Trust

Owner Verification

Four levels from email to full KYB. Every agent traces to a verified human or organisation. Services set minimum verification requirements per endpoint.

Access

Three Access Tiers

Open (any agent), Authenticated (registered agents), Permissioned (allowlisted only). Simple enough for a product manager to configure.

Core

Delegation Chains

Transparent multi-hop delegation with scope attenuation. See the full chain from user to orchestrator to sub-agent in every token.

Security

Real-Time Revocation

Instant agent revocation via registry. CRL and OCSP-style stapling for high-throughput services. Graduated abuse response.

Ecosystem

Framework Agnostic

Works with LangChain, CrewAI, AutoGen, MCP, or custom agents. SDKs for both agent-side and service-side integration.

How AgentIDP compares
AgentIDP is an open protocol with a full-stack implementation. No current competitor does both.
| Feature                       | AgentIDP    | OAuth 2.0     | Auth0 / Descope |
|-------------------------------|-------------|---------------|-----------------|
| Agent-native identity         | Yes         | No            | Retrofitted     |
| Owner accountability (KYB)    | Built-in    | No            | No              |
| Delegation chain transparency | In-token    | No            | No              |
| Per-agent rate limiting       | Native      | Per-client    | Per-client      |
| Open protocol                 | Apache 2.0  | RFC 6749      | Proprietary     |
| Public registry               | Yes         | No            | No              |
| Offline verification          | Cached keys | Introspection | Depends         |

The spec is open. Feedback welcome.

AgentIDP is in draft. We're looking for feedback from agent builders, API providers, and security researchers.