AIP: Agent Identity Protocol for Verifiable Delegation Across MCP and A2A
0.049ms verification in Rust. 0.086% overhead in real LLM multi-agent chains. 100% rejection across 600 adversarial attacks in 6 categories.
Open-source protocol
Agent Identity Protocol
Your AI agents have no identity. AIP fixes that. Cryptographic delegation tokens for MCP and A2A, with scoped authorization and audit trails.
The problem
A scan of ~2,000 MCP servers found zero authentication. MCP recently added OAuth 2.1, but it only covers single-hop auth. When an orchestrator delegates to a specialist that calls a tool, the delegation chain disappears. Nobody knows who authorized what.
A2A is worse: agent identities are self-declared strings with no cryptographic attestation. Any agent can claim to be any other agent.
The fix
AIP gives every agent a cryptographic identity. A single token answers: who authorized this, through which agents, with what scope at each hop. No blockchain, no wallet UX. Ed25519 keys and append-only token chains.
pip install aip-agents[crewai]from aip_agents.adapters.crewai import CrewAIPlugin
plugin = CrewAIPlugin(app_name="my-app")
plugin.setup(crew) # every agent gets a cryptographic identity
headers = plugin.get_auth_headers("researcher") # signed token for tool callsfrom aip_agents.adapters.adk import ADKPlugin
plugin = ADKPlugin(app_name="my-app")
plugin.setup(root_agent) # walks the agent tree, assigns identities
headers = plugin.get_auth_headers("specialist")from aip_agents.adapters.langchain import LangChainPlugin
plugin = LangChainPlugin(app_name="my-app")
plugin.register(executor, name="researcher")
headers = plugin.get_auth_headers("researcher")from aip_core.crypto import KeyPair
from aip_token.claims import AipClaims
from aip_token.compact import CompactToken
import time
kp = KeyPair.generate()
claims = AipClaims(
iss="aip:key:ed25519:" + kp.public_key_multibase(),
sub="aip:web:example.com/tools/search",
scope=["tool:search"],
budget_usd=1.0,
max_depth=0,
iat=int(time.time()),
exp=int(time.time()) + 3600,
)
token = CompactToken.create(claims, kp)
headers = {"X-AIP-Token": token}What you get
Cryptographic identity
Every agent gets an Ed25519 keypair and an AIP identifier. DNS-based or self-certifying. No certificate authority needed.
Scoped delegation
When agents delegate, each hop can only narrow scope, never widen. Budget, tool access, and depth limits attenuate cryptographically.
MCP and A2A auth
Signed X-AIP-Token headers for MCP. Identity fields and token metadata for A2A. HTTP binding for everything else.
Audit trail
Every token records the full delegation chain. Who authorized what, through which agents, with what scope. Structured JSON logging.
Two token modes
Compact (JWT + EdDSA) for single-hop. Chained (Biscuit + Datalog) for multi-agent delegation. Start simple, upgrade when you need it.
Policy profiles
Simple (auto-generated), Standard (curated Datalog), Advanced (full Datalog). 90% of use cases never write Datalog by hand.
How delegation works
Each hop in a delegation chain creates a new Biscuit block that can only narrow the scope of the previous block. The token is append-only: you can add restrictions, never remove them.
Orchestratorsearch, email, browse | $5.00
→
Researchersearch | $1.00
→
Tool Serververifies full chain
The researcher can search but not email. Its budget is $1.00, not $5.00. The tool server verifies every signature in the chain before granting access. If any block is tampered with, the entire chain is rejected.
Guides
Quickstart
Zero to working auth in 5 minutes. Install, generate keys, secure your agents.
Get started →Research
The protocol design, experiments, and adversarial evaluation are described in the AIP paper. AIP is part of a multi-agent trust stack with three companion papers.