OPEN-SOURCE PROTOCOL · IETF DRAFT-PRAKASH-AIP

Agent Identity
Protocol.

One token answers five questions: who authorized this, through which agents the delegation flowed, what scope applied at each hop, what happened, and whether it was independently verified.

Quickstart → GitHub Paper PyPI IETF
AIP delegation chain Four nodes: User, Orchestrator, Research-analyst, Search Tool. A signed token flows from left to right. Scope narrows from two tools and five dollars to one tool and one dollar. The Search Tool node shows a green checkmark indicating successful verification. USER ORCHESTRATOR orch-key SPECIALIST rsch-key TOOL tool:search tool:email $5.00 tool:search $1.00 attenuates

// scope narrows at each hop · chain verifies in 0.049 ms

0.049 ms Rust compact verify
0.086% overhead on Gemini 2.5 Flash
600 / 600 adversarial attacks rejected
217 Python + Rust (160 + 57)
829 PyPI installs (last 30d)

The auth gap

A scan of approximately 2,000 MCP servers found zero authentication. MCP recently added OAuth 2.1, but it covers only single-hop auth: when an orchestrator delegates to a specialist that calls a tool, the delegation chain disappears.

A2A is worse. Agent identities are self-declared strings in aip_identity fields with no cryptographic attestation. Any agent can claim to be any other agent.

The fix

AIP gives every agent a cryptographic identity. Three ways to adopt, smallest change first:

  1. Drop-in proxy — point your MCP/A2A traffic at the AIP Gateway. No agent code change.
  2. Framework adapter — one-line setup for CrewAI, Google ADK, or LangChain.
  3. SDK — Python, Rust, or TypeScript; build identity in directly.
pip install aip-agents[crewai]
# python
from aip_agents.adapters.crewai import CrewAIPlugin

plugin = CrewAIPlugin(app_name="my-app")
plugin.setup(crew)  # every agent gets a cryptographic identity
headers = plugin.get_auth_headers("researcher")
# python
from aip_agents.adapters.adk import ADKPlugin

plugin = ADKPlugin(app_name="my-app")
plugin.setup(root_agent)
headers = plugin.get_auth_headers("specialist")
# python
from aip_agents.adapters.langchain import LangChainPlugin

plugin = LangChainPlugin(app_name="my-app")
plugin.register(executor, name="researcher")
headers = plugin.get_auth_headers("researcher")
// typescript
import { AIPLangChainPlugin } from "@aip-sdk/agents";

const plugin = new AIPLangChainPlugin();
await plugin.register(agentExecutor, "search-agent");
const headers = await plugin.getToolCallHeaders("search-agent");
# python (core SDK)
from aip_core.crypto import KeyPair
from aip_token.claims import AipClaims
from aip_token.compact import CompactToken
import time

kp = KeyPair.generate()
claims = AipClaims(
    iss="aip:key:ed25519:" + kp.public_key_multibase(),
    sub="aip:web:example.com/tools/search",
    scope=["tool:search"],
    budget_usd=1.0, max_depth=0,
    iat=int(time.time()), exp=int(time.time()) + 3600,
)
token = CompactToken.create(claims, kp)
headers = {"X-AIP-Token": token}

Four pillars

Identity

Every agent gets an Ed25519 keypair and an AIP identifier. DNS-based or self-certifying. No certificate authority needed.

Delegation

Append-only Biscuit chain. Bounded depth. Every hop signs its delegation and records a mandatory context string.

Scope & Budget

Datalog policies in three profiles (Simple / Standard / Advanced). Holder-side attenuation: scope only narrows, never widens.

Audit & Provenance

Completion blocks record outcome, cost, and verification status. The completed token answers who, through whom, with what scope, and what happened.

Also: two token modes (compact / chained), MCP and A2A protocol bindings, structured error codes, key rotation via overlapping validity windows.

How delegation works

Each hop appends a new Biscuit block that can only narrow the scope of the previous block. The token is append-only: you add restrictions, never remove them. If any block is tampered with, the entire chain is rejected.

Full delegation chain with tamper case and Datalog policies A four-hop chain showing block 0 authority, block 1 delegation with attenuated scope, block 2 completion. Below, the same chain with a tampered block shown in red and a rejected tool. To the right, the four canonical Datalog policy checks. HAPPY PATH USER ORCHESTRATORblock 0: authority SPECIALISTblock 1: delegation SEARCH TOOL scope: [tool:search, tool:email] budget: $5.00 max_depth: 3 scope: [tool:search] budget: $1.00 context: "research climate" block 2 completion: cost $0.03, status: self_reported, tokens: 1200 TAMPER REJECTED USER ORCHESTRATORblock 0 ok SPECIALISTblock 1 TAMPERED SEARCH TOOL any tampered block rejects the entire chain SIMPLE PROFILE // canonical Datalog checks check if tool($t), ["search","email"].contains($t); check if budget($b), $b <= 500; check if depth($d), $d <= 3; check if time($t), $t <= 2026-05-25T13:00:00Z; // 90% of deployments never write // Datalog by hand

Works with

Python SDK Rust SDK TypeScript SDK CrewAI Google ADK LangChain Claude Code OpenClaw
AIP Gateway (drop-in proxy) MCP A2A HTTP

Guides

Quickstart

Zero to working auth in five minutes. Install, generate keys, secure your agents.

Get started →

CrewAI

Add cryptographic identity to your CrewAI agents and crews.

Read guide →

Google ADK

Identity and delegation for ADK agent hierarchies.

Read guide →

LangChain

Secure LangChain executors and multi-agent supervisors.

Read guide →

A2A Integration

Cryptographic identity and delegation for agent-to-agent calls.

Read guide →

MCP Auth Proxy

Drop-in auth for any MCP server. Zero code changes.

Read guide →

Delegation Patterns

Multi-agent delegation, scope attenuation, and chain verification.

Read guide →

See also: Specification · Interactive Paper

Research

The protocol design, experiments, and adversarial evaluation are described in the AIP paper. AIP is part of a multi-agent trust stack with three companion papers.

AIP: Agent Identity Protocol for Verifiable Delegation Across MCP and A2A

Sunil Prakash arXiv:2603.24775 · 2026

0.049 ms verification in Rust. 0.086% overhead in real LLM multi-agent chains. 100% rejection across 600 / 600 adversarial attacks in 6 categories.

Paper IETF Draft Spec
Related papers (trust stack)

The Provenance Paradox in Multi-Agent LLM Routing

arXiv:2603.18043 · 2026

Paper

LDP: An Identity-Aware Protocol for Multi-Agent LLM Systems

arXiv:2603.08852 · 2026

Interactive paper arXiv

DCI: Structured Collective Reasoning with Typed Epistemic Acts

arXiv:2603.11781 · 2026

Interactive paper arXiv