| Internet-Draft | AIP | March 2026 |
| Prakash | Expires 28 September 2026 | [Page] |
This document specifies the Agent Identity Protocol (AIP), a protocol for verifiable, delegable identity for AI agent systems. AIP introduces Invocation-Bound Capability Tokens (IBCTs) that bind identity, authorization, scope constraints, and provenance into a single cryptographic artifact. Two token modes are defined: a compact mode using JSON Web Tokens (JWT) with Ed25519 signatures for single-hop interactions, and a chained mode using Biscuit tokens with append-only blocks and Datalog policy evaluation for multi-hop delegation chains. Protocol bindings are specified for the Model Context Protocol (MCP), Agent-to-Agent Protocol (A2A), and generic HTTP APIs. The protocol addresses authentication gaps in current AI agent infrastructure where a survey of approximately 2,000 MCP servers found all lacked authentication.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 28 September 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.¶
AI agent systems are increasingly deployed in multi-agent architectures where an orchestrator decomposes tasks and delegates subtasks to specialist agents. The protocols enabling this communication, notably the Model Context Protocol (MCP) and the Agent-to-Agent Protocol (A2A), solve the connectivity problem but do not solve the identity problem.¶
MCP provides no built-in authentication layer. A2A uses self-declared identities with no attestation mechanism. OAuth 2.1, recently added to MCP, covers single-hop client-to-server authentication but does not address multi-hop delegation chains. When an orchestrator delegates to a specialist that calls a tool, the delegation chain that led to the tool invocation is lost.¶
AIP fills this gap by introducing Invocation-Bound Capability Tokens (IBCTs) that answer four questions for every agent action: who authorized this action, through which delegation chain, with what constraints at each hop, and what was the outcome.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
AIP defines two identifier schemes for agent identity:¶
DNS-based identifiers follow the format:¶
aip:web:<domain>/<path>¶
Example: aip:web:example.com/agents/research-analyst¶
DNS-based identifiers are suitable for long-lived agents with stable domain ownership. Identity documents are resolved via HTTPS at a well-known path.¶
aip:key:ed25519:<multibase-encoded-public-key>¶
Self-certifying identifiers derive identity from the public key itself. They are suitable for ephemeral agents that do not require DNS infrastructure. The identifier is deterministically computed from the Ed25519 public key using multibase encoding.¶
Each agent with a DNS-based identifier MUST publish an identity document at:¶
https://<domain>/.well-known/aip/<path>.json¶
The identity document is a JSON object containing:¶
aip: Protocol version (MUST be "1.0")¶
id: The agent's AIP identifier¶
public_keys: Array of public key objects with validity windows¶
name: Human-readable agent name¶
delegation: Delegation preferences¶
protocols: Supported protocol bindings¶
document_signature: Ed25519 signature over the canonicalized document¶
expires: Document expiration timestamp¶
The document MUST be self-signed. Verification uses JSON Canonicalization Scheme (JCS) [RFC8785]: remove the document_signature field, canonicalize the remaining JSON, and verify the Ed25519 signature against a currently-valid public key.¶
AIP defines two token modes that share a common identity scheme but differ in delegation capability.¶
Compact mode tokens are JSON Web Tokens [RFC7519] signed with Ed25519 (EdDSA). They support single-hop interactions only.¶
Header:¶
{"alg": "EdDSA", "typ": "aip+jwt"}
¶
Claims:¶
iss: Issuer AIP identifier (REQUIRED)¶
sub: Subject/holder AIP identifier (REQUIRED)¶
scope: Array of authorized capabilities (REQUIRED)¶
budget_usd: Authorization budget ceiling in USD (REQUIRED)¶
max_depth: Maximum delegation depth, 0 for no further delegation (REQUIRED)¶
iat: Issued-at timestamp (REQUIRED)¶
exp: Expiration timestamp (REQUIRED)¶
Token lifetime SHOULD be less than one hour. Both iss and sub MUST be valid AIP identifiers.¶
Chained mode tokens use Biscuit [BISCUIT] tokens with append-only blocks and Datalog policy evaluation. They support multi-hop delegation with cryptographic scope attenuation.¶
A chained token consists of ordered blocks:¶
Scope attenuation is a fundamental security property of AIP. At each delegation step, scope can only narrow or remain equal, never widen. This applies across four dimensions:¶
Verifiers MUST check attenuation at every hop in the delegation chain. A wildcard (*) in the parent permits any specific value in the child, but a specific value in the parent MUST NOT widen to a wildcard in the child.¶
Chained mode tokens support three policy profiles of increasing expressiveness:¶
Budget values in AIP tokens represent per-token authorization ceilings, NOT running balances. A delegator asserts "I authorize up to $X for this task" at delegation time. The verifier checks that the budget is non-negative but does NOT track cumulative spending. Aggregate budget enforcement is the responsibility of the orchestration platform at runtime. Completion blocks record actual cost_usd for audit purposes.¶
AIP tokens are transported in MCP via the X-AIP-Token HTTP header:¶
X-AIP-Token: <compact-or-chained-token>¶
For tokens exceeding 4KB, token-by-reference is supported:¶
X-AIP-Token-Ref: https://issuer/.well-known/aip/tokens/<id>¶
MCP servers verify tokens in five steps: (1) extract token, (2) verify signatures against issuer identity document, (3) check requested tool against token scope, (4) validate chain constraints for chained tokens, (5) inject verified identity into request context.¶
Nine error codes are defined with appropriate HTTP status mappings: 401 for authentication failures (token_missing, token_malformed, signature_invalid, identity_unresolvable, token_expired, key_revoked) and 403 for authorization failures (scope_insufficient, budget_exceeded, depth_exceeded).¶
Servers declare AIP requirements via the require_aip field in their identity document's protocols.mcp configuration.¶
In A2A interactions, AIP tokens are transported in the metadata.aip_token field of task submissions. Agent cards are extended with an aip_identity object containing the agent's AIP identifier and document URL.¶
The A2A verification flow adds a sixth step: the calling agent appends a delegation block with attenuated scope before sending the task, and the receiving agent verifies that the final delegation block delegates to its own AIP identifier.¶
For generic HTTP APIs not using MCP or A2A, tokens are transported via the Authorization header with the AIP scheme:¶
Authorization: AIP <base64url-encoded-token>¶
Token-by-reference uses the X-AIP-Token-Ref header with a 5-second fetch timeout and SSRF protection (reject reference URLs outside expected domain patterns).¶
Block 0 declares max_depth (default: 3). Each delegation block increments effective depth by 1. If current depth equals max_depth, further delegation is forbidden. In compact mode, max_depth of 0 means the holder MUST NOT delegate further.¶
Each delegation block MUST include a non-empty context field containing a human-readable description of the delegation purpose. Verifiers MUST reject tokens with missing or empty context. This requirement ensures audit trail integrity.¶
For short-lived sub-agents, a parent agent generates an Ed25519 keypair, creates an aip:key: identifier, and appends a delegation block with scoped capabilities and a short TTL (5 minutes RECOMMENDED). The parent's identity document MAY set delegation.allow_ephemeral_grants to false to prevent this.¶
DNS-based identifiers support zero-downtime key rotation through overlapping validity windows on public keys. A new key is published with a future valid_from timestamp. Both keys are valid during the overlap period. Recommended rotation period is 90 days. Cache TTL MUST NOT exceed 5 minutes.¶
Self-certifying identifiers cannot rotate keys; key rotation requires identity replacement, which is acceptable for ephemeral agents.¶
AIP prefers short-lived tokens over revocation infrastructure. Compact mode tokens SHOULD have a TTL under 1 hour, making revocation generally unnecessary. For chained mode, key revocation (removing a key from the identity document) invalidates all tokens signed by that key. Token-specific revocation via Certificate Revocation Lists is deferred to v2.¶
A completion block is the final block in a chained token, signed by the executing agent. It contains:¶
status: REQUIRED. One of "completed", "failed", or "partial".¶
result_hash: REQUIRED. SHA-256 hash of the output in format "sha256:<hex>".¶
verification_status: REQUIRED. One of "self_reported", "tool_verified", "peer_verified", or "human_verified".¶
tokens_used: OPTIONAL. LLM tokens consumed.¶
cost_usd: OPTIONAL. Actual cost incurred.¶
duration_ms: OPTIONAL. Wall-clock execution time.¶
ldp_provenance_id: OPTIONAL. Back-link to LDP provenance record.¶
AIP defines three escalating trust levels for completion data:¶
A completed chained token with a completion block appended is a self-contained audit artifact. It answers five questions without requiring an external database: who authorized (Block 0), through whom (delegation blocks), what constraints (Datalog policies), what happened (completion block), and whether it was verified (verification_status). Audit tokens are tamper-evident, non-repudiable, and verifiable offline using public keys from identity documents.¶
This section addresses the security properties and threat model for AIP.¶
AIP is designed to resist the following attack categories:¶
Experimental evaluation across 600 adversarial attempts in six attack categories showed a 100% rejection rate. Two attack categories (delegation depth violation and audit evasion through empty context) are uniquely addressed by AIP's chained token structure and cannot be detected by standard JWT deployments. Details are reported in the companion paper [AIP-PAPER].¶
AIP v1 mandates Ed25519 exclusively. No algorithm negotiation is supported. This is a deliberate design choice to eliminate downgrade attacks and reduce implementation complexity. Future versions MAY introduce additional algorithms through the protocol version field.¶
Identity document resolution and token-by-reference fetching MUST use HTTPS. Implementations SHOULD enforce TLS 1.3 or later. Token-by-reference URLs MUST be validated against expected domain patterns to prevent SSRF attacks. Fetch timeout SHOULD be 5 seconds.¶
This document requests the following IANA registrations:¶
Registration of the "AIP" HTTP authentication scheme in the "HTTP Authentication Scheme Registry":¶
Registration of the "aip" well-known URI suffix in the "Well-Known URIs" registry:¶
Registration of the "aip+jwt" structured syntax suffix:¶
The Biscuit authorization token specification influenced the chained mode design. The MCP and A2A protocol teams provided the agent communication infrastructure that AIP extends.¶