Two product lines. Core protocol (v0.1 → v0.3-intent): cryptographic identity for AI agents — passports, signing, verification, trust tiers, intent declarations. AgentPKI Provenance (v0.1, new): agent-signed content provenance built on C2PA — text, code, images, audio, video, with HTTP-header and sidecar delivery. All versions additive.
Declare-and-audit bot intent against any site. Adds an intent claim to the passport, a site-side /.well-known/agentpki-intent-policy.json for accepted/denied/throttled intents, and a hash-chained public audit log. Bots working *for* you or *against* you become cryptographically distinguishable.
- purchase, monitor, scrape-bulk, …)
- /.well-known/agentpki-intent-policy.json
- intent_match in /v1/verify response
Adds a production operational layer: KV-backed issuer directory cache with explicit TTL hints, full Certificate Revocation List (CRL) format, Mode B replay detection via Durable Object, abuse aggregation reporting endpoint, and extended verifier response schema (crl_fresh, replay_checked, cached_until).
POST /v1/abuse/report aggregation endpoint
The protocol core: passport token format (PASETO v4), Ed25519 signing, issuer directory at /.well-known/agentpki-issuer.json, three trust tiers (T1 DNS, T2 KYB, T3 hardware), Mode A bearer + Mode B RFC 9421 signed wire formats, verification procedure, capability scoping.
When an AI agent creates content — an article, an image, a video, a code snippet — there's currently no cryptographic way to prove which agent did it. AgentPKI Provenance extends C2PA (the Adobe/Microsoft/BBC content credentials standard) with an agent-signing layer: the same Ed25519 passport that proves "this bot is who it says" can now also prove "this bot wrote this paragraph."
Phases 2–7 (reference verifier, SDK, CLI, Provenance Explorer, integration adapters, browser surface) ship Q3–Q4 2026.
Apache License 2.0
Patent grant included. Forkable, embeddable, no rug-pull.
@agentpki/sdk (npm), agentpki (PyPI)
v0.1.x supports v0.1; v0.2.x adds v0.2 features.
reference flows
Six click-by-click walkthroughs of the protocol and the commercial surfaces it sits on. Each one lives where you'd actually use it.
| Flow | What it shows | Lives on |
|---|---|---|
| Allow | Successful mint → verify → allow. The happy-path trust contract. | /how-verification-works |
| Tampered | Adversary flips signature bytes; verifier returns deny / bad_signature. | /how-verification-works |
| Revoked | Old signature valid, but CRL says kid was revoked. deny / revoked_key. | /how-verification-works |
| Mode B replay | Bundled passport + signed request. Durable Object catches the second use. | /replay |
| Subscribe + provision | Stripe Checkout → webhook → automatic key provisioning → email with API key. | /pricing |
| Magic-link sign-in | No password. Email → one-time signed token → HttpOnly cookie. | /account |
Anyone can run the full mint → verify pipeline against the production deployment in their browser.
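The Allow, Tampered, Revoked and Mode B replay flows from the table above, as an added example (not AgentPKI's own code or SDK). It assumes a simplified `payload.signature` token in place of PASETO v4, an in-memory set in place of the Durable Object, constructed `kid` and `nonce` values, and `replay` as the reason name for a reused nonce.

```javascript
// Added example: simplified token (base64url(payload).base64url(sig)), NOT real PASETO v4.
const { generateKeyPairSync, sign, verify } = require("node:crypto");

// Constructed issuer directory, CRL and replay cache (assumed shapes).
const { publicKey, privateKey } = generateKeyPairSync("ed25519");
const issuerKeys = new Map([["key-2026-01", publicKey]]); // kid -> public key
const crl = new Set();        // revoked kids
const seenNonces = new Set(); // in-memory stand-in for the Durable Object

function mint(claims) {
  const payload = Buffer.from(JSON.stringify(claims));
  const sig = sign(null, payload, privateKey); // Ed25519 takes a null digest name
  return `${payload.toString("base64url")}.${sig.toString("base64url")}`;
}

function verifyPassport(token) {
  const deny = (reason) => ({ decision: "deny", reason });
  const [p, s] = String(token).split(".");
  if (!p || !s) return deny("bad_signature");
  const payload = Buffer.from(p, "base64url");
  let claims;
  try { claims = JSON.parse(payload.toString("utf8")); }
  catch { return deny("bad_signature"); }
  // kid is only used to pick a key; nothing else is trusted before verify().
  const key = issuerKeys.get(claims?.kid);
  if (!key || !verify(null, payload, key, Buffer.from(s, "base64url")))
    return deny("bad_signature");
  // A valid signature made with a revoked key is still a deny.
  if (crl.has(claims.kid)) return deny("revoked_key");
  // Record the nonce only after the checks above pass, so forged or
  // revoked tokens cannot burn nonces that belong to legitimate requests.
  if (seenNonces.has(claims.nonce)) return deny("replay"); // assumed reason name
  seenNonces.add(claims.nonce);
  return { decision: "allow", reason: null };
}

// Tampered flow: flip one bit of the signature, leave the payload intact.
function flipSignatureByte(token) {
  const [p, s] = token.split(".");
  const sig = Buffer.from(s, "base64url");
  sig[0] ^= 0x01;
  return `${p}.${sig.toString("base64url")}`;
}
```

The check order matters: signature first, revocation second, replay state last, so only authenticated and unrevoked requests ever write to the replay cache.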