AgentPKI Protocol — published specifications

Two product lines. Core protocol (v0.1 → v0.3-intent): cryptographic identity for AI agents — passports, signing, verification, trust tiers, intent declarations. AgentPKI Provenance (v0.1, new): agent-signed content provenance built on C2PA — text, code, images, audio, video, with HTTP-header and sidecar delivery. All versions additive.

v0.3 intent · 2026-06-08 · draft, active (new)

Declare-and-audit bot intent against any site. Adds an intent claim to the passport, a site-side /.well-known/agentpki-intent-policy.json for accepted/denied/throttled intents, and a hash-chained public audit log. Bots working *for* you or *against* you become cryptographically distinguishable.

What's new in v0.3

  • Added: canonical intent vocabulary (purchase, monitor, scrape-bulk, …)
  • Added: site policy document at /.well-known/agentpki-intent-policy.json
  • Added: verifier intent_match field in the /v1/verify response
  • Added: hash-chained public audit log and witness model (RFC 6962-inspired)
  • Note: additive over v0.2, no wire-format changes
Read v0.3-intent draft

v0.2 (operational baseline) · published 2026-05-27 · draft, active

Adds a production operational layer: a KV-backed issuer directory cache with explicit TTL hints, a full Certificate Revocation List (CRL) format, Mode B replay detection via a Durable Object, an abuse aggregation reporting endpoint, and an extended verifier response schema (crl_fresh, replay_checked, cached_until).

What's new since v0.1

  • Added: tiered issuer directory caching (memory → KV → origin)
  • Added: CRL document format, verifier behavior and caching rules
  • Added: Durable-Object-backed replay detection for Mode B
  • Added: POST /v1/abuse/report aggregation endpoint
  • Added: same-zone Worker fetch trap documented, with the service-binding fix
  • Note: fully backward-compatible with v0.1, no wire-format changes
Read v0.2 spec

v0.1 · published 2026-05-21 · draft, stable

The protocol core: passport token format (PASETO v4), Ed25519 signing, issuer directory at /.well-known/agentpki-issuer.json, three trust tiers (T1 DNS, T2 KYB, T3 hardware), Mode A bearer + Mode B RFC 9421 signed wire formats, verification procedure, capability scoping.

What v0.1 defines

  • Passport token format (PASETO v4.public + Ed25519)
  • Issuer identity + trust tier model
  • Mode A bearer header + Mode B HTTP Message Signatures
  • Verification procedure (12 steps) + edge SLA expectations
  • Capability scoping vocabulary
  • Bridges to MCP, A2A, Kite, SPIFFE, OWASP ANS
Read v0.1 spec

License

Apache License 2.0

Patent grant included. Forkable, embeddable, no rug-pull.

Repository

github.com/agentpki/spec

Source markdown, issue tracker, contribution guidelines.

SDKs implementing this protocol

@agentpki/sdk (npm), agentpki (PyPI)

v0.1.x supports v0.1; v0.2.x adds v0.2 features.

reference flows

Animated walkthroughs

Six click-by-click walkthroughs of the protocol and the commercial surfaces it sits on. Each one lives where you'd actually use it.

Flow | What it shows | Lives on
Allow | Successful mint → verify → allow. The happy-path trust contract. | /how-verification-works
Tampered | Adversary flips signature bytes; verifier returns deny / bad_signature. | /how-verification-works
Revoked | Old signature valid, but the CRL says the kid was revoked; verifier returns deny / revoked_key. | /how-verification-works
Mode B replay | Bundled passport + signed request. The Durable Object catches the second use. | /replay
Subscribe + provision | Stripe Checkout → webhook → automatic key provisioning → email with API key. | /pricing
Magic-link sign-in | No password. Email → one-time signed token → HttpOnly cookie. | /account

See the protocol in action.

Anyone can run the full mint → verify pipeline against the production deployment in their browser.

Watch the live demo
