OPEN STANDARD DRAFT v2.0 MAY 2026

Agent Trust Protocol

The cryptographic identity layer for AI agents. Five primitives defining who an agent is, what it may do, what it did, and whether it's been tampered with.

Download Whitepaper → View on GitHub ↗
agent-identity-certificate.json 
{
  "atp_version": "2.0",
  "primitive":  "AIC",
  "agent_id":   "agt_7f3a9c2e...",
  "name":       "SecurityAnalystAgent",
  "version":    "1.4.2",
  "model":      "claude-3-7-sonnet",
  "issued_at":  1747065600,
  "expires_at": 1778601600,
  "issuer": {
    "org":  "ott-cybersecurity",
    "did":  "did:web:lyrie.ai"
  },
  "scope": [
    "read:logs",
    "write:findings",
    "exec:sandboxed"
  ],
  "public_key": {
    "alg": "Ed25519",
    "x":   "MCowBQYDK2VwAy..."
  },
  "signature": "ed25519:3YfKqP2..."
}
The Problem

AI agents have no identity.

Today, any process can claim any identity, and there is no standard mechanism for a system to verify, scope, or audit an AI agent's actions.

No Identity
Any process can claim to be any agent. There is no cryptographic binding between a claimed agent name and its actual implementation or deployment context.
No Scope
No formal definition of what an agent is authorized to do. Permissions are implicit, runtime-evaluated, and unenforceable across trust boundaries and API calls.
No Audit Trail
No attributable, tamper-evident action record. Post-incident investigations cannot establish what an agent did, on whose behalf, or whether logs have been modified.

"CVE-2026-30615 (MCP RCE), unbounded sub-agent privilege escalation, and prompt-injection attacks share a common root cause: AI agents have no cryptographic identity."

— ATP Threat Analysis, §2.1 — Root Cause Classification
Specification

Five primitives. One complete trust model.

ATP defines exactly five data structures. Each addresses a discrete gap in the current AI agent security landscape.

# Name Purpose Key Fields
01 Agent Identity Certificate (AIC) Establishes cryptographic identity for an agent instance. Binds agent name, version, and model to a public key signed by an issuing authority. agent_id public_key issuer signature
02 Scoped Authorization Token (SAT) Defines the precise permission boundary for an agent session. Replaces ambient authority with explicit, time-bounded, cryptographically-signed scope declarations. scope[] resources[] constraints expires_at
03 Tamper-Evident Action Log (TEAL) Append-only, hash-chained record of every action taken by an agent. Each entry is signed by the agent's private key, enabling attribution and forensic reconstruction. entry_hash prev_hash action agent_sig
04 Delegation Receipt (DR) Documents authority transfer when one agent spawns another. Prevents privilege escalation by requiring explicit, signed grants from the parent agent's authorized scope. parent_id child_id delegated_scope chain_depth
05 Runtime Attestation Bundle (RAB) Verifies that the executing environment matches the expected configuration. Binds model hash, tool versions, and system prompt digest to the agent's declared identity at runtime. model_hash prompt_digest tool_manifest platform_sig
Primitive Details

The AIC is the foundational primitive. It is a JSON document conforming to a subset of W3C Verifiable Credentials, signed using Ed25519 (or ECDSA-P256 for hardware-backed keys). The issuer is any entity operating an ATP Authority — a service that validates agent binaries, system prompts, and model configurations before issuing certificates.

  • agent_id — Globally unique, stable identifier. Format: agt_{hex32}
  • name — Human-readable name of the agent, from its manifest.
  • version — SemVer of the agent software. Included in signature.
  • model — Full model identifier (provider:model:version) of the underlying LLM.
  • public_key — Ed25519 public key in SubjectPublicKeyInfo format (base64url).
  • issuer.did — DID of the ATP Authority that issued this certificate.
  • issued_at / expires_at — Unix timestamps. Default validity: 365 days.
  • signature — Detached JWS over canonical JSON-LD serialization of all above fields.

The SAT is issued per-session by the orchestrating system. It is structurally inspired by OAuth 2.0 access tokens but is self-contained and verifiable without a token endpoint. The SAT is presented by an agent when making API calls; receiving services validate the scope before executing.

  • scope — Array of action:resource pairs (e.g., "read:logs", "exec:sandboxed").
  • resources — Optional URI list restricting resource-level access within each scope item.
  • constraints — Structured rate limits, output size caps, and forbidden operations.
  • nonce — One-time use token to prevent replay attacks.
  • bound_to — Must reference a valid AIC agent_id; prevents token theft across agents.

TEAL implements a hash-linked chain analogous to a Certificate Transparency log, but scoped to an individual agent session. Every action (tool call, API request, LLM inference, file write) generates a signed log entry. The chain is anchored to the AIC and SAT at session start.

  • seq — Monotonically increasing sequence number within the session.
  • timestamp — RFC 3339 timestamp with millisecond precision.
  • action_type — Enum: tool_call, llm_inference, file_op, network_req, delegation.
  • payload_hash — SHA-256 of the full action payload (inputs + outputs).
  • prev_hash — Hash of the previous TEAL entry, creating the chain.
  • agent_sig — Ed25519 signature over seq + timestamp + action_type + payload_hash + prev_hash.

When an agent with an active SAT spawns a sub-agent, it must produce a Delegation Receipt. The DR is signed by both the parent agent (proving it willingly delegated) and the ATP Authority (proving the delegation is within the parent's authorized scope). The child's effective scope is the intersection of the DR's delegated_scope and the child's own SAT.

  • parent_agent_id — AIC agent_id of the delegating agent.
  • child_agent_id — AIC agent_id of the receiving agent.
  • delegated_scope — Strict subset of the parent's current SAT scope.
  • chain_depth — Current delegation depth. Authorities may cap this (recommended: 3).
  • parent_sig — Parent's Ed25519 signature over the DR.
  • authority_countersig — ATP Authority countersignature validating the scope reduction.

The RAB solves a distinct problem: an agent may have a valid AIC but be running in a tampered environment (modified system prompt, unexpected tools, different model). The RAB is generated at session start and can be re-requested by verifiers at any point during the session. It ties the runtime state to the agent's declared identity.

  • model_hash — SHA-256 of the full model identifier string (provider-consistent format).
  • prompt_digest — SHA-256 of the system prompt, excluding dynamic injections.
  • tool_manifest — Sorted list of tool names + version hashes the agent has access to.
  • platform_id — Identifier of the execution platform (e.g., anthropic:claude-api:v1).
  • platform_sig — Platform's signature over the RAB (where supported); else self-attested.
  • attest_time — Unix timestamp of attestation generation.
New in ATP v2

ATP v2 — Extended Trust Primitives

Three capabilities added in draft v2.0, addressing enterprise deployment patterns identified in the IETF AIAGENT working group and real-world incident analysis.

Delegation Chains
Cryptographically linked Delegation Receipts forming a verifiable chain from the root orchestrator to any leaf agent. Chain depth limits enforced by ATP Authorities prevent unbounded privilege propagation. Each node in the chain is independently auditable.
RFC 9110 Compatible
Certificate Revocation
ATP Certificate Revocation Lists (ACRLs) and Online Certificate Status Protocol (OCSP) stapling enable real-time AIC invalidation. Supports both hard revocation (agent fully disabled) and scope reduction (emergency permission strip) without key rotation.
OCSP Stapling Support
Multi-Party Authorization
High-risk actions (data exfiltration, external API calls, deployment operations) can be gated on M-of-N human approver signatures before the agent proceeds. Approvals are captured in the TEAL log, creating an immutable consent record for compliance.
M-of-N Threshold Signing
Reference Implementation

Reference Implementation

Official TypeScript SDK. Zero external runtime dependencies. Ships with a full test suite covering all five primitives and all v2 extensions.

Install 
npm install @lyrie/atp
agent-lifecycle.ts 
import {
  ATPAuthority,
  AgentIdentityCertificate,
  ScopedAuthorizationToken,
  TamperEvidentActionLog,
  RuntimeAttestationBundle
} from '@lyrie/atp';

// 1. Issue an Agent Identity Certificate
const authority = new ATPAuthority({
  did: 'did:web:lyrie.ai',
  signingKey: process.env.AUTHORITY_PRIVATE_KEY
});

const aic = await authority.issueAIC({
  name:    'SecurityAnalystAgent',
  version: '1.4.2',
  model:   'anthropic:claude-3-7-sonnet:20250219',
  ttlDays: 365
});

// 2. Mint a Scoped Authorization Token for a session
const sat = aic.mintSAT({
  scope: ['read:logs', 'write:findings', 'exec:sandboxed'],
  ttlMinutes: 60
});

// 3. Start a Tamper-Evident Action Log
const teal = TamperEvidentActionLog.start({ aic, sat });

// 4. Record actions — each entry is signed and chained
await teal.record({
  actionType: 'tool_call',
  tool:       'bash',
  input:      { command: 'cat /etc/passwd' },
  output:     result
});

// 5. Export the sealed, verifiable log
const sealedLog = teal.seal();
const verified  = await ATPAuthority.verifyTEAL(sealedLog);
console.log(verified.integrityStatus); // "VERIFIED" | "TAMPERED" | "INCOMPLETE"
138 tests
0 failures
Ed25519 · ECDSA-P256
MIT Licensed
No external dependencies
TypeScript 5.4+
Compliance Tiers

ATP Conformance Levels

Three conformance tiers allow incremental adoption. ATP-Basic covers minimum viable identity; ATP-Full satisfies enterprise and regulatory requirements.

Feature / Requirement ATP-Basic ATP-Standard ATP-Full
Agent Identity Certificate (AIC)
Scoped Authorization Token (SAT)
Tamper-Evident Action Log (TEAL) Optional
Delegation Receipt (DR)
Runtime Attestation Bundle (RAB) Optional
Certificate Revocation (v2)
Delegation Chains (v2)
Multi-Party Authorization (v2)
OCSP Stapling Optional
RFC 9110 / RFC 8555 Compatibility Partial
NIST AI RMF Alignment Partial
Adoption & Recognition

Trusted by

Lyrie.ai Reference Implementation
Anthropic CVP Compatible Value Protocol
IETF AIAGENT Working Group Submission
OTT Cybersecurity LLC Specification Author
138
Tests
0
Failures
Ed25519
Signing Algorithm
MIT
License
5
Primitives
14
RFC References
Get Started

Deploy ATP today.

Read the Specification
The full ATP v2.0 draft specification with formal definitions, JSON Schema, and worked examples. Available on npm and GitHub.
npm install @lyrie/atp
View on GitHub ↗
Download the Whitepaper
19-page technical whitepaper covering threat model, design rationale, interoperability considerations, and the complete primitive specification.
Download PDF →

Questions, implementation support, or IETF comments?  dev@lyrie.ai