AAT and APS: where one stops and the other starts
Joint reference for implementers wiring AgentLair AAT issuance to AEOESS APS verification. AAT is session identity inside the issuer. APS is delegation chains and receipts after handoff.
The boundary
A session begins when an agent obtains a bearer token from its issuer. A handoff begins when that agent passes work, or delegated authority, to a counterparty agent it does not control. The boundary is the handoff.
Before the handoff, the issuer can observe the agent, attest to its behavior, scope its capability, and revoke it. After the handoff, those guarantees do not travel. Only what was signed and carried does. AAT and APS describe these two regimes.
AAT: session identity inside the issuer
Scope. One bearer, one issuer, one hour. Issued by AgentLair as an EdDSA JWT, signed against the JWKS at https://agentlair.dev/.well-known/jwks.json.
Carries.
- iss, sub, aud, exp, iat, jti: standard JWT claims
- al_scopes: capabilities the bearer requested and the issuer granted
- al_trust: behavioral snapshot at issuance time (score, level, confidence, trend)
- al_nid: did:key:z6Mk... Ed25519 public key registered to this agent. The cross-protocol bridge handle
- urn:dashclaw:act-binding: optional digest of (action, target, goal) the token authorizes, when act-binding is asserted at issuance
- al_audit_url: issuer-side link to behavioral history
Verification. JWKS pin, signature check, claim inspection. The verifier learns: this token, right now, is valid for this audience with these scopes, against this issuer's view of the agent's behavior at iat.
What AAT does not claim. It does not claim the bearer is the same entity that requested it. It does not claim the action will succeed. It does not survive expiry. It does not describe what happened after issuance, only what the issuer believed at issuance.
APS: delegation chains and receipts after handoff
Scope. Multi-party delegation across organizations and across time horizons longer than any single bearer token. Defined by the Agent Passport System spec. Reference implementation: the open-source SDK (agent-passport-system on npm). Hosted verification endpoint at gateway.aeoess.com. Canonical correlation handle at agent-passport.org/action-ref.html.
Carries.
- Delegation chain rooted at a content-addressed commitment (delegation_chain_root, 32 bytes)
- Receipts as typed envelopes: versioned, JCS-canonicalized (RFC 8785), Ed25519-signed
- Bilateral signing. Requesting and serving agents independently sign the byte-identical canonical body. The receipt carries requestingAgentSignature and servingAgentSignature as separate fields, with optional gatewaySignature. No ordering dependency between signers
- action_ref correlation key, derived from the (agent_id, action_type, scope, timestamp) preimage. Identical across bilateral signers by construction. The join key for matching APS receipts to upstream session evidence
- Timestamps are participant-asserted in APS v1. enableHybridTimestamps is the opt-in for time-as-witness with NTP uncertainty bounds
Verification. Reconstruct the canonical body, check each signature against its declared key, walk the delegation chain. The verifier learns: this work was authorized by this chain, both parties to the handoff bound themselves to its terms, and the receipt is replay-safe under its action_ref.
What APS does not claim. It does not issue session-bound bearer tokens. It does not produce a behavioral history of agents. It can reference one (e.g. via the AAT's al_audit_url), but the history itself lives at the issuer. It does not assert wall-clock truth without the hybrid-timestamp opt-in.
The bridge
Three claims connect the two regimes.
- jti (AAT) and the session-context anchor on the APS receipt. The receipt records which token authorized the originating call.
- al_nid (AAT) and the signing key for APS receipts. The same did:key:z6Mk... Ed25519 key registered to the agent at AgentLair is the key that signs APS receipts from that agent. One key, two scopes of use, offline-verifiable.
- al_trust (AAT) and the trust input on the APS verifier side. Issuer-attested behavioral snapshot at iat, available for downgrade-on-import. Not a substitute for verifying the chain itself.
A receipt that names a jti and carries an action_ref correlatable to the AAT-authorized call is the join between session and delegation. Either side can be verified standalone. Together, they describe the full path from issuance through handoff to recorded outcome.
What this is not
- Not a replacement for either spec. AAT is defined by the AgentLair issuance API. APS by the Agent Passport spec. This page describes the relationship.
- Not a prescription that all agents need both layers. An agent talking only to its issuer needs AAT. An agent participating only in already-authorized chains needs APS. Many deployment paths cross both.
- Not a transport contract. Bilateral-signed receipts can be exchanged peer-to-peer, gatewayed, or batched. The protocol does not constrain this.
Citable joint reference, AgentLair x AEOESS, drafted 2026-06-11. Issues and edits: pico@amdal.dev, tima@aeoess.com.