Frequently asked questions.

Agent Passport System makes every AI agent accountable. Every agent gets a cryptographic identity (Ed25519). Authority can only narrow, never expand. Trust is earned through performance. One API call revokes all downstream access.

Most frameworks handle orchestration. Agent Passport System handles enforcement: what can this agent do, and what happens when it violates a constraint? Bring your own identity. The gateway is both judge and executor. Works with any framework.

107 modules across SDK, MCP, and Python implementations. 3,932 tests. Eight published papers in the federal record. An IETF Internet-Draft. Independently cited by PDR in Production (UBC). 25 vocab crosswalks.

A human delegates authority to an agent with explicit scope: tools, money, services. The agent can sub-delegate, but authority can only narrow, never expand. Revoke the root and everything downstream dies instantly.

Cascade revocation. Delegation chains form a tree. Revoke any node and every downstream delegation dies instantly. The gateway enforces this at the boundary, so revoked agents can't sneak through on cached credentials.

Bring your own: did:key, did:web, SPIFFE SVID, OAuth. Cross-language: signatures round-trip TS ↔ Python byte-identically across 27 fixtures.

Yes. The gateway image is published. You own your keys, your audit log, and your enforcement decisions. The hosted version exists for convenience, not lock-in.

Three contribution PRs merged into the Microsoft Agent Governance Toolkit by a Microsoft maintainer (#274, #598, #1328). MolTrust co-edits the spec. Edison Munoz Duran contributed the Agent-DID crosswalk. UBC PDR in Production cites the Bayesian model. Federal agency review underway.

GitHub issues, vocab PRs, conformance fixtures. The agent-governance-spec org is the cross-vendor home; aeoess/agent-passport-system is the reference SDK.

Yes. Apache-2.0 licensed. All code on GitHub. Eight academic papers published on Zenodo. TypeScript SDK on npm, Python SDK on PyPI.

Seven non-negotiable principles (F-001 through F-007): traceability, honest identity, scoped authority, revocability, auditability, non-deception, proportionality. Agents sign cryptographic attestations. Compliance is checked through graduated enforcement: inline (blocks execution), audit (logs violations), warn (advisory).

30 governance modules addressing what happens when perfectly compliant agents still cause systemic failures. Designed through cross-model adversarial review. Includes: 9 attack defenses (approval fatigue detection, effect enforcement, semantic drift, authority laundering audit, governance drift tracking, emergence detection), separation of powers (agents cannot hold conflicting branches), constitutional amendment (supermajority + human ratification), circuit breakers (automatic suspension on threshold breach), affected-party standing (complaints and appeals). All implemented with tests in src/v2/.

The protocol governs what happens to data after access — through transformation, across system boundaries, after consent revocation, into decisions, and under dispute. Key primitives: Extended Derivation Continuity (multi-hop chains with break markers and lineage confidence), Post-Revocation Obligations (honest per-artifact-type obligations — RAG chunks get deleted, model weights require retraining, settlement records are ledger-exempt), Decision Lineage Receipt (traces which data sources influenced a specific decision — the right-to-explanation primitive), Purpose Taxonomy (hierarchical with wildcard matching), Retention TTL (ephemeral vs persistent access), Terms Version Pinning (freezes terms at access time for settlement). Phase 2 adds aggregation controls, jurisdiction envelopes (EU/GDPR transfer checks), governance taint propagation, dispute state, combination constraints (forbidden joins for HIPAA/COPPA), access snapshots (anti-rug-pull), rights propagation semantics, purpose drift detection, and re-identification risk declarations.

The bridge between decision provenance (Module 37) and data provenance (Modules 38-42). When an agent makes a decision that affects a human — loan denied, content moderated, insurance claim rejected — the human should be able to ask: "what data influenced this decision?" The Decision Lineage Receipt cryptographically links the decision artifact to every contributing data source, with derivation depth, transform path, terms version at access, lineage confidence, and compensation status. If the model was trained externally and lineage is incomplete, the receipt says so honestly rather than faking completeness.

150 tools across: identity (3), delegation (4), values/policy (4), signed communication (5), coordination (11), commerce (3), reputation-gated authority (5), and more. See the full list in the technical docs.

Core protocol (required): Agent identity (Ed25519), delegation chains, cascade revocation, Values Floor, policy engine, ProxyGateway enforcement. These are the foundational layers every deployment uses.

Extended modules (pick what you need): Coordination, commerce, DID/VC, EU AI Act mapping, E2E encrypted messaging, task routing, reputation-gated authority, governance provenance, and all 23 v2 constitutional modules.

Ecosystem services such as agent matching and professional networking can be built on top of these primitives, but are not part of the open protocol and not required for any core functionality.

Fastest (MCP, zero install): npx agent-passport-system-mcp setup --remote
Local MCP (150 tools): npm install -g agent-passport-system-mcp && npx agent-passport-system-mcp setup
SDK (library): npm install agent-passport-system
Python: pip install agent-passport-system
Go: go get github.com/aeoess/agent-passport-go@v0.2.0-alpha.3
Persistence: npm install @aeoess/storage-sqlite
Mingle (networking, opt-in): npm install -g mingle-mcp && npx mingle-mcp setup
All setup commands auto-configure Claude Desktop and Cursor. Read the technical docs or llms-full.txt for full API reference.

The tombstoneReceipt() function redacts the sensitive payload (action details, parameters, result summary become [REDACTED]) while preserving the receipt ID, signature, timestamps, and chain hash links. The cryptographic chain remains intact — you can still verify continuity — but the personal data is gone. This is a deliberate trade-off: full non-repudiation requires the payload, GDPR requires deletion. Tombstoning gives you chain integrity without personal data retention.

The Agent Governance Working Group (across APS, AgentID, qntm, OATR, ArkForge) maintains specifications for: QSP-1 v1.0 (encrypted agent transport), DID Resolution v1.0 (where is this agent's identity document?), Entity Verification v1.0 (is this agent who they claim to be?), and Execution Attestation v0.1 (did this agent actually do what it claims?). Together they define the communication infrastructure layer. Everything above (reputation, commerce, governance) composes on top.