Protocol Overview
An open protocol for accountable AI agents. Verifiable identity, scoped delegation that can only narrow, enforcement at the boundary, and a signed receipt for every action.
1. What APS is
The Agent Passport System is an open protocol for accountable AI agents. It gives an agent a verifiable identity, ties that identity to the person or company it represents, scopes what the agent is allowed to do, and produces a signed receipt for every action it takes.
One rule holds the protocol together: authority can only decrease at each transfer point. A login authorizes a session. APS authorizes a specific action, at a specific time, under a specific policy, for a specific principal. The proof travels with the action instead of living in a log someone reads after something breaks.
2. Design goals
- Verifiable identity. Ed25519 passports bound to a principal. APS accepts did:key, did:web, SPIFFE SVIDs, and OAuth tokens alongside native did:aps.
- Monotonic narrowing. Delegated authority can only shrink as it is passed on, never widen. Revocation cascades through the full chain.
- Enforcement at the boundary. A gateway evaluates each action before it happens and is both judge and executor, not an after-the-fact approver.
- Honest receipts. Every receipt states its own evidentiary weight. Self-attested evidence is never promoted to observed evidence.
- Composability. The layers are independent. Use identity without the gateway, or enforcement without commerce.
- Open and conformance-tested. Apache 2.0 code, CC0 spec, cross-implementation conformance fixtures with byte-level receipt matching.
3. Architecture
3.1 Identity
Ed25519 passports with grades 0 to 3, key rotation, and did:aps identifiers. APS also accepts did:key, did:web, SPIFFE SVIDs, and OAuth tokens, so an agent can carry the identity a stack already issues. One passport binds to one principal.
3.2 Delegation
Scoped authority with monotonic narrowing. Sub-delegation can only reduce scope, never widen it. Revocation cascades through the full chain, so revoking a parent authority invalidates everything derived from it.
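The narrowing and cascade rules can be checked mechanically when a verifier is handed a delegation chain. The following is an added example, not code from the APS SDK or specification; the record fields (`id`, `parent`, `scope`, `maxSpend`, `expires`) and the sample chain are assumptions made for illustration.

```javascript
// Added example, not APS SDK code. Field names are hypothetical.

// A child narrows its parent when it asks for no scope, spend or lifetime
// that the parent does not already hold.
function narrows(parent, child) {
  return child.scope.every((s) => parent.scope.includes(s)) &&
    child.maxSpend <= parent.maxSpend &&
    child.expires <= parent.expires;
}

// chain is ordered root -> leaf; revoked is a Set of delegation ids.
function authorize(chain, revoked, request) {
  if (chain.length === 0 || chain[0].parent !== null) {
    return { ok: false, reason: 'chain does not start at a root grant' };
  }
  for (let i = 0; i < chain.length; i++) {
    const link = chain[i];
    // Cascade: a revoked ancestor invalidates every link below it.
    if (revoked.has(link.id)) return { ok: false, reason: `revoked at ${link.id}` };
    if (request.now >= link.expires) return { ok: false, reason: `expired at ${link.id}` };
    if (i === 0) continue;
    const parent = chain[i - 1];
    if (link.parent !== parent.id) return { ok: false, reason: `broken link at ${link.id}` };
    if (!narrows(parent, link)) return { ok: false, reason: `${link.id} widens ${parent.id}` };
  }
  // Every link narrows its parent, so checking the leaf is sufficient here.
  const leaf = chain[chain.length - 1];
  if (!leaf.scope.includes(request.action)) return { ok: false, reason: 'action out of scope' };
  if (request.amount > leaf.maxSpend) return { ok: false, reason: 'over spend limit' };
  return { ok: true, reason: 'allowed' };
}

// Constructed sample chain: principal -> assistant -> sub-agent.
const root = { id: 'd1', parent: null, scope: ['calendar:read', 'payments:charge'], maxSpend: 500, expires: 2000 };
const mid = { id: 'd2', parent: 'd1', scope: ['payments:charge'], maxSpend: 100, expires: 1500 };
const leaf = { id: 'd3', parent: 'd2', scope: ['payments:charge'], maxSpend: 25, expires: 1200 };
// A sub-delegation that tries to regain a scope its parent no longer holds.
const widened = { ...leaf, id: 'd4', scope: ['payments:charge', 'calendar:read'] };
```

Revocation is evaluated while walking the chain rather than by marking descendants, so revoking `d1` denies `d3` without touching its record.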
3.3 Enforcement
A three-signature action chain: the agent signs the intent, the policy engine signs the evaluation, the agent signs the execution receipt. Because the evaluation sits between intent and execution, the agent cannot act without being checked. The gateway that runs this chain is both judge and executor.
3.4 Receipts
Every action produces a signed receipt, and receipts are graph-composable: each claim links to the authority, policy, action, or evidence it depends on, so a verifier can walk back to the supporting facts and stop at the boundary it cares about. A standard enforcement receipt proves that the gateway observed the agent issue the action under the cited delegation chain, and that the signed body has not changed. A receipt also states its own weight: self-attested evidence carries less than gateway-observed, and a verifier must reject self-attested evidence presented as observed.
3.5 Commerce
A five-gate preflight for payments: valid passport, scope check, spend limit, merchant allowlist, and idempotency, with a configurable human-approval threshold above a set value.
3.6 Reputation
Bayesian trust scoring across five tiers. Authority is earned per scope, not globally, and passport grades compound with behavioral history.
3.7 Beneficiary attribution
When an agent produces value as part of a larger task, that participation is credited back to the person or company it represents, traceable through Merkle proofs rather than pooled anonymously. Every contribution traces to its human principal.
3.8 Accountability primitives
Five signed primitives form the accountability surface: ActionReceipt, AuthorityBoundaryReceipt, CustodyReceipt, ContestabilityReceipt, and APSBundle. They use RFC 8785 JCS canonicalization, so receipts are content-addressed and byte-match across implementations, backed by conformance fixtures.
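The three-signature chain from section 3.3 and the canonicalize-then-hash addressing described here fit together as shown in this added example, which is not APS SDK code. The message shapes (`type`, `intent`, `evaluation`, `allow`, `result`), the SHA-256 content id and the sample policy are assumptions; `canonicalize` covers key ordering and compact serialization in the style of RFC 8785 for plain JSON data and is not a conformance-grade implementation.

```javascript
const crypto = require('node:crypto');

// Canonical form in the style of RFC 8785: keys sorted by UTF-16 code
// unit, no whitespace. Assumes plain JSON data (no undefined values).
function canonicalize(v) {
  if (Array.isArray(v)) return `[${v.map(canonicalize).join(',')}]`;
  if (v === null || typeof v !== 'object') return JSON.stringify(v);
  const members = Object.keys(v).sort()
    .map((k) => `${JSON.stringify(k)}:${canonicalize(v[k])}`);
  return `{${members.join(',')}}`;
}

// Content address (assumed here to be SHA-256 over the canonical bytes).
const contentId = (body) =>
  crypto.createHash('sha256').update(canonicalize(body)).digest('hex');

function signBody(body, keys) {
  const sig = crypto.sign(null, Buffer.from(canonicalize(body)), keys.privateKey);
  return { body, sig: sig.toString('base64') };
}

function checkSig(signed, publicKey) {
  const sig = Buffer.from(signed.sig, 'base64');
  return crypto.verify(null, Buffer.from(canonicalize(signed.body)), publicKey, sig);
}

// Intent (agent) -> evaluation (gateway) -> receipt (agent), each step
// committing to the content id of the one before it.
function runAction(agent, gateway, action, policy) {
  const intent = signBody({ type: 'intent', action }, agent);
  const evaluation = signBody(
    { type: 'evaluation', intent: contentId(intent.body), allow: policy(action) }, gateway);
  if (!evaluation.body.allow) return { intent, evaluation, receipt: null };
  const receipt = signBody(
    { type: 'receipt', evaluation: contentId(evaluation.body), result: 'executed' }, agent);
  return { intent, evaluation, receipt };
}

function verifyChain(c, agentPub, gatewayPub) {
  return c.receipt !== null && c.evaluation.body.allow === true &&
    checkSig(c.intent, agentPub) && checkSig(c.evaluation, gatewayPub) &&
    checkSig(c.receipt, agentPub) &&
    c.evaluation.body.intent === contentId(c.intent.body) &&
    c.receipt.body.evaluation === contentId(c.evaluation.body);
}

// Constructed keys and policy for the demonstration.
const agent = crypto.generateKeyPairSync('ed25519');
const gateway = crypto.generateKeyPairSync('ed25519');
const allowEmail = (action) => action.tool === 'email.send';
```

Because signatures and content ids are computed over the canonical form, two implementations that order object keys differently still produce the same bytes to sign and the same identifier.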
4. Protocol invariants
Five properties are enforced at the protocol level rather than left to good behavior:
- Traceability. Every action produces a signed receipt.
- Honest identity. No impersonation. One passport per principal.
- Scoped authority. Delegations carry explicit limits.
- Revocability. Any delegation can be revoked, and revocation cascades.
- Privacy. Principal data is not disclosed without explicit consent.
5. Comparison with related work
| Property | Agent Passport System | Google AP2 | DeepMind Delegation | EU EUDI |
|---|---|---|---|---|
| Signed receipts | ✓ | ✓ | ✓ | ✓ |
| Revocation with cascade | ✓ | ✓ | ~ | ✓ |
| Delegation depth limits | ✓ | − | ✓ | ✓ |
| Beneficiary attribution | ✓ Merkle | − | − | − |
| Agentic commerce | ✓ | ~ payments | − | − |
| Scope | All agent actions | Payments | Auth flows | Identity |
| Open source | ✓ Apache 2.0 | Spec only | Paper only | Spec only |
6. References
- Pidlisnyi, T. (2025). The Agent Social Contract. Zenodo. DOI: 10.5281/zenodo.18749779
- Agent Passport System SDK. npm: agent-passport-system
- Protocol implementation. github.com/aeoess
- Conformance test suite. aeoess/aps-conformance-suite
- action_ref v1 canonical specification. agent-passport.org/action-ref
- Developer documentation. agent-passport.org/docs