]> Montcao

james@montcao.com https://agentidentityprotocol.io

NVIDIA

eduardoa@nvidia.com https://agentidentityprotocol.io

This document defines the Agent Identity Protocol (AIP), an open standard for verifiable identity and policy enforcement for artificial intelligence (AI) agents. Agent Identity Protocol (AIP) addresses the problem of AI agents operating with unbounded permissions -- running as users, inheriting full API key access, and executing tool calls with no verifiable identity boundary between human and non-human actors. The protocol is structured as two cooperating layers. Layer 1 (Identity) gives every agent a unique identifier and a key pair registered with an AIP Registry; the agent signs every outbound action with that key. Layer 2 (Enforcement) interposes a proxy between the AI client and every tool server that verifies the signature, evaluates a declarative policy, and produces an allow, deny, or hold decision before any tool is reached.

Introduction AI agents are being deployed at scale with the same credentials as the humans who operate them. When an agent calls a tool -- writing a file, querying a database, sending a request to an external API -- there is nothing in the request that distinguishes it from a direct human action. The downstream service has no way to know it is talking to an agent, which agent, who authorized it, or what it is permitted to do. This creates compounding problems as agents become more capable and more numerous. An agent that is compromised, misbehaves, or is manipulated into acting outside its intended scope has no technical boundary stopping it from using every credential it has been given. Audit logs attribute actions to human accounts rather than to agents, making incident investigation difficult. Multi-agent systems can accumulate permissions across delegation steps without any explicit record of what was authorized. AIP closes this gap with two layers: Layer 1 -- Agent Identity. At provisioning time, the agent is registered with an AIP Registry. The registry assigns the agent a unique identifier (the Agent ID) and records the agent's public key alongside the identity of the accountable principal. From that point forward, the agent signs every outbound tool call with its private key. Any party that can reach the registry can verify who the agent is. Layer 2 -- Enforcement Proxy. An AIP Proxy sits between the AI client and every tool server. It intercepts every tool call, verifies the agent's signature against the registry, evaluates the call against a simple declarative policy (the AgentPolicy), and either forwards the call, blocks it, or holds it for human approval. The tool server is never reached until all checks pass. Every decision is written to an append-only audit log. The two layers are independent. Layer 1 can be used without Layer 2 to provide signed, attributable agent actions in existing systems. Layer 2 requires Layer 1 for identity verification but adds no new requirements on tool servers. AIP targets the Model Context Protocol (MCP) as its primary tool-call interface but is designed to be applicable to any structured tool invocation mechanism. AIP does NOT:

• Define a new transport protocol.
• Replace existing service-level authentication (OAuth 2.0, mTLS). It adds an agent-identity layer on top of existing mechanisms.
• Provide content moderation or model output filtering.

Terminology and Conventions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Agent:

An autonomous software process that uses a large language model or other AI system to reason over tasks and invoke external tools on behalf of a principal.

Agent ID:

A unique, stable identifier assigned to an agent by an AIP Registry at registration time. The Agent ID is a UUID v4 prefixed with the registry hostname, e.g., "reg.example.com/01933f4a-9b2c-7d8e-af01-3b5c6d7e8f9a".

Agent Record:

The data structure stored in the AIP Registry that holds an agent's Agent ID, public key, principal identifier, and metadata. Defined in .

AIP Proxy (or "Enforcement Proxy"):

A transparent forward proxy that intercepts tool calls between an AI client and tool servers. It verifies the AIP Token and evaluates the AgentPolicy before forwarding or blocking the call.

AIP Registry:

A server that stores Agent Records and exposes an HTTP API for registration, key lookup, and revocation.

AIP Token:

A signed JSON object attached to every tool call by the agent. It carries the agent's Agent ID, the tool being called, a nonce, a timestamp, and an key signature. Defined in .

AgentPolicy:

A YAML configuration file that declares which tools an agent is permitted to call, argument constraints, DLP rules, and HITL requirements. Defined in .

DLP:

Data Loss Prevention; scanning of tool call arguments and responses for sensitive data patterns.

HITL:

Human-in-the-Loop; a control mode in which the proxy holds a tool call and waits for explicit approval from an operator before forwarding it.

IoA:

Internet of Agents; the network of autonomous AI agents that act across organizational and infrastructure boundaries.

MCP:

Model Context Protocol ; a structured protocol for tool-call communication between AI clients and tool servers.

Principal:

The human operator or organization accountable for an agent.

Tool Call:

A structured invocation of an external capability initiated by an agent, typically carrying a tool name and arguments.

Tool Server:

A service that exposes tools callable by agents.

Problem Statement

The Identity Gap When an AI agent calls a tool, it presents credentials that belong to a human account. The tool server cannot tell whether the actor is a human or an agent, which agent it is, or what limits apply to it. This creates four concrete problems:

(a)

Security -- A compromised or manipulated agent can invoke any tool the human account can reach. There is no agent-specific authorization boundary.

(b)

Auditability -- Logs record actions against a human account. After an incident, investigators cannot determine which actions were taken by a human versus an agent.

(c)

Compliance -- Regulations increasingly require traceability of automated decision-making. Without agent-level identity, organizations cannot satisfy these requirements.

(d)

Accountability -- Billing, rate limits, and quotas are scoped to human accounts. Agent usage cannot be isolated or attributed.

The Enforcement Gap Even where agent behavior policies exist, they are expressed as text in model system prompts. System prompts are not tamper-evident and can be bypassed by adversarial inputs to the model. There is no infrastructure-layer enforcement point that acts independently of the model.

Scope of This Specification AIP closes both gaps. Layer 1 gives every agent a distinct, verifiable identity independent of the human principal's credentials. Layer 2 enforces agent-specific policy at the tool-call boundary, outside the model's trust domain, in a way that cannot be overridden by model outputs.

Protocol Overview

Architecture AIP introduces two components into the agent-to-tool-server path: an AIP Registry (Layer 1) and an AIP Proxy (Layer 2).

AIP Architecture

Call Lifecycle The lifecycle of a single tool call under AIP is as follows:

1. Registration (once, at deploy time). The principal registers the agent with an AIP Registry. The registry assigns an Agent ID and stores the agent's public key. The agent stores its private key securely.
2. Token construction (per call). Before each tool call the agent constructs an AIP Token (): a small JSON object containing the Agent ID, tool name, argument hash, nonce, timestamp, and a key signature over the token.
3. Proxy intercept. The AIP Proxy receives the tool call request before it reaches the tool server.
4. Token verification (Layer 1). The proxy retrieves the agent's public key from the registry (or local cache) and verifies the signature. It also checks the nonce for replay and the timestamp for freshness.
5. Policy evaluation (Layer 2). The proxy checks the call against the AgentPolicy: is the tool on the allowlist? Do the arguments pass validation? Does the call trigger a HITL hold? Does the response contain sensitive data that must be redacted?
6. Decision. The proxy produces one of three outcomes: ALLOW -- forward the call to the tool server; DENY -- return an error to the agent, tool server not reached; HOLD -- queue the call for human approval.
7. Audit. Every decision is written to the audit log regardless of outcome.

Relationship to Existing Standards

• OAuth 2.0 / OIDC : AIP does not replace service- level authentication. The agent still presents its OAuth token or API key to the tool server. AIP provides a separate agent identity layer that the proxy can verify independently.
• SPIFFE/SVID : In Kubernetes deployments, the AIP Proxy MAY use a SPIFFE SVID to authenticate to tool servers over mTLS, layering workload identity on top of AIP agent identity.
• JSON-RPC 2.0 : Tool call and error messages use the JSON-RPC 2.0 wire format, compatible with MCP and similar protocols.

Layer 1: Agent Identity

Agent Registration An agent is provisioned by its principal submitting a registration request to an AIP Registry. The request MUST include:

(a)

The agent's public key, base64url-encoded ; (b) The principal identifier -- a string that uniquely identifies the accountable human or organization (e.g., an email address, an organization slug, or an OAuth subject claim); (TO BE WORKED ON FURTHER)

(c)

A human-readable agent name (RECOMMENDED); (d) An optional free-text description.

The registration request MUST be authenticated. Authentication MAY be via OAuth 2.0 bearer token, mTLS client certificate, or a pre- shared registration secret, at the registry operator's discretion. On successful registration, the registry:

(a)

Assigns a UUID v4 as the agent's local identifier; (b) Constructs the Agent ID as "<registry-host>/<uuid>"; (c) Stores the Agent Record (); (d) Returns the Agent ID to the principal.

The principal MUST store the Agent ID and configure the agent with both the Agent ID and its private key before deployment.

Agent Record The Agent Record is the data structure the AIP Registry stores for each registered agent. It MUST contain:

agentId (string):

The Agent ID assigned at registration, in the form "<registry-host>/<uuid-v4>". Example: "reg.agentidentityprotocol.io/01933f4a-9b2c-7d8e-af01"

publicKey (string):

The agent's current public key, base64url-encoded.

principalId (string):

Identifier of the accountable principal.

name (string):

Human-readable agent name. Informational only; not authenticated.

description (string, optional):

Free-text description of the agent's purpose.

createdAt (string):

ISO 8601 UTC timestamp of registration.

keyHistory (array):

Append-only list of all public keys ever bound to this Agent ID. Each entry contains "publicKey", "activeFrom", and "revokedAt" (null if still active).

status (string):

One of "active" or "revoked".

Example Agent Record (JSON):

AIP Registry API The AIP Registry MUST expose the following HTTP endpoints over TLS 1.3 (): The GET /v1/agents/{agentId} endpoint is the only endpoint that MUST be reachable by AIP Proxies at call-verification time. All other endpoints are used during provisioning and key management. Responses from GET /v1/agents/{agentId} MUST include the full Agent Record. Proxies SHOULD cache this response for at least 30 seconds. The cache MUST be invalidated on receipt of a revocation event from the SSE stream.

Key Rotation A principal rotates an agent's key by submitting a PUT request to /v1/agents/{agentId}/key, authenticated with the current private key. The request body MUST contain the new public key.

The registry MUST:

(a) Set "revokedAt" on the current keyHistory entry to the current timestamp;

(b)

Append a new keyHistory entry with the new public key; (c) Update the "publicKey" field on the Agent Record; (d) Emit a rotation event on the revocations SSE stream so that proxies can invalidate their cached Agent Records immediately.

The Agent ID does NOT change on key rotation.

Agent Revocation A principal revokes an agent by sending a DELETE request to /v1/agents/{agentId}. The registry MUST set the agent's status to "revoked" and emit a revocation event on the SSE stream. Proxies MUST reject AIP Tokens from revoked agents with error AIP-E012. Revoked Agent Records MUST be retained in the registry for audit log verification but MUST NOT be returned as "active".

The AIP Token (Agent Attestation Token) The AIP Token is a compact signed JSON object that the agent constructs and attaches to every outbound tool call. It is the mechanism by which the agent asserts its identity to the proxy.

Token Fields

aipVersion (string, REQUIRED):

Protocol version. MUST be "1" for this specification.

agentId (string, REQUIRED):

The agent's Agent ID as registered with the AIP Registry.

tool (string, REQUIRED):

The name of the tool being called, exactly as declared in the tool server's manifest.

argumentsHash (string, REQUIRED):

Lowercase hex-encoded SHA-256 hash of the canonical JSON serialization of the tool call arguments. This binds the token to the specific arguments being passed.

nonce (string, REQUIRED):

A 128-bit cryptographically random value, hex-encoded. MUST be unique per token. MUST be generated by a CSPRNG.

timestamp (string, REQUIRED):

ISO 8601 UTC timestamp of token construction.

signature (string, REQUIRED):

Base64url-encoded signature over the canonical serialization of the token ().

Canonical Serialization To produce the bytes that are signed:

(a)

Construct a JSON object containing all token fields except "signature";

(b)

Serialize with no insignificant whitespace; (c) Sort object keys lexicographically; (d) Encode as UTF-8.

The signature field is then set to the base64url encoding of the signature over these bytes.

Example Token (before base64url encoding for transport)

Token Verification The AIP Proxy MUST perform the following checks in order. A failure at any step MUST produce a DENY decision with the corresponding error code () and an audit log entry.

Step 1 -- Presence check.

Confirm the AIP Token is present in the request. On failure: AIP-E010.

Step 2 -- Agent Record lookup.

Resolve the Agent ID from the token against the AIP Registry (or local cache). Confirm the Agent Record status is "active". On failure: AIP-E011 (unresolvable) or AIP-E012 (revoked).

Step 3 -- Signature verification.

Compute the canonical serialization () and verify the key signature against the public key in the Agent Record. This operation MUST be performed in constant time. On failure: AIP-E013.

Step 4 -- Nonce replay check.

Check the nonce against the proxy's local nonce cache (minimum TTL: 600 seconds). If the nonce has been seen before, reject. On failure: AIP-E004.

Step 5 -- Timestamp freshness.

Reject the token if its timestamp is more than 300 seconds in the past or 30 seconds in the future relative to the proxy clock. On failure: AIP-E005.

If all five steps pass, the token is verified and the call proceeds to policy evaluation ().

Layer 2: Enforcement Proxy

Proxy Architecture The AIP Proxy is a forward proxy interposed between the AI client and one or more tool servers. It is transparent: it presents itself to the AI client as the tool server endpoint, and to the tool server as an authorized caller. The proxy operates in one of two modes, set per agent in the AgentPolicy:

enforce:

Policy violations result in DENY responses. The tool server is never reached for blocked calls. This is the default and RECOMMENDED mode.

monitor:

Policy violations are logged but calls are forwarded regardless. Used for baselining and policy development before switching to enforce mode.

The proxy MUST maintain locally: = 600 seconds, LRU eviction); o A revocation cache (refresh interval <= 60 seconds); o An append-only audit log. ]]>

AgentPolicy The AgentPolicy is a YAML file that declares the enforcement rules for a specific agent. One AgentPolicy file corresponds to one Agent ID. A AgentPolicy file can apply to multiple Agent IDs.

Schema mode: tools: allowed: - rules: - tool: action: args: : pattern: maxLength: dlp: - name: regex: action: scope: hitl: approvers: - timeout_seconds: # seconds to wait for approval on_timeout: # action if no response received ]]>

Tool Allowlist The tools.allowed list defines every tool the agent is permitted to call. Any call to a tool not on this list MUST be denied with AIP-E001 when the proxy is in enforce mode.

Tool Rules Each entry in tools.rules applies additional handling to a named tool:

allow:

The tool is on the allowlist and is forwarded after argument validation. This is the default when no rule is specified.

ask:

The call is held for HITL approval before forwarding, regardless of any other policy check.

block:

The call is unconditionally denied. This overrides the allowlist and cannot be circumvented. Use this for tools that must never be reachable by the agent under any circumstances.

Argument rules (args) apply PCRE regex pattern matching and a maximum length check to named arguments before the call is forwarded. A violation produces AIP-E002.

DLP Rules Each DLP rule specifies a regex pattern, an action, and a scope:

redact / request:

Matching content in arguments is replaced with "[REDACTED:<name>]" and the call proceeds.

redact / response:

Matching content in the tool response is replaced with "[REDACTED:<name>]" before the response is returned to the agent.

block / both:

If a match is found anywhere in the request or response, the call or response is rejected with AIP-E008.

HITL Configuration The hitl block identifies who may approve held calls, how long the proxy waits, and what to do on timeout. The default on_timeout is "deny". Setting on_timeout to "allow" SHOULD only be used for non-sensitive, low-impact tools.

Intercept Flow The following is the normative sequence for every tool call received by the proxy. DENY with the corresponding AIP-Exxx code. 3. Check tools.allowed. Tool not present and mode == enforce -> DENY AIP-E001. 4. Check tools.rules for this tool. action == block -> DENY AIP-E003. action == ask -> go to step 7 (HITL). 5. Validate arguments against any matching tools.rules.args. Violation -> DENY AIP-E002. 6. Run DLP scan on request arguments. block match -> DENY AIP-E008. redact match -> replace content, continue. 7. If action == ask: submit to HITL queue (Section 6.5). Approved -> continue to step 8. Denied -> DENY AIP-E015. Timed out -> resolve per on_timeout. 8. ALLOW: forward the call to the tool server. 9. Receive the tool server response. 10. Run DLP scan on the response. block match -> return AIP-E008 to agent, suppress response. redact match -> replace content, continue. ]]> 11. Return the (possibly redacted) response to the agent. 12. Write audit log record ().

Decision Outcomes

ALLOW:

The call passed all checks and was forwarded. The tool server response was returned to the agent.

DENY:

The call was rejected before reaching the tool server. The proxy returns a JSON-RPC 2.0 error (). The tool server receives nothing.

HOLD:

The call is queued. The proxy returns a pending response to the agent. The call is resolved when a human approver responds or the HITL timeout is reached.

Human-in-the-Loop (HITL) When a call is held, the proxy MUST notify all addresses listed in hitl.approvers. The notification MUST include:

• The Agent ID and agent name;
• The tool name and (post-redaction) arguments;
• The policy rule that triggered the hold;
• A unique hold_id.

Notification delivery (email, webhook, Slack, web UI) is out of scope for this specification. Approvers submit a decision to the proxy using the HITL API. Approval and denial endpoints are: These endpoints MUST be authenticated. If no response is received within hitl.timeout_seconds, the proxy resolves the hold according to hitl.on_timeout and writes the outcome to the audit log.

Data Loss Prevention (DLP) The DLP scanner applies the dlp rules from the AgentPolicy to both the inbound tool call arguments and the outbound tool server response. Rules are evaluated in the order they are listed. The first matching rule wins. Implementations SHOULD provide a standard rule library covering common sensitive data types:

• Cloud provider credentials (AWS, GCP, Azure key patterns);
• Private key material (PEM headers);
• Common PII patterns (email, phone, SSN formats);
• Generic high-entropy secrets (long alphanumeric tokens).

Audit Logging The proxy MUST write one log record per tool call outcome. Records MUST be appended to an append-only log and MUST NOT be modified after writing. Log records SHOULD be hash-chained: each record includes the SHA-256 hash of the previous record, enabling tamper detection. See for the normative record format. Log records MUST be retained for a minimum of 90 days.

Wire Formats

AIP-Token Header For HTTP-based tool transports, the AIP Token is conveyed in the request header:

AIP-Token: <base64url-encoded UTF-8 JSON token>

base64url encoding is defined in (no padding). For MCP stdio transports, the AIP Token is conveyed as a "_aip" field at the top level of the JSON-RPC request object:

Error Response Format Error responses MUST conform to JSON-RPC 2.0 . AIP error codes are in the range -32001 to -32099:

Audit Log Record Each record is a single JSON object on one line (JSONL ): ", "eventId": "", "prevHash": "", "decision": "", "errorCode": "", "agentId": "", "principalId": "", "tool": "", "argumentsHash": "", "policyName": "", "verificationStep": "<1-5 or null if passed>", "dlp": [ { "rule": "", "scope": "", "action": "" } ], "holdId": "", "proxyVersion": "" } ]]>

Deployment Topologies

Localhost Proxy The localhost proxy is the simplest deployment: a single binary running on the developer's machine alongside the AI client. It binds to 127.0.0.1:8787 (configurable), supports HTTP and MCP stdio interception, and uses a local SQLite database for the nonce cache, revocation cache, and audit log. Policy is loaded from a YAML file at ~/.aip/policy.yaml. This mode is suitable for individual developers and is the recommended starting point for adopting AIP. A Go proxy implementation is available at the working group's GitHub repository.

Kubernetes Sidecar For production deployments, the AIP Proxy runs as a sidecar container in the same pod as the agent container. Outbound tool-server traffic is redirected through the proxy on port 15001 via iptables REDIRECT rules. Policy is loaded from a Kubernetes ConfigMap or Secret. Storage uses Redis for the distributed nonce cache and a PersistentVolumeClaim for the audit log. A Prometheus metrics endpoint is exposed at /metrics. Exported metrics include: aip_calls_total, aip_denials_total, aip_holds_total, and aip_verification_latency_seconds.

Enterprise Federation In enterprise environments the AIP Proxy integrates with existing identity infrastructure:

• OIDC mapping: The registry maintains a table mapping Agent IDs to OIDC subject claims. When a tool server requires an OIDC token, the proxy can present one on the agent's behalf after AIP verification passes, without the agent holding OIDC credentials directly.
• SPIFFE/mTLS: The proxy is issued a SPIFFE SVID and uses it to establish mTLS connections to tool servers, providing transport- layer mutual authentication in addition to AIP application-layer identity.
• Central policy management: AgentPolicy files are managed via a policy API with versioning, rollback, and change auditing, rather than local YAML files.

Security Considerations

Cryptographic Algorithm AIP is built with the idea of using Ed25519 for all signatures. Ed25519 was chosen because it is fast (sign and verify in under 1ms), produces short keys and signatures (32 and 64 bytes respectively), is deterministic (no per-signature randomness required), and has broad library support across all major languages and platforms. However other cryptographic algorithms should be supported.

Prompt Injection Resistance The principal threat model for AIP at Layer 2 is the prompt injection attack: malicious content in the agent's context causes it to attempt tool calls outside its intended scope. The allowlist in the AgentPolicy prevents the agent from reaching tools it was not provisioned for, regardless of what the model produces. The "block" action provides an unconditional deny for specified tools that cannot be overridden by any model output, injected prompt, or delegation claim. The proxy operates entirely outside the model's trust boundary; the model cannot influence the proxy's decisions.

Transport Security All communication between AIP Proxies and the AIP Registry MUST use TLS 1.3 . Server certificates MUST be validated against the system trust store. Certificate pinning is RECOMMENDED for registry connections in production deployments. Proxy-to-tool-server connections MUST use TLS 1.2 or later. TLS 1.3 is RECOMMENDED.

Private Key Storage Agent private keys MUST be stored in a secure key store. In order of preference: 1. Hardware Security Module (HSM) or Trusted Platform Module (TPM); 2. OS keychain (macOS Keychain, Windows DPAPI, Linux Secret Service); 3. Encrypted file with passphrase derived using Argon2id . Private keys MUST NOT be stored in environment variables, plaintext configuration files, or source code repositories.

Registry Trust A proxy MUST be configured with an explicit list of trusted registry hostnames and the TLS certificate fingerprint (or CA) for each. Agent Records from registries not on this list MUST be rejected.

Nonce Cache Sizing The nonce cache must be large enough to hold all unique nonces generated within the TTL window (600 seconds). Implementations MUST use a bounded cache with LRU eviction and MUST NOT silently drop old nonces without ensuring they are outside the TTL window.

Revocation Latency The proxy's revocation cache has a maximum refresh interval of 60 seconds (). In the worst case, a revoked agent can continue making calls for up to 60 seconds after revocation. Deployments with stricter requirements SHOULD subscribe to the registry's SSE revocation stream () and invalidate the cache on receipt of a revocation event.

Denial-of-Service The proxy adds a small amount of latency to every tool call (one cache lookup and one key verification). To prevent the proxy from becoming an availability bottleneck:

• Agent Record lookups MUST be served from the local cache except on cache miss or invalidation;
• The proxy SHOULD enforce a per-agent call rate limit to prevent a runaway agent from flooding the registry with cache-miss lookups.

Privacy Considerations

Agent Record Visibility Agent Records are visible to any party that can query the registry. Principals SHOULD use non-identifying agent names for agents that handle sensitive workloads.

Audit Log Sensitivity Audit logs contain Agent IDs, tool names, and argument hashes. While argument values are not logged in plaintext, the combination of Agent ID and tool name may itself be sensitive in some contexts. Audit logs MUST be access-controlled appropriately.

DLP Redaction When DLP redaction is applied to a response, the proxy modifies the data the agent receives. Operators MUST ensure that redaction does not cause the agent to produce incorrect or harmful downstream actions due to missing context.

Registry Data Retention Registry operators MUST publish a data retention policy. Agent Records for revoked agents SHOULD be pseudonymized after the minimum retention period required for audit log verification.

IANA Considerations

HTTP Header Field This document defines the "AIP-Token" HTTP header field. Registration is requested in the "Permanent Message Header Field Names" registry per . The header field name is "AIP-Token", applicable protocol is "http", status is "standard", the author/change controller is the IETF, and the specification document is this document ().

Media Type The media type "application/aip+json" is requested for AIP Tokens serialized as standalone JSON documents. The type name is "application", the subtype name is "aip+json", the required parameter is "version" (value "1"), encoding considerations are UTF-8, and security considerations are described in .

References Normative References In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. This document describes elliptic curve signature scheme Edwards-curve Digital Signature Algorithm (EdDSA). The algorithm is instantiated with recommended parameters for the edwards25519 and edwards448 curves. An example implementation and test vectors are provided. This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations. This document specifies Version 1.2 of the Transport Layer Security (TLS) protocol. The TLS protocol provides communications security over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. [STANDARDS-TRACK] This document describes the commonly used base 64, base 32, and base 16 encoding schemes. It also discusses the use of line-feeds in encoded data, use of padding in encoded data, use of non-alphabet characters in encoded data, use of different encoding alphabets, and canonical encodings. [STANDARDS-TRACK] This specification defines a Uniform Resource Name namespace for UUIDs (Universally Unique IDentifier), also known as GUIDs (Globally Unique IDentifier). A UUID is 128 bits long, and can guarantee uniqueness across space and time. UUIDs were originally used in the Apollo Network Computing System and later in the Open Software Foundation\'s (OSF) Distributed Computing Environment (DCE), and then in Microsoft Windows platforms. This specification is derived from the DCE specification with the kind permission of the OSF (now known as The Open Group). Information from earlier versions of the DCE specification have been incorporated into this document. [STANDARDS-TRACK] The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849. [STANDARDS-TRACK] This document describes the Argon2 memory-hard function for password hashing and proof-of-work applications. We provide an implementer-oriented description with test vectors. The purpose is to simplify adoption of Argon2 for Internet protocols. This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF. JSON-RPC Working Group This specification defines registration procedures for the message header fields used by Internet mail, HTTP, Netnews and other applications. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Informative References Anthropic Sakimura, N. et al. CNCF SPIFFE Project

Example AgentPolicy A complete AgentPolicy for a research assistant agent.

Example AIP Token An AIP Token for a read_file call, shown before base64url encoding for transport in the AIP-Token header.

Error Code Reference

AIP-E001

Tool not in allowlist The requested tool is not listed in tools.allowed and the proxy is in enforce mode.

AIP-E002

Argument validation failed A tool argument failed a pattern or maxLength check defined in tools.rules.args.

AIP-E003

Tool unconditionally blocked The tool has action: block in tools.rules.

AIP-E004

Nonce replay The nonce in the AIP Token was already seen within the 600-second cache window.

AIP-E005

Timestamp out of range The token timestamp is more than 300 seconds old or more than 30 seconds in the future.

AIP-E008

DLP violation A DLP rule with action: block matched content in the request or response.

AIP-E010

AIP Token missing The tool call arrived with no AIP-Token header or _aip field.

AIP-E011

Agent ID not found The agentId in the token could not be resolved at the registry.

AIP-E012

Agent revoked The Agent Record for this agentId has status: revoked.

AIP-E013

Signature verification failed The key signature did not verify against the public key in the Agent Record.

AIP-E015

HITL approval denied A human approver explicitly denied the held call.

AIP-E016

HITL timed out The HITL hold expired and on_timeout is set to deny.

AIP-E099

Internal proxy error An unexpected error occurred in the proxy. See proxy logs for details.