Open specification · v1.0
A vendor-neutral, MIT-licensed protocol for issuing, verifying, and revoking cryptographic identities for autonomous AI agents.
Canonical CBOR-encoded passport envelope with deterministic field ordering for reproducible signatures.
Signatures are Ed25519 over the canonical envelope. Issuer keys rotate via a signed key-history chain.
The trust score is a deterministic 0–1000 value computed from behavior, capability drift, incident velocity, and recency.
Revocations propagate by gossip across verification nodes, with a hard 60-second global convergence target.
An AI Passport is a CBOR map signed by the issuing organization. Field ordering is canonical so the signature is deterministic across runtimes.
{
"v": 1,
"id": "ap_01HRZ8…",
"issuer": "org_acme",
"subject": { "agent": "support-bot", "model": "gpt-5", "version": "2026.06" },
"capabilities": ["read:support_tickets", "write:support_replies"],
"environment": "production",
"jurisdiction": ["US", "EU"],
"issued_at": "2026-06-01T00:00:00Z",
"expires_at": "2026-09-01T00:00:00Z",
"policy_hash": "sha256:…",
"sig": "ed25519:…"
}
Relying parties POST a verification request to any Aegis verifier. The response is stateless and may be cached until the returned valid_until.
POST /v1/verify
{
"passport_id": "ap_01HRZ8…",
"requested_capabilities": ["read:support_tickets"],
"relying_party": "helpdesk-api",
"risk_level": "LOW"
}
→ { "decision": "ALLOW" | "REVIEW" | "DENY",
"trust_score": 0-1000,
"valid_until": "RFC3339",
"capability_token": "jwt(ES256)" }
Issuers publish signed revocation entries to the gossip network. Verifiers MUST reject any passport whose ID appears in a revocation entry whose timestamp is newer than the cached one. The global convergence target is 60 seconds.
An implementation is conformant if it passes the open test vectors published alongside the spec and round-trips canonical envelopes byte-for-byte.