Agent Passport System
The enforcement and accountability layer for AI agents. Open-source, Apache-2.0, shipped.
Why I built it
AI agents can do real things now — call APIs, move money, write code, send messages, make decisions. But they have no identity beyond an API key, no way to prove who delegated what authority, no record of what they did or who benefits when it works. The whole industry is shipping autonomous agents into production with the security model of a Google Doc share link.
I started building this in 2024 because nobody else seemed to be solving it at the layer I cared about — not "how do we detect a bad agent" but "how do we make sure authority flows correctly in the first place." The right system has to be both judge and executor. Authority can only decrease at each transfer point. Every action produces a signed receipt.
What it does
Cryptographic identity for AI agents using Ed25519. Scoped delegation chains that narrow monotonically — a child delegation can never grant more authority than its parent. A gateway that evaluates every action against the active scope and produces a signed receipt. A reputation system based on Bayesian trust tiers. A constitutional governance layer for high-stakes decisions. Bilateral coordination receipts so two agents can record what they agreed to without trusting a central authority.
The protocol is open and documented. The SDK is on npm and PyPI. The MCP server lets any AI assistant call into the system natively. The reference gateway is live at gateway.aeoess.com.
Where it lives
The full product site, technical docs, dev log, and live gateway dashboard are at aeoess.com. That's where the daily work happens.
Source code is on GitHub. The SDK ships as agent-passport-system on npm and PyPI.
Research and standards
Eight papers are published on Zenodo:
- The Agent Social Contract — the three-layer model that grounds the system
- Monotonic Narrowing for Agent Authority — authority attenuation as a delegation invariant
- Faceted Authority Attenuation — formal product-lattice model for scoped delegation
- From Access to Derivation — governing behavioral learning in persistent AI agents
- Physics-Enforced Delegation — quantum hardware quality in autonomous agent workflows
- Governance in the Medium — the unit of agent governance is the population, not the agent
- Cognitive Attestation — signing interpretable decompositions of latent model state
- The Evidence-Safety Gap — limits of receipt-based accountability
The Agent Passport System is also formalized as an IETF Internet-Draft (draft-pidlisnyi-aps-00) and is contributing to the cross-protocol vocabulary work happening across the agent governance ecosystem (W3C, IETF, A2A, OWASP).
The shape of the work
I am the sole architect and primary maintainer. The protocol is open and Apache-2.0 licensed; the gateway product is private. External implementations and crosswalks are landing from MolTrust, AgentNexus, qntm, SINT, and others — the convergence is real and happening in public on GitHub.