Verifiable cryptographic identity and delegation for AI agents across MCP and A2A
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Project description
Agent Identity Protocol (AIP)
Add identity and auth to AI agents in 5 lines of code.
The problem
MCP has no authentication. A2A has self-declared identities with no attestation. Your agents call tools anonymously, delegate to other agents without verification, and leave no audit trail. When something goes wrong, you have no way to trace who authorized what.
The fix
pip install aip-agents[crewai]
from aip_agents.adapters.crewai import CrewAIPlugin
plugin = CrewAIPlugin(app_name="my-app")
plugin.setup(crew) # every agent gets a cryptographic identity
headers = plugin.get_auth_headers("researcher") # signed token for tool calls
That's it. Every agent now has an Ed25519 identity, scoped delegation tokens, and MCP-compatible auth headers.
Google ADK
pip install aip-agents[adk]
from aip_agents.adapters.adk import ADKPlugin
plugin = ADKPlugin(app_name="my-app")
plugin.setup(root_agent) # walks the agent tree, assigns identities
headers = plugin.get_auth_headers("specialist")
LangChain
pip install aip-agents[langchain]
from aip_agents.adapters.langchain import LangChainPlugin
plugin = LangChainPlugin(app_name="my-app")
plugin.register(executor, name="researcher")
headers = plugin.get_auth_headers("researcher")
What this gives you
- Cryptographic identity -- every agent gets an Ed25519 keypair and an AIP identifier
- Scoped delegation -- when agents delegate, each hop can only narrow scope, never widen
- MCP auth headers -- signed
X-AIP-Tokenheaders that any MCP server can verify - Audit trail -- every token records who authorized what, through which agents, with what scope
- Two token modes -- compact (JWT) for single-hop, chained (Biscuit) for multi-agent delegation
Multi-agent delegation
When agents delegate to other agents, each hop cryptographically narrows scope:
from aip_core.crypto import KeyPair
from aip_token.chained import ChainedToken
root_kp = KeyPair.generate()
# Orchestrator: broad authority
token = ChainedToken.create_authority(
issuer="aip:web:myorg.com/orchestrator",
scopes=["tool:search", "tool:email"],
budget_cents=500,
max_depth=3,
ttl_seconds=3600,
keypair=root_kp,
)
# Delegate to specialist: only search, lower budget
delegated = token.delegate(
delegator="aip:web:myorg.com/orchestrator",
delegate="aip:web:myorg.com/specialist",
scopes=["tool:search"],
budget_cents=100,
context="research task for user query",
)
# Specialist can search, but not email
delegated.authorize("tool:search", root_kp.public_key_bytes()) # passes
delegated.authorize("tool:email", root_kp.public_key_bytes()) # raises
MCP Auth Proxy
Protect any MCP server with one command:
pip install agent-identity-protocol
aip-proxy --upstream http://localhost:3000 --port 8080 --trust-key z6Mkf...
The proxy verifies every request's AIP token, runs a security self-audit (TTL, scope, budget, chain depth), and forwards to your MCP server. Rejects anything unauthorized. Zero changes to your server code.
MCP proxy guide | Security model
Installation
# Core library (if building directly on the protocol)
pip install agent-identity-protocol
# Framework adapters (recommended)
pip install aip-agents[crewai] # CrewAI
pip install aip-agents[adk] # Google ADK
pip install aip-agents[langchain] # LangChain
pip install aip-agents[all] # all frameworks
PyPI: agent-identity-protocol | aip-agents
Rust reference implementation available in rust/.
Documentation
- sunilprakash.com/aip/ -- project hub with guides and tutorials
- Quickstart -- 5 minutes to your first AIP token
- Delegation guide -- chained tokens, scope attenuation, policy profiles
- Competitive analysis -- AIP vs OAuth, DID, UCAN, Macaroons, Biscuit, SPIFFE
- Specification -- full protocol spec
Examples
- Single-agent MCP -- agent authenticates to MCP tool server
- Multi-agent delegation -- orchestrator delegates to specialist, calls tool server
Paper
Sunil Prakash. AIP: Agent Identity Protocol for Verifiable Delegation Across MCP and A2A. arXiv preprint arXiv:2603.24775, 2026. https://arxiv.org/abs/2603.24775
IETF Internet-Draft: draft-prakash-aip-00
@article{prakash2026aip,
title={AIP: Agent Identity Protocol for Verifiable Delegation Across MCP and A2A},
author={Prakash, Sunil},
journal={arXiv preprint arXiv:2603.24775},
year={2026}
}
Related papers
AIP is part of a multi-agent trust stack:
| Layer | Paper | arXiv |
|---|---|---|
| Identity | AIP: Verifiable Delegation Across MCP and A2A | 2603.24775 |
| Provenance | The Provenance Paradox in Multi-Agent LLM Routing | 2603.18043 |
| Protocol | LDP: An Identity-Aware Protocol for Multi-Agent LLM Systems | 2603.08852 |
| Reasoning | DCI: Structured Collective Reasoning with Typed Epistemic Acts | 2603.11781 |
Tests
cd python && pytest tests/ -v
License
Apache 2.0
Project details
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file agent_identity_protocol-0.2.0.tar.gz.
File metadata
- Download URL: agent_identity_protocol-0.2.0.tar.gz
- Upload date:
- Size: 31.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
15f5dbf22f8775f35492de31236905c8b5cf2f0af55cc5c55e64c6af0ebd3fe9
|
|
| MD5 |
d4ee407d11a929ff50848c31775be265
|
|
| BLAKE2b-256 |
1ac291b6e7f51bb5dab6799ac67a0459c1d74ba3ba45b7a7690905574fd1e1ac
|
Provenance
The following attestation bundles were made for agent_identity_protocol-0.2.0.tar.gz:
Publisher:
publish-core.yml on sunilp/aip
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
agent_identity_protocol-0.2.0.tar.gz -
Subject digest:
15f5dbf22f8775f35492de31236905c8b5cf2f0af55cc5c55e64c6af0ebd3fe9 - Sigstore transparency entry: 1281073043
- Sigstore integration time:
-
Permalink:
sunilp/aip@9f39631c0b7a731e9289aeead2975458c26584fc -
Branch / Tag:
refs/tags/aip-core-v0.2.0 - Owner: https://github.com/sunilp
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish-core.yml@9f39631c0b7a731e9289aeead2975458c26584fc -
Trigger Event:
push
-
Statement type:
File details
Details for the file agent_identity_protocol-0.2.0-py3-none-any.whl.
File metadata
- Download URL: agent_identity_protocol-0.2.0-py3-none-any.whl
- Upload date:
- Size: 21.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
4675127cd13b429b424ea0ac16180deafd22fc2ff3a40e2bd00cf0d1b79318e1
|
|
| MD5 |
219ea521ca0107eab6d13ab7c6b0e5e4
|
|
| BLAKE2b-256 |
53a5d28ef22ae887d7950c7d19921ab7961b3f243b1bddf94431308de6a2b1a8
|
Provenance
The following attestation bundles were made for agent_identity_protocol-0.2.0-py3-none-any.whl:
Publisher:
publish-core.yml on sunilp/aip
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
agent_identity_protocol-0.2.0-py3-none-any.whl -
Subject digest:
4675127cd13b429b424ea0ac16180deafd22fc2ff3a40e2bd00cf0d1b79318e1 - Sigstore transparency entry: 1281073072
- Sigstore integration time:
-
Permalink:
sunilp/aip@9f39631c0b7a731e9289aeead2975458c26584fc -
Branch / Tag:
refs/tags/aip-core-v0.2.0 - Owner: https://github.com/sunilp
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish-core.yml@9f39631c0b7a731e9289aeead2975458c26584fc -
Trigger Event:
push
-
Statement type:
