Agent Transfer Protocol (ATP): secure agent-to-agent communication
Project description
ATP: Agent Transfer Protocol
Secure agent-to-agent communication over the Internet.
A communication protocol for agent-to-agent transfer.
DNS-based discovery, mandatory Ed25519 signing, server-mediated delivery.
Agent A ATP Server A ATP Server B Agent B
| | | |
|---[1. Submit]----->| | |
| (unsigned+cred) | | |
| 2. Credential Verify | |
| | | |
| 3. DNS SVCB Discover | |
| 4. Domain-key Sign (ATK) | |
| | | |
| |--[5. Transfer]----->| |
| | TLS 1.3 + POST | |
| | (signed message) | |
| | | |
| | 6. ATS+ATK Verify (DNS) |
| | 7. Sender Authenticated |
| | | |
|<---[202 Accepted]--| |---[8. Deliver]--->|
| | | |
Why ATP?
Agents need a standard way to communicate across the Internet: securely, without a central registry, using infrastructure that already exists.
| Feature | How |
|---|---|
| Identity | local@domain format, powered by DNS |
| Discovery | DNS SVCB records, no central registry needed |
| Signing | Ed25519 on every message, verified on cross-domain transfer |
| Authorization | ATS policies in DNS, control who can send for your domain |
| Delivery | Store-and-forward with retry, messages don't get lost |
Install
pip install agent-transfer-protocol
Requires Python 3.11+
Quick Start
# 1. Start a server
atp server start --domain example.com --port 7443
# 2. Register an agent (will prompt for password)
atp agent register mybot --server example.com
# Or non-interactively: atp agent register mybot --server example.com -p mypassword
# 3. Send a message (from another terminal)
atp send agent@remote.org \
--from mybot \
--password mypassword \
--server example.com \
--body "Hello!"
# 4. Check server status
atp status --server example.com
Try It: Two Servers Talking
Run two servers locally and send messages between them, no DNS needed:
# Terminal 1: Start Server A
atp server start --domain alice.local --port 7443
# Terminal 2: Start Server B
atp server start --domain bob.local --port 7444
# Register agents
atp agent register agent --server 127.0.0.1:7443 --no-verify -p alice_pass
atp agent register agent --server 127.0.0.1:7444 --no-verify -p bob_pass
# Terminal 3: Alice sends to Bob
atp send agent@bob.local \
--from agent \
--password alice_pass \
--server 127.0.0.1:7443 \
--no-verify \
--body "Hello Bob!"
# Terminal 4: Bob receives
atp recv \
--agent-id agent \
--password bob_pass \
--server 127.0.0.1:7444 \
--no-verify
Python SDK
import asyncio
from atp.client import ATPClient
async def main():
client = ATPClient(
agent_id="mybot",
password="mypassword",
server="example.com",
)
# Send
result = await client.send("target@remote.org", body="Hello from SDK")
print(result) # {"status": "accepted", "nonce": "msg-..."}
# Receive
messages = await client.recv()
for msg in messages:
print(f"{msg.from_id}: {msg.payload}")
await client.close()
asyncio.run(main())
CLI Reference
Core Commands
| Command | Description |
|---|---|
atp server start |
Start ATP server |
atp send <to> |
Send a message |
atp recv |
Receive messages |
Agent Management
| Command | Description |
|---|---|
atp agent register <name> |
Register an agent with credentials |
atp agent list |
List registered agents |
Key Management (Server)
Ed25519 signing keys are auto-generated on first server startup. These commands are for manual control.
| Command | Description |
|---|---|
atp keys generate |
Generate Ed25519 key pair |
atp keys show |
Show key info |
atp keys list |
List all keys |
atp keys rotate |
Rotate to a new key |
Operations
| Command | Description |
|---|---|
atp status |
Show server status and metrics |
atp inspect <nonce> |
Inspect a specific message |
DNS
| Command | Description |
|---|---|
atp dns generate |
Generate DNS records for your domain |
atp dns check |
Verify DNS records are configured |
Run atp <command> --help for options.
Connection Options
--server format |
Protocol | Port |
|---|---|---|
example.com |
HTTPS | 7443 (default) |
example.com:8443 |
HTTPS | 8443 |
https://example.com |
HTTPS | 7443 |
http://example.com |
HTTP (warns) | 7443 |
- Default: verify TLS certificates. Invalid cert prompts for confirmation.
--no-verify: skip certificate verification silently.- Agent names without
@are auto-completed with the server domain.
Production Deployment
For production, configure DNS records. ATP generates them for you:
# Step 1: Generate the records
atp dns generate --domain example.com --ip 203.0.113.1
# Step 2: Add them to your DNS provider (Cloudflare, Route53, etc.)
# Step 3: Verify
atp dns check --domain example.com
# Step 4: Start with TLS
atp server start --domain example.com --cert server.crt --key server.key
See the DNS Setup Guide for details.
Security
ATP provides four layers of security, inspired by email's battle-tested approach:
| Layer | ATP | Email Equivalent | Purpose |
|---|---|---|---|
| Transport | TLS 1.3 | STARTTLS | Encrypted connections |
| Authentication | Credential | SMTP AUTH | Agent identity (username + password) |
| Authorization | ATS | SPF | Who can send for a domain |
| Integrity | ATK (Ed25519) | DKIM | Message signing & verification |
Agents authenticate to their server with credentials (password). The server signs messages with its domain-level Ed25519 key before forwarding. Remote servers verify independently via ATS+ATK.
Documentation
| Quick Start | Full walkthrough with two servers |
| Configuration | CLI options, config file, retry policy |
| DNS Setup | Production DNS configuration |
| Security Model | ATS, ATK, TLS explained in depth |
| Python SDK | API reference for developers |
| Architecture | Module design for contributors |
Protocol Specification
ATP is defined as an IETF Internet-Draft (Standards Track):
Agent Transfer Protocol (ATP) draft-li-atp · March 2026 Xiang Li, Lu Sun, Yuqi Qiu, Nankai University, AOSP Laboratory
Contributing
git clone https://github.com/NKU-AOSP-Lab/AgentTransferProtocol.git
cd atp
pip install -e ".[dev]"
python -m pytest tests/ -v # 227 tests
See Architecture for module design and development guide.
License
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file agent_transfer_protocol-1.0.0a8.tar.gz.
File metadata
- Download URL: agent_transfer_protocol-1.0.0a8.tar.gz
- Upload date:
- Size: 68.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.2
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
e2af480f70a164084782481cbff5a4432c2a0908d2b8eeb243e468fa13744698
|
|
| MD5 |
73c7500f4331cf065ff123ffc4fc1254
|
|
| BLAKE2b-256 |
2a4ee610885a7093b0a15d0dae81bfaef8b11a71880601560631237e8db70c14
|
File details
Details for the file agent_transfer_protocol-1.0.0a8-py3-none-any.whl.
File metadata
- Download URL: agent_transfer_protocol-1.0.0a8-py3-none-any.whl
- Upload date:
- Size: 53.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.2
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
8cfd3c83ee2f0661cf28351d5ecf8364493767662749e5fe4a5726c5934dca42
|
|
| MD5 |
647270e0dcc2600b891ec7cac5c0920b
|
|
| BLAKE2b-256 |
38cf4e88a70b9419c5a89a27db815529b3f557f839612410ac01b00980e0fb02
|
