Drop-in policy proxy for AIP delegation verification on MCP and A2A
Project description
AIP Gateway
Drop-in policy proxy that adds verifiable delegation to MCP and A2A without rewriting your agents.
Before: Agent --> MCP Server
After: Agent --> AIP Gateway --> MCP Server
Quick Start
pip install aip-gateway
aip-gateway serve --policy policy.yaml
Or with Docker:
docker run -v ./policy.yaml:/etc/aip-gateway/policy.yaml -p 8090:8090 sunilp/aip-gateway
What It Does
The gateway sits between your agents and MCP servers. Every request is verified:
- Token verification -- Ed25519 signature check against trusted keys
- Policy evaluation -- agent scope, delegation depth, budget limits, workflow rules
- Header injection -- upstream gets verified caller identity (no SDK needed)
- Audit logging -- every allow/deny decision in JSONL
Policy File
gateway:
upstream: http://localhost:8080
port: 8090
trust_keys:
- z6MkYourTrustKeyHere...
agents:
credit-scorer:
identity: "aip:key:ed25519:zScorer..."
can_delegate:
- tool:check_credit
max_depth: 0
rules:
- action: tool:approve_loan
requires:
- tool:check_credit
- tool:assess_risk
deny_if:
- same_actor: [credit-scorer, loan-approver]
Demo: Loan Origination
cd examples/loan_origination
python run_demo.py
Four scenarios showing scope enforcement, prerequisite checking, and maker-checker separation:
Scenario 1: Valid chain -> ALLOW (proper segregation of duties)
Scenario 2: Scope violation -> DENY (scorer cannot approve loans)
Scenario 3: Missing prerequisite -> DENY (no approval without due diligence)
Scenario 4: Same-actor -> DENY (maker-checker separation enforced)
AIP prevents an AI agent from turning credit scoring authority into loan approval authority.
Upstream Header Enrichment
After verification, the gateway injects identity headers into forwarded requests:
X-AIP-Verified: true
X-AIP-Issuer: aip:key:ed25519:zOrchestrator...
X-AIP-Subject: aip:key:ed25519:zScorer...
X-AIP-Scope: tool:check_credit
X-AIP-Depth: 1
Your MCP server reads these without any AIP SDK dependency.
CLI
aip-gateway serve --policy policy.yaml # Start the proxy
aip-gateway validate --policy policy.yaml # Check policy syntax
aip-gateway version # Show version
Protocol
- Paper: arXiv:2603.24775
- IETF: draft-prakash-aip-00
- Spec: sunilprakash.com/aip/
- TypeScript SDK: @aip-sdk on npm
- Python SDK: agent-identity-protocol on PyPI
License
Apache 2.0
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file aip_gateway-0.1.0.tar.gz.
File metadata
- Download URL: aip_gateway-0.1.0.tar.gz
- Upload date:
- Size: 16.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.4
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
cf8e6689c2361cb245e820ecda20257d519ff55c7acb0f171e7f612fa8807a89
|
|
| MD5 |
8069dea4a8e9343365795f26dcbfcb5c
|
|
| BLAKE2b-256 |
e8a66c4df973567e9501f9ef8be54ee581694b3af9ddf735aac57ed1cdb11b08
|
File details
Details for the file aip_gateway-0.1.0-py3-none-any.whl.
File metadata
- Download URL: aip_gateway-0.1.0-py3-none-any.whl
- Upload date:
- Size: 13.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.4
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
abba091bb13ae902a531a0b39f1c07280f3f15b0923cdc4c719762f0b6a93b92
|
|
| MD5 |
7a8b6d043ed2ee4e6e177fcf13c85e4d
|
|
| BLAKE2b-256 |
e198782a3b8e3a39d6fe64cb2fb3a3ab5350db0ef59d12043760825e56c782b1
|
