Agent Privacy-Preserving Protocol - AP3
Project description
AP3 - Agent Privacy-Preserving Protocol
AP3 is a protocol for privacy-preserving computation between autonomous agents
What is AP3?
AP3 is designed to solve a critical challenge in the emerging agentic economy:
How can AI agents collaborate on sensitive computations while maintaining data confidentiality and competitive advantage?
Traditional agent communication requires data sharing, which creates risks:
- Competitive Intelligence Leakage: Proprietary algorithms, cost structures, and business strategies could be exposed
- Regulatory Compliance Issues: Data sharing may violate privacy regulations like GDPR and CCPA
- Trust Barriers: Parties are reluctant to collaborate without cryptographic privacy guarantees
AP3 addresses these challenges by providing a standardized framework for privacy-preserving computation using advanced cryptographic techniques.
As the agentic economy grows, AP3 will become essential infrastructure for trusted, privacy-preserving computation between autonomous agents, enabling a new generation of collaborative AI applications that respect data sovereignty and competitive advantage.
Examples
| Example | Framework | Description |
|---|---|---|
| psi_simple | Plain Python | Minimal two-process PSI sanctions check (initiator + receiver) |
| psi_adk_simple | Google ADK | Two ADK agents running PSI through chat with embedded AP3 servers |
| a2a-example | A2A | PSI layered onto standard A2A hello-world servers as middleware |
| ap3_playground | Web UI | Glass-box inspector: agent cards, envelopes, directives, audit timeline, tamper/replay scenarios |
Each example has its own README with setup, Docker, and run instructions.
AP3 Documentation
Install the docs dependencies and run mkdocs serve to view the documentation locally:
uv sync
uv pip install -r requirements.txt
uv run mkdocs serve
Build the static site into site/:
uv run mkdocs build --clean
AP3 SDK
Key Docs:
- Installation Guide - Setup instructions
- Configuration - Environment setup
- API Reference - Complete API docs
- Troubleshooting - Common issues
Installation
Requires Python 3.11+.
uv sync && source .venv/bin/activate
Usage
Private Set Intersection
Note: PSI is implemented in pure Python on top of
rbcl(libsodium / Ristretto255) andmerlin_transcripts— installs on any platform those wheels support (macOS, Linux, Windows; x86_64 and arm64).
from ap3_functions import PSIOperation
initiator = PSIOperation() # OB: holds the customer to check
receiver = PSIOperation() # BB: holds the sanction list
sanction_list = ["Jane Smith,S001,456 Elm St", "Bob Brown,S002,789 Oak Ave"]
# OB opens the session (no sid commitment yet — wire-level kick-off).
init = initiator.start(role="initiator", inputs={"customer_data": "John Doe,ID123,123 Main St"})
# BB receives the kick-off and replies with msg0 carrying sid_1.
msg0 = receiver.receive(role="receiver", message=init["outgoing"], config={"sanction_list": sanction_list})
# OB picks sid_0, derives session_id = H(sid_0, sid_1), sends sid_0 + psc_msg1.
msg1 = initiator.process(session_id=init["session_id"], message=msg0["outgoing"])
# BB recomputes session_id, runs PSC, returns the result message.
msg2 = receiver.process(session_id=msg0["session_id"], message=msg1["outgoing"])
# OB finalizes.
final = initiator.process(session_id=init["session_id"], message=msg2["outgoing"])
is_match = final["result"]["is_match"]
The session_id is contributory: BB commits sid_1 before OB picks sid_0, so neither party alone can choose the session_id. Most applications never call these methods directly — PrivacyAgent.run_intent() drives the full exchange over A2A automatically.
Folder structure
ap3/
├── src/ap3/ # Core SDK (publishes as `ap3`)
│ ├── types/ # Pydantic models
│ ├── core/ # Session, envelopes, directives
│ ├── services/ # Commitment & discovery services
│ ├── signing/ # Ed25519 keys & signatures
│ └── a2a/ # A2A middleware integration
├── packages/
│ └── ap3-functions/ # Distribution: `ap3-functions`, import: `ap3_functions`
│ └── ap3_functions/ # Pure-Python protocol implementations
│ └── psi/ # Private Set Intersection
└── examples/
├── psi_simple/ # Minimal Python PSI demo
├── psi_adk_simple/ # PSI with Google ADK agents
├── a2a-example/ # PSI as A2A middleware
└── ap3_playground/ # Glass-box inspector UI
License
Licensed under the Apache License, Version 2.0. See LICENSE.
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file ap3-1.2.0.tar.gz.
File metadata
- Download URL: ap3-1.2.0.tar.gz
- Upload date:
- Size: 2.7 MB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.8.18
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
7eeff58bea8ea6eaf6d94835cf99bf286d5c1bbba8bb06dd6f2f1db086fb7b58
|
|
| MD5 |
5b03607d9a0668ebd4fff9262c7508c6
|
|
| BLAKE2b-256 |
d821fce4e586355b9bd4e9ab0cf8a5c5f4d5d37d5b711ef1699b1411872799cf
|
File details
Details for the file ap3-1.2.0-py3-none-any.whl.
File metadata
- Download URL: ap3-1.2.0-py3-none-any.whl
- Upload date:
- Size: 57.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.8.18
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
13a29f1eda640f7e70d2f40b7cca49f8bce49a6fdafda0c986a58ad52422e68a
|
|
| MD5 |
2b50e7fa516335fda91a7f821a21f331
|
|
| BLAKE2b-256 |
73d2c257b2a703e0cfff5287495e6df5052fd7fb69ff4ac5919fcdf3b2b47d99
|
