asap-protocol 2.2.1

Async Simple Agent Protocol - A streamlined protocol for agent-to-agent communication

ASAP: Async Simple Agent Protocol

✨ From agents, for agents. Delivering reliability, as soon as possible.

A production-ready protocol for agent-to-agent communication and task coordination.

Quick Info: v2.2.1 | Apache 2.0 | Python 3.13+ | Documentation | PyPI | Changelog

🚀 Live now our agentic marketplace — browse agents, register yours, request verification.

Why ASAP?

Building multi-agent systems today suffers from three core technical challenges that existing protocols like A2A don't fully address:

1. $N^2$ Connection Complexity: Most protocols assume static point-to-point HTTP connections that don't scale.
2. State Drift: Lack of native persistence makes it impossible to reliably resume long-running agentic workflows.
3. Fragmentation: No unified way to handle task delegation, artifact exchange and tool execution (MCP) in a single envelope.

ASAP provides a production-ready communication layer that simplifies these complexities. It's ideal for multi-agent orchestration, stateful workflows (persistence, resumability), MCP support and production systems requiring high-performance, type-safe agent communication.

For simple point-to-point communication, a basic HTTP API might suffice; ASAP shines when you need orchestration, state management and multi-agent coordination. See the spec for details.

Key Features

• Stateful orchestration — Task state machine with snapshotting for resumable workflows.
• Schema-first — Pydantic v2 + JSON Schema for cross-agent interoperability.
• Async-native — asyncio + httpx; sync and async handlers supported.
• MCP integration — Tool execution and coordination in a single envelope.
• Observable — trace_id and correlation_id for debugging.
• Security — Bearer auth, OAuth2/JWT, Ed25519 signed manifests, optional mTLS, replay prevention, HTTPS, rate limiting. Security Model (trust limits, Custom Claims).
• Identity & capabilities (v2.2, WebAuthn real in v2.2.1) — Per-runtime Host/Agent JWTs, capability grants with constraints (max, min, in, not_in), approval flows (device authorization / CIBA-style), real WebAuthn attestation/assertion for high-risk registration (opt-in via asap-protocol[webauthn]).
• Streaming & wire protocol (v2.2) — POST /asap/stream (SSE / TaskStream), JSON-RPC 2.0 batch on POST /asap, ASAP-Version negotiation, tamper-evident audit logging, Compliance Harness v2.
• Economics — Usage metering, delegation tokens, SLA framework with breach alerts.

🆕 Framework Ecosystem

ASAP is built for interoperability. Seamlessly integrate your agents into OpenClaw, LangChain, CrewAI and LlamaIndex workflows using our growing library of native adapters and standardized tool-calling schemas.

Installation

We recommend using uv for dependency management:

uv add asap-protocol

Or with pip:

pip install asap-protocol

📦 Available on PyPI — for reproducible environments, prefer uv when possible.

Quick Start

Run the demo (echo agent + coordinator in one command):

uv run python -m asap.examples.run_demo

Build your first agent here — server setup, client code, step-by-step (~15 min).

19 examples: orchestration, state migration, MCP, OAuth2, WebSocket, resilience.

Testing

uv run pytest -n auto --tb=short

With coverage:

uv run pytest --cov=src --cov-report=term-missing

Testing Guide (structure, fixtures, property/load/chaos tests). Contributing (dev setup, CI).

Compliance Harness

Validate that your agent follows the ASAP protocol:

uv add asap-compliance
pytest --asap-agent-url https://your-agent.example.com -m asap_compliance

See Compliance Testing Guide for handshake, schema and state machine validation.

Documentation

Learn

• Docs | API Reference
• Tutorials — First agent to production checklist
• Migration from A2A/MCP
• Raw Fetch (non-Python) — Fetch registry.json and revoked_agents.json with curl/fetch; implement your own client.

Deep Dive

• State Management | Best Practices: Failover & Migration | Error Handling
• Transport | Security | Security Model (OAuth2 trust, Custom Claims)
• Identity Signing | Compliance Testing | Migration v1.1 to v1.2 | mTLS
• Observability | Testing

Decisions & Operations

• ADRs — 19 Architecture Decision Records
• Tech Stack — Rationale for Python, Pydantic, Next.js choices
• Deployment | Troubleshooting

Release

• Changelog | PyPI

CLI

asap --version                                    # Show version
asap list-schemas                                 # List all available schemas
asap export-schemas                               # Export JSON schemas to file
asap compliance-check --url https://agent.example # Compliance Harness v2 (HTTP(S))
asap audit export --store memory --format json    # Export audit log (stdout)
asap keys generate -o key.pem                     # Generate Ed25519 keypair
asap manifest sign -k key.pem manifest.json       # Sign manifest
asap manifest verify signed.json                  # Verify signature
asap manifest info signed.json                    # Show trust level

See the CLI reference for compliance-check and audit export flag details, the CI compliance gate for wiring compliance-check into GitHub Actions, the audit export guide, Identity Signing, or run asap --help for the full command surface.

Version History

• v1.1 adds OAuth2, WebSocket, Discovery (well-known + Lite Registry), State Storage (SQLite) and Webhooks.
• v1.2 adds Ed25519 signed manifests, trust levels, optional mTLS and the Compliance Harness.
• v1.3 adds delegation commands (asap delegation create, asap delegation revoke).
• v2.0 adds the Lean Marketplace Web App (Next.js), Lite Registry on GitHub Pages, IssueOps registration, OAuth sign-in for developers, and Verified Badge flow.
• v2.1 adds the Consumer SDK (MarketClient), optional framework extras (LangChain, CrewAI, LlamaIndex, SmolAgents, OpenClaw, …), and registry UX improvements on PyPI.
• v2.1.1 is a patch release: JWT algorithm allowlist, SQLite async bridging, optional Redis-backed rate limits, SSRF hardening in the web app, and related reliability fixes (see Changelog).
• v2.2 adds per-runtime agent identity, capability-based authorization, SSE streaming (POST /asap/stream), ASAP-Version negotiation, JSON-RPC batch requests, tamper-evident audit logging, async state stores, and Compliance Harness v2.
• v2.2.1 closes the SELF-002 follow-up with real WebAuthn attestation/assertion via the opt-in asap-protocol[webauthn] extra, ships the asap compliance-check and asap audit export CLIs, promotes the client SDK ResolvedAgent.run() to a typed contract (raises TypeError on protocol violation), introduces the asap.economics.audit.AuditChainBroken exception for scripted tamper handling, and pins upper bounds on security-sensitive deps (cryptography, authlib, joserfc, pyjwt, webauthn, pydantic) — see dependency policy and full notes in the Changelog.

For a structured index of per-version features, see the docs index.

🔭 What's Next?

ASAP is evolving toward an Agent Marketplace — an open ecosystem where AI agents discover, trust and collaborate autonomously. See our vision document for the full roadmap.

Contributing

Community feedback and contributions are essential for ASAP Protocol's evolution. We're working on improvements and your input helps shape the future of the protocol.

Every contribution, from bug reports to feature suggestions, documentation improvements and code contributions, makes a real difference.

Check out our contributing guidelines to get started. It's easier than you think! 🚀

License

This project is licensed under the Apache 2.0 License - see the license file for details.

---

Built with Cursor and Claude Code — primarily Claude Opus 4.7 (1M context) with Cursor Composer 1.5, Gemini 3.1 Pro, and Kimi K2.5 as collaborators.