All notable changes to the AgentPin project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- Trust bundles for offline and air-gapped verification — pre-package discovery + revocation data
DiscoveryResolvertrait with pluggable discovery strategies:WellKnownResolver: HTTP.well-knownlookups (default)DnsTxtResolver: DNS TXT record discoveryManualResolver: Pre-configured static documents
directory_listingfield onAgentDeclarationfor multi-agent domain enumeration- JavaScript SDK: Trust bundle support, resolver abstraction
- Python SDK: Trust bundle support, resolver abstraction
- PyPI README: Added package README for PyPI listing
- npm README: Added package README, fixed package URLs
- Bumped JavaScript package to 0.1.1, Python package to 0.1.1
- ECDSA P-256 keypair generation with JWK export
- JWT credential issuance (ES256 signed, configurable TTL)
- 12-step credential verification flow:
- JWT parsing, algorithm validation (ES256 only), signature verification
- Domain binding, discovery resolution, key matching
- TOFU key pinning (JWK thumbprint), expiration, revocation
- Capability validation, delegation chain verification
- TOFU key pinning with JWK thumbprint persistence
- Delegation chains with capability narrowing and depth limits
- Mutual authentication with 128-bit nonce challenge-response
- Credential, agent, and key-level revocation
agentpin— Core library (no mandatory HTTP dependency)agentpin-cli— CLI binary (keygen,issue,verify,bundle)agentpin-server— Axum server for.well-knownendpoints
- JavaScript (
agentpinnpm package): Full protocol implementation - Python (
agentpinPyPI package): Full protocol implementation
.well-known/agent-identity.jsondiscovery document format.well-known/agent-identity-revocations.jsonrevocation endpoint- Capability-scoped credentials with constraints (
max_ttl_secs,allowed_scopes)