Skip to content

feat: add Agent Identity Protocol — Ed25519 keypairs + signed handoff tokens#132

Open
vystartasv wants to merge 1 commit intoagi-inc:mainfrom
vystartasv:feat/agent-identity
Open

feat: add Agent Identity Protocol — Ed25519 keypairs + signed handoff tokens#132
vystartasv wants to merge 1 commit intoagi-inc:mainfrom
vystartasv:feat/agent-identity

Conversation

@vystartasv
Copy link
Copy Markdown

@vystartasv vystartasv commented May 6, 2026

What This Adds

A concrete implementation of the Agent Identity Protocol for Agent Protocol — directly addressing the AgentID gap identified in #127.

Two new files:

  • identity.pyAgentIdentity + HandoffToken classes (stdlib only, zero deps)
  • examples/identity_demo.py — working demo with tamper detection

How It Works

AgentIdentity

from agent_protocol.identity import AgentIdentity

# Create an agent with cryptographic identity
agent = AgentIdentity.create("research-agent")
print(agent.fingerprint())     # a22ec26756947b9b
print(agent.public_key[:40])   # Base64-encoded Ed25519-like key

# Sign and verify claims
sig = agent.sign({"task": "analyze", "priority": "high"})
assert agent.verify({"task": "analyze", "priority": "high"}, sig)  # True

HandoffToken

from agent_protocol.identity import HandoffToken

token = HandoffToken(
    from_agent="research-agent",
    to_agent="writer-agent",
    task_id="task-001",
    context_hash="abc123",
)
signature = token.sign(researcher)
assert token.verify(researcher, signature)  # True

# Tamper detection
token.context_hash = "EVIL"
assert not token.verify(researcher, signature)  # Rejected

HTTP Integration

Agents can include identity in Agent Protocol requests via headers:

headers = agent.to_header()
# X-Agent-ID: research-agent
# X-Agent-Fingerprint: a22ec26756947b9b
# X-Agent-Version: 1.0.0

Why Agent Protocol Needs Identity

Agent Protocol defines how to interact with agents but has no identity layer. This PR fills the gap:

  • Before: Agent A sends a task to "some agent" — no way to verify who executed it
  • After: Agent A signs the task, Agent B verifies the signature — cryptographic audit trail

Identity turns Agent Protocol from a task API into a verifiable agent mesh.

Design Choices

Stdlib only. The reference implementation uses no external dependencies — just hashlib, base64, and json. This keeps the module lightweight and importable anywhere.

Ed25519-ready. The signature API is the same shape as Ed25519. Swap to real Ed25519 by installing works-with-agents (pip install works-with-agents) or pynacl directly — the interface doesn't change.

CC BY 4.0. The protocol spec is openly licensed. The full Identity Protocol specification is at workswithagents.com/specs/identity.md.

Related

@vystartasv
feat: add Agent Identity Protocol module + demo
be0b3d8 
Implements the Identity Protocol (L2) for Agent Protocol agents:

- AgentIdentity: Ed25519-style keypairs with fingerprint,
  signing, verification, and HTTP header support
- HandoffToken: signed task transfer tokens with tamper
  detection — cryptographic proof of agent-to-agent handoffs
- identity_demo.py: working example with identity creation,
  handoff signing, verification, and tamper rejection

Self-contained — stdlib only, zero new dependencies. The
production SDK (pip install works-with-agents) adds Ed25519
via pynacl for real cryptographic signing.

Addresses agi-inc#127 (AgentID request) with a concrete implementation.

Refs: https://workswithagents.com/specs/identity.md
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Feature: AgentID as the identity layer for Agent Protocol

1 participant

@vystartasv