Skip to content

Agent Protocols

Go implementation of agent-to-agent communication protocols.

Experimental

This library implements draft specifications that are subject to change.

Overview

This repository provides Go libraries for emerging AI agent authentication and authorization protocols. As AI agents become more prevalent, standardized approaches to agent identity and authentication are critical for secure multi-agent systems.

Protocols

  • AAuth

    Agent Authentication using HTTP message signatures and token exchange.

    Best for: AI agent identity, cryptographic authentication, human delegation.

    Learn more

  • ID-JAG

    Identity Assertion JWT Authorization Grant for OAuth 2.0 token exchange.

    Best for: OAuth 2.0 environments, human-to-agent delegation, existing IdP integration.

    Learn more

  • AIMS

    Agent Identity Management System using SPIFFE and WIMSE standards.

    Best for: Kubernetes/cloud-native, mTLS environments, workload identity.

    Learn more

Choosing a Protocol

Aspect AAuth ID-JAG AIMS
Type Protocol Protocol Framework
Identity Model AAuth IDs OAuth JWT assertions SPIFFE IDs
Credential Format aa-agent+jwt, aa-auth+jwt Signed JWT assertions X.509 SVIDs, JWT-SVIDs, WITs
Authentication HTTP signatures + tokens Token exchange (RFC 8693) mTLS or WIT/WPT
Delegation Person Server + cnf act claim SPIFFE path conventions
Best For AI agent identity OAuth 2.0 environments Kubernetes/cloud-native
Standards RFC 9421, RFC 8693 RFC 8693, RFC 7523 SPIFFE, WIMSE

Installation

go get github.com/aistandardsio/agent-protocols

Quick Examples

import "github.com/aistandardsio/agent-protocols/aauth"

// Create agent with cryptographic identity
agentID, _ := aauth.NewAAuthID("calendar-bot", "example.com")
agent, _ := aauth.NewAgent(agentID, privateKey,
    aauth.WithAgentProviderURL("https://agents.example.com"))

// Create signed HTTP request
req, _ := agent.SignedRequest(ctx, "GET", "https://api.example.com/events", nil)

// Or use automatic signing transport
client := &http.Client{Transport: agent.Transport(nil)}
resp, _ := client.Get("https://api.example.com/events")

import "github.com/aistandardsio/agent-protocols/idjag"

// Agent authenticates as itself
assertion := idjag.NewAssertion(
    "https://issuer.example.com",
    "agent:calendar-bot",
    []string{"https://auth.example.com"},
    5 * time.Minute,
)

// Exchange for access token
client := idjag.NewTokenExchangeClient("https://auth.example.com/token")
resp, err := client.ExchangeAssertion(ctx, signedAssertion, "read:data")

import "github.com/aistandardsio/agent-protocols/aims"

// Create SPIFFE ID for agent
spiffeID, _ := aims.NewSPIFFEID("example.com", "/agent/calendar-bot")

// Create Workload Identity Token
wit := aims.NewWIT(spiffeID, []string{"https://api.example.com"}, 1*time.Hour)
signedWIT, _ := wit.Sign(privateKey, "key-1")

// Create proof token for specific request
wpt := aims.NewWPTForRequest(spiffeID.String(), "https://api.example.com", req)
wpt.BindToRequest(req, privateKey, "key-1")

Adapters

Production-ready integrations with identity infrastructure.

  • Zitadel

    Integration with Zitadel OIDC infrastructure for all three protocols.

    Learn more

  • SharkAuth

    Agent delegation with may_act_grants and DPoP proof-of-possession.

    Learn more

  • Ory

    Custom Fosite OAuth handlers and Hydra client integration.

    Learn more

Documentation

AAuth

ID-JAG

AIMS

Adapters

  • Zitadel - Integration with Zitadel OIDC infrastructure
  • SharkAuth - Agent delegation with DPoP proof-of-possession
  • Ory - Fosite handlers and Hydra client for OAuth 2.0

Releases

  • v0.3.0 - SharkAuth and Ory adapters (2026-05-11)
  • v0.2.0 - AAuth protocol, Zitadel adapter (2026-05-11)
  • v0.1.0 - ID-JAG and AIMS protocols (2026-04-19)

AAuth

ID-JAG

AIMS