v0.1.0 Release Notes

Release Date: 2026-04-19

Initial release of agent-protocols with two protocol implementations for AI agent authentication.

Highlights

  • ID-JAG: OAuth 2.0 token exchange with JWT assertions and human-to-agent delegation support
  • AIMS: SPIFFE-based workload identity with WIT/WPT authentication per WIMSE specification

Protocols

ID-JAG (Identity Assertion JWT Authorization Grant)

Implementation of draft-ietf-oauth-identity-assertion-authz-grant for agent authentication in OAuth 2.0 environments.

Features:

  • JWT assertion creation and signing (RS256, ES256)
  • Token exchange client (RFC 8693)
  • JWT Bearer client (RFC 7523)
  • Authorization server with JWKS endpoint
  • Resource server middleware
  • Actor claim (act) for delegation chains
  • Static key and JWKS-based verifiers

Use Cases:

  • Agent-only authentication (service accounts)
  • Human-to-agent delegation
  • Multi-agent orchestration with nested delegation
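
How a resource server can read a nested delegation chain from the `act` claim, following RFC 8693 section 4.1. This is an added example, not code from agent-protocols: `DelegationChain`, `maxActDepth` and the sample payload are hypothetical, and the claims are assumed to come from a token whose signature was already verified.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// maxActDepth is an assumed local policy bound, not a value from RFC 8693.
const maxActDepth = 4

// actor mirrors an "act" claim object: a subject plus an optional prior actor.
type actor struct {
	Sub string `json:"sub"`
	Act *actor `json:"act"`
}

// DelegationChain returns the token subject and the actors, current actor first.
// Requiring "sub" in every act object is this example's policy (assumption).
func DelegationChain(payload []byte) (string, []string, error) {
	var c actor // the top-level claims share the sub/act shape
	if err := json.Unmarshal(payload, &c); err != nil {
		return "", nil, fmt.Errorf("decode claims: %w", err)
	}
	if c.Sub == "" {
		return "", nil, errors.New("missing sub")
	}
	var chain []string
	for a := c.Act; a != nil; a = a.Act {
		if a.Sub == "" {
			return "", nil, errors.New("act claim without sub")
		}
		if len(chain) == maxActDepth {
			return "", nil, errors.New("delegation chain too deep")
		}
		chain = append(chain, a.Sub)
	}
	return c.Sub, chain, nil
}

func main() {
	// Constructed payload: alice -> orchestrator -> calendar-bot (current actor).
	p := []byte(`{"sub":"user:alice","act":{"sub":"agent:calendar-bot","act":{"sub":"agent:orchestrator"}}}`)
	sub, chain, err := DelegationChain(p)
	if err != nil {
		panic(err)
	}
	fmt.Printf("subject=%s current=%s prior=%v\n", sub, chain[0], chain[1:])
}
```

Per RFC 8693, only the top-level claims and the current actor (the outermost `act`) feed access-control decisions; nested prior actors are informational and belong in audit logs.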

AIMS (Agent Identity Management System)

Implementation of draft-klrc-aiagent-auth-00 for cloud-native agent identity.

Features:

  • SPIFFE ID parsing and validation
  • Nine-layer architecture model
  • Workload Identity Token (WIT) per WIMSE
  • WIMSE Proof Token (WPT) with request binding
  • X.509 SVID and JWT-SVID credentials
  • Attestation types: TPM, SGX, SEV-SNP, TDX, Kubernetes, AWS, GCP, Azure, GitHub

Use Cases:

  • Kubernetes workload identity
  • mTLS authentication
  • Cloud-native agent deployments

Installation

go get github.com/aistandardsio/agent-protocols@v0.1.0

Quick Start

ID-JAG Token Exchange

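import (
    "log"
    "time"

    "github.com/aistandardsio/agent-protocols/idjag"
)

// privateKey, ctx and the jwt package are assumed to be set up by the caller.

// Create assertion
assertion := idjag.NewAssertion(
    "https://issuer.example.com",
    "agent:calendar-bot",
    []string{"https://auth.example.com"},
    5*time.Minute,
)

// Sign and exchange; stop on any error rather than sending an empty assertion
signed, err := assertion.Sign(jwt.SigningMethodRS256, privateKey, "key-1")
if err != nil {
    log.Fatalf("sign assertion: %v", err)
}
client := idjag.NewTokenExchangeClient("https://auth.example.com/token")
resp, err := client.ExchangeAssertion(ctx, signed, "read:calendar")
if err != nil {
    log.Fatalf("token exchange: %v", err)
}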

AIMS WIT/WPT Authentication

import (
    "log"
    "time"

    "github.com/aistandardsio/agent-protocols/aims"
)

// Create SPIFFE ID and WIT; req and privateKey are supplied by the caller
spiffeID, err := aims.NewSPIFFEID("example.com", "/agent/calendar-bot")
if err != nil {
    log.Fatalf("invalid SPIFFE ID: %v", err)
}
wit := aims.NewWIT(spiffeID, []string{"https://api.example.com"}, 1*time.Hour)

// Create WPT bound to request
wpt := aims.NewWPTForRequest(spiffeID.String(), "https://api.example.com", req)
wpt.BindToRequest(req, privateKey, "key-1")

Documentation

Examples

Run the working demos:

# ID-JAG simple flow
go run ./idjag/examples/simple

# ID-JAG delegation flow
go run ./idjag/examples/delegation

# AIMS WIT/WPT flow
go run ./aims/examples/simple

# AIMS mTLS flow
go run ./aims/examples/mtls

Breaking Changes

None (initial release).

Known Issues

Experimental

This library implements draft specifications that are subject to change.
