Agent Identity Bridge (AIB) Protocol Specification

The Agent Identity Bridge (AIB) protocol defines a portable identity format for AI agents operating across multiple communication protocols. It provides a single credential — the Agent Passport — that is valid across [[MCP]], [[A2A]], ANP (Agent Network Protocol), and AG-UI (Agent-User Interaction). This specification defines the passport format, credential translation semantics, cryptographic audit trail, policy engine, OIDC federation, and webhook notification system.

Introduction

AI agents increasingly operate across multiple communication protocols simultaneously. An agent may receive tasks via [[MCP]], collaborate with peers via [[A2A]], register on discovery networks via ANP, and interact with users via AG-UI. Each protocol has its own identity and credential format, creating fragmentation.

AIB solves this by defining a single Agent Passport that encapsulates an agent's identity, capabilities, and protocol bindings. Credentials can be translated between formats in sub-millisecond time. Every action is recorded in a cryptographically signed audit trail using Ed25519 ([[RFC8032]]).

Design Goals

Portability: One identity credential valid across all supported protocols.
Verifiability: Every action produces a cryptographically signed receipt.
Policy enforcement: Declarative rules evaluated before every action.
Federation: External identity providers (OIDC) accepted natively.
Minimal footprint: Zero external dependencies in the SDK.

Terminology

Agent Passport: A structured credential identifying an AI agent across protocols.
Receipt: A signed record of an action (create, revoke, translate, etc.).
Binding: Protocol-specific authentication configuration within a passport.
Capability: A declared ability of an agent (e.g., booking, support).
Policy Rule: A declarative constraint evaluated before an action is permitted.
Tier: The lifetime class of a passport: permanent, session, or ephemeral.

Agent Passport Format

URN Scheme

Agent passports MUST use the following hierarchical URN scheme:

urn:aib:agent:{org_slug}:{agent_slug}

Where:

org_slug: Lowercase alphanumeric organization identifier (2-64 characters, hyphens allowed).
agent_slug: Lowercase alphanumeric agent identifier (1-64 characters, hyphens and underscores allowed). MUST match the pattern ^[a-z0-9][a-z0-9-_]{0,62}[a-z0-9]$.

Organization issuers MUST follow:

urn:aib:org:{org_slug}

Passport Object

A conforming Agent Passport is a JSON object with the following structure:

{
  "passport_id": "urn:aib:agent:myorg:booking-bot",
  "display_name": "myorg/booking-bot",
  "issuer": "urn:aib:org:myorg",
  "capabilities": ["booking", "scheduling"],
  "protocols": ["mcp", "a2a"],
  "protocol_bindings": {
    "mcp": { "auth_method": "oauth2" },
    "a2a": { "auth_method": "bearer" }
  },
  "tier": "permanent",
  "status": "active",
  "version": 1,
  "issued_at": "2026-03-28T10:00:00Z",
  "expires_at": "2027-03-28T10:00:00Z",
  "metadata": {}
}

Required Fields

Field	Type	Description
`passport_id`	string (URN)	MUST be unique. Follows the URN scheme defined above.
`display_name`	string	Human-readable name for the agent.
`issuer`	string (URN)	MUST follow the organization URN scheme.
`capabilities`	string[]	Array of declared agent capabilities.
`protocols`	string[]	MUST contain at least one of: `mcp`, `a2a`, `anp`, `ag-ui`.
`protocol_bindings`	object	Per-protocol authentication configuration.
`tier`	string	MUST be `permanent`, `session`, or `ephemeral`.
`status`	string	MUST be `active`, `revoked`, or `expired`.
`version`	integer	Monotonically increasing version number.
`issued_at`	ISO 8601	Creation timestamp.
`expires_at`	ISO 8601	Expiration timestamp.

Protocol Bindings

Each entry in protocol_bindings maps a protocol to its auth configuration:

Protocol	Auth Method	Additional Fields
`mcp`	`oauth2`	—
`a2a`	`bearer`	—
`anp`	`did-auth`	`did` (DID Web URI)
`ag-ui`	`none`	—

Tiers

Tier	Default TTL	Max TTL	Use Case
`permanent`	365 days	3650 days	Long-lived service agents
`session`	1 hour	24 hours	Task-scoped agents
`ephemeral`	5 minutes	5 minutes	One-shot delegated actions

Credential Translation

Conforming implementations MUST support bidirectional translation between all supported protocol credential formats. Translation SHOULD complete in under 1 millisecond.

Supported Translation Paths

From	To	Status
A2A Agent Card	MCP Server Card	REQUIRED
MCP Server Card	A2A Agent Card	REQUIRED
A2A Agent Card	AG-UI Descriptor	REQUIRED
MCP Server Card	AG-UI Descriptor	REQUIRED
AG-UI Descriptor	A2A Agent Card	REQUIRED
AG-UI Descriptor	MCP Server Card	REQUIRED

Translation Semantics

skills (A2A) → tools (MCP): Each skill becomes a tool with an auto-generated inputSchema.
tools (MCP) → skills (A2A): Each tool becomes a skill with id = tool name.
capabilities (AG-UI) → skills/tools: Each capability string becomes a skill or tool.

Translated credentials MUST include the following metadata fields:

_aib_source: The original format identifier.
_aib_translated_at: ISO 8601 timestamp of translation.

Audit Trail

Receipt Format

Every action MUST produce a Receipt:

{
  "passport_id": "urn:aib:agent:myorg:bot",
  "action": "create",
  "status": "success",
  "receipt_hash": "a1b2c3d4e5f6...",
  "signature": "ed25519hex...",
  "signed_by": "publickeyhex...",
  "created_at": "2026-03-28T10:00:00Z"
}

Hash Chain

Each receipt's receipt_hash MUST be computed as:

SHA-256("{action}|{passport_id}|{timestamp}")

This creates a tamper-evident chain — modifying any receipt invalidates subsequent hashes.

Ed25519 Signatures

Receipts MUST be signed using Ed25519 ([[RFC8032]]). The signing key SHOULD be persistent across server restarts. The public key MUST be stored in the signed_by field of each receipt for independent verification.

Denied Actions

Policy violations MUST also generate signed receipts with status: "denied", the error code in error_code, and violation details in metadata.violations.

Policy Engine

Rule Types

Conforming implementations MUST support the following 12 policy rule types:

#	Type	Description
1	`deliverable_gate`	Require specific capabilities before an action is permitted.
2	`capability_required`	Agent MUST possess specific capabilities.
3	`separation_of_duties`	Block self-actions on resources the requesting identity created.
4	`protocol_restrict`	Block passports using specific protocols.
5	`domain_block`	Block agents matching specific domain patterns.
6	`domain_allow`	Allow only agents matching specific domain patterns.
7	`tier_restrict`	Restrict actions to specific passport tiers.
8	`time_restrict`	Restrict actions to specific time windows (UTC).
9	`action_block`	Block specific actions entirely.
10	`rate_limit`	Limit the number of actions per time period.
11	`attestation_required`	Require cryptographic attestation for specific actions.
12	`capability_limit`	Limit the number of capabilities per passport.

Severity Levels

Each policy rule MUST have a severity level:

block: Action is denied. A signed denial receipt is emitted.
warn: Action proceeds. Violation is recorded in receipt metadata.
log: Action proceeds. Violation is counted in rule hit statistics.

Evaluation Order

All active rules MUST be evaluated for every action. If any rule with block severity produces a violation, the action MUST be denied. Violations from warn and log rules SHOULD be included in the response metadata.

OIDC Federation

AIB SHOULD accept external OIDC tokens ([[RFC7519]]) as authentication. This enables agents authenticated via enterprise identity providers to obtain passports without creating AIB-specific accounts.

Verification Flow

Conforming implementations MUST perform the following steps when processing an OIDC token:

Extract the JWT payload from the Bearer token.
Look up the iss (issuer) claim in the federation trust registry.
Verify exp (expiration) is in the future.
If an expected audience is configured, verify the aud claim matches.
Fetch the JWKS from the issuer's jwks_uri.
Verify the JWT signature using the appropriate algorithm (RS256, RS384, or RS512).
If valid, create or authenticate the identity linked to the OIDC subject.

Supported Algorithms

Conforming implementations MUST support RS256 and SHOULD support RS384 and RS512 (RSASSA-PKCS1-v1_5).

JWKS Caching

JWKS responses SHOULD be cached for at least 1 hour per issuer URI to minimize network overhead.

Webhooks

Event Types

Conforming implementations SHOULD support the following webhook events:

Event	Triggered By
`passport.created`	Successful passport creation.
`passport.revoked`	Successful passport revocation.
`policy.violation`	A policy rule blocks an action.
`translate.completed`	Successful credential translation.

Payload Format

{
  "event": "passport.created",
  "timestamp": "2026-03-28T10:00:00Z",
  "data": {
    "passport_id": "urn:aib:agent:myorg:bot",
    "protocols": ["mcp", "a2a"],
    "capabilities": ["booking"]
  }
}

Signature

When a webhook has a secret configured, the payload body MUST be signed with HMAC-SHA256. The hex-encoded signature MUST be sent in the X-AIB-Signature HTTP header.

Code	HTTP Status	Description
AIB-001	400	Invalid or missing request body.
AIB-002	400	Invalid agent_slug format.
AIB-003	400	No valid protocols specified.
AIB-101	401	Unauthorized — invalid or missing credentials.
AIB-201	404	Passport not found.
AIB-301	409	Passport already exists (duplicate).
AIB-302	409	Passport already revoked.
AIB-401	400	Unsupported translation path.
AIB-501	500	Internal server error.
AIB-601	403	Policy violation (blocked).
AIB-602	403	Separation of duties violation.
AIB-701	429	Webhook quota exceeded.