v0.1 draft · published 2026-05-21
An open protocol and edge-verified PKI for the agentic web. Stateless, sub-50 ms, vendor-neutral, chain-agnostic — built so legitimate agents pass bot-defense and the rest stay blocked.
Apache 2.0 · open spec · interop with MCP, A2A, Kite, SPIFFE, OWASP ANS
Issuer signs a passport. Agent presents it. Verifier validates it. All in under 50 milliseconds — globally, at the edge.
Sub-50 ms p99 verify, at the edge, globally · RFC 8032 (Ed25519) signing throughout · short-lived passports · DNS-verified, KYB-verified, or hardware-attested issuers
Bot-defense systems — Cloudflare, DataDome, hCaptcha, Arkose — cannot tell a legitimate Anthropic, OpenAI, or Mistral agent apart from a scraper. They either overblock (and frustrate human users whose agents are doing benign work on their behalf) or underblock (and bleed data and revenue to actual abuse).
Every major agent platform is solving identity inside its own ecosystem — MCP authentication, A2A, AP2. None of them are building the cross-vendor neutral layer that the rest of the web needs.
Blockchain-anchored approaches solve the commerce case at the cost of 1–12 second finality, gas fees, and an audit story that won't pass SOC 2 or the EU AI Act. The 90% of agent traffic that isn't commerce — research, scheduling, automation, reading — needs a classical-PKI answer.
AgentPKI is the cross-vendor edge identity layer. It plugs into the protocols you already care about — and stays out of the way of the ones you don't.
Each adjacent protocol owns a piece. AgentPKI is the piece that lets any system verify "this agent is who it says it is" without trusting any single vendor — the same role TLS plays for service-to-service trust on the rest of the web.
Three participants, one verification path.
The agent platform signs a short-lived passport with Ed25519 — PASETO v4 envelope, 24h max lifetime, agent identity plus capability scope plus trust tier. Keys live in a managed HSM or hardware-attested enclave.
The SDK attaches the passport to every outbound request — either as a bearer header for simple flows, or via RFC 9421 HTTP Message Signatures bound to the request body. Two lines of integration.
A verifier running on Cloudflare Workers at the edge resolves the issuer's public key, verifies the signature, checks the revocation Bloom filter, applies site policy, and returns a verdict — all in under 50 milliseconds, globally.
No proprietary crypto. No bespoke tokens. Just the well-vetted primitives the rest of the internet runs on.
PASETO v4 — Platform-Agnostic Security Tokens. Modern alternative to JWT with no algorithm-confusion footgun: the version and purpose are fixed by the token prefix, not chosen by the token.
Ed25519 — EdDSA signatures over Curve25519. Fast, deterministic, side-channel resistant. The signature scheme every modern stack agrees on.
RFC 9421 HTTP Message Signatures — Mode B binds the passport to the request method, URL, and body, so a captured signature cannot be replayed against a different request within the signature window.
X.509 — standard public-key envelope for issuer keys. Drop into existing PKI tooling without translation.
Apache 2.0 / MIT — spec under Apache 2.0 (patent grant). SDKs and reference verifier under MIT. Forkable, embeddable, no rug-pull.
Verifiable Credentials (planned) — the credential-envelope abstraction in the spec lets a Verifiable-Credential mode slot in backward-compatibly.
Agents sign with the SDK. Sites verify with a single POST.

Agent side (SDK):

import { AgentPKI } from '@agentpki/sdk';

const agent = new AgentPKI({
  issuer: 'anthropic.com',
  agentId: 'agent:anthropic.com/research-bot-v3',
  scope: ['read:articles', 'read:public-data'],
});

// Auto-signs every outbound request
// (RFC 9421 Mode B by default)
const res = await agent.fetch(
  'https://reuters.com/api/article/123'
);

Site side (verifier):

POST https://verify.agentpki.dev/v1/verify
Content-Type: application/json

{
  "token": "v4.public.eyJpc3M...",
  "mode": "B",
  "request": {
    "method": "GET",
    "url": "https://reuters.com/..."
  }
}

→ HTTP 200 (21ms warm · 50ms cold)

{
  "verdict": "allow",
  "passport": {
    "issuer": "anthropic.com",
    "tier": 2,
    "scopes": ["read:articles"]
  },
  "abuse_score": 0.02,
  "crl_fresh": true,
  "replay_checked": true
}

Live on production infrastructure
Run the mint → verify pipeline against the deployed Workers right now. No signup, no install — one click in your browser.
demo.agentpki.dev/mint → verify.agentpki.dev/v1/verify
Runs entirely in your browser. CORS-enabled on both Workers — the page itself has no backend. The demo issuer uses a hardcoded keypair clearly labeled DEMO-ONLY in source; production issuers use HSM-resident keys per spec §5.3.
Agent platforms: mint passports for your agent fleet. T1 DNS-verified is free. T2 KYB-verified unlocks paid scopes and commerce flows. T3 hardware-attested for high-stakes financial and healthcare use.
Sites: verify agents at the edge before serving. Set a policy (minimum tier, required scopes, abuse threshold) and let the verifier decide. Allow, throttle, or deny — your call.
Bot-defense vendors: drop-in trust signal for your decision pipeline. Native modules planned for Cloudflare, DataDome, hCaptcha, Arkose. Stops false positives on real agent traffic without weakening anti-abuse.
We're working with a small set of agent platforms, bot-defense vendors, and design partners on the v0.1 spec and reference implementations. Tell us who you are.
We'll respond personally within 48 hours.