AIP: Agent Identity Protocol for Verifiable Delegation Across MCP and A2A

AI agents increasingly call tools via the Model Context Protocol (MCP) and delegate to other agents via Agent-to-Agent (A2A), yet neither protocol verifies agent identity. A scan of approximately 2,000 MCP servers found all lacked authentication. In our survey, we did not identify a prior implemented protocol that jointly combines public-key verifiable delegation, holder-side attenuation, expressive chained policy, transport bindings across MCP/A2A/HTTP, and provenance-oriented completion records. We introduce Invocation-Bound Capability Tokens (IBCTs), a primitive that fuses identity, attenuated authorization, and provenance binding into a single append-only token chain. IBCTs operate in two wire formats: compact mode (a signed JWT for single-hop cases) and chained mode (a Biscuit token with Datalog policies for multi-hop delegation). We provide reference implementations in Python and Rust with full cross-language interoperability. Compact mode verification takes 0.049ms (Rust) and 0.189ms (Python), with 0.22ms overhead over no-auth in real MCP-over-HTTP deployment. In a real multi-agent deployment with Gemini 2.5 Flash, AIP adds 2.35ms of overhead (0.086% of total end-to-end latency). Adversarial evaluation across 600 attack attempts shows 100% rejection rate, with two attack categories (delegation depth violation and audit evasion through empty context) uniquely caught by AIP’s chained delegation model that neither unsigned nor plain JWT deployments detect.

💡 Research Summary

The paper addresses a critical gap in the emerging ecosystem of AI agents that interact through the Model Context Protocol (MCP) for tool invocation and Agent‑to‑Agent (A2A) for inter‑agent collaboration. Although these protocols define message formats, they provide no mechanism for authenticating the identity of the calling or delegating agents. A survey of roughly 2,000 publicly accessible MCP servers revealed that none enforce authentication, and a systematic review of eleven categories of prior work shows that existing solutions each miss at least one of seven essential properties for agent identity: public‑key verification without shared secrets, holder‑side scope attenuation, expressive policy language, cross‑protocol identity flow, provenance binding of outcomes, independence from blockchain or heavy infrastructure, and support for short‑lived, ephemerally granted agents.

To fill this gap, the authors introduce the Agent Identity Protocol (AIP) built around a novel primitive called Invocation‑Bound Capability Tokens (IBCTs). IBCTs come in two wire formats. The “compact mode” is a signed JWT suitable for single‑hop MCP calls, while the “chained mode” leverages the Biscuit token format (Ed25519 signatures, append‑only blocks, Datalog policies) to support multi‑hop delegation chains. Each block can add attenuation constraints, and a special “completion block” binds the final execution result to the entire delegation chain, enabling audit‑ready provenance.

AIP defines a DNS‑based identity resolution scheme (aip:web and aip:key) and embeds protocol‑specific bindings: an HTTP header (X‑AIP‑Token) for MCP and a field (aip_identity) in A2A agent cards. Tokens also carry metadata such as maximum delegation depth, allowance for ephemeral grants, and expiration timestamps. Policy profiles (Simple, Standard, Advanced) let developers choose the appropriate level of expressiveness.

Reference implementations in Rust and Python share the same token format, ensuring cross‑language interoperability. Performance measurements show sub‑millisecond verification: 0.049 ms in Rust and 0.189 ms in Python for compact tokens, and linear scaling of chained tokens at roughly 340–380 bytes per delegation block with verification under 1 ms even at depth five. In a real‑world MCP‑over‑HTTP deployment, AIP adds only 0.22 ms of overhead compared with a no‑auth baseline. In a multi‑agent scenario using Gemini 2.5 Flash, the added latency is 2.35 ms, representing just 0.086 % of total end‑to‑end latency.

Security evaluation involved 600 adversarial attempts across six attack categories, including delegation‑depth violations and audit‑evasion via empty contexts. AIP rejected 100 % of these attempts; notably, the chained delegation model detected attacks that unsigned tokens or plain JWTs could not. The threat model covers token forgery, privilege escalation, and provenance tampering, with defenses based on signature verification, Datalog policy evaluation, and completion‑block integrity checks.

The authors acknowledge limitations: token size grows linearly with delegation depth, potentially increasing bandwidth costs; reliance on DNS for identity resolution may be vulnerable to DNS outages; and current SDKs are limited to Rust and Python, requiring further work for broader language support. Future directions include token compression techniques, alternative discovery mechanisms (e.g., decentralized identifiers without blockchain), and expanded SDKs.

In conclusion, AIP is the first implemented protocol that simultaneously satisfies all seven identified requirements for trustworthy agent delegation across MCP, A2A, and generic HTTP. By unifying identity verification, holder‑side attenuation, expressive policies, cross‑protocol bindings, and provenance‑aware completion records, AIP offers a practical, low‑overhead solution that can be adopted by emerging AI‑agent ecosystems to achieve secure, auditable, and flexible delegation.