A passport-based identity system for AI agents on the public internet.
Open protocol, edge-verified, sub-50 ms, vendor-neutral, chain-agnostic — built so legitimate agents pass bot-defense and the rest stay blocked.
Apache 2.0 · open spec · interop with MCP, A2A, Kite, SPIFFE, OWASP ANS
Built across the stack
Layer 01
Cryptographic identity for AI agents, as an open standard.
Layer 02
Distinguish legitimate agents from abuse, at the edge, in milliseconds.
Layer 03
Issue, manage, and revoke identities for the agents you operate.
Layer 04
See whether the AI agents you encounter are verified, on any device.
Layer 05+ · not pictured
The four shipped above are the open, public, no-strings-attached stack — everything anyone needs to verify AI agents today. We have additional layers in development that compound on these and form the next chapters. Get in touch for the brief.
Why now
Anthropic, OpenAI, Google all shipped autonomous browsing in 2025. Most websites cannot yet distinguish a real agent from a scraper or scammer. The trust gap widens daily.
Same shape: a new cryptographic primitive solving the next layer of trust on the internet. Adoption took a decade; the protocol owner shaped the next 20 years of the web.
Every issuer makes the consumer side more valuable. Every consumer install makes the issuer side more valuable. Classic compounding flywheel.
The standard wins. Apache-licensed protocol means every other player is a potential customer of the reference infra, not a competitor.
Bot-defense market today
Projected agent traffic 2026 → 2028
Coming soon · The Chrome extension — pending Chrome Web Store review
The AgentPKI Chrome extension is the consumer end of the standard. It detects AI agents on any page, verifies their cryptographic passport, and surfaces a one-glance trust badge. Free, open source, zero telemetry. Pending Chrome Web Store review — install link will go here as soon as it ships.
You open a banking site. The agent on the page hasn’t been examined yet — badge is gray.
□ Gray
Badge starts gray. Page loaded, nothing examined yet.
⚠ Yellow
An AI agent is on the page (LangChain, Vercel AI SDK, Anthropic SDK…) but presented no passport.
✓ Green
Cryptographic passport checked against the AgentPKI verifier. Click for issuer, scopes, reputation.
⛔ Red
Passport was revoked, reported for abuse, or you blocked it. Close the tab.
The extension is submitted to the Chrome Web Store and waiting for approval (typically 1–7 days). In the meantime you can audit the code, see the full feature set, or use the web verifier at agentpki.dev/check — no install required.
MIT license · no account · no telemetry · one-click abuse reports via anonymous UUIDs
The trust flow · live
An agent platform (e.g., anthropic.com) signs a short-lived PASETO v4 passport with its Ed25519 private key. The key lives in an HSM and rotates every 90 days. The passport carries the agent's identity, scope, and trust tier.
The passport travels with the request either as a bearer header (Mode A, simple) or via RFC 9421 HTTP Message Signatures bound to the request body (Mode B, integrity). One-line integration for the agent platform.
The verifier fetches the issuer's public key from /.well-known/agentpki-issuer.json (KV-cached), checks the Ed25519 signature, consults the CRL, applies site policy, and returns allow / throttle / deny.
No shared secrets. No blockchain. No callout to a vendor's API. The site doesn't trust any single bot-defense vendor — only the issuer's published public key.
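An added example (not AgentPKI's own code) of the verifier step described above, in Node.js: it checks a footer-less PASETO v4.public token's Ed25519 signature, then expiry, a revocation set, and site policy. The issuer key is passed in directly rather than fetched from the well-known URL, and the `tier` and `scopes` claim names, the policy fields, and the rule that a policy shortfall yields throttle are assumptions.

```javascript
// Added example: names marked "assumed" are not from the AgentPKI spec.
const crypto = require('node:crypto');
const HEADER = Buffer.from('v4.public.');
const EMPTY = Buffer.alloc(0);

// PASETO pre-authentication encoding: LE64(count), then LE64(len) || piece.
function pae(pieces) {
  const le64 = (n) => { const b = Buffer.alloc(8); b.writeBigUInt64LE(BigInt(n)); return b; };
  return Buffer.concat([le64(pieces.length), ...pieces.flatMap((p) => [le64(p.length), p])]);
}

// Issuer side (demo only): sign claims into a footer-less v4.public token.
function mint(claims, privateKey) {
  const msg = Buffer.from(JSON.stringify(claims));
  const sig = crypto.sign(null, pae([HEADER, msg, EMPTY, EMPTY]), privateKey);
  return HEADER.toString() + Buffer.concat([msg, sig]).toString('base64url');
}

// Verifier side: signature, then expiry, then CRL, then site policy.
function verify(token, issuerKey, crl, policy, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 3 || parts[0] !== 'v4' || parts[1] !== 'public') return 'deny';
  const body = Buffer.from(parts[2], 'base64url');
  if (body.length <= 64) return 'deny';               // need message + 64-byte signature
  const msg = body.subarray(0, -64);
  const sig = body.subarray(-64);
  // Nothing in the payload is trusted until the Ed25519 signature verifies.
  if (!crypto.verify(null, pae([HEADER, msg, EMPTY, EMPTY]), issuerKey, sig)) return 'deny';
  let c;
  try { c = JSON.parse(msg.toString('utf8')) ?? {}; } catch { return 'deny'; }
  if (!(Date.parse(c.exp) > now)) return 'deny';      // expired or missing exp
  if (crl.has(c.jti)) return 'deny';                  // revoked passport id
  // Assumed claims `tier` and `scopes`; assumed rule: policy shortfall => throttle.
  const scopes = Array.isArray(c.scopes) ? c.scopes : [];
  const meetsPolicy = c.tier >= policy.minTier && policy.requiredScopes.every((s) => scopes.includes(s));
  return meetsPolicy ? 'allow' : 'throttle';
}

// Constructed demo data: throwaway issuer key pair and passport.
const issuer = crypto.generateKeyPairSync('ed25519');
const passport = mint({ iss: 'issuer.example', jti: 'p-001', exp: '2099-01-01T00:00:00Z',
  tier: 2, scopes: ['read'] }, issuer.privateKey);
console.log(verify(passport, issuer.publicKey, new Set(), { minTier: 1, requiredScopes: ['read'] }));
```

The signature check runs before any claim is parsed, so expiry, revocation and policy decisions are only ever made on issuer-signed data.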
Watch it run live
p99 verify · edge global
RFC 8032 signing throughout
passport lifetime · short-lived
DNS · KYB · hardware-attested
AgentPKI is the cross-vendor edge identity layer. It plugs into the protocols you already care about — and stays out of the way of the ones you don't.
Each adjacent protocol owns a piece. AgentPKI is the piece that lets any system verify "this agent is who it says it is" without trusting any single vendor — the same role TLS plays for service-to-service trust on the rest of the web.
Mint passports for your agent fleet. T1 DNS-verified is free. T2 KYB-verified unlocks paid scopes and commerce flows. T3 hardware-attested for high-stakes financial and healthcare use.
Claim your domain →
Verify agents at the edge before serving. Set a policy (minimum tier, required scopes, abuse threshold) and let the verifier decide. Allow, throttle, or deny — your call.
Read the policy spec →
Drop-in trust signal for your decision pipeline. Native modules planned for Cloudflare, DataDome, hCaptcha, Arkose. Stops false positives on real agent traffic without weakening anti-abuse.
See the 30-line drop-in →
Free DNS-tier (T1) signup. Verify your domain, mint Ed25519 keys, deploy a real-issuer Worker — all from a self-serve dashboard.
Bot-defense vendors, enterprise design partners, and agent platforms — personal reply within 48 hours.