Agent Protocols

Go implementation of agent-to-agent communication protocols for AI agent authentication and authorization.

EXPERIMENTAL: This library implements draft specifications that are subject to change.

Overview

This repository provides Go libraries for emerging agent-to-agent protocols:

• aauth - Agent Authentication using HTTP message signatures (RFC 9421) based on draft-hardt-oauth-aauth-protocol

  • Examples - Working demos (simple, delegation, token exchange)
  • PIDL Definitions - Protocol diagrams

• idjag - Identity Assertion JWT Authorization Grant based on draft-ietf-oauth-identity-assertion-authz-grant

  • Examples - Working demos
  • PIDL Definitions - Protocol diagrams

• aims - Agent Identity Management System (AIMS) based on draft-klrc-aiagent-auth-00

  • Examples - Working demos (simple WIT/WPT, mTLS)
  • PIDL Definitions - Protocol diagrams

Cross-Protocol Bridge

• bridge - Cross-protocol interoperability with unified identity representation
  • Multi-protocol HTTP middleware accepting ID-JAG, AIMS, and AAuth
  • Canonical Identity type for protocol-agnostic code
  • Protocol detection and token parsing
• bridge/observe - Observability integration via OmniObserve
  • Distributed tracing with auth spans
  • Metrics: auth.requests, auth.success, auth.failure, auth.duration
  • Structured logging with identity context

Adapters

Production-ready integrations with identity infrastructure:

• adapters/zitadel - Integration with Zitadel OIDC for all three protocols
• adapters/sharkauth - Integration with SharkAuth for agent delegation with DPoP
• adapters/ory - Integration with Ory Fosite and Hydra

Installation

go get github.com/aistandardsio/agent-protocols

Quick Start

AAuth - HTTP Message Signatures

import "github.com/aistandardsio/agent-protocols/aauth"

// Create agent with cryptographic identity
agentID, _ := aauth.NewAAuthID("calendar-bot", "example.com")
agent, _ := aauth.NewAgent(agentID, privateKey,
    aauth.WithAgentProviderURL("https://agents.example.com"))

// Create signed HTTP request
req, _ := agent.SignedRequest(ctx, "GET", "https://api.example.com/events", nil)

// Or use automatic signing transport
client := &http.Client{Transport: agent.Transport(nil)}
resp, _ := client.Get("https://api.example.com/events")

ID-JAG - Token Exchange

import "github.com/aistandardsio/agent-protocols/idjag"

// Create assertion for token exchange
assertion := idjag.NewAssertion(
    "https://issuer.example.com",
    "agent:calendar-bot",
    []string{"https://auth.example.com"},
    5 * time.Minute,
)

// Exchange for access token
client := idjag.NewTokenExchangeClient("https://auth.example.com/token")
resp, _ := client.ExchangeAssertion(ctx, signedAssertion, "read:data")

AIMS - Workload Identity

import "github.com/aistandardsio/agent-protocols/aims"

// Create SPIFFE ID for agent
spiffeID, _ := aims.NewSPIFFEID("example.com", "/agent/calendar-bot")

// Create Workload Identity Token
wit := aims.NewWIT(spiffeID, []string{"https://api.example.com"}, 1*time.Hour)
signedWIT, _ := wit.Sign(privateKey, "key-1")

Examples

Each protocol includes working demos:

AAuth:

go run ./aauth/examples/simple      # Agent authentication
go run ./aauth/examples/delegation  # Human-to-agent delegation

ID-JAG:

go run ./idjag/examples/simple      # Agent-only flow
go run ./idjag/examples/delegation  # Human-to-agent delegation

AIMS:

go run ./aims/examples/simple       # WIT/WPT authentication
go run ./aims/examples/mtls         # mTLS with X.509 SVID

Zitadel Adapter:

go run ./adapters/zitadel/examples/idjag  # ID-JAG token exchange
go run ./adapters/zitadel/examples/aims   # AIMS WIT verification
go run ./adapters/zitadel/examples/aauth  # AAuth agent authentication

SharkAuth Adapter:

go run ./adapters/sharkauth/examples/aauth  # AAuth with delegation grants

Ory Adapter:

go run ./adapters/ory/examples/idjag  # ID-JAG with Hydra

Cross-Protocol Bridge:

go run ./demos/protocol-bridge  # Multi-protocol authentication demo

Documentation

• AAuth: Overview | Getting Started | Examples
• ID-JAG: Protocol Overview | Getting Started
• AIMS: Overview | Getting Started
• Zitadel Adapter: Overview | Getting Started
• SharkAuth Adapter: Overview | Getting Started
• Ory Adapter: Overview | Getting Started
• API Reference
• Changelog
• Full Documentation

Development

# Run unit tests
go test ./...

# Run linter
golangci-lint run

# Run integration tests (all protocol examples)
./scripts/integration-test.sh

# Run integration tests (quick mode - core protocols only)
./scripts/integration-test.sh --quick

Related Specifications

• draft-hardt-oauth-aauth-protocol - AAuth Protocol specification
• draft-ietf-oauth-identity-assertion-authz-grant - ID-JAG specification
• draft-klrc-aiagent-auth-00 - AIMS specification
• draft-ietf-wimse-s2s-protocol - WIMSE S2S Protocol (WIT/WPT)
• RFC 9421 - HTTP Message Signatures
• RFC 8693 - OAuth 2.0 Token Exchange
• SPIFFE - Secure Production Identity Framework For Everyone

License

MIT License - see LICENSE for details.