Research · 2026-06-20
AAuth: cryptographic identity for AI agents
A plain-language tour of the AAuth draft family: how agents get short-lived Ed25519 identities, how relying parties verify them without phoning home, and where the trust actually sits.
API keys are a poor fit for agents: they are long-lived, bearer-style, copied into environment variables, and revoked by incident response rather than by design. The AAuth drafts (IETF, tracked at draft-09) replace them with a three-role protocol: an Agent Provider issues identities, an agent proves possession by signing its requests, and a relying party verifies statelessly.
The mechanics compose from boring, proven parts:
- Identity is a stable name like
aauth:local@your-domain, bound to an Ed25519 signing key by a short-lived agent token. - Requests carry RFC 9421 HTTP Message Signatures — the relying party checks the signature against the provider's published JWKS. No introspection call, no shared secret, no session state.
- Enrollment is secret-free federation: a workload proves itself with what it already has — a Kubernetes service account, CI OIDC, PKI, SPIFFE — and walks away with an identity measured in minutes.
Three access modes cover the deployment spectrum, from a relying party that trusts one local provider to full cross-domain federation. Revocation is mostly a non-event — tokens expire on their own — and the blast radius of a leaked context shrinks to the token's lifetime.
In the lab's stack the roles are concrete: apd is the provider, agentd signs outbound calls to AAuth-protected MCP servers, and agentctl can provision a per-agent identity at schedule time. The digest's honest caveat: the drafts are moving, and the sandbox label on apd is there because the implementation deliberately moves with them.
Canonical: agentprovider repo · research/01-aauth-protocol-overview.md