Identity, trust, and authorization for AI agents.
One question repeats as agents call each other's tools and APIs: which agent is this, what can it do, and should I trust it? Five open specifications answer it, reusing the security the web already runs on: PKI, TLS, Certificate Transparency, and OAuth.
did:opena2a · AIP · ATX · ATP · AAP
An agent is not a user, and not a server.
Humans log in with passwords and MFA. Servers prove themselves with TLS certificates. But an AI agent is a moving target: the same agent, with the same permissions, behaves differently depending on its prompt, its memory, and what it just read on a web page.
That breaks the assumptions behind OAuth, SAML and API keys. An agent can be talked into misusing a credential it legitimately holds. It can leak a secret simply by being asked nicely. And it can claim to be anyone.
OpenA2A treats agents as first-class cryptographic principals, with verifiable names, portable trust, and authorization that never puts a secret where a hijacked model could read it.
Break it, and watch which spec catches it
One request runs through all five gates. Every check starts valid. Flip any one to its failure state and the request is denied at the exact gate that owns that check, with the reason it exists.
Each layer stands on the one below it
Identity is the foundation. Trust is built on proven identity. Authorization is built on verifiable trust. AIM implements all three.
How is trust turned into scoped access, safely?
How much should I trust it, and can I prove it offline?
Who is this agent, and is it really them?
Issues and enforces every layer above. The reference platform.
Read them in any order
Core protocol stack
A W3C DID method where did:opena2a:<type>:<id> resolves over HTTP to a signed DID Document, so any verifier can fetch an agent's public key and trust endpoints.
An open standard for creating cryptographic agent identities, declaring capabilities, proving key possession via challenge-response, and computing a 9-factor trust score.
A signed, self-contained, 7-day credential (the TLS certificate for agents) that encodes identity, scan results, capabilities and behavior, and is verifiable locally with no callback to any authority.
The protocol that issues, verifies, distributes and revokes trust assertions, recording every one in an RFC 6962 Merkle transparency log that anyone can audit.
An authorization layer where an agent emits an abstract grant:// reference and a local broker resolves scoped access, so no secret, token, or backend name ever enters the model's context.
The reference platform that mints identities, issues credentials, runs 5-step authorization and keeps the audit trail: the working implementation of AIP, ATX, ATP, AAP and did:opena2a.
Threat, governance & measurement
The standards that define what can go wrong, what good behavior looks like, and how to measure and observe it all.
A MITRE ATT&CK-style catalog of 61 techniques across 9 attacker tactics, each tagged by real-world evidence and mapped to detection checks, lab scenarios and controls.
An open, YARA-style detection-signature format for AI prompt injections and exposed agent infrastructure: shareable rules that any scanner can run.
Defines what goes in an agent's SOUL.md governance file: 9 behavioral domains, 72 controls and 3 conformance levels. Also known as OASB-2 (behavioral domains 11-19).
222 attack scenarios across 10 categories that measure a security tool's detection coverage against agent threats, ATT&CK-Evaluations style, mapped to MITRE ATLAS and OWASP.
Nine proposed OpenTelemetry attributes (agent.*, fga.*) that put agent identity, trust signals and authorization outcomes into standard traces, metrics and logs.
You already trust this exact design
Every time your browser opens a padlock, it runs this playbook. OpenA2A re-uses it, almost one-to-one, for agents.