ATP 1.0.0-rc1 (release candidate)

Agent Trust Protocol

The protocol that issues, verifies, distributes and revokes trust assertions, recording every one in an RFC 6962 Merkle transparency log that anyone can audit.

The question it answers

How are trust statements issued, logged, audited and revoked?

If you know one thing already

It’s like Certificate Transparency (CT) logs.

Why it exists

ATX is the credential; ATP is the protocol around it. It standardizes how trust assertions are issued, verified, distributed and revoked, and, above all, how every one of those acts is recorded in a public, tamper-evident log so that trusting an agent is itself auditable.

Key idea

The lesson ATP borrows from the web

After certificate authorities mis-issued certificates, the web added Certificate Transparency: log every certificate to a public append-only tree that anyone can audit. ATP adopts the same RFC 6962 structure for agent trust, so an authority cannot quietly grant a malicious agent a high trust level.

The trust assertion

A trust proof is a small, signed statement about a subject DID: its level, score, verdict and validity window. Proofs are short-lived (the spec caps validity at 24 hours) and are signed over a canonical byte form, never raw JSON, so the signature is reproducible regardless of field ordering.

Trust proof (ATP-SPEC §4.2):

```json
{
  "did": "did:opena2a:mcp_server:@modelcontextprotocol/server-filesystem",
  "trustLevel": 3,
  "trustScore": 0.82,
  "verdict": "passed",
  "issuedAt": "2026-03-22T14:00:00Z",
  "expiresAt": "2026-03-23T14:00:00Z",
  "issuerDid": "did:opena2a:authority:opena2a.org",
  "transparencyLogIndex": 1847293,
  "signatures": [{ "algorithm": "Ed25519", "value": "base64…" }]
}
```

Canonical signing form (pipe-delimited, deterministic):

{did}|{trustLevel}|{trustScore:.6f}|{verdict}|{issuedAt}|{expiresAt}|{issuerDid}

Five trust levels

0 Blocked: known-bad; reject.
1 Warning: significant concerns; proceed only with caution.
2 Listed: catalogued, but not yet scanned.
3 Scanned: passed security scanning. Levels 3 and 4 must be cosigned by a second authority.
4 Verified: highest assurance; multiple authorities have cosigned.

The transparency log, visualized

Every issuance, revocation and key rotation becomes a leaf in an append-only Merkle tree. Two cheap proofs make the whole thing trustworthy without downloading it: an inclusion proof (this entry is in the log) and a consistency proof (the log only ever grew).

[Figure: a four-leaf Merkle tree. Leaves h0 (issued), h1 (issued), h2 (revoked) and h3 (key rotated); interior nodes h01 = H(h0‖h1) and h23 = H(h2‖h3); the root hash is signed into a Signed Tree Head at least every 5 minutes.]

Inclusion proof

To prove leaf h2 is in the log, a verifier needs only h3 and h01: it recomputes h23 = H(h2‖h3), then the root H(h01‖h23), and compares the result with the signed root. That is about log₂(n) hashes, not the whole log.

Consistency proof

Monitors check that each new tree extends the last, so the log is append-only. Nothing can be silently rewritten or back-dated.

A Signed Tree Head (the signed root hash and tree size) is published at least every five minutes. Independent monitors, running open-source software anyone can operate, continuously check that successive heads are consistent. If an entry were ever altered or back-dated, the proofs would fail and the monitors would raise the alarm.

The full lifecycle

  1. Authority: Issue (≤ 24h TTL)
     Evaluate the agent (scans, provenance), build the proof, sign the canonical form with Ed25519 (optionally also with ML-DSA-65).

  2. Authority: Log
     Append the issuance as a leaf, recompute the Merkle root, publish a new Signed Tree Head.

  3. Relying party: Verify and check inclusion
     Check expiry, issuer and signature; if a log index is present, verify the inclusion proof against the published root.

  4. Relying party: Cache
     Hold the proof for its validity window; poll the revocations endpoint (every ~5 min recommended).

  5. Authority: Revoke (< 60 s)
     On compromise, append a revocation leaf and push a CRL delta to federation nodes; it propagates in under 60 seconds.

Three conformance levels

Level 1, Basic Trust
A single authority signs and verifies proofs, with a discovery endpoint. For one organization managing its own agents.
Level 2, Auditable Trust
Adds the transparency log, inclusion proofs, and revocation infrastructure. For a public authority that must be tamper-evident.
Level 3, Decentralized Trust
Adds federation: multi-authority cosigning for levels 3-4 and cross-authority revocation propagation. For ecosystem-wide trust.

Federation, so no one operator is a chokepoint

At Level 3, multiple authorities cosign and recognize each other's proofs. Levels 3 and 4 require at least two distinct authorities, so no single organization can unilaterally hand out the highest trust. Sovereign deployments can run their own authorities, keep data in-jurisdiction, and even operate air-gapped, exporting Signed Tree Heads for external accountability.

Note

ATP and ATX, precisely

ATX is the agent-specific credential format defined on top of ATP's base trust proof. ATP defines the format, the did:opena2a method, the transparency-log format, the federation protocol and the revocation format. ATX adds the agent fields (capabilities, build attestation, behavioral profile, scan summary) to the proof.