ATX v1.0 (spec) · v1.1 issued in production · Published v1.0

Agent Trust eXtension

A signed, self-contained, 7-day credential, the TLS certificate for agents, encoding identity, scan results, capabilities and behavior, verifiable locally with no callback to any authority.

The question it answers

Can I verify this agent's trust offline, in milliseconds?

If you know one thing already

It's like a TLS / X.509 certificate.

Why it exists

A central database that every agent call must check does not scale and cannot fail safely: it puts one party in the hot path of every interaction. The web solved the equivalent problem decades ago: don't ask a central authority on every connection; carry a signed certificate the other side can verify locally.

“ATX is the same model for AI agents. The Agent Trust Protocol (ATP) is how nodes communicate. The Agent Trust eXtension (ATX) is the signed credential every agent carries.”

ATX is the TLS certificate for agents: a signed, self-contained credential that bundles identity, scan results, capabilities and behavior, expires in seven days, and is verified in about two milliseconds with no callback to any authority.

Anatomy of the credential

Where a TLS certificate carries only identity, ATX also carries behavior, because an agent's risk is in what it does. Every field is mandatory unless marked optional.

Anatomy of an ATX credential (7-day TTL · self-contained)
Identity
agentId: aim_7f3a9c2e

Stable agent identifier.

agentDid: did:opena2a:agent:acme/billing

The agent's DID, its name in the wider ecosystem.

publisher: acme-corp

Who published this agent (with publisherDid).

version: 2.1.4

The agent build this credential is bound to.

Integrity & provenance
contentHash: sha256:abc123…

Hash of the exact build artifact. Tamper the binary → verification fails.

buildAttestation: sha256:def456…

Hash of the signed record of how this was built.

transparencyLogIndex: 1847293

Proof this credential was written to ATP's public log.

Trust signals
capabilities: ["db:read","api:call"]

What the agent is authorized to attempt (enforced at runtime).

behavioralProfile: { checksum, observationDays: 14 }

Checksum of an observed behavior baseline.

scanSummary: { hma: passed, critical: 0, … }

Embedded security-scan results (HMA, Secretless, CryptoServe, OASB level).

trustScore / trustLevel: 0.87 / 3

The AIP score, and a level (1-5); level 3+ requires federation cosign.

Validity window
issuedAt / expiresAt: … / +7 days

Short life forces a re-scan as a hygiene primitive.

Signatures
issuerDid / issuerChain: authority:opena2a.org → …

Who signed it, and any cosigning authorities.

signatures: [ Ed25519, ML-DSA-65 ]

Hybrid: a classical and a post-quantum signature, both present on day one.

Issued once, at build time

Issuance is the only moment an authority is synchronously involved, and it happens per build, not per call. Crucially, the build plugin verifies the security scanners against their own ATX credentials before running them, so a compromised scanner can never quietly pass a malicious agent.

  1. CI: Build triggers (per build)

     A merge kicks off the build; the plugin exchanges a GitHub OIDC token for a short-lived, scoped build token.

  2. Plugin: Verify the scanners (anti-tamper)

     HMA and Secretless binaries are checked against their own ATX. If either fails, the build aborts.

  3. Plugin: Scan + hash

     Run HMA / Secretless / CryptoServe, collect results, compute the content hash of the artifact.

  4. Authority: Attest + log

     The signed build attestation is written to the transparency log; an index comes back.

  5. Authority: Sign the ATX

     Construct the credential, gather threshold cosignatures (and any federation cosign for level 3+), embed the log index.

  6. Plugin: Embed in the artifact (< 90s)

     The signed ATX ships inside the deployment artifact. End to end: under 90 seconds.

Verified everywhere, with no authority on the path

This is the flow that runs thousands of times a second. It touches no issuing server, only local caches.

  1. Verifier: Parse & check expiry (< 0.1ms)

     Read the ATX, confirm the version is supported and expiresAt is in the future.

  2. Verifier: Resolve the issuer key (< 1ms)

     Look up issuerDid in the local DID cache (1-hour TTL). Cache hit → proceed.

  3. Verifier: Verify signatures (< 5ms)

     Check the Ed25519 signature; if present, the ML-DSA-65 signature too.

  4. Verifier: Check revocation (< 0.1ms)

     Compare agentId against the locally cached CRL (5-minute TTL).

  5. Verifier: Accept (≈ 2ms)

     Warm cache total: under 2ms. Cold cache (one DID fetch): under 10ms.
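Both flows above, issuance once at build time and the five local verification steps, as one added Go example that is not OpenA2A's code. It assumes: the signed bytes are the credential's JSON minus its signatures in Go's fixed field order (a constructed canonicalization; the spec's is not given on this page); signature values are hex-encoded; only the Ed25519 half of the hybrid signature is checked, because Go's standard library has no ML-DSA-65; an in-memory map of issuer keys stands in for the local DID cache and a map of agentIds for the cached CRL. The artifact bytes and identifiers are constructed sample values, and the log index, scan summary and cosignatures are left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

type Signature struct { // mirrors the page's abridged JSON; Value is hex-encoded here (a constructed choice)
	Algorithm string `json:"algorithm"`
	Value     string `json:"value"`
}

type ATX struct { // the subset of credential fields this example signs and checks
	ATXVersion   string      `json:"atxVersion"`
	AgentID      string      `json:"agentId"`
	ContentHash  string      `json:"contentHash"`
	Capabilities []string    `json:"capabilities"`
	IssuedAt     time.Time   `json:"issuedAt"`
	ExpiresAt    time.Time   `json:"expiresAt"`
	IssuerDid    string      `json:"issuerDid"`
	Signatures   []Signature `json:"signatures,omitempty"`
}

// newIssuerKey makes the authority's Ed25519 key pair in memory (a real authority would use an HSM).
func newIssuerKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	return pub, priv
}

func artifactHash(artifact []byte) string {
	sum := sha256.Sum256(artifact)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// signingBytes: the credential minus its signatures, in Go's fixed field order (constructed canonicalization).
func signingBytes(a ATX) []byte {
	a.Signatures = nil
	b, _ := json.Marshal(a) // cannot fail for this struct
	return b
}

// Issue is the build-time step: bind the credential to the artifact hash, stamp the 7-day window, sign once.
func Issue(a ATX, artifact []byte, priv ed25519.PrivateKey, now time.Time) ATX {
	a.ATXVersion = "1.0"
	a.ContentHash = artifactHash(artifact)
	a.IssuedAt = now.UTC().Truncate(time.Second) // whole seconds survive a JSON round trip unchanged
	a.ExpiresAt = a.IssuedAt.Add(7 * 24 * time.Hour)
	sig := ed25519.Sign(priv, signingBytes(a))
	a.Signatures = []Signature{{Algorithm: "Ed25519", Value: hex.EncodeToString(sig)}}
	return a
}

type Verifier struct { // only local state: a cached issuer-key table and a cached CRL; it never calls out
	Now      func() time.Time
	KeyCache map[string][]byte // issuerDid -> Ed25519 public key (the local DID cache)
	CRL      map[string]bool   // revoked agentIds (the cached CRL; nil means no entries)
}

// Verify runs the page's five local steps against the credential and the deployed artifact.
func (v *Verifier) Verify(a ATX, artifact []byte) error {
	if a.ATXVersion != "1.0" { // 1. Parse & check expiry.
		return fmt.Errorf("unsupported atxVersion %q", a.ATXVersion)
	}
	if now := v.Now(); now.Before(a.IssuedAt) || !now.Before(a.ExpiresAt) {
		return errors.New("credential outside its validity window")
	}
	pub, ok := v.KeyCache[a.IssuerDid] // 2. Resolve the issuer key locally (a real verifier fetches the DID doc on a miss).
	if !ok {
		return fmt.Errorf("issuer %s not in local DID cache", a.IssuerDid)
	}
	var edSig []byte // 3. Verify signatures. Only Ed25519 is checked: Go's standard library has no ML-DSA-65.
	for _, s := range a.Signatures {
		if s.Algorithm == "Ed25519" {
			edSig, _ = hex.DecodeString(s.Value)
		}
	}
	if !ed25519.Verify(pub, signingBytes(a), edSig) { // a missing or malformed edSig fails here too
		return errors.New("Ed25519 signature missing or invalid")
	}
	if artifactHash(artifact) != a.ContentHash { // bound to a build: a modified binary no longer matches
		return errors.New("contentHash does not match the deployed artifact")
	}
	if v.CRL[a.AgentID] { // 4. Check revocation against the cached CRL.
		return errors.New("agentId is on the cached CRL")
	}
	return nil // 5. Accept.
}

func main() {
	pub, priv := newIssuerKey()
	atx := Issue(ATX{AgentID: "aim_7f3a9c2e", IssuerDid: "did:opena2a:authority:opena2a.org"},
		[]byte("constructed build artifact"), priv, time.Now()) // the bytes stand in for the deployment binary
	v := &Verifier{Now: time.Now, KeyCache: map[string][]byte{atx.IssuerDid: pub}}
	fmt.Println("verify:", v.Verify(atx, []byte("constructed build artifact")))
}
```

The verifier touches nothing but its two local maps, which is the property the page is after: a cache miss on issuerDid is the only event that would need a network fetch, and the CRL only has to cover the seven days a credential can live. The contentHash comparison is listed under anatomy rather than the five steps, but it is what turns a valid signature into a statement about the binary actually running; any change to the artifact or to a signed field such as capabilities fails verification.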

Tip

Why short-lived beats revocation-heavy

A 7-day TTL means most “revocation” is just expiry. The agent must be re-scanned and re-issued weekly to keep operating, so its credential always reflects a recent security posture.

ATX vs. a TLS certificate

| TLS / X.509 certificate | ATX credential |
|---|---|
| Identifies a domain | Identifies an agent build (bound to a content hash) |
| Issued by a CA | Issued by a trust authority (with threshold cosign) |
| Identity only | Identity + behavior (scans, capabilities, profile) |
| 90 days - 1 year | 7 days (forces re-scan) |
| Classical signature | Ed25519 + ML-DSA-65 (post-quantum on day one) |
| Local check + OCSP | Local check + cached CRL (no authority on the path) |

What ATX is not

  • Not an identity system: AIM is. ATX binds an AIP identity to a build and a behavior profile.
  • Not a runtime authorization system: it presents the credential; the broker (AAP) enforces policy.
  • Not a database: it is a credential format. The credential travels with the agent; authorities are infrastructure, not a lookup you depend on per call.
  • Not absolution: a scan is a signal. A malicious agent with a high level is a scanner bug, not a property of the credential.
A complete ATX (abridged)

```json
{
  "atxVersion": "1.0",
  "agentDid": "did:opena2a:agent:acme-corp/billing-agent",
  "contentHash": "sha256:abc123...",
  "capabilities": ["db:read", "api:call"],
  "scanSummary": { "hma": "passed", "criticalFindings": 0, "oasbLevel": "L2" },
  "trustScore": 0.87, "trustLevel": 3,
  "issuedAt": "2026-05-19T00:00:00Z",
  "expiresAt": "2026-05-26T00:00:00Z",
  "issuerChain": ["did:opena2a:authority:opena2a.org", "did:opena2a:authority:google.com"],
  "signatures": [
    { "algorithm": "Ed25519",   "value": "..." },
    { "algorithm": "ML-DSA-65", "value": "..." }
  ]
}
```