Agentpassport
БесплатноНе проверенCryptographically verifiable, scope-narrowing delegation chains for AI agents, enabling human-anchored authorization across multiple hops.
Описание
Cryptographically verifiable, scope-narrowing delegation chains for AI agents, enabling human-anchored authorization across multiple hops.
README
agentpassport
Cryptographically prove which human authorized which AI agent to do what — even 4 hops deep.
#ai-agents #identity #authorization #agentic-ai #mcp #security #oauth
The unsolved 2026 problem: ~80% of orgs running autonomous agents can't trace an agent's actions back
to a human, and 45% still authenticate agents with shared API keys. OAuth/MCP handle one hop — but the
delegation chain loses its anchor at hop 3-4. agentpassport fixes exactly that: signed, scope-narrowing
delegation chains you can verify back to a human principal.
pip install cognis-agentpassport
agentpassport issue researcher --principal chris --scopes read,search,write --key K > p.json
agentpassport delegate p.json summarizer --scopes read,search --key K2 > p2.json # subset only
agentpassport verify p2.json --keys '{"human:chris":"K","agent:researcher":"K2"}' --require write
# → valid:false, violation: required scope 'write' not held at final hop ✅ escalation blocked
🔎 Example output
Real, reproducible output from the tool — runs offline:
$ agentpassport-emit --version
agentpassport 0.2.0
$ agentpassport-emit --help
usage: agentpassport [-h] [--version] {issue,delegate,verify} ...
Verifiable agent identity + multi-hop delegation.
positional arguments:
{issue,delegate,verify}
options:
-h, --help show this help message and exit
--version show program's version number and exit
Blocks above are real
agentpassportoutput — reproduce them from a clone.
Sample result format (illustrative values — run on your own data for real findings):
{
"findings": [
{
"id": "1234567890",
"title": "Suspicious Network Traffic",
"description": "Potential malicious activity detected on network 192.168.1.100",
"created_by": "cognis-connect",
"created_at": "2023-02-15T14:30:00Z"
}
]
}
Usage — step by step
- Install the tool:
pip install cognis-agentpassport - Issue a passport for an agent, anchoring it to a human principal with an explicit scope set.
--keysigns it:agentpassport issue researcher --principal chris --scopes read,search,write --key K > p.json - Delegate to a child agent — scopes can only narrow (subset), never escalate:
agentpassport delegate p.json summarizer --scopes read,search --key K2 > p2.json - Verify the chain back to the human.
--keysis a JSON map of issuer-to-key;--requireasserts a scope must be held at the final hop:agentpassport verify p2.json --keys '{"human:chris":"K","agent:researcher":"K2"}' --require write # -> valid:false, violation: required scope 'write' not held at final hop (escalation blocked) echo $? # non-zero when verification fails - Automate in CI / a gateway — verify the presented passport before honoring an agent action:
- run: pip install cognis-agentpassport - run: agentpassport verify "$AGENT_PASSPORT" --keys "$TRUSTED_KEYS" --require write
Short-lived delegation (TTL / expiry)
Standing agent credentials are a blast-radius problem. Add --ttl <seconds> at issue or
delegate time and the hop carries a signed exp; verify rejects the chain once it lapses.
A child's expiry is clamped to never outlive its parent. Passports issued without a TTL
never expire (fully backward-compatible with 0.1.x credentials).
agentpassport issue deploy-agent --principal release-bot --scopes deploy:staging --key K --ttl 900 > p.json
agentpassport verify p.json --keys '{"human:release-bot":"K"}' # valid now
agentpassport verify p.json --keys '{"human:release-bot":"K"}' --at 9999999999 # valid:false — expired
--at <unix> pins the clock for deterministic checks (CI, tests); omit it in production to use
the wall clock. The verify output now also reports expires_at (earliest expiry in the chain).
Demos — real, runnable scenarios
Every passport under demos/ is a genuine HMAC-signed artifact produced by the
library (regenerate with python scripts/build_demos.py). Each folder has a SCENARIO.md with
where the data came from, the exact command, and how to act on the result.
| Demo | Scenario |
|---|---|
| 02-rag-4-hop-chain | 4-hop RAG pipeline anchored to a human; final hop can't write |
| 03-escalation-tamper | Hand-edited scopes — caught by both bad-signature and escalation checks |
| 04-ci-ttl-deploy | 15-minute CI deploy token; valid in-window, expired after |
| 05-least-privilege-fanout | One human, three sibling agents each holding only their slice |
| 06-rotated-key-mismatch | Wrong/rotated signing key → bad signature |
| 07-missing-issuer-key | Incomplete trust map fails closed |
| 08-mcp-tool-gating | Gate MCP tool calls; shell.exec blocked, fs.write allowed |
| 09-auto-narrow-subset | Over-broad delegate request auto-narrowed to a subset |
Architecture
flowchart LR
H[👤 Human principal] -->|issue scopes| A1[Agent: researcher]
A1 -->|delegate ⊆ scopes| A2[Agent: summarizer]
A2 -->|delegate ⊆ scopes| A3[Agent: tool-runner]
A3 --> V{verify chain}
V -->|walks back to| H
V --> R[valid? · principal · violations]
Why it's different
Every hop is HMAC-signed and can only narrow scopes — escalation is detected. Verification walks the whole chain back to the human anchor, so you get the one thing OAuth/MCP can't give you today: accountable, multi-hop agent authorization.
Use it from any AI stack
MCP server (agentpassport mcp), JSON in/out for any agent runtime, drop-in for
uncensored-fleet / LangChain / CrewAI delegation.
Prior art / standards
Aligned with IETF draft-klrc-aiagent-auth (AIMS), NIST agent-identity concept paper, MCP, and Mastercard Agent Pay tokenization. Production: anchor the HMAC demo in real PKI / SPIFFE.
Related
🤖 uncensored-fleet · 🛡️ guardpost · 🧰 toolguard · 🗂️ the suite
⭐ Star it — agent identity is the problem nobody's solved yet.
Interoperability
agentpassport composes with the 300+ tool Cognis suite — JSON in/out and a shared
OpenAI-compatible /v1 backbone. See INTEROP.md for the
suite map, composition patterns, and reference stacks.
Integrations
Forward agentpassport's findings to STIX/MISP/Sigma/Splunk/Elastic/Slack/webhooks via
cognis-connect. See INTEGRATIONS.md.
License
COCL v1.0 — see LICENSE.
Установка Agentpassport
У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.
▸ github.com/cognis-digital/agentpassportFAQ
Agentpassport MCP бесплатный?
Да, Agentpassport MCP бесплатный — установка в пару кликов через Unyly без оплаты.
Нужен ли API-ключ для Agentpassport?
Нет, Agentpassport работает без API-ключей и переменных окружения.
Agentpassport — hosted или self-hosted?
Доступен hosted-вариант: Unyly запускает сервер в облаке, локальная установка не обязательна.
Как установить Agentpassport в Claude Desktop, Claude Code или Cursor?
Открой Agentpassport на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.
Похожие MCP
Fetch
Web content fetching and conversion for efficient LLM usage.
AWS KB Retrieval
Retrieval from AWS Knowledge Base using Bedrock Agent Runtime.
автор: modelcontextprotocolSpring AI MCP Server
Provides auto-configuration for setting up an MCP server in Spring Boot applications.
llm-analysis-assistant
A very streamlined mcp client that supports calling and monitoring stdio/sse/streamableHttp, and can also view request responses through the /logs page. It also
автор: xuzexin-hzCompare Agentpassport with
Не уверен что выбрать?
Найди свой стек за 60 секунд
Автор?
Embed-бейдж для README
Похожее
Все в категории ai
