For weeks, the A2A community has debated agent identity. #1497 proposed an identity verification framework. #1472 asked for cryptographic identity verification. #1501 tackled trust scoring for delegation.
Now someone has built it.
The contributor runs three AI agents from different creators — Claude, GPT, and an open-source agent — that collaborate on development work. They review each other's code, post to shared channels, and coordinate tasks. The problem they hit daily:
"When PortalX2 tells my GPT agent to push code to my repo, I have no way to verify that the request was within scope, properly authorized, or traceable back to me."
This is the core identity problem that every production multi-agent system faces. Without verification, delegation, and enforcement, autonomous agents operating on your behalf become a security liability.
The Agent Passport System is a TypeScript SDK (v1.8.0, 240 tests) that addresses the three proposals simultaneously:
Every agent gets a keypair, signs its actions, and can be verified by any other agent or system. Cross-language compatible with canonical serialization spec included, plus a Python reference implementation.
A human delegates specific permissions to an agent (e.g., data:read, commerce:checkout), with spend limits and expiry. Sub-delegation narrows scope — never widens. Revoking a parent cascades to all children instantly.
Every action gets wrapped in a 3-signature chain: (1) agent declares intent, (2) policy engine evaluates against delegation + values floor, (3) execution creates a signed receipt. The agent physically cannot skip this.
From the enforcement demo that ships with the SDK:
═══ Actions outside scope — all DENIED ═══
✗ Researcher tries to buy GPU → DENIED
"No valid delegation for scope: commerce:checkout"
✗ Purchaser tries to deploy code → DENIED
"No valid delegation for scope: code:deploy"
✗ Deployer tries to read secrets → DENIED
"No valid delegation for scope: data:read"
⚠ Purchaser tries $1,599 purchase → NARROWED
"Spend 1599 exceeds remaining 200"Three agents, different permissions, every attempt logged. When the researcher agent has data:read and api:fetch permissions but tries commerce:checkout, there's no matching delegation — denied before anything happens.
The implementation includes seven principles defined in YAML that agents attest to:
Extensions can narrow the floor but never widen it.
The protocol is designed to compose, not replace. The contributor suggests:
Implementation often accelerates spec work. The A2A community has been discussing identity for months. Now there's working code — with 240 tests, adversarial scenarios, and a month of production use.
The 23 adversarial test scenarios cover replay attacks, impersonation, scope escalation, and delegation chain manipulation. This isn't theoretical security — it's tested security.
npx tsx examples/enforcement-demo.tsnpm install agent-passport-systemThe contributor has been running this in production with their own agents since February. The enforcement layer, they note, "is the thing that actually changed how they behave."
This implementation could inform how A2A approaches identity in a future version. The pattern of community implementations proving concepts before spec inclusion is healthy — it shows the ideas work in practice, not just in theory.
For teams running multi-agent systems today and hitting the same identity problems, there's now a tested solution available.