agent-protocols

module

v0.3.0 Latest Latest Go to latest Published: May 11, 2026 License: MIT

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/aistandardsio/agent-protocols

Links

Open Source Insights

README ¶

Agent Protocols

Go implementation of agent-to-agent communication protocols for AI agent authentication and authorization.

EXPERIMENTAL: This library implements draft specifications that are subject to change.

Overview

This repository provides Go libraries for emerging agent-to-agent protocols:

aauth - Agent Authentication using HTTP message signatures (RFC 9421) based on draft-hardt-oauth-aauth-protocol
- Examples - Working demos (simple, delegation, token exchange)
- PIDL Definitions - Protocol diagrams
idjag - Identity Assertion JWT Authorization Grant based on draft-ietf-oauth-identity-assertion-authz-grant
- Examples - Working demos
- PIDL Definitions - Protocol diagrams
aims - Agent Identity Management System (AIMS) based on draft-klrc-aiagent-auth-00
- Examples - Working demos (simple WIT/WPT, mTLS)
- PIDL Definitions - Protocol diagrams

Adapters

Production-ready integrations with identity infrastructure:

adapters/zitadel - Integration with Zitadel OIDC for all three protocols
adapters/sharkauth - Integration with SharkAuth for agent delegation with DPoP
adapters/ory - Integration with Ory Fosite and Hydra

Installation

go get github.com/aistandardsio/agent-protocols

Quick Start

AAuth - HTTP Message Signatures

import "github.com/aistandardsio/agent-protocols/aauth"

// Create agent with cryptographic identity
agentID, _ := aauth.NewAAuthID("calendar-bot", "example.com")
agent, _ := aauth.NewAgent(agentID, privateKey,
    aauth.WithAgentProviderURL("https://agents.example.com"))

// Create signed HTTP request
req, _ := agent.SignedRequest(ctx, "GET", "https://api.example.com/events", nil)

// Or use automatic signing transport
client := &http.Client{Transport: agent.Transport(nil)}
resp, _ := client.Get("https://api.example.com/events")

ID-JAG - Token Exchange

import "github.com/aistandardsio/agent-protocols/idjag"

// Create assertion for token exchange
assertion := idjag.NewAssertion(
    "https://issuer.example.com",
    "agent:calendar-bot",
    []string{"https://auth.example.com"},
    5 * time.Minute,
)

// Exchange for access token
client := idjag.NewTokenExchangeClient("https://auth.example.com/token")
resp, _ := client.ExchangeAssertion(ctx, signedAssertion, "read:data")

AIMS - Workload Identity

import "github.com/aistandardsio/agent-protocols/aims"

// Create SPIFFE ID for agent
spiffeID, _ := aims.NewSPIFFEID("example.com", "/agent/calendar-bot")

// Create Workload Identity Token
wit := aims.NewWIT(spiffeID, []string{"https://api.example.com"}, 1*time.Hour)
signedWIT, _ := wit.Sign(privateKey, "key-1")

Examples

Each protocol includes working demos:

AAuth:

go run ./aauth/examples/simple      # Agent authentication
go run ./aauth/examples/delegation  # Human-to-agent delegation

ID-JAG:

go run ./idjag/examples/simple      # Agent-only flow
go run ./idjag/examples/delegation  # Human-to-agent delegation

AIMS:

go run ./aims/examples/simple       # WIT/WPT authentication
go run ./aims/examples/mtls         # mTLS with X.509 SVID

Zitadel Adapter:

go run ./adapters/zitadel/examples/idjag  # ID-JAG token exchange
go run ./adapters/zitadel/examples/aims   # AIMS WIT verification
go run ./adapters/zitadel/examples/aauth  # AAuth agent authentication

SharkAuth Adapter:

go run ./adapters/sharkauth/examples/aauth  # AAuth with delegation grants

Ory Adapter:

go run ./adapters/ory/examples/idjag  # ID-JAG with Hydra

Documentation

AAuth: Overview | Getting Started | Examples
ID-JAG: Protocol Overview | Getting Started
AIMS: Overview | Getting Started
Zitadel Adapter: Overview | Getting Started
SharkAuth Adapter: Overview | Getting Started
Ory Adapter: Overview | Getting Started
API Reference
Changelog
Full Documentation

draft-hardt-oauth-aauth-protocol - AAuth Protocol specification
draft-ietf-oauth-identity-assertion-authz-grant - ID-JAG specification
draft-klrc-aiagent-auth-00 - AIMS specification
draft-ietf-wimse-s2s-protocol - WIMSE S2S Protocol (WIT/WPT)
RFC 9421 - HTTP Message Signatures
RFC 8693 - OAuth 2.0 Token Exchange
SPIFFE - Secure Production Identity Framework For Everyone

License

MIT License - see LICENSE for details.

Directories ¶

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL

Path	Synopsis
aauth Package aauth implements the AAuth protocol for agent-to-resource authentication.	Package aauth implements the AAuth protocol for agent-to-resource authentication.
examples/delegation command Package main demonstrates the AAuth delegation flow.	Package main demonstrates the AAuth delegation flow.
examples/resource-managed command Package main demonstrates the AAuth resource-managed flow.	Package main demonstrates the AAuth resource-managed flow.
examples/simple command Package main demonstrates the AAuth identity-only flow.	Package main demonstrates the AAuth identity-only flow.
httpsig Package httpsig implements HTTP Message Signatures per RFC 9421.	Package httpsig implements HTTP Message Signatures per RFC 9421.
adapters
ory Package ory provides integration between agent-protocols and Ory infrastructure.	Package ory provides integration between agent-protocols and Ory infrastructure.
ory/examples/idjag command Package main demonstrates ID-JAG integration with Ory Hydra.	Package main demonstrates ID-JAG integration with Ory Hydra.
ory/fosite Package fosite provides custom OAuth 2.0 grant handlers for Ory Fosite.	Package fosite provides custom OAuth 2.0 grant handlers for Ory Fosite.
ory/hydra Package hydra provides a client for Ory Hydra's APIs with agent token support.	Package hydra provides a client for Ory Hydra's APIs with agent token support.
sharkauth Package sharkauth provides adapters integrating agent-protocols with SharkAuth, a purpose-built OAuth 2.0 server for agent delegation.	Package sharkauth provides adapters integrating agent-protocols with SharkAuth, a purpose-built OAuth 2.0 server for agent delegation.
sharkauth/examples/aauth command Package main demonstrates AAuth protocol integration with SharkAuth.	Package main demonstrates AAuth protocol integration with SharkAuth.
zitadel Package zitadel provides production-quality adapters integrating agent-protocols with Zitadel OIDC infrastructure.	Package zitadel provides production-quality adapters integrating agent-protocols with Zitadel OIDC infrastructure.
zitadel/examples/aauth command Package main demonstrates AAuth agent authentication with Zitadel.	Package main demonstrates AAuth agent authentication with Zitadel.
zitadel/examples/aims command Package main demonstrates AIMS Workload Identity Token verification with Zitadel.	Package main demonstrates AIMS Workload Identity Token verification with Zitadel.
zitadel/examples/idjag command Package main demonstrates ID-JAG assertion exchange with Zitadel.	Package main demonstrates ID-JAG assertion exchange with Zitadel.
aims Package aims implements the Agent Identity Management System (AIMS) framework based on draft-klrc-aiagent-auth-00.	Package aims implements the Agent Identity Management System (AIMS) framework based on draft-klrc-aiagent-auth-00.
examples/mtls command Package main demonstrates AIMS agent authentication using mTLS with X.509 SVID.	Package main demonstrates AIMS agent authentication using mTLS with X.509 SVID.
examples/simple command Package main demonstrates basic AIMS agent authentication with SPIFFE ID.	Package main demonstrates basic AIMS agent authentication with SPIFFE ID.
demos
multi-protocol command Package main demonstrates all three agent authentication protocols.	Package main demonstrates all three agent authentication protocols.
idjag Package idjag implements Identity Assertion JWT Authorization Grant (ID-JAG) based on draft-ietf-oauth-identity-assertion-authz-grant.	Package idjag implements Identity Assertion JWT Authorization Grant (ID-JAG) based on draft-ietf-oauth-identity-assertion-authz-grant.
examples/delegation command Package main demonstrates ID-JAG with human-to-agent delegation.	Package main demonstrates ID-JAG with human-to-agent delegation.
examples/simple command Package main demonstrates a simple ID-JAG token exchange flow without delegation.	Package main demonstrates a simple ID-JAG token exchange flow without delegation.