Internet-Draft · draft-ayoub-agis-agent-identity-system-00 · submitted to IETF 29 June 2026

AgIS — Agent Identity System

Open protocol and reference implementation for agent verification and governance.

AgIS turns agent identity evidence into enforceable trust decisions.

  • 23 deterministic test vectors (0 failures)
  • 0.35ms average per offline verification (no live DNS/HTTP)
  • Ed25519 signature algorithm (no symmetric secrets)
  • 4 RFC profiles: 9421 · 9530 · 8785 · 7638

◉ Note

Status: AgIS has been submitted to the IETF as an individual Internet-Draft (draft-ayoub-agis-agent-identity-system-00), submitted 29 June 2026. It has not been adopted by any IETF working group and is not an approved IETF standard. The TypeScript SDK and CLI are alpha-quality and are intended for protocol development and testing, not unreviewed production deployment. agent:// is not yet an IANA-registered URI scheme.

30-second install

The SDK is published to npm. No build step, no API key, no external service.

terminal
npm install @epicortek/agis-sdk-ts
TypeScript
import { signAgentCard, verifyAgentOffline } from "@epicortek/agis-sdk-ts";

// 1. Sign your agent card
const signedCard = await signAgentCard({ agentCard, privateJwk, keyId });

// 2. Verify offline — no API call needed
const result = await verifyAgentOffline({
  dnsTxtRecord: "agis=0.2.2; agent=agent://example.com/worker; card=https://...; jkt=...; card_sha256=...",
  signedAgentCard: signedCard,
  statusDocument: { agent_id, status: "active", updated_at: new Date().toISOString() }
});

// result.decision:   "allow" | "deny" | "review"
// result.trustLevel:  0–5
// result.validIdentity: true | false

Verification flow

Each step adds a layer of evidence. The trust level at the final step determines the allow / deny / review decision.

  1. Agent request

    Agent Identifier + Agent Card URL presented

  2. DNS TXT lookup

    DNS record binds agent identifier to card URL and JWK thumbprint

  3. Agent Card fetch & canonicalization

    RFC 8785 canonical JSON — hash verified against DNS TXT card_sha256

  4. Signature verification

    Ed25519 (RFC 8037) + HTTP Message Signatures (RFC 9421) + Content-Digest (RFC 9530)

  5. Lifecycle status check

    Status document: active / suspended / revoked / compromised

  6. Trust decision

    allow · deny · review — deterministic, reproducible, auditable

Trust levels

AgIS reports trust levels 0–5. Higher levels reflect more verification evidence. The current offline identity verification test vectors reach Level 4; high-assurance signed request verification can reach Level 5 when freshness, replay protection, and local policy acceptance are enforced.

  • Level 0: No identity evidence (deny). No usable identity evidence present. Request cannot be authenticated.
  • Level 1: Syntactically valid (review). Agent Identifier and Agent Card are syntactically valid. Structure verified, not cryptographically bound.
  • Level 2: DNS binding verified (review). DNS TXT record links the Agent Identifier to the Agent Card URL. Domain control confirmed.
  • Level 3: Cryptographically verified (allow). Card hash (RFC 9530 + RFC 8785), JWK thumbprint (RFC 7638), and Ed25519 signature verified.
  • Level 4: Active status confirmed (allow). Status document checked and agent is active (not revoked, not suspended, not compromised). Offline reference implementation test vectors reach this level.
  • Level 5: Freshness, replay protection, and policy enforced (allow). Freshness window (max_age) enforced, replay protection (nonce / two-phase commit) verified, and local policy explicitly accepted. Required for high-assurance signed request verification.

What AgIS is

AgIS is EPICORTEK's open protocol specification and reference implementation for agent verification and governance. It defines how AI agents, autonomous systems, and non-deterministic workflows prove who they are, validate the authenticity of their requests, and operate under enforceable policy decisions.

The core mechanism: AgIS evaluates agent identity evidence from multiple verification sources and produces a deterministic operational decision — allow, deny, or review. These decisions are reproducible, auditable, and policy-bound.

AgIS uses infrastructure that already exists — DNS, HTTPS, and cryptographic primitives. No new PKI. No blockchain. No central registry.

The problem AgIS addresses

AI agents and autonomous systems are increasingly capable of taking real actions — making API calls, executing tasks, delegating to sub-agents, accessing data, and triggering workflows. But there is no standardized way for these systems to:

  • Prove who they are in a verifiable, machine-readable way
  • Demonstrate that a request came from the agent it claims to come from
  • Show the scope of their delegation authority
  • Signal that they are active (not revoked, not suspended)
  • Enable auditors and operators to verify what happened after the fact

Without this layer, trust in agentic systems is informal, unverifiable, and inconsistent. AgIS proposes a structured, DNS-backed approach to this problem.

How AgIS works

A DNS TXT record binds an agent identifier to an Agent Card and signing key. A verifier inspects the DNS binding, canonicalizes the Agent Card (RFC 8785), verifies the Ed25519 signature against the DNS-bound key (RFC 7638 JWK thumbprint), validates the HTTP Message Signature (RFC 9421), checks the Content-Digest (RFC 9530), verifies request freshness, and checks lifecycle status.
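The DNS binding, key thumbprint and card-hash checks described above (steps 2 and 3 of the verification flow), as an added example that is not the AgIS SDK's own code. The function names, the sample card and the hex encoding of card_sha256 are assumptions of this example; the TXT field names come from the install snippet on this page.

```typescript
import { createHash } from "node:crypto";

type Json = null | boolean | number | string | Json[] | { [k: string]: Json };
type OkpJwk = { kty: string; crv: string; x: string };
const sha256 = (s: string, enc: "hex" | "base64url"): string =>
  createHash("sha256").update(s, "utf8").digest(enc);

// RFC 8785 (JCS): keys sorted by UTF-16 code unit, no whitespace. JSON.stringify
// already emits the ECMAScript number and string forms that JCS prescribes.
export function canonicalize(v: Json): string {
  if (v === null || typeof v !== "object") return JSON.stringify(v);
  if (Array.isArray(v)) return "[" + v.map((x) => canonicalize(x)).join(",") + "]";
  const keys = Object.keys(v).sort();
  return "{" + keys.map((k) => JSON.stringify(k) + ":" + canonicalize(v[k] as Json)).join(",") + "}";
}

// RFC 7638 thumbprint for OKP keys (RFC 8037): members crv, kty, x in that order.
export function jwkThumbprint(jwk: OkpJwk): string {
  return sha256(JSON.stringify({ crv: jwk.crv, kty: jwk.kty, x: jwk.x }), "base64url");
}

// Split "k=v; k=v". Duplicates are rejected (this example's choice) so a second "jkt=" cannot shadow the first.
export function parseTxt(txt: string): Map<string, string> {
  const fields = new Map<string, string>();
  for (const part of txt.split(";").map((p) => p.trim()).filter((p) => p !== "")) {
    const i = part.indexOf("=");
    const key = part.slice(0, i).trim();
    if (i < 1 || fields.has(key)) throw new Error("malformed or duplicate field: " + part);
    fields.set(key, part.slice(i + 1).trim());
  }
  return fields;
}

// Returns the names of the bindings that failed; an empty list means the record matches.
// Assumption: card_sha256 is lowercase hex of SHA-256 over the canonical card.
export function checkBinding(txt: string, agentId: string, card: Json, jwk: OkpJwk): string[] {
  const f = parseTxt(txt);
  const failed: string[] = [];
  if (f.get("agent") !== agentId) failed.push("agent");
  if (f.get("jkt") !== jwkThumbprint(jwk)) failed.push("jkt");
  if (f.get("card_sha256") !== sha256(canonicalize(card), "hex")) failed.push("card_sha256");
  return failed;
}

// Constructed sample data; x is the public Ed25519 test key from RFC 8037 Appendix A.
export const sampleJwk: OkpJwk = { kty: "OKP", crv: "Ed25519", x: "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo" };
export const sampleCard: Json = { name: "worker", agent_id: "agent://example.com/worker" };
export const sampleTxt: string = "agis=0.2.2; agent=agent://example.com/worker; card=https://example.com/card.json; " +
  `jkt=${jwkThumbprint(sampleJwk)}; card_sha256=${sha256(canonicalize(sampleCard), "hex")}`;
```

Because the card is canonicalized before hashing, reordering its members leaves card_sha256 unchanged, while changing any value or swapping the key is reported as a failed binding.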

Agent Cards

Structured identity claims attached to an agent, evaluated against registered evidence.

DNS TXT bindings

Domain-verified association between an agent identifier and a DNS record.

Key thumbprints

Cryptographic key fingerprints (RFC 7638) used to bind requests to agent identity.

Signed HTTP requests

HTTP Message Signatures (RFC 9421) validated against the agent's registered keys.

Request freshness

Two-phase nonce commit prevents replay of stale or captured requests.

Lifecycle status

Active, suspended, revoked, or compromised — checked after cryptographic verification.

Revocation

Status document endpoint checked; revoked agents receive a deny decision.

Scoped delegation

Single delegation tokens with explicit scope constraints.

Delegation chains

Multi-hop delegation with scope narrowing enforced at every link.

After evaluating the available evidence, AgIS produces one of three decisions:

  • Allow — sufficient evidence; proceed with the operation
  • Deny — insufficient or contradictory evidence; block the operation
  • Review — evidence incomplete; escalate for human or policy review

These decisions are deterministic: given the same evidence and policy configuration, the same decision is always produced. This is validated by 23 deterministic test vectors.
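How the trust-level ladder and the three decisions can be computed from a fixed evidence record, as an added example that is not the AgIS reference implementation. The Evidence shape and its field names are hypothetical, the cumulative reading of the levels is an assumption, and treating suspended and compromised like revoked (deny) is also an assumption; the page itself only states that revoked agents receive a deny decision.

```typescript
type Status = "active" | "suspended" | "revoked" | "compromised";
type Decision = "allow" | "deny" | "review";

// Hypothetical evidence record: one flag per rung of the trust-level list.
export interface Evidence {
  syntaxValid: boolean;            // level 1: identifier and card parse
  dnsBindingVerified: boolean;     // level 2: TXT record links identifier to card
  cryptoVerified: boolean;         // level 3: card hash, thumbprint, signature
  status?: Status;                 // level 4 needs "active"; undefined = not checked
  freshAndPolicyAccepted: boolean; // level 5: max_age, replay check, local policy
}

// Highest level reached without skipping a rung (assumed cumulative ladder).
export function trustLevel(e: Evidence): number {
  const rungs: boolean[] = [e.syntaxValid, e.dnsBindingVerified, e.cryptoVerified,
    e.status === "active", e.freshAndPolicyAccepted];
  const firstMiss = rungs.indexOf(false);
  return firstMiss === -1 ? rungs.length : firstMiss;
}

export function decide(e: Evidence): { trustLevel: number; decision: Decision } {
  const level = trustLevel(e);
  // A revoked agent's card still hashes and verifies, so it sits at level 3
  // ("allow" in the list). A known non-active status must override the ladder.
  if (e.status !== undefined && e.status !== "active") {
    return { trustLevel: level, decision: "deny" };
  }
  const decision: Decision = level === 0 ? "deny" : level <= 2 ? "review" : "allow";
  return { trustLevel: level, decision };
}
```

The function has no clock, network or random input, so the same evidence record always yields the same level and decision.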

IETF Internet-Draft

draft-ayoub-agis-agent-identity-system-00

AgIS has been submitted to the IETF as an individual Internet-Draft. It defines a DNS-backed identity and verification profile for AI agents using existing web infrastructure. No new PKI. No blockchain. No central registry.

Submitted 29 June 2026. This is an individual submission for community review — it has not been adopted by any IETF working group and is not an approved IETF standard.

What exists today

Internet-Draft

Submitted

draft-ayoub-agis-agent-identity-system-00 — submitted 29 June 2026. Individual submission to IETF.


TypeScript SDK

Alpha · npm

@epicortek/agis-sdk-ts — v0.3.0-alpha.3 published to npm.


CLI

Alpha · npm

@epicortek/agis-cli — alpha companion for evaluation and verification.


Deterministic test vectors

23 passing

23 test vectors covering all components and selected negative cases. All passing.


What AgIS is not

Understanding the precise scope of AgIS prevents misapplication.

Not a DID system

AgIS does not use or require Decentralized Identifiers. It operates on its own DNS-backed evidence model.

Not decentralized identity

AgIS does not implement DIDs, verifiable credentials, or W3C DID methods.

Not a wallet system

AgIS does not store credentials, keys, or identity material. It evaluates evidence.

Not blockchain-based

AgIS has no dependency on distributed ledgers, blockchains, or consensus protocols.

Not an IANA-registered scheme

agent:// is not yet a registered IANA URI scheme.

Not an approved IETF standard

The Internet-Draft has not been adopted by any IETF working group.

Not production enterprise software

The SDK and CLI are alpha. Not for unreviewed production deployment.

Not a replacement for ANS

AgIS addresses a different problem domain from Autonomous Naming Systems.

Not an agent framework

EPICORTEK does not replace orchestration, workflow, or model tooling. AgIS focuses on identity, policy, evidence, observability, and audit around agentic systems.

Status and maturity

| Artifact | Status | Notes |
|---|---|---|
| Internet-Draft specification | Submitted (29 June 2026) | draft-ayoub-agis-agent-identity-system-00; not adopted by IETF WG |
| TypeScript SDK (@epicortek/agis-sdk-ts) | v0.3.0-alpha.3 | Published to npm |
| CLI (@epicortek/agis-cli) | Alpha | Published to npm |
| Deterministic test vectors | 23 passing | All components + selected negative cases |
| Agent Card evaluation | Implemented (alpha) | Core verification mechanism |
| DNS TXT bindings | Implemented (alpha) | Domain-based identity binding |
| Ed25519 signatures | Implemented (alpha) | RFC 8037; no symmetric secrets |
| HTTP Message Signatures | Implemented (alpha) | RFC 9421 profile |
| Content-Digest | Implemented (alpha) | RFC 9530 |
| Delegation chain validation | Implemented (alpha) | Multi-hop with scope narrowing |
| Live DNS/HTTPS resolver | Planned (beta) | Reference implementation is offline-only |
| IETF standardization | Submitted (29 June 2026) | Individual Internet-Draft; not a WG item |
| Production deployment | Not claimed | Alpha reference implementation only |

Links and artifacts

IETF Datatracker (official)

draft-ayoub-agis-agent-identity-system-00 — the canonical, authoritative version of this draft.


Formatted reading version

Same content, styled for readability on this site.


GitHub repository

Source code, reference implementation, CLI, test vectors


npm SDK

@epicortek/agis-sdk-ts — v0.3.0-alpha.3


npm CLI

@epicortek/agis-cli — agent identity evaluation from the command line


Evidence register

EPICORTEK evidence register for AgIS artifacts and verified claims


Work overview

AgIS status in the context of all EPICORTEK work


Discuss AgIS

Technical discussion, protocol review, standards collaboration, or pilot inquiry — contact EPICORTEK.
