AgIS — Agent Identity System
Open protocol and reference implementation for agent verification and governance.
AgIS turns agent identity evidence into enforceable trust decisions.
- 23 deterministic test vectors (0 failures)
- 0.35ms avg per offline verification (no live DNS/HTTP)
- Ed25519 signature algorithm (no symmetric secrets)
- 4 RFC profiles (9421 · 9530 · 8785 · 7638)
Note
Status: AgIS has been submitted to the IETF as an individual Internet-Draft
(draft-ayoub-agis-agent-identity-system-00), submitted 29 June 2026.
It has not been adopted by any IETF working group and is not an approved IETF standard.
The TypeScript SDK and CLI are alpha-quality and are intended for protocol development
and testing, not unreviewed production deployment.
agent:// is not yet an IANA-registered URI scheme.
Developer entry points
All public artifacts. No login required to access any of these.
- GitHub repository (Public): epicortek/agis. Source, reference implementation, CLI, test vectors, CHANGELOG
- npm SDK (Alpha): @epicortek/agis-sdk-ts. TypeScript SDK — v0.3.0-alpha.3 — offline agent verification
- npm CLI (Alpha): @epicortek/agis-cli. Command-line agent identity evaluation and verification
- IETF Internet-Draft (Submitted): draft-ayoub-agis-agent-identity-system-00. Canonical specification — submitted 29 June 2026
- Test vectors (23 passing): 23 deterministic — 0 failures. All components and selected negative cases covered
- Formatted draft (On this site): epicortek.com/en/agis/draft. Same specification content, styled for readability
30-second install
The SDK is published to npm. No build step, no API key, no external service.
```sh
npm install @epicortek/agis-sdk-ts
```
```typescript
import { signAgentCard, verifyAgentOffline } from "@epicortek/agis-sdk-ts";

// agentCard, privateJwk, keyId and agent_id are supplied by the caller.

// 1. Sign your agent card
const signedCard = await signAgentCard({ agentCard, privateJwk, keyId });

// 2. Verify offline — no API call needed
const result = await verifyAgentOffline({
  dnsTxtRecord: "agis=0.2.2; agent=agent://example.com/worker; card=https://...; jkt=...; card_sha256=...",
  signedAgentCard: signedCard,
  statusDocument: { agent_id, status: "active", updated_at: new Date().toISOString() }
});

// result.decision: "allow" | "deny" | "review"
// result.trustLevel: 0–5
// result.validIdentity: true | false
```
Verification flow
Each step adds a layer of evidence. The trust level at the final step determines the allow / deny / review decision.
- Agent request: Agent Identifier + Agent Card URL presented
- DNS TXT lookup: DNS record binds agent identifier to card URL and JWK thumbprint
- Agent Card fetch & canonicalization: RFC 8785 canonical JSON — hash verified against DNS TXT card_sha256
- Signature verification: Ed25519 (RFC 8037) + HTTP Message Signatures (RFC 9421) + Content-Digest (RFC 9530)
- Lifecycle status check: Status document: active / suspended / revoked / compromised
- Trust decision: allow · deny · review — deterministic, reproducible, auditable
Trust levels
AgIS reports trust levels 0–5. Higher levels reflect more verification evidence. The current offline identity verification test vectors reach Level 4; high-assurance signed request verification can reach Level 5 when freshness, replay protection, and local policy acceptance are enforced.
| Level | Name | Decision | Evidence |
|---|---|---|---|
| 0 | No identity evidence | deny | No usable identity evidence present. Request cannot be authenticated. |
| 1 | Syntactically valid | review | Agent Identifier and Agent Card are syntactically valid. Structure verified, not cryptographically bound. |
| 2 | DNS binding verified | review | DNS TXT record links the Agent Identifier to the Agent Card URL. Domain control confirmed. |
| 3 | Cryptographically verified | allow | Card hash (RFC 9530 + RFC 8785), JWK thumbprint (RFC 7638), and Ed25519 signature verified. |
| 4 | Active status confirmed | allow | Status document checked and agent is active (not revoked, not suspended, not compromised). Offline reference implementation test vectors reach this level. |
| 5 | Freshness, replay protection, and policy enforced | allow | Freshness window (max_age) enforced, replay protection (nonce / two-phase commit) verified, and local policy explicitly accepted. Required for high-assurance signed request verification. |
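The sketch below shows how the DNS TXT binding and the trust levels above combine into a decision. It is an added illustration, not code from the AgIS SDK or the draft: `parseAgisTxt`, `evaluate` and their parameter names are hypothetical, the sample record is constructed, and the hash, thumbprint and signature results in `computed` are assumed to come from a separate cryptographic step. Denying on any failed check, including suspended or compromised status, is an assumption of this example (the page states deny explicitly only for revoked agents).

```javascript
// Added illustration, not AgIS SDK code. TXT field names come from the record on this page;
// strict parsing, the tri-state evidence model and the syntax check are assumptions.
const DECISION_BY_LEVEL = ["deny", "review", "review", "allow", "allow", "allow"];
const REQUIRED = ["agis", "agent", "card", "jkt", "card_sha256"];
// Constructed sample record (placeholder thumbprint and hash values).
const SAMPLE_TXT = "agis=0.2.2; agent=agent://example.com/worker; " +
  "card=https://example.com/card.json; jkt=SAMPLE-JKT; card_sha256=SAMPLE-HASH";

// Parse "key=value; key=value" into a prototype-free map; reject duplicates and gaps.
function parseAgisTxt(txt) {
  const fields = Object.create(null);
  for (const part of txt.split(";")) {
    const item = part.trim();
    if (!item) continue;
    const eq = item.indexOf("=");
    if (eq < 1) throw new Error("malformed field: " + item);
    const key = item.slice(0, eq).trim();
    if (key in fields) throw new Error("duplicate field: " + key);
    fields[key] = item.slice(eq + 1).trim();
  }
  for (const k of REQUIRED) if (!fields[k]) throw new Error("missing field: " + k);
  return fields;
}

// Ladder entries: true = verified, false = checked and failed, undefined = no evidence.
// `computed` holds what the verifier derived itself from the fetched card and key.
function evaluate({ txt, agentId, cardUrl, computed, status, freshReplayPolicy }) {
  let dns, cryptoOk;
  if (txt !== undefined) {
    try {
      const b = parseAgisTxt(txt);
      dns = b.agent === agentId && b.card === cardUrl;
      if (computed) cryptoOk = computed.signatureValid === true &&
        computed.jkt === b.jkt && computed.cardSha256 === b.card_sha256;
    } catch (e) { dns = false; }   // unparseable record counts as a failed binding
  }
  const ladder = [
    ["syntax", String(agentId).startsWith("agent://") && String(cardUrl).startsWith("https://")],
    ["dns_binding", dns],
    ["crypto", cryptoOk],
    ["status", status === undefined ? undefined : status === "active"],
    ["freshness_replay_policy", freshReplayPolicy],
  ];
  let trustLevel = 0;   // climb only while each rung in order is verified
  while (trustLevel < ladder.length && ladder[trustLevel][1] === true) trustLevel++;
  const failed = ladder.find(([, ok]) => ok === false);   // any failed check forces deny
  if (failed) return { trustLevel, decision: "deny", reason: failed[0] + " failed" };
  return { trustLevel, decision: DECISION_BY_LEVEL[trustLevel], reason: "level " + trustLevel };
}
```

Because the ladder is climbed in order, an "active" status document without a verified signature still stops at level 2 (review), and a duplicated `jkt` field in the TXT record is treated as a failed binding rather than silently taking the last value.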
What AgIS is
AgIS is EPICORTEK's open protocol specification and reference implementation for agent verification and governance. It defines how AI agents, autonomous systems, and non-deterministic workflows prove who they are, validate the authenticity of their requests, and operate under enforceable policy decisions.
The core mechanism: AgIS evaluates agent identity evidence from multiple verification sources and produces a deterministic operational decision — allow, deny, or review. These decisions are reproducible, auditable, and policy-bound.
AgIS uses infrastructure that already exists — DNS, HTTPS, and cryptographic primitives. No new PKI. No blockchain. No central registry.
The problem AgIS addresses
AI agents and autonomous systems are increasingly capable of taking real actions — making API calls, executing tasks, delegating to sub-agents, accessing data, and triggering workflows. But there is no standardized way for these systems to:
- Prove who they are in a verifiable, machine-readable way
- Demonstrate that a request came from the agent it claims to come from
- Show the scope of their delegation authority
- Signal that they are active (not revoked, not suspended)
- Enable auditors and operators to verify what happened after the fact
Without this layer, trust in agentic systems is informal, unverifiable, and inconsistent. AgIS proposes a structured, DNS-backed approach to this problem.
How AgIS works
A DNS TXT record binds an agent identifier to an Agent Card and signing key. A verifier inspects the DNS binding, canonicalizes the Agent Card (RFC 8785), verifies the Ed25519 signature against the DNS-bound key (RFC 7638 JWK thumbprint), validates the HTTP Message Signature (RFC 9421), checks the Content-Digest (RFC 9530), verifies request freshness, and checks lifecycle status.
- Agent Cards: Structured identity claims attached to an agent, evaluated against registered evidence.
- DNS TXT bindings: Domain-verified association between an agent identifier and a DNS record.
- Key thumbprints: Cryptographic key fingerprints (RFC 7638) used to bind requests to agent identity.
- Signed HTTP requests: HTTP Message Signatures (RFC 9421) validated against the agent's registered keys.
- Request freshness: Two-phase nonce commit prevents replay of stale or captured requests.
- Lifecycle status: Active, suspended, revoked, or compromised — checked after cryptographic verification.
- Revocation: Status document endpoint checked; revoked agents receive a deny decision.
- Scoped delegation: Single delegation tokens with explicit scope constraints.
- Delegation chains: Multi-hop delegation with scope narrowing enforced at every link.
After evaluating the available evidence, AgIS produces one of three decisions:
- Allow — sufficient evidence; proceed with the operation
- Deny — insufficient or contradictory evidence; block the operation
- Review — evidence incomplete; escalate for human or policy review
These decisions are deterministic: given the same evidence and policy configuration, the same decision is always produced. This is validated by 23 deterministic test vectors.
IETF Internet-Draft
draft-ayoub-agis-agent-identity-system-00
AgIS has been submitted to the IETF as an individual Internet-Draft. It defines a DNS-backed identity and verification profile for AI agents using existing web infrastructure. No new PKI. No blockchain. No central registry.
Submitted 29 June 2026. This is an individual submission for community review — it has not been adopted by any IETF working group and is not an approved IETF standard.
What AgIS is not
Understanding the precise scope of AgIS prevents misapplication.
- Not a DID system: AgIS does not use or require Decentralized Identifiers. It operates on its own DNS-backed evidence model.
- Not decentralized identity: AgIS does not implement DIDs, verifiable credentials, or W3C DID methods.
- Not a wallet system: AgIS does not store credentials, keys, or identity material. It evaluates evidence.
- Not blockchain-based: AgIS has no dependency on distributed ledgers, blockchains, or consensus protocols.
- Not an IANA-registered scheme: agent:// is not yet a registered IANA URI scheme.
- Not an approved IETF standard: The Internet-Draft has not been adopted by any IETF working group.
- Not production enterprise software: The SDK and CLI are alpha. Not for unreviewed production deployment.
- Not a replacement for ANS: AgIS addresses a different problem domain from Autonomous Naming Systems.
- Not an agent framework: EPICORTEK does not replace orchestration, workflow, or model tooling. AgIS focuses on identity, policy, evidence, observability, and audit around agentic systems.
Status and maturity
| Artifact | Status | Notes |
|---|---|---|
| Internet-Draft specification | Submitted (29 June 2026) | draft-ayoub-agis-agent-identity-system-00; not adopted by IETF WG |
| TypeScript SDK (@epicortek/agis-sdk-ts) | v0.3.0-alpha.3 | Published to npm |
| CLI (@epicortek/agis-cli) | Alpha | Published to npm |
| Deterministic test vectors | 23 passing | All components + selected negative cases |
| Agent Card evaluation | Implemented (alpha) | Core verification mechanism |
| DNS TXT bindings | Implemented (alpha) | Domain-based identity binding |
| Ed25519 signatures | Implemented (alpha) | RFC 8037; no symmetric secrets |
| HTTP Message Signatures | Implemented (alpha) | RFC 9421 profile |
| Content-Digest | Implemented (alpha) | RFC 9530 |
| Delegation chain validation | Implemented (alpha) | Multi-hop with scope narrowing |
| Live DNS/HTTPS resolver | Planned (beta) | Reference implementation is offline-only |
| IETF standardization | Submitted (29 June 2026) | Individual Internet-Draft; not a WG item |
| Production deployment | Not claimed | Alpha reference implementation only |
Links and artifacts
IETF Datatracker (official)
draft-ayoub-agis-agent-identity-system-00 — the canonical, authoritative version of this draft.
Discuss AgIS
Technical discussion, protocol review, standards collaboration, or pilot inquiry — contact EPICORTEK.