Agent Passport.
A verifiable, business-issued identity and authority document for AI agents that talk to other AI agents across organisational boundaries. One signed JSON file at /.well-known/agent-passport.json. Ed25519 over DNS. Authored by Cubitrek on April 28, 2026, published under the MIT license for industry use.
A signed JSON file with seven required fields.
An organisation publishes one document at the well-known URL on its own domain. The document declares who issued the agent, what the agent is allowed to do, what it can spend, who picks up when it crashes, and where the audit log lives. Counterparty agents verify it with one schema check plus one Ed25519 verify.
- version
Spec version. v0.1 today.
- issuer
Legal name, display name, logo, signing-key DNS hostname, contact.
- agent
Stable id, display name, purpose, model, machine-callable endpoints (MCP, A2A, REST).
- authority
Scope list, hard spend ceiling, human-in-loop threshold, escalation SLA, decisionAudit URL.
- issuedAt + expiresAt
Validity window. 90-day expiry recommended.
- signature
Ed25519 over canonical JSON. keyId binds to a DNS TXT record at _agent-passport.{domain}.
Spec, schema, verifier, and worked examples.
Everything you need to issue your own passport this week.
- Spec (v0.1)
Canonical JSON form, DNS trust anchor, verification flow, threat model.
spec/agent-passport-v0.1.md
- JSON Schema (2020-12)
Strict validation. Plug into Ajv or any 2020-12 validator.
schemas/agent-passport.schema.json
- Reference verifier
TypeScript, ESM, runs on Node 20+, Bun, Deno, Cloudflare Workers, the browser. WebCrypto Ed25519, DNS-over-HTTPS.
@cubitrek/agent-passport-verifier
- Threat model
Issuer impersonation, key compromise, authority escalation, stale credentials, replay. Out of scope, on purpose.
spec/threat-model.md
- Cubitrek's own passport
Worked example. Production agent for the hire-router, signed with the kid=cubitrek-2026-q2 key.
https://cubitrek.com/.well-known/agent-passport.json
- Adopters list
Businesses publishing a valid passport. Send a PR to add yours, the maintainers fetch and verify before listing.
https://cubitrek.com/agent-passport/adopters
Five steps. One engineer afternoon.
- 01
Generate an Ed25519 keypair.
Use Node crypto.generateKeyPairSync, OpenSSL, or any standard library. Store the private key offline. Export the raw 32-byte public key as base64url.
- 02
Publish a DNS TXT record.
At _agent-passport.{your-domain}, add: v=ap1; kid=<id>; alg=ed25519; pk=<base64url public key>. Same operational pattern as DKIM.
- 03
Author your passport JSON.
Copy one of the example files in the repo, fill in your issuer, agent, authority, and compliance fields, set issuedAt + a 90-day expiresAt.
- 04
Sign and serve.
Canonicalize with signature.value set to the empty string, Ed25519-sign the bytes, write the base64url signature back into signature.value, serve the file at /.well-known/agent-passport.json.
- 05
Verify and list.
Run the reference verifier against your own URL to confirm. Send a PR to adopters.md and we will add a row.
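The five steps above run end to end in Node.js, as an added example (not the project's reference verifier or code from its repo). The canonical form used here (sorted keys, no whitespace), the sub-field names inside the sample passport, and all function names are assumptions; the spec defines the real canonical form.

```javascript
const { generateKeyPairSync, createPublicKey, sign, verify } = require('node:crypto');

// ASSUMED canonical form (sorted keys, no whitespace); use the spec's own in production.
function canonicalize(v) {
  if (Array.isArray(v)) return '[' + v.map(canonicalize).join(',') + ']';
  if (v && typeof v === 'object')
    return '{' + Object.keys(v).sort()
      .map(k => JSON.stringify(k) + ':' + canonicalize(v[k])).join(',') + '}';
  return JSON.stringify(v);
}

// Bytes that get signed: the passport with signature.value set to the empty string.
function signingBytes(p) {
  return Buffer.from(canonicalize({ ...p, signature: { ...p.signature, value: '' } }));
}

// Steps 01-02: keypair plus the TXT value to publish at _agent-passport.{domain}.
function newKey(kid) {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
  const pk = publicKey.export({ format: 'jwk' }).x; // raw 32-byte key, base64url
  return { privateKey, txt: `v=ap1; kid=${kid}; alg=ed25519; pk=${pk}` };
}

// Step 04: sign, then write the base64url signature back into signature.value.
function signPassport(p, privateKey) {
  const value = sign(null, signingBytes(p), privateKey).toString('base64url');
  return { ...p, signature: { ...p.signature, value } };
}

// Step 05, counterparty side. The TXT value is passed in; no DNS lookup is done here.
function verifyPassport(p, txt, now = new Date()) {
  // Split each "name=value" pair on the first "=" only.
  const f = Object.fromEntries(txt.split(';').map(s => s.trim().split(/=(.*)/).slice(0, 2)));
  if (f.v !== 'ap1' || f.alg !== 'ed25519' || !f.pk) return 'bad-dns-record';
  if (f.kid !== p.signature.keyId) return 'key-id-mismatch';
  if (!(new Date(p.issuedAt) <= now && now < new Date(p.expiresAt))) return 'outside-validity-window';
  const key = createPublicKey({ key: { kty: 'OKP', crv: 'Ed25519', x: f.pk }, format: 'jwk' });
  const sig = Buffer.from(p.signature.value, 'base64url');
  return verify(null, signingBytes(p), key, sig) ? 'valid' : 'bad-signature';
}

// Constructed sample; sub-field names inside issuer/agent/authority are hypothetical.
const SAMPLE = {
  version: '0.1', issuer: { displayName: 'Example Ltd' }, agent: { id: 'agent-1' },
  authority: { scopes: ['quote.read'], spendCeiling: 100 },
  issuedAt: '2026-05-01T00:00:00Z', expiresAt: '2026-07-30T00:00:00Z',
  signature: { keyId: 'example-2026-q2', value: '' },
};
```

Because the signature covers the whole canonical document, any change to the authority block after signing fails verification, and the kid check ties the passport to the specific key published in DNS.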
