# Agent Passport

> Cryptographic identity for autonomous AI agents. Hardware-bound, biometric-attested, human-anchored. Issue, verify, revoke — the passport layer that makes accountable agent-to-agent commerce possible.

## In three pages

- **[Why](https://aiegis.ie/identity/why)** — Three reasons every autonomous AI needs a passport: regulators are mandating it, the human running it needs to be accountable, and future agent platforms will refuse the unidentified.
- **[Spec](https://aiegis.ie/identity/spec)** — The 5 universal pillars encoded in every passport, the annotated JSON anatomy, and the Ed25519 cryptographic detail.
- **[API](https://aiegis.ie/identity/api)** — Issue, verify, revoke — three endpoints, curl examples, real-time verification.
- **[Live](https://aiegis.ie/live)** — The public directory of verified agents.

## The problem

Autonomous AI without identity is anonymous. An agent acting on your behalf signs a contract, moves money, queries a database. Who was it? Who issued it? Who's accountable when it goes wrong?

AiEGIS Identity binds an agent to a real human, on real hardware, attested by a real biometric. We mint the passport, anchor it to the operator's TPM or Secure Enclave, and bind it to the jurisdiction and runtime policy the agent operates under. The result: every action an agent takes is traceable to a real, accountable identity.

## The passport — issue, verify, revoke

- **Issue**: `/api/agent/issue` mints an Ed25519-signed passport binding agent → operator → machine_fingerprint → biometric-attested human → jurisdiction → policy_bundle.
- **Verify**: Any party can verify the signature against the published key. Designed for real-time decisions on customer infrastructure.
- **Revoke**: `/registry/revoke` propagates revocation through the SQLite revocation store. Stale passports fail verification immediately.
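
The verify-then-revoke flow above, as an added sketch that is not AiEGIS's own code. The `passport_id` field, the sorted-key JSON signing input, and the in-memory `Set` standing in for the SQLite revocation store are assumptions; all sample values are constructed.

```javascript
// Added example (not AiEGIS code). Assumptions: passport_id field, sorted-key JSON
// as the signing input, and a Set standing in for the SQLite revocation store.
const { generateKeyPairSync, sign, verify } = require("node:crypto");

// Deterministic serialisation so issuer and verifier sign/verify the same bytes.
function canonical(v) {
  if (Array.isArray(v)) return "[" + v.map(canonical).join(",") + "]";
  if (v && typeof v === "object")
    return "{" + Object.keys(v).sort()
      .map((k) => JSON.stringify(k) + ":" + canonical(v[k])).join(",") + "}";
  return JSON.stringify(v);
}

function issuePassport(claims, privateKey) {
  const sig = sign(null, Buffer.from(canonical(claims)), privateKey);
  return { claims, signature: sig.toString("base64") };
}

// Fails closed: anything that cannot be parsed or verified is rejected.
function verifyPassport(passport, issuerPublicKey, revoked) {
  try {
    const { claims, signature } = passport;
    const sig = Buffer.from(signature, "base64");
    if (!verify(null, Buffer.from(canonical(claims)), issuerPublicKey, sig))
      return { ok: false, reason: "bad_signature" };
    // Revocation is looked up only after the signature authenticates the id.
    if (revoked.has(claims.passport_id)) return { ok: false, reason: "revoked" };
    return { ok: true, reason: "valid" };
  } catch {
    return { ok: false, reason: "malformed" };
  }
}

function demo() {
  const { publicKey, privateKey } = generateKeyPairSync("ed25519");
  const claims = { // constructed sample values
    passport_id: "pp-0001", agent: "agent-demo", operator: "operator-demo",
    machine_fingerprint: "fp-constructed", jurisdiction: "IE", policy_bundle: "policy-demo",
  };
  const passport = issuePassport(claims, privateKey);
  const revoked = new Set();
  const fresh = verifyPassport(passport, publicKey, revoked).reason;
  const forged = { ...passport, claims: { ...claims, operator: "someone-else" } };
  const tampered = verifyPassport(forged, publicKey, revoked).reason;
  revoked.add(claims.passport_id);
  const afterRevoke = verifyPassport(passport, publicKey, revoked).reason;
  return { fresh, tampered, afterRevoke };
}
console.log(demo());
```

A relying party that caches verification results should re-run the revocation lookup on every decision, since the signature on a revoked passport still verifies.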

## Standards alignment

Built on what's coming next. AiEGIS Identity tracks emerging standards rather than inventing in isolation:

- NIST AI RMF agent identity guidance
- OWASP Agentic Apps Top 10 (AAA-01 Identity)
- CSA Agent Top Threats
- EU AI Act Articles 13 and 50 transparency obligations
- W3C Verifiable Credentials Data Model 2.0
- W3C DID Core (did:web)

Co-author engagement on AIVSS Issue #32 (Multi-Agent Governance). MGAIF, GDPR, NIST RMF, EU AI Act, and POPIA rule packs ship with every deployment.

## Part of the AiEGIS umbrella

AiEGIS is four products under one stack: Aegis Eye (endpoint visibility), Identity (Ed25519 agent passports), Governance (12-layer runtime enforcement), and Grid (agent-to-agent marketplace). Same identity, same policy enforcement, same audit trail across all four.

EU sovereign. Built in Ireland. Deployed on customer infrastructure.
