A cryptographic ID for AI agents. Like a driving license, but for software acting on your behalf.
An Agent Passport is an Ed25519-signed Verifiable Credential that binds an AI agent to a specific machine, principal, and policy context — so every action it takes is provably attributed and auditable. Issued by AiEGIS Identity, verified by anyone, hardware-rooted in TPM 2.0 or Apple Secure Enclave.
A driving license proves four things: who you are, that the issuing authority vouches for you, that you're authorised to drive a specific class of vehicle, and that the license is current. Any police officer can verify it without phoning the DVLA.
An Agent Passport proves the same four things for an AI agent: who the agent is (DID:key identifier signed with Ed25519), that AiEGIS Identity vouches for it (signed against the issuer DID did:web:aiegis.ie), that it's authorised to act in a specific scope (delegation from a named human principal), and that the passport is still valid (not revoked, not expired). Any verifier can check it without contacting AiEGIS, using the public keys published at /.well-known/did.json.
When the only entity calling an API was a human at a keyboard, an API key was sufficient: it identified the developer's app, the developer was accountable, and any abuse was tied to a known organisation.
Autonomous AI agents break that model. The agent is calling APIs at machine speed under delegated authority from a human who may or may not be aware of every action. If the agent goes rogue (jailbreak, prompt-injection, compromised model), the API key tells you nothing useful: it just says "your tenant" did it. There is no per-action attribution, no proof of hardware origin, no signed delegation chain.
A passport-based architecture closes the gap: every action carries a fresh cryptographic assertion that names the agent, the principal, the machine, and the policy scope. Non-repudiable logs become the default, not a feature.
A counterparty — another agent on Grid, an EU AI Act auditor, a customer's compliance officer — verifies a passport in three calls:
No AiEGIS contact, no API key, no rate limit. The whole verification is public-key cryptography over publicly published artifacts. Same trust model as TLS or Sigstore.
For verifiers integrating at scale, the JWKS endpoint /grid/.well-known/jwks.json returns the current key set with a 5-minute cache header, suitable for hot-path verification on /api/protect.
An Agent Passport is a cryptographic identity credential for AI agents. It binds an autonomous AI agent to a specific machine, a human principal, and a policy context, allowing every action that agent takes to be cryptographically attributed and auditable. Technically, it is an Ed25519-signed Verifiable Credential (W3C VC Data Model 2.0) carrying a DID:key subject identifier; the corresponding private key lives in tamper-resistant hardware (TPM 2.0 on Windows / Linux, Secure Enclave on macOS / iOS). AiEGIS issues passports via /api/agent/issue and verifies them via /api/protect.
An API key is a shared secret — anyone who copies the string can impersonate the agent. A passport is asymmetric: the signing key never leaves hardware, so impersonation requires physical possession of the device. Each call signs a fresh assertion, so logs are non-repudiable: nobody can later claim "the agent didn't really say that." The passport also carries provenance — which human principal authorised the agent, which machine fingerprint it runs on, which jurisdiction it operates under — that an API key cannot express.
AiEGIS Identity issues passports through /api/agent/issue. The issuance flow requires (1) hardware attestation from the agent's host machine (TPM 2.0 or Apple Secure Enclave); (2) the human principal's authorisation (email-verified and, optionally, biometric-attested); (3) the agent's intended scope. The issued passport is a signed Verifiable Credential anchored to the AiEGIS issuer DID (did:web:aiegis.ie); verification keys are published at /.well-known/did.json.
Yes. Revocation propagates through three mechanisms: the JWKS endpoint stops returning the kid, the revoked passport_id is added to a public revocation list (RFC 8417 Security Event Token style), and the revocation event is appended to the audit ledger with a 5-year retention floor. Revoked passports cannot be re-issued by the same hardware — the machine fingerprint is retained to prevent re-enrolment under a fresh identity.
Either TPM 2.0 (most Windows 11 + many Linux server boards) or Apple Secure Enclave (macOS since 2018, iPhones since iPhone 5s). The signing key is generated inside the secure element and never exposed to the operating system. For agents in environments without secure hardware (CI runners, ephemeral containers), AiEGIS supports software-only passports with a clearly degraded trust tier — they can still authenticate but cannot claim hardware-attestation guarantees.
Four things at the moment of any action: the agent is who it claims to be (signature verifies); the agent is running on the machine it was bound to (hardware attestation); the action is authorised by the human principal (delegation chain); the passport is still active (not revoked, not expired). A verifier can confirm all four without contacting AiEGIS, by fetching the signed credential and the publicly published verification keys.
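The offline verification described above (issuer key resolved from a published key set, Ed25519 signature check, expiry, revocation list, scope) as an added example in Go; this is illustrative code, not AiEGIS's implementation or schema. The credential field names, the key id, the sample passport values and the in-memory stand-ins for the DID document / JWKS and the revocation list are all constructed for the example. The hardware-attestation check is deliberately not modelled, since it needs a TPM or Secure Enclave quote that a plain key pair cannot produce.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Passport is a constructed stand-in for the credential body; the field names
// are assumptions for this example, not the AiEGIS schema.
type Passport struct {
	ID        string `json:"id"`        // passport_id, the value a revocation list names
	Issuer    string `json:"issuer"`    // issuer DID, e.g. did:web:aiegis.ie
	Subject   string `json:"subject"`   // agent DID (did:key)
	Principal string `json:"principal"` // human principal who delegated authority
	Machine   string `json:"machine"`   // hardware fingerprint the agent is bound to
	Scope     string `json:"scope"`     // policy scope the delegation covers
	Exp       int64  `json:"exp"`       // expiry, Unix seconds
}

// Signed is the serialised credential plus a detached Ed25519 signature and
// the key id a verifier uses to pick the issuer's public key.
type Signed struct {
	Payload   []byte
	KeyID     string
	Signature []byte
}

// KeySet models the verification keys a verifier fetched once from the
// issuer's DID document or JWKS endpoint, indexed by kid.
type KeySet map[string]ed25519.PublicKey

// RevocationList models the public list of revoked passport_ids.
type RevocationList map[string]bool

// Issuer holds a signing key; only the public half is ever published.
type Issuer struct {
	KeyID string
	Pub   ed25519.PublicKey
	priv  ed25519.PrivateKey
}

// NewSampleIssuer generates a throwaway key pair for the example. In the
// system the page describes, the private key would sit in a TPM or Secure
// Enclave and never be held in process memory like this.
func NewSampleIssuer(kid string) (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{KeyID: kid, Pub: pub, priv: priv}, nil
}

// Issue signs the exact serialised bytes that the verifier will later check;
// the verifier must not re-serialise, or the signature will not match.
func (i *Issuer) Issue(p Passport) (Signed, error) {
	payload, err := json.Marshal(p)
	if err != nil {
		return Signed{}, err
	}
	return Signed{Payload: payload, KeyID: i.KeyID, Signature: ed25519.Sign(i.priv, payload)}, nil
}

// Verify runs the checks in order: key id is published, signature verifies,
// not expired, not revoked, and the requested action is inside the scope.
// Each failure returns a distinct error so an audit log can say why.
func Verify(s Signed, keys KeySet, revoked RevocationList, nowUnix int64, wantScope string) (*Passport, error) {
	pub, ok := keys[s.KeyID]
	if !ok {
		return nil, fmt.Errorf("unknown key id %q: rotated out of the key set or never published", s.KeyID)
	}
	if !ed25519.Verify(pub, s.Payload, s.Signature) {
		return nil, errors.New("signature does not verify: payload altered or not signed by this issuer")
	}
	var p Passport
	if err := json.Unmarshal(s.Payload, &p); err != nil {
		return nil, fmt.Errorf("malformed payload: %w", err)
	}
	if nowUnix >= p.Exp {
		return nil, fmt.Errorf("passport %s expired", p.ID)
	}
	if revoked[p.ID] {
		return nil, fmt.Errorf("passport %s is revoked", p.ID)
	}
	if p.Scope != wantScope {
		return nil, fmt.Errorf("scope %q does not cover requested action %q", p.Scope, wantScope)
	}
	return &p, nil
}

func main() {
	iss, err := NewSampleIssuer("example-kid-1") // constructed kid
	if err != nil {
		panic(err)
	}
	s, _ := iss.Issue(Passport{ID: "pp-0001", Issuer: "did:web:example.invalid", Subject: "did:key:example-agent",
		Principal: "alice@example.invalid", Machine: "tpm-fp-constructed", Scope: "read:calendar", Exp: 2_000_000_000})
	keys := KeySet{iss.KeyID: iss.Pub} // what /.well-known/did.json would have supplied
	p, err := Verify(s, keys, RevocationList{}, 1_900_000_000, "read:calendar")
	fmt.Println("valid:", p != nil, err)
	_, err = Verify(s, keys, RevocationList{"pp-0001": true}, 1_900_000_000, "read:calendar")
	fmt.Println("after revocation:", err)
}
```

The design point worth keeping from this sketch is the ordering: the key lookup and signature check come before the payload is parsed, so nothing inside an unverified credential (its id, scope or expiry) influences control flow until the issuer has been confirmed. Revocation is checked on the signed passport_id rather than on anything the caller supplies, which matches the page's model of a public revocation list keyed by that identifier.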