AIP: Agent Identity Protocol for Verifiable Delegation Across MCP and A2A

TL;DR

This paper introduces AIP, a protocol for verifiable agent identity and delegation across MCP and A2A, addressing security gaps with a novel token system that ensures authentication, provenance, and policy enforcement.

Contribution

We propose Invocation-Bound Capability Tokens (IBCTs), a new primitive combining identity, authorization, and provenance into a single, verifiable token chain for multi-hop delegation.

Findings

IBCTs operate in compact and chained modes with efficient verification.

AIP adds minimal latency overhead in real multi-agent deployments.

100% rejection of attack attempts, including delegation violations and audit evasion.

Abstract

AI agents increasingly call tools via the Model Context Protocol (MCP) and delegate to other agents via Agent-to-Agent (A2A), yet neither protocol verifies agent identity. A scan of approximately 2,000 MCP servers found all lacked authentication. In our survey, we did not identify a prior implemented protocol that jointly combines public-key verifiable delegation, holder-side attenuation, expressive chained policy, transport bindings across MCP/A2A/HTTP, and provenance-oriented completion records. We introduce Invocation-Bound Capability Tokens (IBCTs), a primitive that fuses identity, attenuated authorization, and provenance binding into a single append-only token chain. IBCTs operate in two wire formats: compact mode (a signed JWT for single-hop cases) and chained mode (a Biscuit token with Datalog policies for multi-hop delegation). We provide reference implementations in Python and Rust with full cross-language interoperability. Compact mode verification takes 0.049ms (Rust) and 0.189ms (Python), with 0.22ms overhead over no-auth in real MCP-over-HTTP deployment. In a real multi-agent deployment with Gemini 2.5 Flash, AIP adds 2.35ms of overhead (0.086% of total end-to-end latency). Adversarial evaluation across 600 attack attempts shows 100% rejection rate, with two attack categories (delegation depth violation and audit evasion through empty context) uniquely caught by AIP's chained delegation model that neither unsigned nor plain JWT deployments detect.