Aip
AIP-1 is a trustless, cross-platform protocol for verifying the identity, intent, and authorization boundaries of autonomous AI agents before they act. Think of it as OAuth + TLS, purpose-built for the agentic web.
Install / Use
/learn @theaniketgiri/AipREADME
The Problem
Every AI framework lets agents do things. None of them verify what agents are allowed to do.
A LangChain agent can drain a bank account. An AutoGPT agent can email your customers. A CrewAI agent can delete production data. There is no standard way to verify an agent's identity, enforce its boundaries, or revoke it in real-time.
AIP fixes this.
What is AIP?
AIP-1 is a trustless, cross-platform protocol for verifying the identity, intent, and authorization boundaries of autonomous AI agents before they act.
Think of it as OAuth + TLS, purpose-built for the agentic web.
Agent wants to act → Creates signed Intent Envelope → Verifier checks 8-step pipeline → Allow or Deny
Core Capabilities
| Capability | What it does |
|---|---|
| Cryptographic Identity | Ed25519 keypair per agent, DID-based addressing (did:web:) |
| Boundary Enforcement | Action allowlists, deny lists, monetary limits, geo restrictions |
| Tiered Verification | Sub-millisecond for low-risk, full crypto for high-value intents |
| Kill Switch | Revoke or suspend any agent globally with zero propagation delay |
| Trust Scores | Bayesian reputation model — trust is earned over successful verifications |
| Intent Drift Detection | Semantic classifier flags actions outside an agent's declared scope |
| Structured Error Codes | 22 machine-readable AIP-Exxx codes across 5 categories for audit trails |
Install
pip install aip-protocol
Quick Start
from aip_protocol import AgentPassport, create_envelope, sign_envelope, verify_intent
from aip_protocol.revocation import RevocationStore
# 1 — Create an agent passport (identity + keys + boundaries)
passport = AgentPassport.create(
domain="yourco.com",
agent_name="procurement-bot",
allowed_actions=["read_invoice", "transfer_funds"],
monetary_limit_per_txn=50.0,
)
print(passport.agent_id)
# → "did:web:yourco.com:agents:procurement-bot"
# 2 — Agent wants to act: create and sign an intent envelope
envelope = create_envelope(
passport,
action="transfer_funds",
target="did:web:vendor.com",
parameters={"amount": 45.00, "currency": "USD"},
)
signed = sign_envelope(envelope, passport.private_key)
# 3 — Verifier checks the intent through the 8-step pipeline
store = RevocationStore()
result = verify_intent(signed, passport.public_key, revocation_store=store)
if result.passed:
print(f"✓ Verified — tier: {result.tier_used.value}, trust: {result.trust_score}")
else:
for error in result.errors:
print(f"✗ {error.value}: {error.name}")
# e.g. "✗ AIP-E202: MONETARY_LIMIT"
Verification Pipeline
Every intent passes through an 8-step verification pipeline. The protocol auto-selects the verification tier based on risk:
┌────────────────────────────────────────────────────────┐
│ Intent Envelope │
│ ┌───────────┐ ┌───────────┐ ┌────────────────────┐ │
│ │ Agent ID │ │ Intent │ │ Boundaries │ │
│ │ (DID) │ │ (Action) │ │ (The Cage) │ │
│ └─────┬──────┘ └─────┬─────┘ └──────────┬─────────┘ │
│ └───────────────┼────────────────────┘ │
│ ┌─────▼─────┐ │
│ │ Proof │ ← Ed25519 signature │
│ └───────────┘ │
└────────────────────────────────────────────────────────┘
│
▼
┌────────────────────────────────────────────────────────┐
│ Verification Pipeline │
│ │
│ ① Version Check ⑤ Attestation Verify │
│ ② Schema Validation ⑥ Revocation Check │
│ ③ Expiry Check ⑦ Trust Score Evaluation │
│ ④ Boundary Check ⑧ Final Verdict │
│ └─ Actions │
│ └─ Monetary limits │
│ └─ Geo restrictions │
│ └─ Intent drift │
└────────────────────────────────────────────────────────┘
Tiered Verification
Not every intent needs full cryptographic verification. AIP auto-selects the tier:
| Tier | Use Case | Latency | What Runs | |---|---|---|---| | Tier 0 | Low-risk, cached, in-session repeats | <1ms | HMAC + boundary proof | | Tier 1 | Normal operations | ~5ms | Ed25519 + boundary + revocation | | Tier 2 | High-value, cross-org, first contact | ~50–100ms | Full 8-step pipeline |
Error Taxonomy
Every failure returns a machine-readable AIP-Exxx code — not a generic 400. Your logs, dashboards, and audit trails show exactly what went wrong.
| Range | Category | Examples |
|---|---|---|
| AIP-E1xx | Envelope Errors | E100 Invalid Signature · E101 Expired · E102 Replay Detected |
| AIP-E2xx | Boundary Violations | E200 Action Not Allowed · E202 Monetary Limit · E204 Geo Restricted |
| AIP-E3xx | Attestation Failures | E300 Model Hash Mismatch · E303 Intent Drift |
| AIP-E4xx | Trust Failures | E400 Agent Revoked · E403 Delegation Invalid · E404 Trust Too Low |
| AIP-E5xx | Protocol Errors | E500 Mesh Unavailable · E502 Handshake Timeout |
Full reference → aip.synthexai.tech/docs#errors
CLI
# Create a passport
aip create-passport --domain yourco.com --name my-agent \
-a read_data -a transfer_funds -m 100
# Sign an intent
aip sign-intent --passport ./agent_passport \
--action transfer_funds --amount 45 -o intent.json
# Verify an intent
aip verify --envelope intent.json \
--public-key ./agent_passport/public.pem
# Revoke an agent instantly
aip revoke "did:web:yourco.com:agents:my-agent" --reason "compromised"
Shield — One-Liner Protection
Shield is the helmet.js for AI agents. Wrap any function, class, or object with AIP verification in a single line:
from aip_protocol import shield, shield_class, shield_object
# Wrap a function — every call is verified before execution
@shield(passport, allowed_actions=["transfer_funds"], monetary_limit=100.0)
def send_payment(to: str, amount: float):
bank.transfer(to, amount)
send_payment("vendor@acme.com", 45.00) # ✓ Verified and executed
send_payment("vendor@acme.com", 500.00) # ✗ AIP-E202: MONETARY_LIMIT
# Wrap an entire class — all public methods get AIP protection
@shield_class(passport)
class TradingAgent:
def buy_stock(self, ticker, qty): ...
def sell_stock(self, ticker, qty): ...
# Or patch an existing object at runtime
agent = CrewAIAgent(...)
shield_object(agent, passport) # All methods now AIP-verified
Observe — Agent Visibility
See what your agents are doing before you enforce what they're allowed to do.
@observe gives every agent a cryptographic DID identity and logs all actions — zero enforcement, zero overhead. When you need enforcement, change one decorator.
from aip_protocol import passport, observe
# Give your agent an identity
agent = passport(name="payment-bot", domain="acme.com")
# Observe — logs everything, blocks nothing
@observe(agent)
def process_payment(to: str, amount: float):
return stripe.charge(to, amount)
process_payment("vendor@acme.com", 150.00) # ✓ Executes + logged
process_payment("vendor@acme.com", 9999.00) # ✓ Executes + logged (no enforcement)
What gets logged
Every call captures structured data — no config needed:
| Field | Example |
|---|---|
| agent_id | did:web:acme.com:agents:payment-bot |
| action | process_payment |
| parameters | {"to": "vendor@acme.com", "amount": 150.00} |
| latency_ms | 3.42 |
| success | true |
| timestamp | 2026-03-30T06:00:00Z |
Observe a class — all public methods logged
@observe(agent)
class DataAnalyst:
def read_data(self, source: str): ...
def analyze(self, query: str): ...
def generate_report(self, title: str): ...
The upgrade path — one line changes everything
- @observe(agent)
+ @shield(actions=["process_payment"], limit=500)
def process_payment(to: str, amount: float):
return stripe.charge(to, amount)
Same passport. Same DID. Zero architecture change. Full cryptographic enforcement.
Stats & Export
from aip_protocol import get_observation_store
store = get_observation_store()
print(store.stats("did:web:acme.com:agents:payment-bot"))
# → {"total": 247, "success": 245, "errors": 2}
# Export all events as JSON
store.export_json()
Framework Integrations
AIP works with any AI agent framework. Here are production-
