The AI Agent Passport project has dropped onto GitHub as a Request for Comments proposal, attempting to solve one of the most pressing unsolved problems in agentic AI: identity verification. Created by developer StacyStarchum, the specification outlines a signed, verifiable JSON document that travels with an AI agent and tells any platform who owns it, what it's permitted to do, how much it can spend, and whether its credentials check out against a registry.
The Core Problem
Right now there's no standard way for platforms to know if an AI agent is legitimate. Your airline booking site has no idea if that transaction request came from a human or a rogue autonomous system running up charges. There's no revocation mechanism when things go sideways, no cryptographic proof of ownership, and zero legal clarity on liability. The Agent Passport proposal treats this like physical passport verification at airports—cryptographically verifiable identity documents that platforms can scan before approving any action.
How It Works
The specification uses Ed25519 public-key cryptography to sign each passport. When an issuer (the agent's owner or operator) generates a passport, it includes the agent name, the owner's W3C DID identifier, scoped permissions such as read/book/purchase, spend limits broken down by transaction/day/month, and expiration timestamps. The signature lets a verifier confirm the document hasn't been altered since the issuer signed it, while the registry at registry.agentpassport.dev handles verification status checks. Both Python and Node.js SDKs are available for integration.
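A platform-side check built from the fields described above, as an added example that is not the project's SDK or schema: it verifies the Ed25519 signature first, then expiry, scope and the per-transaction limit, failing closed on missing fields. The field names, the sorted-key canonical JSON and the sample values are assumptions. The registry lookup, resolution of the issuer key from the owner DID, and the per-day/per-month limits need network access or stored state and are left out.

```javascript
// Added example, not the project's SDK. Field names and the sorted-key
// canonical form are assumptions; the RFC's actual schema may differ.
const { generateKeyPairSync, sign, verify } = require("node:crypto");

// Deterministic serialization: signer and verifier must hash identical bytes.
function canonical(value) {
  if (Array.isArray(value)) return "[" + value.map(canonical).join(",") + "]";
  if (value && typeof value === "object") {
    return "{" + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ":" + canonical(value[k])).join(",") + "}";
  }
  return JSON.stringify(value);
}

function issuePassport(claims, privateKey) {
  const signature = sign(null, Buffer.from(canonical(claims)), privateKey);
  return { ...claims, signature: signature.toString("base64") };
}

// Platform-side check before approving an action. Order matters: nothing in
// the passport is trusted until the signature verifies.
function authorize(passport, issuerPublicKey, request, now = Date.now()) {
  const { signature, ...claims } = passport;
  if (typeof signature !== "string") return "deny: unsigned";
  const ok = verify(null, Buffer.from(canonical(claims)), issuerPublicKey,
    Buffer.from(signature, "base64"));
  if (!ok) return "deny: bad signature";
  if (!(Date.parse(claims.expires_at) > now)) return "deny: expired";
  if (!Array.isArray(claims.permissions) ||
      !claims.permissions.includes(request.action)) return "deny: out of scope";
  const cap = claims.spend_limits?.per_transaction;
  const amt = request.amount; // undefined for non-spending actions
  if (amt !== undefined && !(amt >= 0 && amt <= cap)) return "deny: over spend limit";
  return "allow";
}

// Constructed sample data.
const issuer = generateKeyPairSync("ed25519");
const passport = issuePassport({
  agent_name: "travel-bot",
  owner_did: "did:example:123",
  permissions: ["read", "book"],
  spend_limits: { per_transaction: 200, per_day: 500, per_month: 2000 },
  expires_at: "2099-01-01T00:00:00Z",
}, issuer.privateKey);
// Permissions edited after signing: the signature no longer matches.
const tampered = { ...passport, permissions: ["read", "book", "purchase"] };
```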
Status and Limitations
The project is explicitly marked as RFC—it's an early draft seeking feedback from developers, platform operators, and AI labs before v1 finalization. The roadmap includes a full security audit and potential W3C or industry consortium submission, but none of that has happened yet. The contact email (hello@agentpassport.dev) and Twitter handle (@agentpassport) are both listed as placeholders. No major AI labs have endorsed this standard, and the project disclaims any affiliation with Anthropic, OpenAI, or existing identity frameworks.
Why This Matters for Builders
If you're deploying agents that touch payment systems, booking platforms, or any service where trust matters, you currently have no interoperable way to prove legitimacy. OAuth solved this for human-facing apps—Agent Passport wants to be the equivalent layer for machine-to-machine agentic workflows. The CC BY 4.0 licensing means anyone can implement it without royalty concerns, which is the right call for adoption.
Key Takeaways
- AI Agent Passport is an open RFC proposal from StacyStarchum on GitHub with Python and Node.js SDKs
- Uses Ed25519 cryptography to sign verifiable JSON documents containing owner DID, permissions, spend limits, and registry verification status
- The specification is early-stage—no security audit complete, no major platform adoption, no W3C endorsement yet
- Released under CC BY 4.0 for the spec and MIT for SDK code; explicitly not affiliated with Anthropic or OpenAI
The Bottom Line
This is a solid first draft addressing a real gap in the agentic web stack, but it's pre-v1 vaporware until the security audit lands and actual platforms start requiring these passports. Worth watching if you're building transaction agents—just don't bet your architecture on it becoming mandatory anytime soon.