Cryptographic identity for every AI agent
An agent passport is a portable, persistent credential that proves who an agent is, who operates it, and what it's authorized to do. It's not a token or an API key — it's a structured, signed identity document that travels with the agent across systems.
Today, agents authenticate with API keys and OAuth tokens — systems designed for humans and static services. These credentials say who claims to operate the agent, not what the agent actually is.
If someone swaps the underlying model — replacing GPT-4 with a fine-tuned variant — the credential still works. Nobody knows the agent changed. There's no way to verify what model is running, what permissions it should have, or whether the credential should still be valid.
A passport binds to computational identity — the agent's model architecture, version, and optionally a hash of its weights. This is fundamentally different from principal identity (who operates the agent) or workload identity (what infrastructure runs it).
If the model changes, the passport is invalidated. The agent must re-attest before it can operate with trusted credentials. This prevents silent model substitution — the most dangerous gap in current agent identity systems.
| Dimension | API Keys / OAuth | Workload Identity | Modus Passport |
|---|---|---|---|
| Binds to | Human / principal | Infrastructure | Model instance |
| Persistence | Session | Service lifetime | Task-spanning, persistent |
| Permissions | Static roles | Static policies | Dynamic, decaying, budgeted |
| Delegation | Limited | None | Attenuated chains |
| Revocation | Eventually consistent | Eventually consistent | Real-time, mid-execution |
| Trust evidence | None | None | Embedded scores & attestations |
Create a passport with a few lines of code or through the dashboard. Define permissions, spend limits, and expiration. The agent is credentialed and ready.
Agents can delegate authority to other agents — but permissions can only shrink through the chain, never expand. An orchestrator with read/write/spend can delegate read-only to a sub-agent. The sub-agent cannot escalate.
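The shrink-only rule can be checked mechanically by a verifier that walks the chain from the root passport down. The following is an added example, not Modus code: the `Grant` fields and the `check_chain` function are hypothetical, signature verification of each link is assumed to have been done already, and applying the same rule to spend limits and expiration is an assumption of this sketch.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    """One link in a delegation chain (hypothetical fields, not the product's schema)."""
    holder: str
    permissions: frozenset
    spend_limit: int   # budget in cents
    expires_at: int    # Unix time


def check_chain(chain, now):
    """Return a list of violations; an empty list means the chain only attenuates.

    chain[0] is the root passport's grant; each later entry was delegated by
    the entry before it. Signatures are assumed verified before this runs.
    """
    if not chain:
        return ["empty chain"]
    problems = []
    for i, grant in enumerate(chain):
        if grant.expires_at <= now:
            problems.append(f"{grant.holder}: expired")
        if i == 0:
            continue
        parent = chain[i - 1]
        # Compare against the immediate parent, not the root: a permission the
        # root holds but the parent was never given must not reappear below it.
        extra = grant.permissions - parent.permissions
        if extra:
            problems.append(f"{grant.holder}: escalates {sorted(extra)}")
        if grant.spend_limit > parent.spend_limit:
            problems.append(f"{grant.holder}: spend limit exceeds parent")
        if grant.expires_at > parent.expires_at:
            problems.append(f"{grant.holder}: outlives parent")
    return problems


# Constructed sample data: the orchestrator / sub-agent case from the text.
NOW = 1_700_000_000
ORCH = Grant("orchestrator", frozenset({"read", "write", "spend"}), 5000, NOW + 3600)
SUB_OK = Grant("sub-agent", frozenset({"read"}), 0, NOW + 600)
SUB_BAD = Grant("sub-agent", frozenset({"read", "admin"}), 9000, NOW + 7200)

if __name__ == "__main__":
    print(check_chain([ORCH, SUB_OK], NOW))
    print(check_chain([ORCH, SUB_BAD], NOW))
```
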
Passports carry trust scores that evolve based on the agent’s track record. New agents start at the lowest tier. Verified behavior history raises the tier — unlocking access to higher-trust resources.
Permissions decay over time, operate within budgets, and can be requested just-in-time. An agent can ask for a permission it doesn’t have, with a machine-readable justification routed to human approval or auto-approval.
Share only what’s needed. A passport can prove an agent’s trust tier without revealing its full permission set.
Works across any system that trusts the issuing authority. No per-system integration. Signed with standard Ed25519 cryptography. Verifiable anywhere.