AI agents increasingly call tools via the Model Context Protocol (MCP) and delegate to other agents via Agent-to-Agent (A2A), yet neither protocol verifies agent identity. A scan of approximately 2,000 MCP servers found that all of them lacked authentication. In our survey, we did not identify a prior implemented protocol that jointly combines public-key verifiable delegation, holder-side attenuation, expressive chained policy, transport bindings across MCP/A2A/HTTP, and provenance-oriented completion records. We introduce Invocation-Bound Capability Tokens (IBCTs), a primitive that fuses identity, attenuated authorization, and provenance binding into a single append-only token chain. IBCTs operate in two wire formats: compact mode (a signed JWT for single-hop cases) and chained mode (a Biscuit token with Datalog policies for multi-hop delegation). We provide reference implementations in Python and Rust with full cross-language interoperability. Compact-mode verification takes 0.049 ms (Rust) and 0.189 ms (Python), adding 0.22 ms over no-auth in a real MCP-over-HTTP deployment. In a real multi-agent deployment with Gemini 2.5 Flash, AIP adds 2.35 ms of overhead (0.086% of total end-to-end latency). Adversarial evaluation across 600 attack attempts shows a 100% rejection rate; two attack categories (delegation depth violation and audit evasion through an empty context) are caught only by AIP's chained delegation model and are detected by neither unsigned nor plain-JWT deployments.
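The checks the abstract attributes to chained mode (public-key verifiable delegation, holder-side attenuation, a delegation-depth limit, rejection of an empty audit context, and binding the final signature to the specific invocation) are easier to see in code. The block below is an added illustration, not the paper's IBCT wire format, not its Python or Rust reference implementation, and not Biscuit. To stay standard-library only it uses a Schnorr signature over a randomly generated 128-bit safe-prime group, which is a toy stand-in for the Ed25519-style keys a real deployment would use; the block layout, field names (`holder`, `caps`, `max_depth`, `prev`), capability strings and the `demo()` scenario are all assumptions made here.

```python
"""Toy chained capability token (added example, not the paper's IBCT code).
Each hop is signed by the previous holder's key, may only narrow capabilities,
and the final holder signs a binding over the exact tool call and its context.
Schnorr over a freshly generated safe prime is used only to avoid third-party
crypto libraries; it is NOT production-grade."""
import hashlib, json, secrets

def _is_probable_prime(n, rounds=8):
    if n < 2: return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0: return n == sp
    d, r = n - 1, 0
    while d % 2 == 0: d //= 2; r += 1
    for _ in range(rounds):            # Miller-Rabin
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1: break
        else: return False
    return True

def _safe_prime(bits=128):             # p = 2q + 1 with p, q both prime
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1): return 2 * q + 1, q

P, Q = _safe_prime()
G = 4                                  # a quadratic residue, so it generates the order-q subgroup

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def _h(*parts):
    m = hashlib.sha256()
    for part in parts: m.update(str(part).encode()); m.update(b"|")
    return int.from_bytes(m.digest(), "big")

def sign(sk, msg):                     # Schnorr: (e, s) with s = k - sk*e mod q
    k = secrets.randbelow(Q - 1) + 1
    e = _h(pow(G, k, P), msg) % Q
    return e, (k - sk * e) % Q

def verify(pk, msg, sig):
    e, s = sig
    return _h(pow(G, s, P) * pow(pk, e, P) % P, msg) % Q == e

canon = lambda d: json.dumps(d, sort_keys=True, separators=(",", ":"))
sha = lambda s: hashlib.sha256(s.encode()).hexdigest()

def issue(authority_sk, holder_pk, caps, max_depth):
    block = {"holder": holder_pk, "caps": sorted(caps), "max_depth": max_depth, "prev": None}
    return [(block, sign(authority_sk, canon(block)))]

def delegate(chain, holder_sk, new_holder_pk, caps):
    """Holder-side attenuation: the current holder appends a narrower block, signed by itself."""
    prev_block, prev_sig = chain[-1]
    block = {"holder": new_holder_pk, "caps": sorted(caps), "prev": sha(canon([prev_block, prev_sig]))}
    return chain + [(block, sign(holder_sk, canon(block)))]

def invoke(chain, holder_sk, tool, args, context):
    """Invocation binding: the final holder signs tool + argument hash + audit context + chain hash."""
    binding = {"tool": tool, "args_hash": sha(canon(args)), "context": context, "chain": sha(canon(chain))}
    return {"chain": chain, "binding": binding, "sig": sign(holder_sk, canon(binding))}

def verify_invocation(authority_pk, inv):
    chain, binding, signer_pk, caps, prev_hash = inv["chain"], inv["binding"], authority_pk, None, None
    for i, (block, sig) in enumerate(chain):
        if not verify(signer_pk, canon(block), sig): return False, f"bad signature at hop {i}"
        if block.get("prev") != prev_hash: return False, f"broken chain link at hop {i}"
        if caps is not None and not set(block["caps"]) <= caps: return False, f"hop {i} widens capabilities"
        caps, signer_pk, prev_hash = set(block["caps"]), block["holder"], sha(canon([block, sig]))
    if len(chain) - 1 > chain[0][0]["max_depth"]: return False, "delegation depth exceeded"
    if not binding["context"]: return False, "empty invocation context (audit evasion)"
    if binding["chain"] != sha(canon(chain)): return False, "binding not tied to this chain"
    if binding["tool"] not in caps: return False, "tool not permitted by attenuated caps"
    if not verify(signer_pk, canon(binding), inv["sig"]): return False, "invocation not signed by final holder"
    return True, "ok"

def demo():
    """Constructed scenario: authority -> agent A -> agent B, max_depth=1, then five attacks."""
    auth_sk, auth_pk = keygen(); a_sk, a_pk = keygen(); b_sk, b_pk = keygen(); c_sk, c_pk = keygen()
    root = issue(auth_sk, a_pk, {"fs.read", "fs.write", "http.get"}, max_depth=1)
    to_b = delegate(root, a_sk, b_pk, {"fs.read"})
    ctx = {"task": "t-42", "hop": 2}
    good = invoke(to_b, b_sk, "fs.read", {"path": "/etc/hostname"}, ctx)
    r = {"valid": verify_invocation(auth_pk, good)}
    widened = delegate(root, a_sk, b_pk, {"fs.read", "shell.exec"})          # A tries to grant more than it has
    r["widening"] = verify_invocation(auth_pk, invoke(widened, b_sk, "shell.exec", {}, ctx))
    too_deep = delegate(to_b, b_sk, c_pk, {"fs.read"})                       # B re-delegates past max_depth
    r["depth"] = verify_invocation(auth_pk, invoke(too_deep, c_sk, "fs.read", {}, ctx))
    r["empty_context"] = verify_invocation(auth_pk, invoke(to_b, b_sk, "fs.read", {}, {}))
    tampered = dict(good, binding=dict(good["binding"], args_hash=sha(canon({"path": "/etc/shadow"}))))
    r["tampered_args"] = verify_invocation(auth_pk, tampered)                # replay with swapped arguments
    r["stolen_chain"] = verify_invocation(auth_pk, invoke(to_b, c_sk, "fs.read", {}, ctx))  # C lacks B's key
    return r
```

The order of checks matters for the reason strings: signature and attenuation are verified hop by hop, so a widened block is rejected at its hop, while the depth, context, binding and tool checks only run once the whole chain has been authenticated. A plain bearer JWT has none of the per-hop state, which is why the abstract's depth and empty-context cases cannot be expressed in that model.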