Open specification for AI agent identity, delegation, and accountability.
By 2026, autonomous AI agents are entering production. They book flights, sign documents, file complaints, manage portfolios, and make customer service calls. Existing identity standards (OAuth 2.1, OIDC, SPIFFE, W3C DID) were designed for humans and fixed service accounts. They do not address:
- Multi-hop delegation from a human subject to an autonomous agent
- Cross-organizational verification of agent authority
- Cryptographic linkage between human intent and agent action
- Real-time revocation across organizational boundaries
- Tamper-evident audit trails verifiable by third parties
When an AI agent acts on behalf of a person, current infrastructure cannot reliably answer: who authorized this, with what limits, and is the authorization still valid?
Bot Protocol is an open specification that defines:
- Agent Identity (AID) — a verifiable cryptographic identifier for AI agents, compatible with W3C DID
- Delegation Token (DT) — explicit semantics for delegating bounded authority from a subject to an agent
- Authority Chain — multi-hop delegation with monotonic scope reduction
- Action Receipt (AR) — tamper-evident records of every action, forming a hash-chain
- Real-time Revocation — synchronous and push-based revocation across domains
The protocol does not invent new cryptographic primitives. It defines a semantic layer over existing standards (Ed25519, JWT, COSE) that captures the missing piece: the verifiable chain of delegation between humans and autonomous agents.
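The following Python example is added here for illustration and is not code from the Bot Protocol repository or specification. It shows how a verifier could enforce monotonic scope reduction, issuer/subject linkage, expiry, and revocation across a multi-hop authority chain. The field names, scope strings, and `did:example:` identifiers are assumptions, and Ed25519 signature verification of each token is omitted and assumed to have already succeeded.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Hop:
    token_id: str        # hypothetical field names, not taken from the spec
    issuer: str          # party delegating authority
    subject: str         # party receiving authority
    scopes: frozenset    # authority granted at this hop
    expires: int         # Unix time

def verify_chain(chain, root, actor, action, now, revoked=frozenset()):
    """Return (ok, reason) for `actor` performing `action` at time `now`."""
    if not chain:
        return False, "empty chain"
    if chain[0].issuer != root:
        return False, "chain does not start at the human subject"
    parent = None
    for hop in chain:
        if hop.token_id in revoked:
            return False, f"{hop.token_id} revoked"
        if hop.expires <= now:
            return False, f"{hop.token_id} expired"
        if parent is not None:
            if hop.issuer != parent.subject:
                return False, f"{hop.token_id} breaks issuer/subject linkage"
            if not hop.scopes <= parent.scopes:   # child must be a subset
                return False, f"{hop.token_id} widens scope"
            if hop.expires > parent.expires:
                return False, f"{hop.token_id} outlives its parent"
        parent = hop
    if parent.subject != actor:
        return False, "actor is not the final delegate"
    if action not in parent.scopes:
        return False, "action outside delegated scope"
    return True, "ok"

# Constructed sample: human -> travel agent -> booking sub-agent
ALICE, AGENT, SUB = "did:example:alice", "did:example:travel-agent", "did:example:booking-bot"
CHAIN = [
    Hop("dt-1", ALICE, AGENT, frozenset({"flights:search", "flights:book"}), 2000),
    Hop("dt-2", AGENT, SUB, frozenset({"flights:search"}), 1500),
]

if __name__ == "__main__":
    print(verify_chain(CHAIN, ALICE, SUB, "flights:search", now=1000))
    print(verify_chain(CHAIN, ALICE, SUB, "flights:book", now=1000))
```

Revoking any token in the chain invalidates every hop below it, which is why the revocation check runs on each hop rather than only on the last one.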
The complete v0.1 whitepaper is available in two formats:
- Markdown version for reading on GitHub
- HTML version for polished reading on the web
| Folder | Purpose |
|---|---|
| `spec/` | Technical specification, broken into 9 chapters |
| `whitepaper/` | The whitepaper in HTML and Markdown |
| `reference/` | Reference implementations (planned, see ROADMAP.md) |
| `examples/` | Code examples (planned) |
| `docs/` | FAQ, glossary, comparisons with other standards |
This is a draft v0.1, published for community review. The repository is being actively developed. Some specification chapters are placeholders pointing to the whitepaper. See ROADMAP.md for the development plan.
The protocol is not yet ready for production deployment. It is ready for technical review, threat modeling discussions, and pilot integration design.
There are several ways to participate:
- Read the whitepaper and specification. Open issues for questions, ambiguities, or suggested changes. Use the issue templates in `.github/ISSUE_TEMPLATE/`.
- Review the threat model. Feedback from security researchers and identity experts is especially valuable.
- Propose specification changes via pull requests. See CONTRIBUTING.md.
- Report security issues privately. See SECURITY.md.
| Standard | What it covers | Gap that Bot Protocol addresses |
|---|---|---|
| OAuth 2.1 / OIDC | Client authentication, single-hop delegation | Multi-hop chains, agent-to-agent semantics |
| SPIFFE / WIMSE | Workload identity inside infrastructure | Cross-organizational delegation |
| W3C DID / VC | Decentralized identity, verifiable credentials | Delegation semantics, runtime constraints |
| C2PA | Content provenance | Identity of the agent that produced the content |
| OAuth CIBA | Asynchronous user confirmation | Cryptographic binding to biometrics |
See docs/comparison.md for a detailed analysis.
Apache License 2.0. See LICENSE and NOTICE.
The Apache 2.0 license is chosen specifically for its patent grant clause, which is important for protocol specifications.
- Website: botprotocol.io
- Email: hello@botprotocol.io
- GitHub Issues: for technical questions and specification feedback
If you reference Bot Protocol in research:
```bibtex
@misc{botprotocol2026,
  author = {Stepin, Ivan and Bot Protocol contributors},
  title = {Bot Protocol: Open Specification for AI Agent Identity and Delegation, v0.1},
  year = {2026},
  url = {https://botprotocol.io}
}
```
Bot Protocol is initiated as part of research at DeepVerify. It is published under Apache 2.0 as community infrastructure, not as a vendor-controlled product.