Go implementation of agent-to-agent communication protocols for AI agent authentication and authorization.
EXPERIMENTAL: This library implements draft specifications that are subject to change.
This repository provides Go libraries for emerging agent-to-agent protocols:
-
aauth - Agent Authentication using HTTP message signatures (RFC 9421) based on draft-hardt-oauth-aauth-protocol
- Examples - Working demos (simple, delegation, token exchange)
- PIDL Definitions - Protocol diagrams
-
idjag - Identity Assertion JWT Authorization Grant based on draft-ietf-oauth-identity-assertion-authz-grant
- Examples - Working demos
- PIDL Definitions - Protocol diagrams
-
aims - Agent Identity Management System (AIMS) based on draft-klrc-aiagent-auth-00
- Examples - Working demos (simple WIT/WPT, mTLS)
- PIDL Definitions - Protocol diagrams
Production-ready integrations with identity infrastructure:
- adapters/zitadel - Integration with Zitadel OIDC for all three protocols
- adapters/sharkauth - Integration with SharkAuth for agent delegation with DPoP
- adapters/ory - Integration with Ory Fosite and Hydra
go get github.com/aistandardsio/agent-protocolsimport "github.com/aistandardsio/agent-protocols/aauth"
// Create agent with cryptographic identity
agentID, _ := aauth.NewAAuthID("calendar-bot", "example.com")
agent, _ := aauth.NewAgent(agentID, privateKey,
aauth.WithAgentProviderURL("https://agents.example.com"))
// Create signed HTTP request
req, _ := agent.SignedRequest(ctx, "GET", "https://api.example.com/events", nil)
// Or use automatic signing transport
client := &http.Client{Transport: agent.Transport(nil)}
resp, _ := client.Get("https://api.example.com/events")import "github.com/aistandardsio/agent-protocols/idjag"
// Create assertion for token exchange
assertion := idjag.NewAssertion(
"https://issuer.example.com",
"agent:calendar-bot",
[]string{"https://auth.example.com"},
5 * time.Minute,
)
// Exchange for access token
client := idjag.NewTokenExchangeClient("https://auth.example.com/token")
resp, _ := client.ExchangeAssertion(ctx, signedAssertion, "read:data")import "github.com/aistandardsio/agent-protocols/aims"
// Create SPIFFE ID for agent
spiffeID, _ := aims.NewSPIFFEID("example.com", "/agent/calendar-bot")
// Create Workload Identity Token
wit := aims.NewWIT(spiffeID, []string{"https://api.example.com"}, 1*time.Hour)
signedWIT, _ := wit.Sign(privateKey, "key-1")Each protocol includes working demos:
AAuth:
go run ./aauth/examples/simple # Agent authentication
go run ./aauth/examples/delegation # Human-to-agent delegationID-JAG:
go run ./idjag/examples/simple # Agent-only flow
go run ./idjag/examples/delegation # Human-to-agent delegationAIMS:
go run ./aims/examples/simple # WIT/WPT authentication
go run ./aims/examples/mtls # mTLS with X.509 SVIDZitadel Adapter:
go run ./adapters/zitadel/examples/idjag # ID-JAG token exchange
go run ./adapters/zitadel/examples/aims # AIMS WIT verification
go run ./adapters/zitadel/examples/aauth # AAuth agent authenticationSharkAuth Adapter:
go run ./adapters/sharkauth/examples/aauth # AAuth with delegation grantsOry Adapter:
go run ./adapters/ory/examples/idjag # ID-JAG with Hydra- AAuth: Overview | Getting Started | Examples
- ID-JAG: Protocol Overview | Getting Started
- AIMS: Overview | Getting Started
- Zitadel Adapter: Overview | Getting Started
- SharkAuth Adapter: Overview | Getting Started
- Ory Adapter: Overview | Getting Started
- API Reference
- Changelog
- Full Documentation
- draft-hardt-oauth-aauth-protocol - AAuth Protocol specification
- draft-ietf-oauth-identity-assertion-authz-grant - ID-JAG specification
- draft-klrc-aiagent-auth-00 - AIMS specification
- draft-ietf-wimse-s2s-protocol - WIMSE S2S Protocol (WIT/WPT)
- RFC 9421 - HTTP Message Signatures
- RFC 8693 - OAuth 2.0 Token Exchange
- SPIFFE - Secure Production Identity Framework For Everyone
MIT License - see LICENSE for details.