Skip to main content
Glama
cognis-digital

agentpassport

agentpassport

Cryptographically prove which human authorized which AI agent to do what โ€” even 4 hops deep.

License: COCL 1.0 MCP Standards Suite

#ai-agents #identity #authorization #agentic-ai #mcp #security #oauth

The unsolved 2026 problem: ~80% of orgs running autonomous agents can't trace an agent's actions back to a human, and 45% still authenticate agents with shared API keys. OAuth/MCP handle one hop โ€” but the delegation chain loses its anchor at hop 3-4. agentpassport fixes exactly that: signed, scope-narrowing delegation chains you can verify back to a human principal.

pip install cognis-agentpassport
agentpassport issue researcher --principal chris --scopes read,search,write --key K > p.json
agentpassport delegate p.json summarizer --scopes read,search --key K2 > p2.json   # subset only
agentpassport verify p2.json --keys '{"human:chris":"K","agent:researcher":"K2"}' --require write
# โ†’ valid:false, violation: required scope 'write' not held at final hop  โœ… escalation blocked

๐Ÿ”Ž Example output

Real, reproducible output from the tool โ€” runs offline:

$ agentpassport-emit --version
agentpassport 0.2.0
$ agentpassport-emit --help
usage: agentpassport [-h] [--version] {issue,delegate,verify} ...

Verifiable agent identity + multi-hop delegation.

positional arguments:
  {issue,delegate,verify}

options:
  -h, --help            show this help message and exit
  --version             show program's version number and exit

Blocks above are real agentpassport output โ€” reproduce them from a clone.

Sample result format (illustrative values โ€” run on your own data for real findings):

{
    "findings": [
        {
            "id": "1234567890",
            "title": "Suspicious Network Traffic",
            "description": "Potential malicious activity detected on network 192.168.1.100",
            "created_by": "cognis-connect",
            "created_at": "2023-02-15T14:30:00Z"
        }
    ]
}

Related MCP server: evermint-mcp

Usage โ€” step by step

  1. Install the tool:

    pip install cognis-agentpassport
  2. Issue a passport for an agent, anchoring it to a human principal with an explicit scope set. --key signs it:

    agentpassport issue researcher --principal chris --scopes read,search,write --key K > p.json
  3. Delegate to a child agent โ€” scopes can only narrow (subset), never escalate:

    agentpassport delegate p.json summarizer --scopes read,search --key K2 > p2.json
  4. Verify the chain back to the human. --keys is a JSON map of issuer-to-key; --require asserts a scope must be held at the final hop:

    agentpassport verify p2.json --keys '{"human:chris":"K","agent:researcher":"K2"}' --require write
    # -> valid:false, violation: required scope 'write' not held at final hop  (escalation blocked)
    echo $?   # non-zero when verification fails
  5. Automate in CI / a gateway โ€” verify the presented passport before honoring an agent action:

    - run: pip install cognis-agentpassport
    - run: agentpassport verify "$AGENT_PASSPORT" --keys "$TRUSTED_KEYS" --require write

Short-lived delegation (TTL / expiry)

Standing agent credentials are a blast-radius problem. Add --ttl <seconds> at issue or delegate time and the hop carries a signed exp; verify rejects the chain once it lapses. A child's expiry is clamped to never outlive its parent. Passports issued without a TTL never expire (fully backward-compatible with 0.1.x credentials).

agentpassport issue deploy-agent --principal release-bot --scopes deploy:staging --key K --ttl 900 > p.json
agentpassport verify p.json --keys '{"human:release-bot":"K"}'                 # valid now
agentpassport verify p.json --keys '{"human:release-bot":"K"}' --at 9999999999 # valid:false โ€” expired

--at <unix> pins the clock for deterministic checks (CI, tests); omit it in production to use the wall clock. The verify output now also reports expires_at (earliest expiry in the chain).

Demos โ€” real, runnable scenarios

Every passport under demos/ is a genuine HMAC-signed artifact produced by the library (regenerate with python scripts/build_demos.py). Each folder has a SCENARIO.md with where the data came from, the exact command, and how to act on the result.

Demo

Scenario

02-rag-4-hop-chain

4-hop RAG pipeline anchored to a human; final hop can't write

03-escalation-tamper

Hand-edited scopes โ€” caught by both bad-signature and escalation checks

04-ci-ttl-deploy

15-minute CI deploy token; valid in-window, expired after

05-least-privilege-fanout

One human, three sibling agents each holding only their slice

06-rotated-key-mismatch

Wrong/rotated signing key โ†’ bad signature

07-missing-issuer-key

Incomplete trust map fails closed

08-mcp-tool-gating

Gate MCP tool calls; shell.exec blocked, fs.write allowed

09-auto-narrow-subset

Over-broad delegate request auto-narrowed to a subset

Architecture

flowchart LR
  H[๐Ÿ‘ค Human principal] -->|issue scopes| A1[Agent: researcher]
  A1 -->|delegate โІ scopes| A2[Agent: summarizer]
  A2 -->|delegate โІ scopes| A3[Agent: tool-runner]
  A3 --> V{verify chain}
  V -->|walks back to| H
  V --> R[valid? ยท principal ยท violations]

Why it's different

Every hop is HMAC-signed and can only narrow scopes โ€” escalation is detected. Verification walks the whole chain back to the human anchor, so you get the one thing OAuth/MCP can't give you today: accountable, multi-hop agent authorization.

Use it from any AI stack

MCP server (agentpassport mcp), JSON in/out for any agent runtime, drop-in for uncensored-fleet / LangChain / CrewAI delegation.

Prior art / standards

Aligned with IETF draft-klrc-aiagent-auth (AIMS), NIST agent-identity concept paper, MCP, and Mastercard Agent Pay tokenization. Production: anchor the HMAC demo in real PKI / SPIFFE.

๐Ÿค– uncensored-fleet ยท ๐Ÿ›ก๏ธ guardpost ยท ๐Ÿงฐ toolguard ยท ๐Ÿ—‚๏ธ the suite

โญ Star it โ€” agent identity is the problem nobody's solved yet.

Interoperability

agentpassport composes with the 300+ tool Cognis suite โ€” JSON in/out and a shared OpenAI-compatible /v1 backbone. See INTEROP.md for the suite map, composition patterns, and reference stacks.

Integrations

Forward agentpassport's findings to STIX/MISP/Sigma/Splunk/Elastic/Slack/webhooks via cognis-connect. See INTEGRATIONS.md.

License

COCL v1.0 โ€” see LICENSE.

F
license - not found
-
quality - not tested
B
maintenance

Maintenance

โ€“Maintainers
โ€“Response time
โ€“Release cycle
โ€“Releases (12mo)
Commit activity

Resources

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/cognis-digital/agentpassport'

If you have feedback or need assistance with the MCP directory API, please join our Discord server