agentpassport
Allows forwarding of agent authorization chain verification findings to Elastic for security event logging and analysis.
Allows forwarding of agent authorization chain verification findings to Slack for real-time alerting and notification.
Allows forwarding of agent authorization chain verification findings to Splunk for security monitoring and incident response.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@agentpassportissue a passport for researcher with read and search scopes"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
agentpassport
Cryptographically prove which human authorized which AI agent to do what โ even 4 hops deep.
#ai-agents #identity #authorization #agentic-ai #mcp #security #oauth
The unsolved 2026 problem: ~80% of orgs running autonomous agents can't trace an agent's actions back
to a human, and 45% still authenticate agents with shared API keys. OAuth/MCP handle one hop โ but the
delegation chain loses its anchor at hop 3-4. agentpassport fixes exactly that: signed, scope-narrowing
delegation chains you can verify back to a human principal.
pip install cognis-agentpassport
agentpassport issue researcher --principal chris --scopes read,search,write --key K > p.json
agentpassport delegate p.json summarizer --scopes read,search --key K2 > p2.json # subset only
agentpassport verify p2.json --keys '{"human:chris":"K","agent:researcher":"K2"}' --require write
# โ valid:false, violation: required scope 'write' not held at final hop โ
escalation blocked๐ Example output
Real, reproducible output from the tool โ runs offline:
$ agentpassport-emit --version
agentpassport 0.2.0$ agentpassport-emit --help
usage: agentpassport [-h] [--version] {issue,delegate,verify} ...
Verifiable agent identity + multi-hop delegation.
positional arguments:
{issue,delegate,verify}
options:
-h, --help show this help message and exit
--version show program's version number and exitBlocks above are real
agentpassportoutput โ reproduce them from a clone.
Sample result format (illustrative values โ run on your own data for real findings):
{
"findings": [
{
"id": "1234567890",
"title": "Suspicious Network Traffic",
"description": "Potential malicious activity detected on network 192.168.1.100",
"created_by": "cognis-connect",
"created_at": "2023-02-15T14:30:00Z"
}
]
}Related MCP server: evermint-mcp
Usage โ step by step
Install the tool:
pip install cognis-agentpassportIssue a passport for an agent, anchoring it to a human principal with an explicit scope set.
--keysigns it:agentpassport issue researcher --principal chris --scopes read,search,write --key K > p.jsonDelegate to a child agent โ scopes can only narrow (subset), never escalate:
agentpassport delegate p.json summarizer --scopes read,search --key K2 > p2.jsonVerify the chain back to the human.
--keysis a JSON map of issuer-to-key;--requireasserts a scope must be held at the final hop:agentpassport verify p2.json --keys '{"human:chris":"K","agent:researcher":"K2"}' --require write # -> valid:false, violation: required scope 'write' not held at final hop (escalation blocked) echo $? # non-zero when verification failsAutomate in CI / a gateway โ verify the presented passport before honoring an agent action:
- run: pip install cognis-agentpassport - run: agentpassport verify "$AGENT_PASSPORT" --keys "$TRUSTED_KEYS" --require write
Short-lived delegation (TTL / expiry)
Standing agent credentials are a blast-radius problem. Add --ttl <seconds> at issue or
delegate time and the hop carries a signed exp; verify rejects the chain once it lapses.
A child's expiry is clamped to never outlive its parent. Passports issued without a TTL
never expire (fully backward-compatible with 0.1.x credentials).
agentpassport issue deploy-agent --principal release-bot --scopes deploy:staging --key K --ttl 900 > p.json
agentpassport verify p.json --keys '{"human:release-bot":"K"}' # valid now
agentpassport verify p.json --keys '{"human:release-bot":"K"}' --at 9999999999 # valid:false โ expired--at <unix> pins the clock for deterministic checks (CI, tests); omit it in production to use
the wall clock. The verify output now also reports expires_at (earliest expiry in the chain).
Demos โ real, runnable scenarios
Every passport under demos/ is a genuine HMAC-signed artifact produced by the
library (regenerate with python scripts/build_demos.py). Each folder has a SCENARIO.md with
where the data came from, the exact command, and how to act on the result.
Demo | Scenario |
4-hop RAG pipeline anchored to a human; final hop can't | |
Hand-edited scopes โ caught by both bad-signature and escalation checks | |
15-minute CI deploy token; valid in-window, expired after | |
One human, three sibling agents each holding only their slice | |
Wrong/rotated signing key โ bad signature | |
Incomplete trust map fails closed | |
Gate MCP tool calls; | |
Over-broad delegate request auto-narrowed to a subset |
Architecture
flowchart LR
H[๐ค Human principal] -->|issue scopes| A1[Agent: researcher]
A1 -->|delegate โ scopes| A2[Agent: summarizer]
A2 -->|delegate โ scopes| A3[Agent: tool-runner]
A3 --> V{verify chain}
V -->|walks back to| H
V --> R[valid? ยท principal ยท violations]Why it's different
Every hop is HMAC-signed and can only narrow scopes โ escalation is detected. Verification walks the whole chain back to the human anchor, so you get the one thing OAuth/MCP can't give you today: accountable, multi-hop agent authorization.
Use it from any AI stack
MCP server (agentpassport mcp), JSON in/out for any agent runtime, drop-in for
uncensored-fleet / LangChain / CrewAI delegation.
Prior art / standards
Aligned with IETF draft-klrc-aiagent-auth (AIMS), NIST agent-identity concept paper, MCP, and Mastercard Agent Pay tokenization. Production: anchor the HMAC demo in real PKI / SPIFFE.
Related
๐ค uncensored-fleet ยท ๐ก๏ธ guardpost ยท ๐งฐ toolguard ยท ๐๏ธ the suite
โญ Star it โ agent identity is the problem nobody's solved yet.
Interoperability
agentpassport composes with the 300+ tool Cognis suite โ JSON in/out and a shared
OpenAI-compatible /v1 backbone. See INTEROP.md for the
suite map, composition patterns, and reference stacks.
Integrations
Forward agentpassport's findings to STIX/MISP/Sigma/Splunk/Elastic/Slack/webhooks via
cognis-connect. See INTEGRATIONS.md.
License
COCL v1.0 โ see LICENSE.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/cognis-digital/agentpassport'
If you have feedback or need assistance with the MCP directory API, please join our Discord server