Open Protocol · Draft v0.1 · MIT

The accountability layer agents need.

MCP connects agents to tools. A2A connects agents to each other. Neither answers: who is this agent, what exactly did it do, and who authorized it?

MCP | agent ↔ tools | Anthropic/Linux Foundation | exists
A2A | agent ↔ agent | Google/Linux Foundation | exists
AAP | identity · authorization · provenance · audit | ← this
The spec
Four primitives. Nothing more.

Every AAP-compliant implementation must support all four. The spec is minimal by design.

🔑
Identity
Every agent has an Ed25519 keypair, signed by a human supervisor. The address encodes the organization, type, name and version. Not a username in a config file.
aap://org/type/name@semver
Authorization
Humans explicitly grant agents permission to act at one of five levels. The token is signed and time-bounded. The Physical World Rule limits physical nodes to Level 3 maximum.
Level 0–4 · physical max = 3
🔗
Provenance
Every artifact an agent produces carries its origin: SHA-256 of the input, SHA-256 of the output, the authorization session that permitted it, and the agent's signature.
sha256:input → sha256:output
📋
Audit
A tamper-evident hash chain. Each entry's prev_hash points to the SHA-256 of the previous entry. Modifying any entry breaks all subsequent hashes.
prev_hash = sha256(last_entry)
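
The audit primitive above, as an added example that is not taken from the AAP spec or its reference implementation: it builds a short chain, verifies it, and shows where an edited entry is detected. The canonical-JSON serialization, the all-zero genesis value, the field names other than prev_hash, the helper names and the sample agent address are assumptions.

```python
import copy
import hashlib
import json

GENESIS = "sha256:" + "0" * 64  # assumed prev_hash of the first entry


class ChainError(Exception):
    code = "AAP-006"  # audit chain integrity broken


def entry_hash(entry):
    # Assumption: entries are hashed as canonical JSON (sorted keys, compact).
    blob = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return "sha256:" + hashlib.sha256(blob).hexdigest()


def append(chain, agent, action):
    # seq, agent and action are illustrative field names, not from the spec.
    prev = entry_hash(chain[-1]) if chain else GENESIS
    entry = {"seq": len(chain), "agent": agent, "action": action, "prev_hash": prev}
    chain.append(entry)
    return entry


def verify(chain, anchored_head=None):
    """Walk the chain; return the head hash or raise ChainError."""
    expected = GENESIS
    for i, entry in enumerate(chain):
        if entry.get("prev_hash") != expected:
            raise ChainError(f"AAP-006: entry {i} prev_hash mismatch")
        expected = entry_hash(entry)
    # Only a head hash kept outside the log reveals an edit to the last entry.
    if anchored_head is not None and expected != anchored_head:
        raise ChainError("AAP-006: head hash differs from anchored value")
    return expected


def tampered_copy(chain, index, action):
    forged = copy.deepcopy(chain)
    forged[index]["action"] = action  # rewrite one entry, leave links as-is
    return forged


# Constructed sample log for one constructed agent address.
LOG = []
for step in ("read_report", "draft_summary", "send_summary"):
    append(LOG, "aap://acme/assistant/reporter@1.0.0", step)
HEAD = verify(LOG)
```

An edit to entry 1 is reported at entry 2, the first link that no longer matches. An edit to the final entry passes the link check and is caught only when the verifier is given a head hash stored outside the log.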
Authorization
Five levels. One rule.

Human supervisors grant a specific level per session. The Physical World Rule enforces a hard ceiling for physical nodes.

Level | Name | Meaning | Physical
0 | Observe | Read-only. No side effects whatsoever. |
1 | Suggest | Propose actions. Human reviews and executes. |
2 | Assisted | Agent executes. Human confirms each step. |
3 | Supervised | Agent executes. Human can intervene. | ✓ max
4 | Autonomous | Agent executes within authorized scope. Full audit required. |
Physical World Rule — §3.4

For robots, drones, vehicles, industrial machines, or any node where an action can cause irreversible physical harm — Level 4 (Autonomous) is forbidden by the protocol. A compliant implementation must reject such a request with error code AAP-003. This rule is not configurable and cannot be overridden by any application-level setting.

Error codes
Standard. Cross-language.

All implementations must use these codes to ensure interoperability. Clients can rely on the code regardless of language or platform.

AAP-001 | ValidationError | Required field missing or format invalid
AAP-002 | SignatureError | Ed25519 signature verification failed
AAP-003 | PhysicalWorldViolation | Level 4 requested for a physical node — always rejected
AAP-004 | ScopeError | Action is outside the agent's authorized scope
AAP-005 | RevocationError | Identity or authorization has been revoked
AAP-006 | ChainError | Audit chain integrity broken — tampering detected
Implementations
Ready to use.

Compliant implementations. All spec requirements met. Compliance test suite included.

Full system · Python / Go / Rust / C++ / TypeScript
Halyn
Complete implementation of AAP. Digital and physical. Install and run in 30 seconds.
Physical world · Python
NRP
AAP for physical nodes. 4 methods. Robots, IoT, industrial machines, drones, vehicles.