ARIA v1.0

AGENT TRUST PROTOCOL

ARIA gives agents identity.
ATP is what happens at the door.

When an AI agent arrives at your API, three things need to happen: identity is verified, intent is declared, and authorization is checked against your policy. That's ATP.

The Agent Trust Protocol is a three-phase handshake that binds an agent's identity and stated intent to your published admission policy. It works like DMARC — you publish a DNS record that defines your requirements, and ATP enforces them.

DNS-published policy · Intent required · Three-phase handshake · DMARC model · HTTP + MCP transport

THREE PHASES. EVERY TIME.

No shortcuts. No exceptions. Every agent goes through all three phases before it touches your infrastructure.

01 DECLARE

The agent presents its AID — a cryptographically signed W3C Verifiable Credential — and a signed intent declaration stating its purpose, principal, requested actions, data usage, and retention policy.

02 EVALUATE

The receiving system checks the agent's credentials against its own DNS-published policy. Trust level sufficient? Scopes authorized? Delegation depth within limits? Intent declaration complete? Credential revoked?

03 ADMIT

Pass or reject. The evaluation result is returned as an ATP response code. Enforcement follows the mode set in your DNS policy — monitor, warn, or strict.

INTENT DECLARATION. NOT OPTIONAL.

Before an agent is admitted, it must state its purpose — what it intends to do, for whom, and within what boundaries. This is a protocol requirement. Not a suggested field. Not an optional header.

No other agent protocol requires intent declaration. DMARC authenticates the sender. OAuth authorizes the token. Neither asks why. ATP does. Because accountability starts with intent.

WHAT AN INTENT DECLARATION CONTAINS

Field          Meaning
purpose        What the agent wants to do
principal_ref  On whose behalf (DID reference)
action         Specific operations requested
data_usage     How data will be used
retention      How long data is kept

The intent declaration is what separates ATP from every other agent authentication mechanism. It's not enough to prove who you are. You must state why you're here.

PUBLISH YOUR POLICY. ONE DNS RECORD.

Receivers publish an Agent Trust Policy as a DNS TXT record at _aria-policy.{your-domain}. This record defines what your infrastructure requires from incoming agents.

EXAMPLE: FINANCIAL SERVICES

_aria-policy.bank.com TXT
v=ATP1; min=L2; enforce=strict;
req=commerce.*,invoice.*;
deny=identity.represent.human;
intent=purpose,principal_ref;
depth=3; rate=100/hr;
qualify=sector:finance>sox;
rua=https://bank.com/atp-reports

DNS RECORD TAGS

Tag      Requirement  Default  Description
v        MUST                  Protocol version. Always ATP1.
min      MUST         L0       Minimum trust level: L0, L1, L2, or L3.
enforce  MUST         monitor  Enforcement mode: monitor, warn, or strict.
req      MAY          (none)   Required scopes. Comma-separated. Wildcard: commerce.*
deny     MAY          (none)   Prohibited scopes. Agent carrying any is rejected.
intent   MAY          (none)   Required intent fields.
depth    MAY          4        Maximum delegation chain depth (0-4).
rate     MAY          (none)   Per-agent rate limit. N/hr or N/min.
qualify  MAY          (none)   Conditional requirements. condition>requirement.
rua      MAY          (none)   Aggregate report URI (DMARC-style).
ttl      MAY          3600     Policy cache TTL in seconds.

EXAMPLE: HEALTHCARE API

v=ATP1; min=L3; enforce=strict;
req=health:patient:read;
deny=health:patient:export;
intent=purpose,principal_ref,
  data_usage,retention;
qualify=sector:health>hipaa;
rate=50/hr

EXAMPLE: INTERNAL TOOLING

v=ATP1; min=L0; enforce=monitor;
rua=mailto:ops@company.com

START WITH MONITORING. ENFORCE WHEN READY.

ATP is designed for progressive deployment. Start by observing. Move to enforcement when you understand your traffic. Exactly like DMARC.

MONITOR: Start here

Log everything. Admit all agents regardless of compliance. Non-compliant agents are flagged in reports but not blocked.

WARN: Transition phase

Admit all agents. Non-compliant agents receive an X-ATP-Warning header. Your API can handle warned agents differently.

STRICT: Full enforcement

Reject non-compliant agents. An ATP error response is returned with a specific response code. Only compliant agents are admitted.

RESPONSE CODES

Every ATP evaluation returns a specific code. The agent knows exactly what passed, what failed, and why.

Code     Result               Meaning
ATP-200  Admitted             All policy checks passed.
ATP-401  Credential invalid   AID revoked, expired, or signature fails.
ATP-403  Trust insufficient   Agent trust level below policy minimum.
ATP-406  Scope mismatch       Missing required or carries prohibited scopes.
ATP-429  Rate limited         Agent exceeded per-agent request cap.
ATP-451  Intent incomplete    Intent declaration missing required fields.
ATP-460  Qualifier missing    Base requirements met but conditional qualifier fails.
ATP-462  Delegation too deep  Delegation chain exceeds policy maximum depth.
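As an added worked example (not code from the ARIA specification or any ATP implementation), the Python below ties the DNS RECORD TAGS table, the enforcement modes and the response codes together: it parses a policy record in the tag format shown above, runs the phase 02 checks and returns the first failing ATP code, then applies the enforcement mode as phase 03. The shape of the agent credential is an assumption of the example: the AID is represented as a dict whose Verifiable Credential signature the caller has already verified (`verified`, `revoked`, `trust_level`, `scopes`, `delegation_depth`, `attributes`, `qualifiers`), the `qualify` tag is read as "an agent matching the condition attribute must also carry the named qualifier", and the DNS lookup itself happens before `parse_policy` is called.

```python
import fnmatch
import time
from collections import defaultdict, deque

# Trust levels named by the min tag: L0 < L1 < L2 < L3.
TRUST_LEVELS = {"L0": 0, "L1": 1, "L2": 2, "L3": 3}

# Defaults from the DNS RECORD TAGS table, applied when a tag is absent.
POLICY_DEFAULTS = {"min": "L0", "enforce": "monitor", "req": [], "deny": [],
                   "intent": [], "depth": 4, "rate": None, "qualify": [],
                   "rua": None, "ttl": 3600}


def parse_policy(txt):
    """Parse an _aria-policy TXT record ("tag=value; tag=value; ...") into a dict.
    Whitespace and line breaks between tags are ignored; MUST tags are validated."""
    policy = dict(POLICY_DEFAULTS)
    for part in txt.split(";"):
        tag, _, value = part.strip().partition("=")
        tag, value = tag.strip(), value.strip()
        if not tag:
            continue
        if tag in ("req", "deny", "intent"):
            policy[tag] = [s.strip() for s in value.split(",") if s.strip()]
        elif tag == "qualify":  # condition>requirement, e.g. sector:finance>sox
            cond, _, need = value.partition(">")
            policy["qualify"] = policy["qualify"] + [(cond.strip(), need.strip())]
        elif tag in ("depth", "ttl"):
            policy[tag] = int(value)
        elif tag == "rate":  # N/hr or N/min -> (N, window in seconds)
            n, _, unit = value.partition("/")
            policy["rate"] = (int(n), {"hr": 3600, "min": 60}[unit])
        else:
            policy[tag] = value
    if policy.get("v") != "ATP1":
        raise ValueError("unsupported policy version (expected v=ATP1)")
    if policy["min"] not in TRUST_LEVELS:
        raise ValueError("min must be one of L0..L3")
    if policy["enforce"] not in ("monitor", "warn", "strict"):
        raise ValueError("enforce must be monitor, warn or strict")
    return policy


class RateLimiter:
    """Per-agent sliding window for the rate tag (in-memory; one process only)."""

    def __init__(self):
        self.hits = defaultdict(deque)

    def allow(self, agent_id, limit, now):
        if limit is None:
            return True
        count, window = limit
        q = self.hits[agent_id]
        while q and now - q[0] >= window:
            q.popleft()                 # drop hits that left the window
        if len(q) >= count:
            return False
        q.append(now)
        return True


def evaluate(policy, aid, intent, limiter=None, now=None):
    """Phase 02 EVALUATE. `aid` is the agent's credential as a dict whose signature
    the caller has already verified (aid["verified"], an assumption of this example);
    `intent` is the decoded declaration. Returns the first failing code, or ATP-200."""
    if aid.get("revoked") or not aid.get("verified"):
        return "ATP-401"
    if TRUST_LEVELS.get(aid.get("trust_level"), -1) < TRUST_LEVELS[policy["min"]]:
        return "ATP-403"
    scopes = aid.get("scopes", [])
    if any(not any(fnmatch.fnmatchcase(s, p) for s in scopes) for p in policy["req"]):
        return "ATP-406"                # a required scope is missing
    if any(fnmatch.fnmatchcase(s, p) for p in policy["deny"] for s in scopes):
        return "ATP-406"                # a prohibited scope is carried
    if aid.get("delegation_depth", 0) > policy["depth"]:
        return "ATP-462"
    if any(not intent.get(field) for field in policy["intent"]):
        return "ATP-451"
    # qualify semantics assumed here: an agent matching the condition attribute
    # must also carry the named qualifier (sector:finance -> sox).
    attrs, quals = set(aid.get("attributes", [])), set(aid.get("qualifiers", []))
    if any(c in attrs and q not in quals for c, q in policy["qualify"]):
        return "ATP-460"
    if limiter is not None:
        now = time.time() if now is None else now
        if not limiter.allow(aid.get("id"), policy["rate"], now):
            return "ATP-429"
    return "ATP-200"


def admit(policy, code):
    """Phase 03 ADMIT: apply the enforcement mode. Returns (admitted, extra headers)."""
    if code == "ATP-200" or policy["enforce"] == "monitor":
        return True, {}                 # monitor: report only, never block
    if policy["enforce"] == "warn":
        return True, {"X-ATP-Warning": code}
    return False, {}                    # strict: reject; caller returns the code
```

Feeding the financial-services record from above through `parse_policy` yields `min="L2"`, `rate=(100, 3600)` and `qualify=[("sector:finance", "sox")]`; an L2 agent carrying `commerce.checkout` and `invoice.read` with a complete intent gets ATP-200, the same agent without `principal_ref` gets ATP-451, and under `enforce=monitor` it is still admitted. The parser fails closed on a malformed MUST tag, which matters because a receiver that silently accepted a bad record would be running with no policy at all.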

TRANSPORT BINDINGS

ATP is transport-agnostic. The identity and intent travel alongside the request, not inside it. Two bindings at launch.

HTTP TRANSPORT

POST /api/v2/invoices/4471 HTTP/1.1
X-ARIA-AID: <base64url-encoded signed AID>
X-ARIA-Intent: <base64url-encoded signed intent>

Standard HTTP headers. Works with any REST API.

MCP TRANSPORT

{
  "name": "fetch_invoice",
  "arguments": { "invoice_id": "4471" },
  "aria": {
    "aid": "<signed AID>",
    "intent": "<signed intent>"
  }
}

Native MCP integration. Works with Claude, LangChain, AutoGen, CrewAI.

THE DMARC PARALLEL

If you understand DMARC, you understand ATP. Same pattern. Same progressive deployment. One critical addition: intent.

DMARC                          ATP
_dmarc.domain.com TXT          _aria-policy.domain.com TXT
Email authentication policy    Agent trust requirements
p=none > quarantine > reject   enforce=monitor > warn > strict
rua= aggregate reports         rua= aggregate reports
Evaluates DKIM/SPF             Evaluates AID + intent
Authenticates sender           Authenticates agent + evaluates intent

DMARC authenticates who sent an email. ATP authenticates who the agent is AND evaluates what it intends to do. ATP is DMARC + intent declaration.

Start with monitoring. Today.

Publish one DNS record. See every agent hitting your API — their identity, their intent, their trust level. No blocking. No breaking changes. Just visibility.

YOUR FIRST ATP POLICY

_aria-policy.yourdomain.com TXT "v=ATP1; min=L0; enforce=monitor; rua=mailto:you@yourdomain.com"

ATP is defined in §05 of the ARIA specification. For the complete technical reference including scope namespaces, delegation rules, and Trust Ledger integration, see the spec.