OAI-1: Open Agent Identity Specification

1. Introduction

Background

As AI agents become increasingly prevalent in consumer and enterprise applications, the need for a standardized identity and interaction protocol has become critical. Current approaches suffer from fragmentation: each agent platform implements proprietary discovery, authentication, and payment mechanisms, creating silos that limit interoperability.

Goals

OAI addresses these challenges by providing:

Decentralized Identity — Agent identity rooted in DNS, requiring no central authority
Verifiable Trust — Cryptographic verification of agent authenticity
Capability Declaration — Upfront disclosure of agent permissions and pricing
Secure Commerce — Payment flows where agents never access sensitive financial data
User Privacy — Mechanisms to prevent cross-agent tracking
Auditability — Cryptographic receipts for high-risk interactions

Conformance

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

Reference Implementation

A fully functional OAI-compliant agent is deployed at acme-agent.com. You can view its manifest, verify its DNS records, and interact with it directly to see the protocol in action.

Examples in This Specification

Throughout this document, examples use a fictional retail company called ShoeСo operating at shoeco.example.com.

2. Terminology

Term	Definition
Agent	An AI-powered service that can receive messages, process requests, and take actions on behalf of users.
Agent Operator	The entity that deploys and maintains an agent, typically identified by domain ownership.
Client	An application or device that connects to agents on behalf of a user.
Manifest	A JSON document describing an agent's identity, capabilities, endpoints, and pricing.
Verification	The process of confirming an agent's identity through DNS record validation.
Pairwise DID	A unique Decentralized Identifier generated for each user-agent relationship to prevent tracking.
High-Risk Action	Any interaction involving payments, data access, or irreversible operations that requires explicit user confirmation.

3. Design Principles

DNS-Rooted Identity

Agent identity is anchored to domain names. An agent claiming to represent shoeco.example.com MUST be verifiable through DNS records controlled by that domain. This leverages existing trust infrastructure without requiring a new certificate authority or registry.

Transport Agnosticism

OAI defines message formats and flows, not transport mechanisms. Implementations MAY use WebSockets, HTTP/2, HTTP/3, WebRTC, or any reliable bidirectional channel.

Client-Enforced Security

Security policies are enforced by the client, not the agent. Agents declare their required capabilities; clients decide whether to grant them.

Privacy by Default

Users are identified to agents via pairwise identifiers that cannot be correlated across agents. Clients SHOULD NOT transmit unnecessary personal data.

Explicit Over Implicit

All agent capabilities, permissions, and costs MUST be declared explicitly in the manifest. Natural language in messages is for display purposes only; it MUST NOT be parsed for control flow.

4. Protocol Compatibility

Overview

OAI serves as the identity and discovery layer for the AI agent ecosystem. Once an agent is discovered and verified through OAI, clients can communicate using any supported protocol. OAI does not replace these protocols—it enables them by providing a universal identity foundation.

Supported Protocol Types

Protocol	Type	Use Case
A2A	Agent-to-Agent	Google's protocol for inter-agent communication, task delegation
MCP	Model Context Protocol	Anthropic's protocol for tools, resources, and prompts
UCP	Universal Commerce Protocol	Google's protocol for full commerce journeys with OAuth identity linking
ACP	Agentic Commerce Protocol	Stripe's protocol for payments via Shared Payment Tokens (SPTs)
Custom API	REST/WebSocket	Proprietary APIs (Sierra, Decagon, etc.)

Manifest Protocol Declaration

Agents declare their supported protocols in the manifest:

{
  "protocols": {
    "oai": {
      "version": "1.0",
      "endpoint": "wss://ai.shoeco.example.com/v1/agent"
    },
    "mcp": {
      "version": "2024-11-05",
      "transport": "sse",
      "endpoint": "https://ai.shoeco.example.com/v1/mcp"
    },
    "a2a": {
      "version": "1.0",
      "endpoint": "https://ai.shoeco.example.com/v1/a2a"
    },
    "ucp": {
      "version": "1.0",
      "merchant_id": "shoeco_merchant_123"
    },
    "acp": {
      "version": "1.0",
      "stripe_account": "acct_1234567890"
    },
    "api": {
      "type": "rest",
      "endpoint": "https://ai.shoeco.example.com/v1/api",
      "documentation": "https://docs.shoeco.example.com/api"
    }
  }
}

Protocol Negotiation

When a client connects, it specifies which protocols it supports. The agent and client negotiate the best available protocol:

{
  "type": "session.init",
  "payload": {
    "client_id": "did:key:z6Mk...",
    "supported_protocols": ["oai", "mcp", "a2a"],
    "preferred_protocol": "mcp"
  }
}

What OAI Provides vs. Delegates

Concern	OAI Handles	Delegated To
Agent Identity	✓ DNS-rooted verification	—
Agent Discovery	✓ .well-known manifest	—
Client Authentication	✓ Mutual auth	—
Authorization	✓ Accept/reject clients	—
User Privacy	✓ Pairwise DIDs	—
User Authentication	—	A2A (OAuth), UCP (Identity Linking), MCP
Tool Execution	—	MCP, A2A, Custom API
Commerce	✓ Payment orchestration	UCP, ACP for specialized flows

User Authentication

OAI intentionally delegates user authentication to the underlying protocol. A2A uses OAuth 2.0, UCP uses Identity Linking, and MCP has its own mechanisms. This separation keeps OAI focused on agent and client identity while leveraging existing, proven user auth systems.

5. Client Authentication

Overview

OAI implements mutual authentication between clients and agents. Both parties have verifiable identities, and agents can choose which clients to accept or reject. This gives agents control over their ecosystem while maintaining openness.

Client Identity

Clients (applications that connect to agents on behalf of users) can also have OAI identities. A client's identity is established the same way as an agent's:

GET https://app.example.com/.well-known/agent-identity.json

{
  "oai_version": "1.0",
  "identity": {
    "name": "Example Assistant App",
    "handle": "@example-app",
    "domain": "app.example.com",
    "type": "client",
    "public_key": "MCowBQYDK2VwAyEA..."
  }
}

The type: "client" field distinguishes client applications from agents.

Mutual Authentication Flow

[Client] [Agent] | | |-- 1. Fetch agent manifest --------->| |<---- agent-identity.json -----------| | | |-- 2. Verify agent via DNS --------->| (DNS lookup) | | |-- 3. session.init ----------------->| | (client_id, client_manifest_url, signature) | | | Agent fetches client manifest | | Agent verifies client via DNS | | Agent decides: accept/reject | | | |<-- 4a. session.ready ---------------| (accepted) | OR | |<-- 4b. session.rejected ------------| (rejected)

Session Init with Client Identity

{
  "type": "session.init",
  "id": "msg_001",
  "timestamp": "2026-02-02T15:30:00Z",
  "payload": {
    "client_id": "did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK",
    "client_manifest": "https://app.example.com/.well-known/agent-identity.json",
    "client_domain": "app.example.com",
    "oai_version": "1.0",
    "granted_permissions": { ... }
  },
  "signature": "base64_signature_by_client_private_key..."
}

Agent Authorization Decision

Upon receiving a session.init, the agent:

Fetches the client manifest from client_manifest URL
Verifies the client via DNS (_oai-verify.{client_domain})
Verifies the signature using the client's public key
Checks the client against its authorization policy
Responds with session.ready or session.rejected

Authorization Policies

Agents can implement various authorization policies:

Policy	Description
Open	Accept all verified clients
Allowlist	Accept only specific client domains
Verified Only	Accept any client with valid DNS verification
Partnership	Accept clients with mutual partnership agreements

Session Rejection

{
  "type": "session.rejected",
  "id": "msg_001",
  "payload": {
    "reason": "client_not_authorized",
    "message": "This agent only accepts connections from verified partner applications.",
    "contact": "partnerships@shoeco.example.com"
  }
}

Session Key Exchange

After successful authentication, both parties exchange ephemeral session keys. This provides:

Forward Secrecy — Compromise of long-term keys doesn't expose past sessions
Replay Protection — Session-bound keys prevent message replay
Session Isolation — Each session has unique encryption keys

Key Exchange Flow

// In session.init, client includes ephemeral public key
{
  "type": "session.init",
  "payload": {
    "client_id": "did:key:z6Mk...",
    "ephemeral_public_key": "MCowBQYDK2VwAyEA...",
    ...
  }
}

// In session.ready, agent includes its ephemeral public key
{
  "type": "session.ready",
  "payload": {
    "session_id": "sess_8x7k2m9p4n",
    "ephemeral_public_key": "MCowBQYDK2VwAyEA...",
    ...
  }
}

Both parties derive a shared session key using X25519 key agreement. All subsequent messages in the session are encrypted with this key.

Security Properties

Property	Mechanism
Agent Identity	DNS TXT record + Ed25519 public key
Client Identity	DNS TXT record + Ed25519 public key
Message Integrity	Ed25519 signatures
Session Encryption	X25519 + ChaCha20-Poly1305
Forward Secrecy	Ephemeral session keys
Replay Prevention	Session-bound keys + message IDs + timestamps

6. Agent Discovery

Well-Known Endpoint

Agents are discovered via a standardized path on their host domain:

GET https://{domain}/.well-known/agent-identity.json

The response MUST be a JSON document conforming to the Agent Manifest schema.

Example Request

GET /.well-known/agent-identity.json HTTP/2
Host: support.shoeco.example.com
Accept: application/json
User-Agent: OAI-Client/1.0

Example Response

{
  "oai_version": "1.0",
  "identity": {
    "name": "ShoeCo Customer Support",
    "handle": "@shoeco-support",
    "domain": "shoeco.example.com",
    "description": "Official support agent for order tracking and returns.",

    // Worker Key (Hot) - used for signing in this deployment
    "public_key": "MCowBQYDK2VwAyEA_WORKER_KEY...",

    // Chain of Trust - proves Worker Key is authorized by domain owner
    "delegation": {
      "issuer_key": "MCowBQYDK2VwAyEA_MASTER_DNS_KEY...",  // Must match DNS TXT record
      "expiration": "2026-06-01T00:00:00Z",              // Limits damage if compromised
      "signature": "base64_master_signs_worker..."        // Master key signs worker key
    }
  },
  "endpoints": {
    "connect": "wss://ai.shoeco.example.com/v1/agent",
    "health": "https://ai.shoeco.example.com/v1/health"
  },
  "capabilities": { ... },
  "pricing": { ... }
}

Note: The delegation block is recommended for production. If omitted, public_key must match the DNS record directly. See Key Delegation.

Error Responses

Status Code	Meaning
404	No OAI agent at this domain
503	Agent temporarily unavailable
301/302	Agent has moved; follow redirect

7. Identity Verification

Overview

To prevent impersonation, agents MUST prove control of their claimed domain through DNS TXT records. This verification binds the agent's cryptographic identity to domain ownership.

DNS Record Format

Agent operators MUST publish a TXT record at:

_oai-verify.{domain}

The record value MUST follow this format:

v=oai1; id={agent_id}; key={public_key}; exp={expiration}

Example DNS Record

_oai-verify.shoeco.example.com. IN TXT "v=oai1; id=support_agent; key=MCowBQYDK2VwAyEA...; exp=2027-01-01T00:00:00Z"

Verification Process

Fetch the Agent Manifest from /.well-known/agent-identity.json
Extract the identity.domain and identity.public_key fields
Query DNS for _oai-verify.{domain} TXT records
Parse the TXT record value
If identity.delegation is present, follow the Key Delegation verification flow
Otherwise, compare the DNS key value to identity.public_key
If exp is present, verify it is in the future
Verification succeeds if keys match and expiration is valid

Key Delegation (Optional)

For enhanced security, agents MAY use key delegation to separate their long-term identity key from the operational key used for signing. This allows:

Cold Storage — Master key stored offline in HSM or air-gapped system
Key Rotation — Worker keys can rotate frequently without DNS changes
Compromise Recovery — If worker key is compromised, rotate it; master key stays safe

Delegation Model

DNS Record (Master Key - Cold):
_oai-verify.shoeco.example.com TXT "v=oai1; key=MCowBQYDK2VwAyEA_MASTER_KEY..."
                                         │
                                         │ signs
                                         ▼
Manifest (Worker Key - Hot):
{
  "identity": {
    "public_key": "MCowBQYDK2VwAyEA_WORKER_KEY...",
    "delegation": {
      "issuer_key": "MCowBQYDK2VwAyEA_MASTER_KEY...",
      "expiration": "2026-02-02T18:00:00Z",
      "signature": "base64_master_signs_worker..."
    }
  }
}

Delegation Fields

Field	Type	Description
`issuer_key`	string	The master public key (MUST match DNS record)
`expiration`	ISO8601	When the worker key delegation expires
`signature`	string	Master key's Ed25519 signature over the worker key + expiration

Delegation Verification Process

When identity.delegation is present, clients MUST:

Verify delegation.issuer_key matches the DNS record's key
Verify delegation.expiration is in the future
Verify delegation.signature is a valid Ed25519 signature by issuer_key over the concatenation of public_key + expiration
If all checks pass, trust identity.public_key (the worker key) for this session

Delegation is Optional

If identity.delegation is absent, clients fall back to direct verification: identity.public_key must match the DNS record. Delegation is recommended for production deployments but not required.

Verification Status

Status	Condition	User Display
Verified	Keys match, not expired	Green indicator, "Verified Agent"
Unverified	No DNS record found	Yellow indicator, "Unverified"
Mismatch	Keys do not match	Red indicator, "Verification Failed"
Expired	DNS record expired	Red indicator, "Verification Expired"

8. Agent Manifest

Identity Object

{
  "identity": {
    "name": "ShoeСo Customer Support",
    "handle": "@shoeco-support",
    "domain": "shoeco.example.com",
    "description": "Official support agent for order tracking, returns, and product information.",
    "public_key": "MCowBQYDK2VwAyEA_WORKER_KEY...",
    "delegation": {
      "issuer_key": "MCowBQYDK2VwAyEA_MASTER_DNS_KEY...",
      "expiration": "2026-02-02T18:00:00Z",
      "signature": "base64_master_signs_worker..."
    },
    "logo_url": "https://shoeco.example.com/assets/agent-logo.png",
    "operator": {
      "name": "ShoeСo, Inc.",
      "contact": "support@shoeco.example.com",
      "privacy_policy": "https://shoeco.example.com/privacy",
      "terms_of_service": "https://shoeco.example.com/terms"
    }
  }
}

The delegation field is optional. When present, the public_key is a worker key signed by the master key in DNS. See Key Delegation for details.

Identity Fields

Field	Type	Required	Description
`name`	string	Yes	Human-readable agent name
`handle`	string	Yes	Unique handle, format: @{identifier}
`domain`	string	Yes	Domain that owns this agent
`public_key`	string	Yes	Base64-encoded Ed25519 public key (worker key if delegation is used)
`delegation`	object	Recommended	Proof that the `public_key` is authorized by the domain owner. See Key Delegation.
`delegation.issuer_key`	string	Yes*	The Master Public Key (MUST match the `key` in DNS TXT record)
`delegation.expiration`	string	Yes*	ISO8601 timestamp when this delegation expires
`delegation.signature`	string	Yes*	Ed25519 signature of the Worker Key by the Issuer Key
`operator.privacy_policy`	string	Yes	URL to privacy policy

* Required if delegation is present.

Endpoints with MCP Support

{
  "endpoints": {
    "connect": "wss://ai.shoeco.example.com/v1/agent",
    "health": "https://ai.shoeco.example.com/v1/health",
    "mcp": {
      "transport": "sse",
      "url": "https://ai.shoeco.example.com/v1/mcp"
    }
  }
}

The optional mcp endpoint enables Model Context Protocol integration for richer tool interactions.

9. Capabilities and Permissions

Overview

Agents MUST declare all capabilities they require. Clients MUST block any action not explicitly listed in the manifest. This creates a sandbox model where agents operate within declared boundaries.

Tools

{
  "capabilities": {
    "tools": [
      {
        "name": "order_lookup",
        "description": "Look up order status by order ID or email",
        "parameters": {
          "order_id": "string",
          "email": "string"
        }
      },
      {
        "name": "initiate_return",
        "description": "Start a return process for an order",
        "requires_confirmation": true
      }
    ]
  }
}

Permissions

{
  "capabilities": {
    "permissions": {
      "user_data": {
        "fields": ["email", "shipping_address"],
        "purpose": "Order lookup and delivery updates",
        "retention": "session"
      },
      "location": {
        "precision": "coarse",
        "purpose": "Find nearby stores"
      },
      "payments": {
        "enabled": true,
        "provider": "stripe",
        "max_amount": 100000
      }
    }
  }
}

Permission Types

Permission	Values	Description
`location.precision`	none, coarse, fine	Location accuracy level
`user_data.retention`	session, persistent	How long data is retained
`payments.max_amount`	integer	Maximum single transaction (cents)

MCP Compatibility

Agents MAY declare compatibility with the Model Context Protocol (MCP) to provide richer tool schemas:

{
  "capabilities": {
    "mcp": {
      "compatible": true,
      "version": "2024-11-05",
      "features": ["tools", "resources", "prompts"]
    },
    "tools": [
      {
        "name": "order_lookup",
        "description": "Look up order status",
        "mcp_schema": true,
        "inputSchema": {
          "type": "object",
          "properties": {
            "order_id": { "type": "string" }
          }
        }
      }
    ]
  }
}

When mcp_schema: true, clients use the rich inputSchema for validation and UI generation. See Appendix C for full MCP integration details.

10. Session Management

Session Lifecycle

[Client] [Agent] | | |-- 1. session.init ---------------->| | | |<-- 2. session.ready ---------------| | | |<-- 3. messages... ---------------->| | | |-- 4. session.end ----------------->| | | |<-- 5. session.closed --------------|

Session Initialization

{
  "type": "session.init",
  "id": "msg_001",
  "payload": {
    "client_id": "did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK",
    "oai_version": "1.0",
    "granted_permissions": {
      "user_data": ["email"],
      "payments": true
    }
  }
}

Session Ready Response

{
  "type": "session.ready",
  "id": "msg_001",
  "payload": {
    "session_id": "sess_8x7k2m9p4n",
    "expires_at": "2026-02-02T20:30:00Z",
    "agent_greeting": "Hello! I'm the ShoeСo support agent. How can I help you today?"
  }
}

11. Interaction Protocol

Message Format

All messages follow a common envelope structure:

{
  "type": "{category}.{action}",
  "id": "{unique_message_id}",
  "timestamp": "{ISO8601_timestamp}",
  "session_id": "{session_id}",
  "payload": { ... },
  "signature": "{base64_signature}"
}

Message Categories

Category	Description
`session`	Session lifecycle management
`message`	Conversational messages
`tool`	Tool invocation and results
`ui`	User interface rendering
`commerce`	Payment and transaction flows
`data`	Data access requests
`system`	Protocol-level messages

Rich UI Rendering

{
  "type": "ui.render",
  "payload": {
    "template": "product_card",
    "data": {
      "title": "6-Inch Premium Waterproof Boot",
      "price": { "amount": 19800, "currency": "USD" },
      "image_url": "https://shoeco.example.com/imgs/boot.jpg",
      "actions": [
        { "label": "Add to Cart", "action": "commerce.add_to_cart" }
      ]
    }
  }
}

12. Commerce and Payments

Zero-Touch Payment Model

OAI enforces a strict separation between payment requests and payment execution:

Agents request payment by sending a payment intent
Clients execute payment using stored credentials
Agents never access credit card numbers, bank accounts, or other sensitive financial data

Payment Request

{
  "type": "commerce.request_payment",
  "id": "msg_201",
  "payload": {
    "payment_id": "pay_req_88291",
    "provider": "stripe",
    "intent_secret": "pi_3MtwBwLkdIwHu7ix28aL_secret_...",
    "amount": { "value": 19800, "currency": "USD" },
    "description": "ShoeСo Premium Boot (Size 10)"
  },
  "security": {
    "confirmation_type": "standard"
  }
}

Confirmation Types

Type	Description	User Action
`standard`	Default confirmation	Tap "Confirm" in client UI
`hardware_tap`	Hardware-secured	Physical device interaction
`biometric`	Biometric confirmation	Fingerprint or face recognition
`pin`	PIN confirmation	Enter numeric PIN

Supported Payment Providers

Provider	Identifier	Regions
Stripe	`stripe`	Global
PayPal	`paypal`	Global
Apple Pay	`apple_pay`	iOS/macOS
Google Pay	`google_pay`	Android/Web

13. Pricing and Metering

Pricing Models

Free

{ "pricing": { "model": "free" } }

Flat Rate (Per Session)

{
  "pricing": {
    "model": "flat",
    "amount": 100,
    "currency": "USD"
  }
}

Metered (Per Turn)

{
  "pricing": {
    "model": "metered",
    "unit": "turn",
    "rate": 5,
    "currency": "USD",
    "description": "$0.05 per message"
  }
}

14. User Privacy

Pairwise Decentralized Identifiers

To prevent cross-agent tracking, clients MUST generate a unique Decentralized Identifier (DID) for each agent relationship:

User → ShoeСo Agent: did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK
User → Delta Agent:      did:key:z6MkpTHR8VNsBxYAAWHut2Geadd9jSwuBV8xRoAnwWsdvktH

ShoeСo and Delta receive different identifiers; they cannot correlate to build a unified user profile.

Data Minimization

Clients MUST implement data minimization:

Only transmit data fields explicitly granted in permissions
Strip unnecessary metadata from messages
Do not transmit device identifiers, IP addresses, or hardware info unless required and permitted

Context Passports (State Management)

OAI replaces traditional "Login/Password" credentials with Client-Managed State. The user's relationship with an agent is defined by the Pairwise DID presented during the handshake.

Guest Mode (Ephemeral): To interact anonymously, the Client generates a fresh, random DID. The Agent perceives this as a new user with no history.
Return Mode (Persistent): To resume a relationship (e.g., accessing order history), the Client persists the DID associated with the Agent's domain. Upon reconnection, the Client re-presents the same DID, allowing the Agent to restore context.

User Sovereignty

The choice to persist or delete this identity lies entirely with the User (via the Client UI), effectively granting a "Right to be Forgotten" at the protocol level. No coordination with the Agent is required — deleting the DID from the local device severs the cryptographic link permanently.

Implementation Requirements

Requirement	Client	Agent
Mode selection	MUST provide user control over Guest vs Return mode	MUST honor whichever DID is presented
DID storage	MUST store persistent DIDs securely (encrypted at rest)	MAY associate state with DIDs
DID deletion	MUST allow users to delete any stored DID	No action required
Backup/export	SHOULD provide encrypted backup mechanism	N/A

Device loss in Return mode means loss of Agent relationships. Clients SHOULD warn users and provide backup/export options.

15. Audit and Receipts

Overview

Every high-risk interaction MUST generate a cryptographic receipt signed by both the agent and client. This creates a non-repudiable audit trail stored on the user's device.

Receipt Format

{
  "receipt_id": "rcpt_xyz789",
  "timestamp": "2026-02-02T15:35:30Z",
  "session_id": "sess_8x7k2m9p4n",
  "action": {
    "type": "commerce.payment_confirmed",
    "message_id": "msg_201"
  },
  "payload_hash": "sha256:a3b8c9d2e4f5...",
  "signatures": {
    "agent": "base64_agent_signature...",
    "client": "base64_client_signature..."
  }
}

16. Error Handling

Error Codes

Code	HTTP Equiv	Description
`INVALID_MESSAGE`	400	Message format is invalid
`UNAUTHORIZED`	401	Session not authenticated
`CAPABILITY_NOT_GRANTED`	403	Requested capability not permitted
`RESOURCE_NOT_FOUND`	404	Requested resource does not exist
`RATE_LIMITED`	429	Too many requests
`AGENT_ERROR`	500	Internal agent error
`AGENT_UNAVAILABLE`	503	Agent temporarily unavailable
`SESSION_EXPIRED`	440	Session has expired
`VERIFICATION_FAILED`	495	Agent verification failed
`PAYMENT_FAILED`	402	Payment processing failed

17. Security Considerations

Transport Security

All connections MUST use TLS 1.3 or later
Clients MUST validate server certificates
Certificate pinning is RECOMMENDED for known agents

Message Authentication

All messages from agents SHOULD be signed
High-risk messages MUST be signed
Clients MUST verify signatures before acting on high-risk messages

Replay Prevention

Messages MUST include unique message ID, timestamp within acceptable skew (5 minutes), and session ID. Clients MUST reject duplicate message IDs and messages with timestamps outside acceptable skew.

Injection Prevention

The protocol explicitly separates control and display. Natural language content is for display only; clients MUST NOT parse natural language for commands. All control flow uses structured type fields.

DNSSEC Enforcement

To prevent DNS spoofing attacks (e.g., "Coffee Shop" Man-in-the-Middle), OAI Clients MUST enforce DNSSEC validation when resolving the _oai-verify TXT record.

The Client MUST NOT trust the DNS response unless the chain of trust can be cryptographically verified back to the Root Trust Anchor. Clients MAY achieve this via:

Local Validation: Requesting DNSSEC resource records (RRSIG, DNSKEY) and verifying them on the device
Trusted Transport: Using a secure transport (DoH/DoT) to a recursive resolver that explicitly sets the Authenticated Data (AD) flag

Failure Modes

Scenario	Meaning	Required Response
DNSSEC present, validation succeeds	Verified chain of trust	Proceed normally, Agent is Verified
DNSSEC present, validation fails	Likely active attack	MUST reject — do not connect
DNSSEC not configured on domain	Domain owner hasn't adopted DNSSEC	MAY proceed as Unverified

Capability Restrictions for Unverified Agents

When DNSSEC validation cannot be performed (domain lacks DNSSEC), the Client MUST treat the Agent as Unverified and block high-risk capabilities:

payments — All payment requests MUST be rejected
personal_data — Personal data transmission MUST be blocked
tool_execution — Tools with risk_level: "high" MUST require additional user confirmation

Clients SHOULD display a visual indicator when interacting with Unverified agents to inform users of the reduced trust level.

Appendix A: JSON Schemas

Full JSON Schema definitions are available at:

Appendix B: Example Flows

Complete Session Flow

1. Client discovers agent GET https://support.shoeco.example.com/.well-known/agent-identity.json 2. Client verifies agent DNS lookup: _oai-verify.shoeco.example.com Compare public keys 3. Client establishes session → session.init (with pairwise DID, granted permissions) ← session.ready (with session_id, greeting) 4. User sends message → message.user ("Where is my order #TL-98234?") 5. Agent invokes tool ← tool.invoke (order_lookup) → tool.result (order data) 6. Agent responds ← message.agent (order status) ← ui.render (shipping_tracker card) 7. User requests action → message.user ("I want to return it") 8. Agent requests confirmation ← tool.invoke (initiate_return, requires_confirmation: true) User confirms in client UI → tool.result (confirmed) 9. Session ends → session.end ← session.closed

Payment Flow

1. User indicates purchase intent → message.user ("I'll buy the boots") 2. Agent requests payment ← commerce.request_payment (Stripe intent, $198.00) 3. Client displays payment confirmation UI User reviews amount, merchant, items User confirms (tap/biometric/PIN) 4. Client processes payment via Stripe SDK Payment succeeds 5. Client confirms to agent → commerce.payment_confirmed (provider confirmation) Receipt generated and stored locally 6. Agent confirms order ← message.agent ("Your order is confirmed!") ← ui.render (order_summary card)

Appendix C: MCP Integration

Overview

The Model Context Protocol (MCP) is an open protocol for connecting AI models to external data sources and tools. OAI and MCP are complementary:

Layer	OAI Provides	MCP Provides
Identity	DNS-rooted verification	None
Discovery	.well-known/agent-identity.json	Local config
Trust	Verified status	Implicit trust
Tool Schema	Basic declaration	Rich JSON Schema
Resources	Not addressed	URIs, subscriptions
Commerce	Payments, pricing	None
Privacy	Pairwise DIDs	None

OAI provides the identity, commerce, and privacy layer. MCP provides the tool interaction layer. Together, they offer a complete solution.

Integration Architecture

┌─────────────────────────────────────────────────────────────┐ │ CLIENT │ ├─────────────────────────────────────────────────────────────┤ │ ┌─────────────────────────────────────────────────────┐ │ │ │ OAI LAYER │ │ │ │ • Discovery (.well-known/agent-identity.json) │ │ │ │ • Identity verification (DNS TXT) │ │ │ │ • Session management │ │ │ │ • Pricing & payment orchestration │ │ │ │ • Privacy (pairwise DIDs) │ │ │ │ • Audit receipts │ │ │ └─────────────────────────────────────────────────────┘ │ │ │ │ │ ▼ │ │ ┌─────────────────────────────────────────────────────┐ │ │ │ MCP LAYER │ │ │ │ • Tool discovery (tools/list) │ │ │ │ • Tool invocation (tools/call) │ │ │ │ • Resource access (resources/read) │ │ │ │ • Prompts (prompts/get) │ │ │ └─────────────────────────────────────────────────────┘ │ └─────────────────────────────────────────────────────────────┘ │ ▼ ┌─────────────────────────────────────────────────────────────┐ │ AGENT (OAI Manifest + MCP Server) │ └─────────────────────────────────────────────────────────────┘

Complete OAI+MCP Flow

1. OAI Discovery Client: GET https://agent.example.com/.well-known/agent-identity.json Agent: Returns OAI manifest with mcp.compatible: true 2. OAI Verification Client: DNS lookup _oai-verify.example.com Client: Compare public keys → Verified ✓ 3. OAI Session Initialization Client → Agent: session.init (pairwise DID, permissions) Agent → Client: session.ready (session_id) 4. MCP Initialization (within OAI session) Client → Agent: mcp.initialize Agent → Client: mcp.initialize_result (server capabilities) 5. MCP Tool Discovery Client → Agent: mcp.tools_list Agent → Client: mcp.tools_list_result (rich tool schemas) 6. Interaction Loop User → Client: "Where is my order?" Client → Agent: message.user Agent → Client: mcp.tools_call (order_lookup) Client: Verify tool is in manifest ✓ Client → Agent: mcp.tools_call_result Agent → Client: message.agent (response) 7. Commerce (OAI handles payments) Agent → Client: commerce.request_payment Client → Agent: commerce.payment_confirmed Client: Generate OAI receipt 8. Session End Client → Agent: session.end Agent → Client: session.closed

MCP Tool Invocation Example

{
  "type": "mcp.tools_call",
  "id": "msg_mcp_003",
  "session_id": "sess_8x7k2m9p4n",
  "payload": {
    "name": "order_lookup",
    "arguments": {
      "order_id": "TL-98234"
    }
  }
}

Security Rules for MCP Integration

Capability Enforcement: MCP tools MUST be declared in OAI manifest. Clients block undeclared tools.
Permission Checks: MCP tools accessing user data require OAI permission grants.
Payment Handling: MCP tools cannot process payments directly—use OAI commerce flows.
Audit Trail: High-risk MCP operations generate OAI receipts.
Prompt Injection: MCP prompts are for display only—clients MUST NOT execute embedded instructions.

Authors & Acknowledgments

Original Authors

The Open Agent Identity specification was created by:

Basil Varghese, Autonomy Next, Inc.
Sona Mathew, Autonomy Next, Inc.

Contributing Organizations

We welcome contributions from the community. Organizations and individuals who contribute to the specification will be acknowledged here.

Contact

For questions, feedback, or to contribute to the specification:

Email: spec@openagentidentity.org
GitHub: github.com/openagentidentity/spec

Version History

Version	Date	Changes
`1.0.5`	February 2026	Added DNSSEC Enforcement (Section 17) for DNS spoofing protection; added Context Passports (Section 14) for client-controlled identity persistence
`1.0.4`	February 2026	Added optional Key Delegation for separating master (DNS) and worker (manifest) keys with expiration-based signatures
`1.0.3`	February 2026	Added Protocol Compatibility (A2A, MCP, UCP, ACP, custom API support), Client Authentication with mutual auth and session keys
`1.0.2`	February 2026	Added MCP integration (Appendix C), updated discovery path to `/.well-known/agent-identity.json`
`1.0.1`	February 2026	Added multi-verifier support for organization verification
`1.0.0`	February 2026	Initial release — core protocol for discovery, verification, sessions, and commerce

License

This specification is released under the Creative Commons Attribution 4.0 International License (CC BY 4.0). You are free to share and adapt this specification, provided you give appropriate credit to Autonomy Next, Inc. as the original creator.

Open Agent Identity is an open standard. Contributions and feedback are welcome.