
research(security): AIP agent identity protocol — IBCT verifiable delegation chain for MCP+A2A, 2.4ms overhead (arXiv:2603.24775) #2304

@bug-ops

Paper

arXiv:2603.24775, "AIP: Agent Identity Protocol for Verifiable Delegation Across MCP and A2A"

Key Finding

Invocation-Bound Capability Tokens (IBCTs) bind identity, attenuated authorization, and provenance into a single append-only chain — JWT for single-hop, Biscuit/Datalog for multi-hop. Blocked all 600 adversarial delegation attempts with under 2.4ms overhead per hop.

Applicability to Zeph

  • A2A: Zeph's A2A server (zeph-a2a) currently accepts requests with no bearer auth by default (see "WARN A2A server running without bearer auth"). AIP provides a structured way to add verifiable identity to message/send calls.
  • MCP: Multi-server MCP topology could use IBCTs to scope tool permissions per calling agent. An MCP tool invoked by a sub-agent via orchestration has different trust than one invoked by the user directly.
  • Implementation sketch: Add optional IBCT validation middleware to the zeph-a2a router. On message/send, verify the delegation chain before routing to the agent loop. Store the provenance token as ClaimSource metadata (ties in with the ClaimSource field from PR #2293, "feat(tools): ClaimSource provenance, ErrorDomain recovery, MCP tool pruning").
  • Priority: Medium — A2A bearer auth is already flagged as P2 (adjacent to #2295, "bug(a2a): daemon PID file not cleaned on abnormal exit — restart requires manual cleanup"). IBCT is a more principled solution than a static bearer token.
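
An added sketch of the checks that "verify the delegation chain before routing" implies. It is not Zeph's code and not the AIP token format from the paper. It shows each block being linked to its parent, issued by the parent's subject, and allowed only to narrow scopes. The field names, scope strings, demo keys and the `req-1` invocation id are assumptions, and HMAC-SHA256 stands in for the JWT/Biscuit signatures.

```python
import hashlib, hmac, json

# Constructed demo keys; HMAC-SHA256 stands in for JWT/Biscuit signatures.
KEYS = {"user": b"k-user", "orchestrator": b"k-orch", "sub-agent": b"k-sub"}
TRUSTED_ROOT = "user"  # assumption: every chain must start at the user

def _body(block):
    fields = {k: v for k, v in block.items() if k != "tag"}
    return json.dumps(fields, sort_keys=True).encode()
def _tag(block):
    return hmac.new(KEYS[block["iss"]], _body(block), hashlib.sha256).hexdigest()
def _link(block):
    # Digest over the parent block and its tag: later blocks pin earlier ones.
    return hashlib.sha256(_body(block) + block["tag"].encode()).hexdigest()

def append_block(chain, issuer, subject, scopes, invocation):
    """Hypothetical helper: issuer delegates scopes to subject for one invocation."""
    block = {"iss": issuer, "sub": subject, "scopes": sorted(scopes),
             "inv": invocation, "prev": _link(chain[-1]) if chain else ""}
    block["tag"] = _tag(block)
    return chain + [block]

def verify_chain(chain, caller, scope, invocation):
    """Return (ok, reason); intended to run before routing to the agent loop."""
    if not chain or chain[0]["iss"] != TRUSTED_ROOT or chain[0]["prev"] != "":
        return False, "untrusted root"
    parent = None
    for block in chain:
        if block["iss"] not in KEYS or not hmac.compare_digest(_tag(block), block["tag"]):
            return False, "bad tag"
        if block["inv"] != invocation:
            return False, "wrong invocation"
        if parent is not None:
            if block["prev"] != _link(parent):
                return False, "broken link"
            if block["iss"] != parent["sub"]:
                return False, "issuer is not previous subject"
            if not set(block["scopes"]) <= set(parent["scopes"]):
                return False, "scope escalation"
        parent = block
    if parent["sub"] != caller:
        return False, "caller is not final subject"
    if scope not in parent["scopes"]:
        return False, "scope not granted"
    return True, "ok"

# Constructed sample: user -> orchestrator -> sub-agent for one message/send call.
good = append_block([], "user", "orchestrator", ["tool:read", "tool:search"], "req-1")
good = append_block(good, "orchestrator", "sub-agent", ["tool:read"], "req-1")
```

In a real deployment the verifier would hold only public keys, which is what the signature schemes named in the issue provide and what a shared-key MAC cannot.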

Labels

  • P2: High value, medium complexity
  • research: Research-driven improvement
  • security: Security-related issue
