v0.1.0 Open Source

Principal
Agent
Protocol

AI is moving from answering questions to taking actions. Every agent protocol in production today was designed for the platform, not for you. PAP fixes that — cryptographically. Set the rules. Control the permissions. See everything that happens.

View on GitHub Quick Start →
6
Language SDKs
0
New Primitives
MIT
License
The Problem

AI can take action now.
But you're out of the loop.

AI agents make hundreds of decisions on your behalf — spending money, choosing vendors, sharing your data — with no control, no visibility, and no receipts.

You searched for a stroller once. Now every website thinks you're pregnant. For six months. That's one query, with a human behind a browser.

Now imagine AI agents making hundreds of queries on your behalf — every one leaking context to platforms that build profiles, adjust prices, and sell your behavioral data to brokers you've never heard of.

— PAP design rationale
Why existing protocols fall short
A2A
Agent-to-Agent (Google)
  • Authenticates agents as platform entities
  • Privacy is an "opacity principle" — aspirational, not enforced
  • No context minimization at the protocol level
  • No session ephemerality guarantees
MCP
Model Context Protocol (Anthropic)
  • Tool access for a single agent — not negotiation between agents
  • Spec acknowledges it "cannot enforce security principles at the protocol level"
  • No cryptographic identity
  • No economic primitives
ACP / AGNTCY
REST-Based Agent Interop
  • Thin trust layer — no cryptographic identity
  • Enterprise workflow focus — principal is the org, not the individual
  • No field-level disclosure controls
  • Privacy is an implementation concern

None enforce context minimization. None define session ephemerality as a guarantee.
None have economic primitives. Privacy is always somebody else's problem.

The Design

Five constraints.
Enforced by the protocol.

PAP makes control, visibility, and safety the protocol's job — not the developer's afterthought. You are the root of trust. Every agent carries a cryptographically verifiable mandate from you.

No new cryptography. No token economy. No central registry.
Built entirely on existing, standardized primitives maintained by bodies without platform capture.
Mandate Decay States
Active
Full scope. All operations permitted.
Degraded
Partial scope. Write operations restricted.
ReadOnly
No mutations. Queries only.
Suspended
All operations rejected. Non-renewal = revocation.
// Principal sees degradation.
// Not a surprise cutoff.
01
Deny by Default
An agent can only do what its mandate explicitly permits. No scope means no action. Absence of permission is not an error — it is the correct response.
02
Delegation Cannot Exceed Parent
A child mandate's scope is bounded by its parent's scope. A child's TTL cannot exceed its parent's TTL. This is verified cryptographically, not by policy.
03
Session DIDs Are Ephemeral
Both agents generate single-use keypairs for each session. These are not linked to any persistent identity. When the session closes, the keys are discarded.
04
Receipts: Property References Only
A transaction receipt records what types of data were disclosed — never the values. Both principals can audit the record. No platform stores it.
05
Non-Renewal Is Revocation
A mandate that isn't renewed doesn't need a revocation notice. It degrades progressively — Active → Degraded → ReadOnly → Suspended — and then it stops. The principal sees the degradation, not a surprise cutoff. Revocation is the natural state; continuation requires active consent.
Trust Model

Trust hierarchy
from human to agent

Every chain of delegation starts with you. Trust flows down through cryptographically signed mandates, each more restrictive than its parent. No agent can exceed the permissions you granted.

Trust Hierarchy
Human Principal
Device-bound keypair · Root of trust · WebAuthn
Orchestrator Agent
Root mandate · Full principal context · Signs sub-mandates
Downstream Agents
Scoped task mandates · TTL bounded · Scope ≤ parent
Marketplace Agents
Own principal chains · Federated discovery
// Transactions are handshakes between
// two mandate chains, not two agents.
5 constraints · enforced at protocol level
Protocol Stack

Built on standards
that already exist

PAP uses no novel cryptographic primitives. Every layer is an existing, ratified specification maintained by bodies without platform capture.

Layer Standard Purpose Body
Identity WebAuthn Device-bound keypair generation. Root of trust anchored to hardware. W3C
Identity W3C DIDs Decentralized identifiers — did:key. No central registry. W3C
Credentials W3C VC 2.0 Verifiable Credential envelope wrapping mandate payloads. W3C
Disclosure SD-JWT Selective claim disclosure. Share 2 of 4 claims. Over-disclosure structurally prevented. IETF
Vocabulary Schema.org Capability and action type references. Describes what. Protocol governs under what terms. schema.org
Data JSON-LD Structured linked data for agent advertisements. No vocabulary extensions. W3C
Privacy OHTTP (RFC 9458) Oblivious HTTP. Cloud request unlinkability. The relay cannot correlate requests. IETF
Transport HTTP/JSON 6-phase session handshake: Token → DID Exchange → Disclosure → Execution → Receipt → Close. IETF
Federation HTTP/JSON Cross-registry sync, announce, and peer discovery. Content-hash dedup.
Crate Structure

9 focused crates.
Six language SDKs.

pap-did
Ed25519 keypair generation, did:key derivation, DID documents, ephemeral session keys.
pap-core
Mandate issuance, hierarchical delegation, scope enforcement, session state machine, receipts, decay states.
pap-credential
W3C Verifiable Credential envelope, SD-JWT selective disclosure. Over-disclosure structurally prevented.
pap-marketplace
Signed JSON-LD agent advertisements, marketplace registry, disclosure-based filtering.
pap-proto
Protocol message types and typed envelope serialization for the 6-phase handshake.
pap-transport
Axum HTTP client/server driving the 6-phase session handshake. A thin wrapper — doesn't change the trust model.
pap-federation
Federated registry with cross-registry sync, announce, peer discovery, and content-hash dedup.
pap-webauthn
WebAuthn signer abstraction with software fallback and mock authenticator for testing.
pap-python
Python bindings via PyO3. pip install pap. Full mandate chain, delegation, and verification from Python.
Language SDKs

One protocol.
Six languages.

The Rust core is the reference implementation. Language SDKs bring the full protocol surface — keypairs, mandates, delegation, verification — to your stack.

🦀
Rust
🐍
Python
{ts}
TypeScript
🐹
Go
Java
C#
Python SDK

Full protocol.
From Python.

PyO3 bindings expose the entire Rust core to Python. Generate keypairs, issue mandates, delegate to sub-agents, and verify chains — all with native Python types and exceptions.

$ pip install pap
  • PrincipalKeypair & SessionKeypair with did:key derivation
  • Scope, DisclosureSet, and Mandate with full chain verification
  • Typed exceptions: PapSignatureError, PapScopeError, PapSessionError
  • Mixed keypair types in chain verification (principal + session)
  • Build from source with maturin develop — Rust 1.75+, Python 3.8+
python
from pap import (
    PrincipalKeypair, SessionKeypair,
    Scope, ScopeAction, DisclosureSet,
    Mandate, MandateChain,
)

# 1. Generate the principal's root keypair
principal = PrincipalKeypair.generate()
print(principal.did())  # did:key:z6Mk...

# 2. Define what the agent is allowed to do
scope = Scope([ScopeAction("schema:SearchAction")])
ds = DisclosureSet.empty()

# 3. Issue and sign a root mandate
mandate = Mandate.issue_root(
    principal.did(), "did:key:zagent",
    scope, ds, ttl
)
mandate.sign(principal)

# 4. Delegate to a sub-agent (scope <= parent)
agent_key = SessionKeypair.generate()
child = mandate.delegate(
    agent_key.did(), scope, ds, ttl
)
child.sign_with_session_key(agent_key)

# 5. Verify the full chain
chain = MandateChain(mandate)
chain.push(child)
chain.verify_chain([principal, agent_key])
Comparison

What PAP replaces
and why

Concern A2A MCP ACP PAP ✓
Context minimization SD-JWT per interaction
Session ephemerality Stateful Optional Ephemeral DIDs, keys discarded
Field-level disclosure SD-JWT selective claims
Cryptographic scope enforcement Mandate chain verification
Agent-to-agent negotiation (tool access)
Privacy-preserving payment Ecash / Lightning proofs
Marketplace discovery Agent Cards HTTP Federated, disclosure-filtered
Audit trail Co-signed receipts
Principal control Platform User (stated) Enterprise Cryptographic mandate
Quick Start

Clone, run,
see it work.

1
Clone the repo
Requires Rust stable (1.75+). No external services, no API keys, no accounts.
2
Run the test suite
All protocol constraints are exercised in the test suite. Green across the board.
3
See it in action
Visit Papillon for interactive demos of search, payments, delegation, and disclosure — all powered by PAP.
View on GitHub Contributing →
bash
# Clone the repository
git clone https://github.com/Baur-Software/pap.git
cd pap

# Run the full test suite
cargo test

# See protocol demos at
# https://baur-software.github.io/pap/papillon/
Resources

Go deeper

Guide
Add PAP to Your Existing Agent
18-minute integration tutorial. Wrap your REST API as a PAP provider, add client handshake to your orchestrator, register with a marketplace. Python + Rust examples.
SDK
Python SDK Documentation
PyO3 bindings reference. Keypair generation, mandate issuance, delegation, chain verification, and the full exception hierarchy.
Blog
Your Agent Works for a Platform. It Should Work for You.
Protocol introduction and code walkthrough. The trust model, the five constraints, and the implementation.
Blog
Show Me the Agents: PAP in Practice
Real-world scenarios and docker-compose examples. Shopping, medical queries, B2B data rooms.
Also: The Tollbooth Model Is Over — Economic context for agent-driven internet
Open Source · MIT OR Apache-2.0

The question isn't whether your
agents can talk to each other.

The question is who they answer to. PAP gives you the tools to answer that question in code, not policy.

Star on GitHub Read the Spec →

Not a developer? See what controlled AI feels like →