AgentProof provides Liability Proofs – cryptographic attestations that prove:
- A specific human authorized a specific action
- The authorization was made via a hardware-bound credential (Passkey)
- The authorizer accepts liability for the agent's action
A Liability Proof is a compact, self-verifying token embedded in HTTP headers:

```
X-AgentProof: v1.<payload>.<signature>
```

The payload, shown here decoded:

```json
{
  "version": "1.0",
  "proof_id": "uuid-v4",
  "issued_at": "2025-12-24T10:00:00Z",
  "expires_at": "2025-12-24T10:05:00Z",
  "principal": {
    "id": "user-uuid",
    "credential_id": "passkey-credential-id",
    "device_attestation": "platform-attestation-hash"
  },
  "agent": {
    "id": "agent-uuid",
    "name": "cursor-ai-agent",
    "version": "1.0.0"
  },
  "intent": {
    "action": "transfer",
    "target": {
      "service": "api.bank.com",
      "endpoint": "/v1/transfers",
      "method": "POST"
    },
    "parameters": {
      "amount": 1000,
      "currency": "USD",
      "to_account": "****1234"
    }
  },
  "constraints": {
    "max_amount": 5000,
    "allowed_recipients": ["****1234", "****5678"],
    "geo_fence": ["US", "CA"],
    "valid_hours": {"start": 9, "end": 17},
    "require_confirmation_above": 1000
  },
  "liability": {
    "accepted_by": "principal",
    "terms_version": "1.0",
    "dispute_window_hours": 72
  }
}
```

The signature is created using ES256 (ECDSA with the P-256 curve) via WebAuthn:
- Serialize the payload to canonical JSON
- Hash with SHA-256
- Sign with the user's Passkey private key
- Encode the signature as Base64URL
```
┌─────────────┐      ┌──────────────────┐      ┌─────────────────┐
│   Agent     │─────▶│  Target Service  │─────▶│  Verify Proof   │
│  (Request)  │      │  (Receives X-    │      │ 1. Check expiry │
│             │      │   AgentProof)    │      │ 2. Verify sig   │
└─────────────┘      └──────────────────┘      │ 3. Check intent │
                                               │ 4. Log audit    │
                                               └─────────────────┘
```
- Parse Header: extract the version, payload, and signature
- Decode Payload: Base64URL-decode, then parse the JSON
- Check Expiry: `expires_at` must be in the future
- Retrieve Public Key: from the AgentProof Trust Registry, or from cache
- Verify Signature: ES256 verification using the public key
- Validate Intent: check that the action matches the request being made
- Check Constraints: ensure the request falls within the authorized bounds
- Log Audit: record the verification result for compliance
The liability block is critical for legal clarity:

```jsonc
"liability": {
  "accepted_by": "principal",   // Who accepts liability
  "terms_version": "1.0",       // Which terms they agreed to
  "dispute_window_hours": 72    // Time to dispute an unauthorized action
}
```

| Scenario | Liable Party |
|---|---|
| Valid proof, agent acts within constraints | Principal (user) |
| Valid proof, agent exceeds constraints | Agent operator |
| Invalid/forged proof | Agent operator |
| Expired proof | Agent operator |
| Revoked credential | Agent operator |
For real-time trust lookups without full verification:

```
agentproof://agent-123.principal-456.verify
```

Returns a DNS TXT record:

```
"v=agentproof1 trusted=true score=850 expires=2025-12-25"
```
```http
POST /v1/transfers HTTP/1.1
Host: api.bank.com
Content-Type: application/json
X-AgentProof: v1.eyJ2ZXJzaW9uIjoiMS4wIi....<signature>

{"amount": 1000, "to_account": "****1234"}
```

| Code | Meaning |
|---|---|
| 200 | Request processed, proof valid |
| 401 | Missing or invalid X-AgentProof header |
| 403 | Proof valid but action not authorized by constraints |
| 410 | Proof expired |
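The `agentproof1` TXT record from the trust-lookup section, parsed and validated as an added example (not AgentProof's own code). The function name `parseTrustRecord`, the rejection of unknown or malformed tokens, and the reading of a bare `expires=` date as "no longer valid from 00:00 UTC on that day" are assumptions made here; the spec only shows the record's shape. Because the lookup is explicitly "without full verification" and a plain DNS answer is not authenticated unless DNSSEC validation is in place, the result is treated as a hint to consult before the full proof check, never as a replacement for verifying the signature.

```javascript
// Parse and validate an agentproof1 TXT record such as
// "v=agentproof1 trusted=true score=850 expires=2025-12-25".
// `now` is injectable so staleness can be tested. Returns { ok: true, ... } or { ok: false, reason }.
function parseTrustRecord(txt, now = new Date()) {
  const fail = reason => ({ ok: false, reason });
  if (typeof txt !== 'string') return fail('record is not a string');
  // TXT data is usually presented as a quoted string; strip one surrounding pair of quotes.
  const raw = txt.trim().replace(/^"(.*)"$/, '$1');
  const fields = {};
  for (const token of raw.split(/\s+/).filter(Boolean)) {
    const eq = token.indexOf('=');
    if (eq <= 0) return fail(`malformed token "${token}"`);
    const key = token.slice(0, eq);
    if (key in fields) return fail(`duplicate key "${key}"`);
    fields[key] = token.slice(eq + 1);
  }
  if (fields.v !== 'agentproof1') return fail('missing or unsupported version tag');
  if (fields.trusted !== 'true' && fields.trusted !== 'false') return fail('trusted must be true or false');
  const score = Number(fields.score);
  if (!Number.isInteger(score) || score < 0) return fail('score must be a non-negative integer');
  // Assumption: a bare date means the record stops being valid at 00:00 UTC on that day.
  const expires = new Date(fields.expires);
  if (isNaN(expires)) return fail('expires is not a valid date');
  const stale = !(now < expires);
  // A stale record never counts as trusted, whatever its trusted= flag says.
  return { ok: true, trusted: fields.trusted === 'true' && !stale, score, expires, stale };
}
```

A caller that gets `ok: false` should fall through to the full header verification rather than fail open or closed on the hint alone; the record exists to short-circuit obviously untrusted pairs, not to decide the request.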
- Passkey Binding: Proofs can only be created with hardware-bound keys
- Short Expiry: Default 5 minutes to limit replay window
- Single Use: Proof IDs should be tracked to prevent replay
- Constraint Enforcement: Target services MUST check constraints
- Audit Trail: All verifications must be logged
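The Single Use and Short Expiry items above, as an added example (not AgentProof's own code): a guard that records each `proof_id` until the proof's own `expires_at`, refuses a second presentation, and drops entries once expiry has passed, since the expiry check already rejects them from then on. The `ReplayGuard` name, the in-memory `Map`, and the maximum-lifetime check (which goes slightly beyond the spec by refusing proofs whose `issued_at` to `expires_at` window exceeds the 5-minute default) are assumptions made here; a deployment with several verifier replicas would need a shared store in place of the `Map`.

```javascript
// Tracks proof IDs that have already been consumed so a captured X-AgentProof header
// cannot be presented twice. Entries live only until the proof's own expires_at: after
// that the expiry check rejects the proof anyway, which is what keeps the set bounded.
class ReplayGuard {
  constructor(maxLifetimeMs = 5 * 60 * 1000) {   // spec default: 5 minutes
    this.seen = new Map();                        // proof_id -> expires_at (ms since epoch)
    this.maxLifetimeMs = maxLifetimeMs;
  }

  // Evaluate a decoded, already signature-verified proof payload. Returns one of:
  // 'accepted' (first use), 'replay' (seen before), 'expired', 'lifetime-too-long',
  // or 'malformed' when the proof_id or timestamps are unusable.
  consume(proof, now = Date.now()) {
    this.evict(now);
    const iss = Date.parse(proof.issued_at);
    const exp = Date.parse(proof.expires_at);
    if (typeof proof.proof_id !== 'string' || !proof.proof_id || isNaN(iss) || isNaN(exp)) return 'malformed';
    if (!(exp > now)) return 'expired';
    if (exp - iss > this.maxLifetimeMs) return 'lifetime-too-long';   // assumption: cap the window server-side
    if (this.seen.has(proof.proof_id)) return 'replay';
    this.seen.set(proof.proof_id, exp);
    return 'accepted';
  }

  // Drop entries whose proof has expired; they can never be accepted again.
  evict(now) {
    for (const [id, exp] of this.seen) if (exp <= now) this.seen.delete(id);
  }

  get size() { return this.seen.size; }
}
```

Call `consume` only after the signature has verified, so an attacker cannot fill the set with forged IDs; in a real service run `evict` on a timer rather than on every call, and log every non-`accepted` result, since a `replay` verdict is exactly the event the audit trail exists to capture.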
Protocol versions follow semver. The `version` field in the payload ensures forward compatibility.
| Version | Status |
|---|---|
| 1.0 | Current specification |
AgentProof Protocol Specification v1.0 December 2025