Agentic Airlock

Trust and compliance layer for AI agents — an open protocol for agent identity verification, behavioral trust scoring, and regulatory compliance. Extends OAuth 2.1 with progressive trust, delegation chains, and tamper-evident audit trails.

Registry: api.airlock.ing

---

What's New in v1.0

OAuth 2.1 Authorization Server

• Full OAuth 2.1 server with private_key_jwt authentication (Ed25519)
• EdDSA-signed JWT access tokens with trust score claims
• RFC 8693 Token Exchange for delegation chains with scope narrowing
• Token introspection with live trust data, OIDC discovery, JWKS endpoints

Compliance Engine

• Agent inventory, risk classification (low/medium/high/critical), incident tracking
• Hash-chain integrity for tamper-evident compliance records
• Automated compliance report generation with regulatory framework mapping
• Bias detection for verification outcome patterns

Dual-Mode Identity Verification

• Orchestrator accepts both Ed25519 signatures and OAuth bearer tokens
• Backward-compatible — existing Ed25519 flows work unchanged

Semantic Challenge Deprecation

• LLM-based challenge disabled by default (now optional via pip install airlock-protocol[llm])
• Trust decisions based on cryptographic verification and behavioral scoring

See CHANGELOG.md for the full release history.

---

The Problem

AI agents are rapidly gaining the ability to communicate autonomously (via protocols like Google A2A and Anthropic MCP). There is no standard mechanism for verifying agent identity, authorization, or trustworthiness. The agent ecosystem is repeating the same mistake email made — building communication without authentication. The Agentic Airlock builds the trust layer before the agent spam crisis hits.

---

The Solution

A trust and compliance platform that builds on top of OAuth 2.1, adding behavioral trust scoring, delegation chains, and regulatory audit trails.

Agent ──OAuth 2.1 token──> Airlock Gateway ──trust-enriched token──> Agent

OAuth provides:  identity (who is this agent?)
Airlock adds:    trust (how much should I trust it?)
                 compliance (audit trail for regulators)
                 delegation (Agent A -> B -> C with scope narrowing)

---

Architecture

                        +------------------------------------------+
                        |           Agentic Airlock                 |
                        |                                           |
  Agent A ---------->  |  [Gateway]  --->  EventBus                |
   (OAuth token or      |     |               |                     |
    Ed25519 handshake)  |     | ACK/NACK      v                    |
                        |     |         [Orchestrator]              |
                        |     |               |                     |
                        |     |         +-----+------+             |
                        |     |         v            v             |
                        |     |   ReputationStore  OAuth Server    |
                        |     |         |            |             |
                        |     |    trust score   token + claims    |
                        |     |         v                          |
                        |     |   TrustVerdict (VERIFIED /          |
                        |     |   REJECTED / DEFERRED)             |
                        |     |         |                          |
                        |     |         v                          |
                        |     |   Attestation + Compliance Audit   |
                        +-----+------------------------------------+

---

Quickstart

pip install airlock-protocol

# Verify an agent in 7 lines
python -c "
from airlock import AirlockClient
client = AirlockClient()  # defaults to api.airlock.ing
result = client.verify('did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK')
print(f'Verified: {result.verified}, Score: {result.trust_score}')
"

CLI

# Verify an agent from the command line
airlock verify did:key:z6Mk...

# Start a local gateway for development
airlock serve

# Scaffold a new Airlock-protected project
airlock init

Self-hosting

# Clone and run locally
git clone https://github.com/airlock-protocol/airlock.git
cd airlock
pip install -e ".[dev]"
python demo/run_demo.py       # 3-agent demo, no external services needed
python -m pytest tests/ -v    # 853 tests

Full Getting Started Guide

---

SDK Usage

from airlock import AirlockClient

# Default — routes through central Airlock registry (api.airlock.ing)
client = AirlockClient()
result = client.verify("did:key:z6Mk...")
if result.verified:
    print(f"Trusted: {result.agent_name}, Score: {result.trust_score}")

# Self-hosted — point to your own gateway
client = AirlockClient(gateway_url="http://localhost:8000")

# Async support
result = await client.averify("did:key:z6Mk...")

TypeScript client (airlock-client)

The npm workspace under sdks/typescript exposes the same REST operations via fetch (Node 18+). See sdks/typescript/README.md. Published PyPI name remains airlock-protocol (Python); the TS package is airlock-client on npm when released.

MCP adapter (airlock-mcp)

integrations/airlock-mcp is a stdio Model Context Protocol server that surfaces gateway tools (health, resolve, session, reputation, etc.) to MCP hosts. Build from repo root: npm install && npm run build:mcp.

When you publish: see RELEASING.md (PyPI OIDC, npm NPM_TOKEN, workflows).

---

Deploy (Docker)

• Docker Compose (gateway + Redis, persistent LanceDB volume): docs/deploy/docker.md
• Quick start: copy .env.example to .env, set AIRLOCK_GATEWAY_SEED_HEX, then docker compose up --build.

---

API Reference

Core Endpoints

Method	Endpoint	Description
POST	/resolve	Look up an agent by DID and return its profile
POST	/handshake	Submit a signed HandshakeRequest for verification
GET	/pow-challenge	Issue a Proof-of-Work challenge (SHA-256 or Argon2id)
POST	/challenge-response	Submit an agent's answer to a semantic challenge
POST	/register	Register an AgentProfile (DID + capabilities + endpoint)
POST	/feedback	Signed SignedFeedbackReport (Ed25519 + nonce)
POST	/heartbeat	Signed heartbeat (liveness probe)
GET	/reputation/{did}	Return the current trust score for an agent DID
GET	/session/{session_id}	Poll session state (Bearer auth required)
WS	/ws/session/{session_id}	Push session updates via WebSocket

OAuth 2.1 Endpoints

Method	Endpoint	Description
POST	/oauth/token	Token endpoint (client credentials + token exchange)
POST	/oauth/register	Dynamic client registration (RFC 7591)
POST	/oauth/introspect	Token introspection with live trust data (RFC 7662)
POST	/oauth/revoke	Token revocation
GET	/.well-known/openid-configuration	OIDC discovery document
GET	/.well-known/jwks.json	Ed25519 public key (JWK format)

Compliance Endpoints

Method	Endpoint	Description
GET	/compliance/inventory	List all registered agents
POST	/compliance/inventory	Register an agent in the compliance inventory
GET	/compliance/inventory/{did}	Get agent compliance profile
GET	/compliance/report	Generate compliance report
GET	/compliance/report/{did}	Per-agent compliance report
POST	/compliance/incident	Report a compliance incident
GET	/compliance/incidents	List incidents (paginated)
GET	/compliance/risk/{did}	Get risk classification for an agent
GET	/compliance/audit-summary	Audit summary for inspection

Operations Endpoints

Method	Endpoint	Description
GET	/health	Diagnostics (subsystems, queue depth, uptime)
GET	/live	Process liveness (Docker HEALTHCHECK)
GET	/ready	Readiness (HTTP 503 if deps not ready)
GET	/metrics	Prometheus text (requires AIRLOCK_SERVICE_TOKEN)
POST	/token/introspect	Validate a trust JWT
*	/admin/*	Ops API (when AIRLOCK_ADMIN_TOKEN is set)

---

Trust Scoring

Initial Score

New agents start at a neutral score of 0.50.

Routing Thresholds

Score Range	Routing Decision	Outcome
>= 0.75	Fast-path	VERIFIED immediately
0.15 - 0.74	Standard verification	Cryptographic + behavioral checks
<= 0.15	Blacklist	REJECTED immediately

Score Updates

Verdict	Delta
VERIFIED	+0.05 / (1 + count * 0.1) (diminishing returns)
REJECTED	-0.15 (fixed penalty)
DEFERRED	-0.02 (ambiguity signal)

Trust Tiers

Tier	Score Ceiling	Decay Half-Life
UNKNOWN	0.50	30 days
CHALLENGE_VERIFIED	0.70	90 days
DOMAIN_VERIFIED	0.90	180 days
VC_VERIFIED	1.00	365 days

Agents with 10+ interactions have a decay floor of 0.60 — established agents never drop back to fully unknown.

Half-Life Decay

Scores decay toward neutral (0.50) over time:

decayed = 0.5 + (score - 0.5) * 2^(-elapsed_days / half_life)

Decay half-life is tier-specific (see table above). An agent that stops interacting gradually becomes "unknown" rather than "suspect."

---

Project Structure

airlock-protocol/
├── airlock/
│   ├── config.py                  # Pydantic settings (env vars with AIRLOCK_ prefix)
│   ├── pow.py                     # Proof-of-Work (SHA-256 Hashcash / Argon2id)
│   ├── trust_jwt.py               # HS256 trust tokens for verified outcomes
│   ├── compliance/
│   │   ├── inventory.py           # Agent inventory registry
│   │   ├── risk_classifier.py     # Risk classification engine
│   │   ├── report_generator.py    # Compliance report generation
│   │   ├── incident.py            # Incident tracking with hash-chain integrity
│   │   ├── bias_detector.py       # Bias detection for verification patterns
│   │   ├── regulatory_mapper.py   # Regulatory framework principle mapping
│   │   └── schemas.py             # Compliance Pydantic models
│   ├── crypto/
│   │   ├── keys.py                # Ed25519 KeyPair + did:key encoding/decoding
│   │   ├── signing.py             # sign_model / verify_model + canonicalization
│   │   └── vc.py                  # W3C Verifiable Credential issue + validate
│   ├── engine/
│   │   ├── event_bus.py           # Typed async EventBus (asyncio.Queue backed)
│   │   ├── orchestrator.py        # LangGraph verification state machine
│   │   └── state.py               # SessionManager with TTL expiry
│   ├── gateway/
│   │   ├── app.py                 # FastAPI application factory + lifespan
│   │   ├── handlers.py            # Request handlers (dual-mode auth + event publish)
│   │   ├── routes.py              # Core protocol routes
│   │   ├── oauth_routes.py        # OAuth 2.1 endpoints
│   │   ├── compliance_routes.py   # Compliance endpoints
│   │   ├── revocation.py          # DID revocation store (sync + async + Redis)
│   │   └── rate_limit.py          # Per-IP + per-DID throttling
│   ├── oauth/
│   │   ├── server.py              # OAuth 2.1 authorization server
│   │   ├── grants/                # Client credentials + token exchange
│   │   ├── token_generator.py     # EdDSA JWT generation with trust claims
│   │   ├── token_validator.py     # JWT validation + delegation depth check
│   │   ├── introspection.py       # RFC 7662 token introspection
│   │   ├── discovery.py           # OIDC discovery + JWKS
│   │   ├── dependencies.py        # FastAPI Depends helpers
│   │   ├── registration.py        # RFC 7591 dynamic client registration
│   │   ├── models.py              # OAuth Pydantic models
│   │   ├── scopes.py              # Scope definitions + validation
│   │   └── store.py               # Client + token persistence
│   ├── reputation/
│   │   ├── scoring.py             # Tiered decay + verdict delta + floor protection
│   │   └── store.py               # LanceDB-backed TrustScore persistence
│   ├── rotation/                  # Key rotation with pre-rotation commitments
│   ├── schemas/                   # Pydantic models (identity, events, verdict, etc.)
│   ├── sdk/
│   │   ├── client.py              # AirlockClient (async httpx wrapper)
│   │   └── middleware.py          # AirlockMiddleware (protect decorator)
│   └── semantic/
│       ├── challenge.py           # LLM-backed challenge (optional, disabled by default)
│       └── fingerprint.py         # SimHash + SHA-256 bot detection
├── integrations/
│   └── airlock-mcp/               # MCP stdio server (gateway tools)
├── sdks/
│   └── typescript/                # npm package `airlock-client` (HTTP + types)
├── examples/                      # Agent scenarios + demos
└── tests/                         # 853 tests (unit, integration, property-based, security)

---

Design Principles

Principle	Implementation
PKI-first	All identities are did:key — DID documents derived from Ed25519 public key
OAuth-native	Standard OAuth 2.1 token flows with trust claims — no proprietary auth
Signed everything	Every message carries an Ed25519 signature over its canonical JSON form
Event-driven	Thin transport layer; all verification logic in async EventBus + LangGraph
Reputation with memory	Half-life decay means reputation is time-sensitive — inactive agents fade
Local-first	LanceDB is embedded (no server). The entire stack runs on a laptop
A2A compatible	HandshakeRequest wraps Google A2A message objects
Progressive trust	Trust tiers gate score ceilings — VC verification unlocks 1.00
Privacy-aware	privacy_mode lets callers control data residency
Anti-Sybil	Proof-of-Work (SHA-256 / Argon2id) + answer fingerprinting
Audit-ready	Hash-chained audit trail + compliance reporting for regulators

---

Environment Variables

All settings use the AIRLOCK_ prefix:

Variable	Default	Description
AIRLOCK_HOST	0.0.0.0	Gateway bind address
AIRLOCK_PORT	8000	Gateway port
AIRLOCK_ENV	development	development or production
AIRLOCK_GATEWAY_SEED_HEX	(random)	64-char hex Ed25519 seed (required in production)
AIRLOCK_LANCEDB_PATH	./data/reputation.lance	Path to reputation database
AIRLOCK_OAUTH_ENABLED	true	Enable OAuth 2.1 authorization server
AIRLOCK_OAUTH_TOKEN_TTL_SECONDS	3600	OAuth access token lifetime
AIRLOCK_OAUTH_MAX_DELEGATION_DEPTH	5	Max token exchange chain depth
AIRLOCK_COMPLIANCE_ENABLED	true	Enable compliance module
AIRLOCK_TRUST_TOKEN_SECRET	(empty)	HS256 secret for trust tokens
AIRLOCK_SERVICE_TOKEN	(empty)	Bearer token for ops endpoints
AIRLOCK_REDIS_URL	(empty)	Redis URL for multi-replica mode
AIRLOCK_CHALLENGE_FALLBACK_MODE	disabled	disabled, ambiguous, or rule_based

---

License

Component	License
SDKs, crypto, schemas (sdks/, airlock/crypto/, airlock/schemas/)	Apache 2.0
Gateway, engine (airlock/gateway/, airlock/engine/)	BSL 1.1 (converts to Apache 2.0 on 2030-04-04)
Specification (docs/spec/)	CC-BY-4.0

See LICENSE for details.

Author

Shivdeep Singh (@shivdeep1) — airlock.ing