DEV Community

Warren Koch

Why AI Agents Need Passport Stamps

AI agents are about to move between platforms the way people move between countries. They'll call tools on external services, get cloned across environments, migrate when platforms shut down. Every one of these transitions is invisible today.

No record. No proof. No audit trail.

I built the Passage Protocol to fix that: signed, portable departure and admission records for AI agents. Think passport stamps, but for software.

The Problem

When an AI agent leaves a platform today, nothing happens. There's no certificate of departure, no record of the conditions under which it left, no way for the next platform to verify where it came from.

This creates real problems:

  • Insurance can't price agent risk without departure history. If an agent causes damage, who's liable? The platform it came from? The one it's on now? Without records, this is unanswerable.
  • GDPR requires erasure proof when agents carry PII across borders. How do you prove data was properly handled during a transition that nobody recorded?
  • Incident response depends on conditions nobody tracks. Was the agent banned? Did it leave voluntarily? Was it an emergency evacuation?

This is the same problem global shipping solved decades ago. Point-to-point delivery works with simple rules. But a global supply chain with twelve handoffs needs bills of lading and chain-of-custody documentation. AI agents are at that inflection point now.

The Solution: EXIT + ENTRY

The Passage Protocol has two halves:

  • EXIT creates signed departure markers: a compact certificate that an agent left a platform, including why, when, and under what conditions.
  • ENTRY handles admission on the other side: verifying the departure record and applying local policy before granting access.

Each EXIT marker is just 7 mandatory fields, roughly 335 bytes. They're content-addressed, cryptographically signed (Ed25519, with a FIPS P-256 path), and verifiable offline years later without the origin platform being online.

Three ceremony types handle different scenarios:

  • Cooperative: both agent and platform sign. The standard path.
  • Unilateral: agent signs alone. For when the platform won't cooperate.
  • Emergency: immediate exit, one step, no waiting.
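The properties described above (content-addressed, Ed25519-signed, checked offline, then subject to local admission policy) can be seen in miniature in this added example. It is not the Passage Protocol's code or marker format: the field names, the `createMarker` and `admit` helpers, the single-signer simplification and the policy shape are assumptions made for illustration, using only Node's built-in `crypto` module.

```javascript
// Added illustration only: not the cellar-door-exit wire format; field names are hypothetical.
const { createHash, generateKeyPairSync, sign, verify } = require('node:crypto');

// Deterministic bytes for a flat record: keys sorted so the hash and signature are stable.
const canonical = (body) =>
  Buffer.from(JSON.stringify(Object.keys(body).sort().map((k) => [k, body[k]])));
const contentId = (bytes) => 'sha256:' + createHash('sha256').update(bytes).digest('hex');

// EXIT side: content-address the record, then sign the same bytes with Ed25519.
function createMarker(body, privateKey) {
  const bytes = canonical(body);
  return { id: contentId(bytes), body, sig: sign(null, bytes, privateKey).toString('base64') };
}

// ENTRY side: offline integrity and signature checks first, local policy last.
function admit(markerJson, trustedKey, policy) {
  const deny = (reason) => ({ admitted: false, reason });
  let m;
  try { m = JSON.parse(markerJson); } catch { return deny('malformed'); }
  if (!m || typeof m.body !== 'object' || m.body === null || typeof m.sig !== 'string') {
    return deny('malformed');
  }
  const bytes = canonical(m.body);
  if (contentId(bytes) !== m.id) return deny('id-mismatch');
  if (!verify(null, bytes, trustedKey, Buffer.from(m.sig, 'base64'))) return deny('bad-signature');
  if (!policy.allowedCeremonies.includes(m.body.ceremony)) return deny('policy');
  return { admitted: true, reason: 'ok' };
}

// Constructed sample data: a throwaway key pair and a made-up departure record.
const { publicKey, privateKey } = generateKeyPairSync('ed25519');
const policy = { allowedCeremonies: ['cooperative', 'unilateral'] };
const marker = createMarker({
  subject: 'did:example:agent-1',
  origin: 'did:web:platform.example',
  ceremony: 'cooperative',
  timestamp: '2026-03-01T00:00:00Z',
}, privateKey);

console.log(admit(JSON.stringify(marker), publicKey, policy));
const forged = { ...marker, body: { ...marker.body, origin: 'did:web:other.example' } };
console.log(admit(JSON.stringify(forged), publicKey, policy));
```

The forged copy is rejected with `id-mismatch`; recomputing the id to match the edited body does not help, because the signature no longer verifies over the new bytes.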

Show Me the Code

npm install cellar-door-exit

import { quickExit, quickVerify, toJSON } from 'cellar-door-exit';

// Create a signed departure marker
const { marker } = quickExit('did:web:platform.example');

// Verify it: works offline, works years later
const result = quickVerify(toJSON(marker));
console.log(result.valid); // true

That's the core loop. Create a marker, verify it anywhere. No network calls needed for verification.

For the admission side:

npm install cellar-door-entry

import { quickEntry } from 'cellar-door-entry';

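// Verify a departure record and create an admission stamp.
// exitMarkerJson is assumed to be the serialized EXIT marker,
// e.g. the toJSON(marker) output from the example above.
const entry = quickEntry(exitMarkerJson);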
console.log(entry.admitted); // true

Framework Integrations

The protocol ships with integrations for the frameworks people actually use:

LangChain (TypeScript and Python):

import { ExitCallbackHandler } from '@cellar-door/langchain';

const handler = new ExitCallbackHandler({
  origin: 'my-app',
  onMarker: (marker) => console.log('Departed:', marker.id),
});

// `chain` and `input` are your existing LangChain runnable and its input
await chain.invoke(input, { callbacks: [handler] });
// EXIT marker created automatically when the chain finishes

MCP Server: expose EXIT/ENTRY as tools in the Model Context Protocol.

Vercel AI SDK, ElizaOS: drop-in integrations.

On-Chain Anchoring

For situations where you need immutable, publicly auditable records, the protocol supports anchoring markers on-chain via:

  • EAS (Ethereum Attestation Service)
  • ERC-8004 (identity and reputation)
  • Sign Protocol

This is optional. The protocol works perfectly fine off-chain. But when regulatory or compliance requirements demand it, the path is there.

Where This Stands

I'll be honest: this is day one. Zero users. Apache 2.0. The protocol was submitted to the NIST AI Agent Standards Initiative in March 2026.

The codebase has 14 repos, 1,401 tests across 13 packages in TypeScript and Python. It's been through extensive testing but no formal security audit.

I'm building this because I think the agent ecosystem is going to need departure records the same way international travel needs passport stamps. Not because agents are people, but because the complexity of multi-platform agent movement exceeds what informal tracking can handle.

Links

If you're building multi-agent systems or thinking about agent portability, I'd love to hear what problems you're running into. The spec is open, the code is open, and I'm looking for early feedback.
