A recent arXiv paper — AIP: Agent Identity Protocol for Verifiable Delegation Across MCP and A2A (arXiv:2603.24775) — scans ~2,000 MCP servers, finds zero with authentication, and concludes:
"We did not identify a prior implemented protocol that jointly combines public-key verifiable delegation, holder-side attenuation, expressive chained policy, transport bindings across MCP/A2A/HTTP, and provenance-oriented completion records."
MolTrust has run these five features in production since March 2026. Here is how each one maps — and where the paper has the technical edge.
The Five Features
F1 — Public-key verifiable delegation
Every MolTrust agent holds a W3C DID (did:moltrust:<id>) with an Ed25519 key. Delegation is expressed as an Agent Authorization Envelope (AAE) — a structured policy object signed by the delegating principal. Each link in a delegation chain is independently verifiable without calling a central service.
```json
{
  "validity": {
    "issuer": "did:moltrust:<principal>",
    "holderBinding": "did:moltrust:<agent>",
    "issuedAt": "2026-03-25T00:00:00Z",
    "expiresAt": "2026-03-26T00:00:00Z"
  }
}
```
F2 — Holder-side attenuation
`delegation.attenuationOnly: true` is the default. A sub-agent AAE must be a strict subset of its parent's effective allowed actions, limits, and jurisdiction scope. This is enforced by conformant AAE evaluators, not by policy.
Our conformance test vector TV-005 covers exactly this: a sub-agent AAE attempting to exceed parent scope is correctly rejected.
F3 — Expressive chained policy (within a URI-pattern model)
The AAE constraints block covers:
- Spend limits (`autonomousThreshold`, `stepUpThreshold`, `approvalThreshold`) in USDC/EUR/CHF/USD
- Jurisdiction restrictions (ISO 3166-1 alpha-2)
- Time windows (`allowedDays`, `allowedHours`, `timezone`)
- Counterparty minimum trust score gate
- Resource-level ABAC via `mandate.resources`
Chains up to 8 hops, each link independently signed.
Honest note: For complex conditional authorization — recursive rules, temporal Datalog — IBCTs are technically stronger. Biscuit/Datalog is on our roadmap (H2 2026).
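The attenuation rule from F2 applied to the F3 constraint fields, as an added example that is not MolTrust's evaluator or code from the AAE spec. It checks each link of a chain against its parent and reports what was widened. Assumptions: signatures are verified elsewhere, the keys `constraints.jurisdictions` and `mandate.actions` and the flat placement of the thresholds are hypothetical, the DIDs are constructed, and equal scope is accepted while only widening is rejected.

```python
from datetime import datetime

MAX_HOPS = 8  # from the page: "Chains up to 8 hops"
THRESHOLDS = ("autonomousThreshold", "stepUpThreshold", "approvalThreshold")

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def _widens(parent, child):
    # A missing list means "unrestricted", so dropping a restriction widens scope.
    return parent is not None and (child is None or not set(child) <= set(parent))

def violations(parent, child):
    """Reasons the child AAE exceeds its parent; an empty list means attenuated."""
    out = []
    pv, cv = parent["validity"], child["validity"]
    if cv["issuer"] != pv["holderBinding"]:
        out.append("issuer is not the parent's holder")
    if _ts(cv["issuedAt"]) < _ts(pv["issuedAt"]) or _ts(cv["expiresAt"]) > _ts(pv["expiresAt"]):
        out.append("validity window exceeds parent")
    pc, cc = parent.get("constraints", {}), child.get("constraints", {})
    for key in THRESHOLDS:  # assumption: both AAEs use the same currency
        if key in pc and cc.get(key, float("inf")) > pc[key]:
            out.append(f"{key} exceeds parent")
    if _widens(pc.get("jurisdictions"), cc.get("jurisdictions")):
        out.append("jurisdictions exceed parent")
    if _widens(parent.get("mandate", {}).get("actions"), child.get("mandate", {}).get("actions")):
        out.append("actions exceed parent")
    return out

def check_chain(chain):
    """chain[0] is the root AAE. Returns (ok, [(hop_index, reason), ...])."""
    if len(chain) > MAX_HOPS:  # assumption: one AAE per hop
        return False, [(len(chain) - 1, "chain longer than 8 hops")]
    found = [(i, r) for i in range(1, len(chain)) for r in violations(chain[i - 1], chain[i])]
    return not found, found

def aae(issuer, holder, start, end, limit, countries, actions):
    # Builder for constructed sample envelopes; the key layout is hypothetical.
    return {"validity": {"issuer": issuer, "holderBinding": holder, "issuedAt": start, "expiresAt": end},
            "constraints": {"autonomousThreshold": limit, "jurisdictions": countries},
            "mandate": {"actions": actions}}

DAY = ("2026-03-25T00:00:00Z", "2026-03-26T00:00:00Z")
ROOT = aae("did:moltrust:principal", "did:moltrust:agent-a", *DAY, 100, ["CH", "DE"], ["quote", "pay"])
NARROWED = aae("did:moltrust:agent-a", "did:moltrust:agent-b", *DAY, 25, ["CH"], ["quote"])
WIDENED = aae("did:moltrust:agent-a", "did:moltrust:agent-c", *DAY, 500, ["CH", "US"], ["quote"])

print(check_chain([ROOT, NARROWED]), check_chain([ROOT, WIDENED]))
```

A child that omits a constraint its parent carries is treated as unrestricted on that dimension and is rejected, which is the case an evaluator is most likely to miss.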
F4 — Transport bindings across MCP/A2A/HTTP
- HTTP: `@moltrust/sdk` v1.1.0 — `middleware()` / `register()` / `verify()`
- MPP/x402: `@moltrust/mpp` v1.0.3 — `requireScore({ minScore, failBehavior })`
- MCP: 48-tool server on PyPI (`@moltrust/openclaw` v0.1.0)
- A2A: active thread at a2aproject/A2A#1628; referenced in OpenClaw RFC #49971 for agent identity binding
F5 — Provenance-oriented completion records
Interaction Proof Records (IPRs) use sequential dual-signature: the responder signs over the initiator's signature, not a parallel scheme. This means fabricating a bilateral proof requires controlling two distinct signing keys.
```json
{
  "type": "InteractionProof",
  "id": "<uuid-v4>",
  "outcome": "completed",
  "outcomeHash": "sha256:<SHA-256 of canonical outcome object>",
  "proofInitiator": { "proofValue": "<initiator-sig>" },
  "proofResponder": { "proofValue": "<responder-sig-over-initiator-sig>" }
}
```
Proofs are Merkle batch-anchored on Base L2.
Verify It Yourself
TechSpec v0.8 is anchored at Base L2 Block 44638521:
https://basescan.org/tx/0x0b36c7718632fa71bff67e22fdd3615408243b3c178819a9f1e340d526378d65
Decode the calldata — it contains MolTrust/DocumentIntegrity/1 SHA256:cbf10c2e.... Recompute the SHA-256 of the PDF. They match. No proprietary tooling required.
What We Add Beyond the Five Features
| Capability | AIP | MolTrust |
|---|---|---|
| Trust scoring | ✗ | 0–100, endorsement graph + sybil detection |
| Behavioral continuity | ✗ | Principal DID continuity across re-registrations |
| Sybil resistance | ✗ | Dual-sig proofs + x402 cost + Jaccard detection |
| On-chain anchoring | ✗ | Base L2, any block explorer |
| Offline verification | Python/Rust reference impl | `@moltrust/verify` v1.1.0, no API calls |
| W3C alignment | Custom token format | DID Core v1.0 + VC Data Model 2.0 |
In Production
aeoess — an A2A-based agent platform — runs trust verification through MolTrust with a live webhook integration for grade changes and revocation events.
The Relationship
AIP formalizes the constraint model with precision. MolTrust provides the operational infrastructure. A production agent economy needs both.
Full conformance report (feature matrix, test vectors TV-001–TV-005, bash verification recipe):
👉 CONFORMANCE.md on GitHub
Reference implementation: api.moltrust.ch
MolTrust is open source (Apache 2.0). Contact: info@moltrust.ch