HTTP was built for humans in 1991. Thirty years of bolt-on security later, we still have no per-message signing, no agent identity, no trust levels, no audit trail.
AI agents are about to become the primary consumers of web APIs. They need a protocol built for them.
We built ATTP -- Agent Trust Transport Protocol. The secure transport layer for AI agents.
What ATTP does
Every API call:
- Mandatory ECDSA P-256 signing (request AND response)
- Agent Passport (cryptographic identity, not bearer tokens)
- Trust levels L0-L4 (per-endpoint access control)
- Tamper-evident audit trail (built into the protocol)
- No insecure mode. Security is not optional.
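The per-message signing in the list above, sketched with Node's built-in `crypto` module. This is an added example, not code from the `@proofxhq/attp` package or the ATTP drafts; the canonical form, field names, clock-skew window and replay cache are assumptions made for illustration.

```javascript
// Added illustration; NOT the @proofxhq/attp implementation or the ATTP wire format.
const crypto = require('node:crypto');

// Constructed agent key pair (ECDSA on P-256, which Node/OpenSSL call prime256v1).
const agentKeys = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });

// Hypothetical canonical form: every field the signature must bind, one per line.
function canonicalize(msg) {
  const bodyHash = crypto.createHash('sha256').update(msg.body).digest('hex');
  return [msg.method, msg.path, msg.timestamp, msg.nonce, bodyHash].join('\n');
}

function signMessage(msg, privateKey) {
  const sig = crypto.sign('sha256', Buffer.from(canonicalize(msg)), privateKey);
  return { ...msg, signature: sig.toString('base64') };
}

const seenNonces = new Set(); // replay cache; a real server would expire entries

// Returns 'ok' or the reason the message is rejected. Unsigned is never accepted.
function verifyMessage(msg, publicKey, now = Date.now(), maxSkewMs = 60_000) {
  if (typeof msg.signature !== 'string') return 'unsigned';
  const valid = crypto.verify('sha256', Buffer.from(canonicalize(msg)),
    publicKey, Buffer.from(msg.signature, 'base64'));
  if (!valid) return 'bad-signature';
  if (Math.abs(now - msg.timestamp) > maxSkewMs) return 'stale';
  if (seenNonces.has(msg.nonce)) return 'replay';
  seenNonces.add(msg.nonce);
  return 'ok';
}

// Constructed sample request, checked under five conditions.
function demo() {
  const t0 = 1_700_000_000_000;
  const { privateKey, publicKey } = agentKeys;
  const signed = signMessage({ method: 'POST', path: '/v1/data', timestamp: t0,
    nonce: crypto.randomBytes(16).toString('hex'), body: '{"amount":10}' }, privateKey);
  return {
    tampered: verifyMessage({ ...signed, body: '{"amount":9999}' }, publicKey, t0),
    unsigned: verifyMessage({ ...signed, signature: undefined }, publicKey, t0),
    first: verifyMessage(signed, publicKey, t0 + 1000),
    replayed: verifyMessage(signed, publicKey, t0 + 2000),
    stale: verifyMessage(signMessage({ ...signed, nonce: 'n2' }, privateKey),
      publicKey, t0 + 120_000),
  };
}

console.log(demo());
```

The same `signMessage` and `verifyMessage` pair applies to a response signed with the server's key, which is what makes the signing mutual rather than request-only.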
One line to add to any server
```js
const attp = require('@proofxhq/attp');
// Reject any request whose agent trust level is below L2
app.use(attp.verify({ minTrust: 'L2' }));
```
One line for the agent
```js
const attp = require('@proofxhq/attp');
(async () => { // await needs an async context in a CommonJS module
  const res = await attp.fetch('attp://api.example.com/v1/data');
})();
```
Keys auto-generate. No certificate authority. No gateway. Works with existing HTTP infrastructure.
Enterprise ready
PKI integration with X.509 certificate chains. Hardware key storage via PKCS#11. Instant revocation -- not hours like TLS CRL.
Imagine: payment-bot@acmecorp.com makes an API call. The server verifies the certificate chain back to ACME Corp's root CA. Trust level L3. Hardware-bound keys. The agent is cryptographically proven to be who it claims to be.
Live demo
Make a real ATTP call from your browser. Real ECDSA signatures. Real trust verification. Real audit trail.
The npm package
```bash
npm install @proofxhq/attp
```
Zero dependencies. Node.js 18+.
Part of a larger stack
ATTP is one of 6 IETF Internet-Drafts we've submitted covering the full agent security protocol stack:
| Protocol | What | IETF Draft |
|---|---|---|
| ATTP | Agent-to-server (sync) | draft-sharif-attp-agent-trust-transport |
| ATP | Agent-to-agent (async) | draft-sharif-agent-transport-protocol |
| MCPS | MCP message signing | draft-sharif-mcps-secure-mcp |
| Trust | Trust framework L0-L4 | draft-sharif-agent-payment-trust |
| Identity | Agent identity claims | draft-sharif-openid-agent-identity |
| Audit | Tamper-evident logging | draft-sharif-agent-audit-trail |
The OWASP MCP Security Cheat Sheet covers the message integrity requirements. 5 audit controls are merged into OWASP AISVS. The OpenAPI extension (x-agent-auth) is registered and approved by a Technical Steering Committee member.
HTTP created the web. ATTP creates the agent web.
The difference: ATTP starts secure.