MCP, A2A, ANP, AG-UI — every protocol invented its own identity system. Here's how I built a bridge between them.
The problem nobody talks about
In 2026, AI agents talk to each other using four major protocols:
MCP (Anthropic/AAIF) — agent → tool, OAuth tokens
A2A (Google/Linux Foundation) — agent → agent, Agent Cards
ANP (W3C) — peer-to-peer, DID keys
AG-UI — agent → human, no identity at all
Each one invented its own identity system. Each one requires separate credentials. Each one has its own discovery mechanism.
If your agent talks MCP to your database, A2A to a partner's agent, and ANP to a decentralized peer, it has three separate identities with zero link between them.
Try answering these questions:
"Which agent executed this transaction?" → Depends on which protocol you check
"Revoke this compromised agent." → You need to revoke it in 3 different systems
"Show me the complete audit trail." → It doesn't exist. The trace breaks at every protocol boundary
This isn't a theoretical problem. 29% of enterprises already run agents in production, and 44% plan to join within the year. The identity fragmentation is happening right now.
Why existing solutions don't fix it
I spent weeks researching every project in this space:
AGNTCY Identity (Cisco) supports "bring your own ID" with Agent Cards, but it's tied to the Cisco ecosystem. No cross-protocol translation.
AgentPass offers cryptographic passports, but focused on web authentication (email, SMS), not AI protocol bridging.
Dock.io / Truvera provides Verifiable Credentials for agents ("Know Your Agent"), but operates within a single credential framework. No MCP/A2A/ANP translation.
XAA (Okta) extends OAuth for agent-to-app access, but through a centralized IdP. No cross-protocol awareness.
IETF draft-klrc-aiagent-auth is a theoretical framework. No implementation.
The gap is clear: nobody bridges the identity layer between protocols. Everyone builds within one protocol and ignores the others.
What I built: Agent Identity Bridge
AIB is an open-source protocol (Apache 2.0) that gives an AI agent one passport that works across every protocol. Four components:
- Agent Passport
A JWS-signed JSON document that binds one identity to all protocols:
json
{
"passport_id": "urn:aib:agent:mycompany:booking",
"display_name": "mycompany/booking",
"protocol_bindings": {
"mcp": {
"auth_method": "oauth2",
"server_card_url": "https://mycompany.com/.well-known/mcp.json"
},
"a2a": {
"auth_method": "bearer",
"agent_card_url": "https://mycompany.com/.well-known/agent.json"
},
"anp": {
"auth_method": "did-auth",
"did": "did:web:mycompany.com:agents:booking"
}
},
"capabilities": ["booking", "scheduling"],
"expires_at": "2027-03-24T00:00:00Z"
}
Signed with RS256 (asymmetric — private key signs, public key verifies). Key rotation every 90 days. Replay protection via jti nonce.
2. Credential Translator
Automatic conversion between identity formats:
A2A Agent Card ↔ MCP Server Card ↔ W3C DID Document
Round-trip safe. Your agent registered in A2A becomes discoverable in MCP without re-registration.
3. Gateway Proxy
A reverse proxy that detects the target protocol and injects the right credentials:
python
from aib import AIBClient
client = AIBClient(api_key="aib_sk_...")
# Call any protocol — AIB detects and handles it
result = client.send("https://partner.com/agent", {
"task": "Book a slot tomorrow 3pm"
})
print(result.protocol) # "a2a" (auto-detected)
print(result.trace_id) # "7f3a...b2c1" (unified audit)
The developer doesn't need to understand the underlying protocols.
4. Unified Audit Trail
Every cross-protocol interaction generates an OpenTelemetry span. One trace ID follows the request from your agent, through MCP, to A2A, and back — across protocol boundaries. Export to Jaeger, Grafana, Datadog.
The CLI: try it in 60 seconds
bash
git clone https://github.com/tntech-consulting/agent-identity-bridge
cd agent-identity-bridge
pip install -e .
# Create your first passport
aib create --org mycompany --agent booking --protocols mcp,a2a
# Output:
# ✓ ID: urn:aib:agent:mycompany:booking
# → Protocols: mcp, a2a
# → Expires: 2027-03-24
# List all passports
aib list
# Translate an A2A Agent Card to MCP Server Card
echo '{"name":"My Agent","url":"https://example.com","skills":[{"id":"search","name":"Search"}]}' > card.json
aib translate --from a2a --to mcp --file card.json
# Revoke a compromised agent (one command, all protocols)
aib revoke --id urn:aib:agent:mycompany:booking
# Start the gateway
aib serve --port 8420
8 commands. All working. 72 tests passing.
The security part: a novel attack vector
Building a cross-protocol translator means building a new attack surface. I documented 7 threats in a public STRIDE threat model.
The most interesting one is translation injection: a malicious Agent Card containing crafted fields (redirect URLs, excessive scopes, oversized payloads) that propagate through translation to grant unintended access in the target protocol.
Think of it like SQL injection, but for identity documents. The source protocol trusts the field content, the translator passes it through, and the target protocol interprets it as a valid permission grant.
Nobody has documented this attack vector before because nobody has built a cross-protocol identity translator before.
Mitigations implemented:
Strict input validation on every translated field (URL scheme, length, charset)
JSON Schema validation on translator outputs
Capability allowlisting (only passport-declared capabilities translate)
SSRF protection (blocks private IPs, cloud metadata, loopback)
Rate limiting per passport_id
Why this is inevitable, not optional
The protocol count only grows. MCP (2024), A2A (2025), ANP (2025), AG-UI (2025), UCP, LMOS, XAA... Each new protocol without a unified identity layer multiplies the management complexity.
Regulators are coming. NIST is actively working on AI agent identity standards (I submitted a public comment). The W3C AI Agent Protocol Community Group is preparing specs for 2027. Cross-protocol traceability will become a compliance requirement.
The cost of inaction is irreversible. Every agent deployed today without unified identity creates tech debt. Scattered credentials, uncorrelated logs, ghost agents you can't trace. Cleanup costs 10x prevention.
It takes 50 lines to add a new protocol. The passport is an open dictionary. The translator needs a new mapping function. The gateway needs a new routing rule. The core never changes. It's like HTTP — you add Content-Types without modifying the protocol.
The extensibility model
When a new protocol appears (roughly once every 6-12 months), here's what you write:
python
# aib/bindings/binding_newprotocol.py — ~50 lines
class NewProtocolBinding:
protocol_name = "new_protocol"
def to_passport_binding(self, native_card: dict) -> dict:
return {
"endpoint_url": native_card["service_url"],
"auth_method": native_card["auth"]["type"],
"credential_ref": f"vault://aib/new_protocol/{native_card['id']}",
}
def from_passport_binding(self, binding: dict) -> dict:
return {
"service_url": binding["endpoint_url"],
"auth": {"type": binding["auth_method"]},
}
def detect_protocol(self, url: str) -> bool:
return "/new-protocol/" in url
Register it. Zero changes to the core. The passport, signature, audit trail, all unchanged.
Where this is going
AIB is the open-source protocol. AIB Cloud is the managed SaaS on top — a cloud gateway where you get an API key and a dashboard instead of running your own server. Community tier (free, self-hosted), Pro tier (99€/month, managed), Enterprise (custom).
The protocol stays free forever. The convenience is what you pay for. Same model as Supabase, Grafana Cloud, or Sentry.
Get involved
GitHub: github.com/tntech-consulting/agent-identity-bridge
Protocol site: agent-identity-bridge.netlify.app
SaaS site: aib-cloud.netlify.app
Threat model: THREAT_MODEL.md
Star the repo if this resonates. Open an issue if you see a gap. And if you're running multi-protocol agents in production and want to beta test the gateway — reach out.
The identity layer between AI protocols is missing. Let's build it together.
Founder, TNTECH CONSULTING SAS. Building AIB because I got tired of managing 4 sets of credentials for agents that should have one identity.
Top comments (0)