Every agent framework today rides on HTTP, a protocol built for documents and human clicks. A new family of AGTP specifications shows what becomes possible when agents finally have their own transport layer.

The assumption that breaks for agents

For two years, the agent infrastructure conversation has run at the application layer. MCP, A2A, and ACP each answer a real coordination problem, and each rides on HTTP. HTTP carried the human web beautifully. It was built for documents that people fetch, wait for, and read.

Agents behave differently. They hold identities. They carry delegated authority. They move value. They act at machine speed against one another rather than against a person at a keyboard. When the substrate assumes a human-in-the-loop, every hard agent problem gets pushed upward into application code and solved again within each framework. Identity, trust, replay safety, settlement: every protocol reinvents them, slightly differently, and none of the solutions compose.

Here is the uncomfortable part. We keep reaching for the application layer because that is where building feels productive. A new protocol ships with an SDK and a working demo by Friday. The transport layer feels finished, and it has felt finished since the 1990s. So we build on top of it and quietly inherit its assumptions, including the one that breaks for agents: that a person is driving.

The Agent Transfer Protocol starts from the other end. It is a transport-layer protocol purpose-built for agent traffic, with cryptographic identity, scope-based authority, and signed attribution as protocol primitives rather than application features. MCP, A2A, and ACP become tenants of that transport rather than competitors. The newest specifications extend the same idea into territory no other agent proposal currently addresses. Read together, they make a single argument: once agents have a real transport layer, the institutional machinery that already makes the human internet trustworthy composes directly on top of it.

Discovery becomes a property of the network

Most agent systems treat discovery as an afterthought. You configure endpoints by hand, consult a central directory, or arrange introductions out of band. The agent has to ask permission to be found.

Presence inverts that. An agent that announces itself joins a distributed awareness layer that any other agent can query in real time. Capability discovery happens without a central registry, a directory service, or manual wiring. Presence also rides on the Agent Naming System, so an agent is reachable by name as well as by capability. Being discoverable becomes a property of being on the network.

Anticipatory Discovery Services push this further. Instead of waiting for an agent to ask who can do a thing, an ADS predicts and surfaces relevant agents from context, patterns, and intent signals. The payoff is faster matchmaking, smarter routing, and the foundation for an ecosystem that responds at machine speed rather than at the pace of manual integration.

Identity borrows institutions that already exist

The most overlooked fact about the human web is how little of its trust was invented from scratch. Certificate authorities, legal registries, and credit bureaus existed long before the browser. The web succeeded partly because it plugged into them.

The agent certificate specification applies the same move. It formalizes an SSL-style mechanism for issuing and validating agent identity, mirroring how websites obtain TLS certificates today. A certificate authority verifies an agent’s identity claim and issues a credential that any party can validate. DigiCert, Sectigo, GlobalSign, Entrust, and Let’s Encrypt can extend their existing infrastructure to issue agent certificates without fundamentally changing how they operate. This is the only agent proposal that maps onto the SSL ecosystem’s proven operational and regulatory model.

AGTP-LEI reaches into an even older institution. The Legal Entity Identifier binding connects agents to the international identity infrastructure operated by GLEIF. Banks, insurers, asset managers, broker-dealers, and public companies already hold LEIs for financial reporting and compliance. AGTP-LEI allows agents deployed by those entities to carry the institution’s verifiable identity over the same rails. A regulator or counterparty can confirm which institution an agent acts for, and under what authorization, using mechanisms the financial industry already trusts. No other agent protocol is composed directly with GLEIF.

The pattern is deliberate. Rather than asking the world to trust a new authority, AGTP lets the authorities the world already trusts speak about agents.

Trust extends the systems we already use

Identity answers who an agent is. Trust answers the question of whether to deal with it. The enhanced trust specification describes how agents and infrastructure evaluate which agents to interact with, and it follows the same institutional logic. Credit bureaus such as Experian, Equifax, and TransUnion can extend their trust-scoring infrastructure to agent populations, the way certificate authorities extend to agent certificates. The model parallels how trust already works for businesses and consumers, meaning it arrives with decades of operational practice rather than a blank slate.

A design choice worth naming: trust here filters participation rather than weighting outcomes. It decides who is allowed to participate in a transaction, and then it steps back. That keeps the mechanism legible and prevents reputation from quietly becoming a pricing input.

Value moves, and it moves safely

Commerce brings agent-to-agent transactions to the protocol layer. Pricing, budgets, transaction commitments, and audit trails are expressed directly in AGTP. One agent can procure work from another: the buyer carries a budget, the seller publishes prices and trust requirements, and they either agree to transact or move on. The transaction record is both the receipt and the audit trail. AGTP carries the structural transaction information, while existing payment providers or specialized agent-economy services handle settlement.

This is the same primitive that created the API economy a decade ago. Organizations charged for API usage, and an entire economy grew from that single capability. Agents can now be monetized the same way. A company running a specialized agent can charge other agents for its services. No other open agent protocol provides this surface.

An economy needs more than a price tag, though. It needs safety. The bindings specification covers how AGTP runs over standard Internet transports, and its substantive addition is explicit replay protection for high-value operations. Agent actions that move value, delegate authority, or change state cannot be replayed by an attacker who captures the traffic. Lower-stakes operations, such as queries, still use modern transport optimizations. Payment networks have built this exact safeguard into their infrastructure for decades. AGTP brings it to agent traffic at the protocol layer, where every application protocol above it inherits the protection for free.

It composes rather than displaces

Reading all of this as a bid to replace existing infrastructure would be the wrong read. Composition specifies how AGTP works alongside what an organization already has in place. OAuth and OIDC credentials operate in parallel with AGTP identity: the agent identifies itself through AGTP, while the existing identity provider authorizes the human or service the agent acts for. Two axes, cleanly separated. AGTP says which agent. The external provider says on whose behalf.

Clients still running on HTTP reach AGTP agents through a translation gateway, so adoption can be incremental. And MCP, A2A, and ACP run on top of AGTP without modification. The transport provides them with identity, attribution, and replay safety they would otherwise have to build on their own. AGTP composes with the surrounding infrastructure rather than displacing it.

The infrastructure you stop noticing

Step back, and a single shape appears across all of these specifications. Each one takes a capability the human internet already solved, through certificate authorities, credit bureaus, legal entity registries, or payment-network replay protection, and makes it available to agents at the transport layer, once, in a form every higher protocol can inherit.

That is the argument for building one layer down. Solve identity, trust, commerce, and replay safety in application code, and you solve them repeatedly, incompatibly, and forever. Solve them in the transport, and you solve them once.

The agent economy is going to run on rails regardless. The only open question is whether those rails are improvised on top of a protocol built for documents, or purpose-built for what agents actually do. The most important infrastructure tends to be the kind you eventually stop noticing. Plumbing earns that status by being correct at the layer where correctness compounds.

The specifications are open and published. A reference implementation is operational. The documentation, working code, and full specification set are at agtp.io. Anyone evaluating agent infrastructure, weighing integration, or interested in contributing is welcome to engage.

---

If you find this content valuable, please share it with your network.

Follow me for daily insights.

Book me to speak at your next event.

Start managing your agents for free.

Chris Hood is an AI strategist and author of the #1 Amazon Best Seller Infailible and Customer Transformation, and has been recognized as one of the Top 30 Global Gurus for Customer Experience. His latest book, Unmapping Customer Journeys, is available now!