The Agent Transfer Protocol and the new Standardized Agent-ID
When a letter moves through the postal system, the envelope provides the network with everything it needs to route it. Sender on one corner, recipient on the other, return address on the back. The contents of the letter are private and irrelevant to delivery. The address is the part that the network reads.
This is such an obvious design that it is easy to miss how much depends on it. Without the envelope, every package would have to be opened to discover where it was going. Without the standard address format, every post office would invent its own scheme. The economics of mail rest on a small structural decision: identity travels on the outside, in a place every router in the network has agreed to look.
Agent traffic has been missing the envelope.
Every agent identity platform today operates above the transport layer. Tokens in headers, certificates wrapping the connection, DIDs resolved through external services, API keys that mean different things to different APIs. Whatever identity an agent has, the wire carrying its requests has no idea about it. The bytes move through TCP, TLS, and HTTP, and the network sees a connection, a path, and a payload. Nothing about who is calling, who they represent, or what they are permitted to do. All of that lives one layer above, invisible to every piece of infrastructure between the two endpoints.
AGTP made a different decision. Identity rides on the wire itself.
And you can begin implementing the Agent Transfer Protocol within your organization today.
What “on the wire” actually means
The phrase gets used loosely, so it is worth being precise. AGTP defines a small set of headers that every non-anonymous request carries, and the headers answer the questions a router, a firewall, or a compliance system actually needs to answer.
Agent-ID carries the canonical 256-bit identifier of the agent making the call. It is derived from the agent’s Agent Genesis, the signed origin document issued upon activation. The Agent-ID is stable for the agent’s lifetime, independent of which host serves the traffic, which user has authorized the current session, or which credentials are in flight. It identifies the agent, separate from every other relationship the agent has.
Owner-ID identifies the principal accountable for the agent. A registered organization, a legal entity, or a human responsible for what the agent does. The Owner-ID is bound to the Agent-ID during provisioning and carried with every request. When something goes wrong, the Owner-ID is who you call.
Authority-Scope carries the declared set of permissions the agent is invoking for this request, expressed as comma-separated domain:action tokens. It is the scope a server enforces, a gateway can read, and an audit system can verify.
AGTP has multiple identifiers. Request-ID, Server-ID, Task-ID, and Session-ID provide a correlation surface that lets every interaction be traced, every response paired with its originating request, and every session reconstructed from logs.
These headers are mandatory on AGTP traffic. They are present regardless of whether the receiving server uses them. They are visible to every intermediary that handles the request. The wire participates in identity rather than carrying it as an anonymous payload.
This is a structural change from how HTTP-based agent infrastructure works. With HTTP, identity is whatever the application layer puts in the body or in a bearer header, and the transport has no opinion about it. The transport sees a POST. In AGTP, the transport sees an agent with an owner, who claims a specific authority. The same request, but the wire knows what it is carrying.
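As an added example (not code from the AGTP specification or from the author), the sketch below shows the checks an intermediary could apply to the three identity headers described above. The character set for scope tokens, the sample Owner-ID value and the function names are assumptions; the checks confirm only that the headers are well formed, not that the claimed identity is genuine.

```python
import re

# Agent-ID format as stated on the page: 64 lowercase hexadecimal characters.
AGENT_ID_RE = re.compile(r"[0-9a-f]{64}")
# Assumption: each side of a domain:action token is a lowercase word. The page
# gives only the "domain:action" shape, not a character set.
SCOPE_TOKEN_RE = re.compile(r"[a-z][a-z0-9_-]*:[a-z][a-z0-9_-]*")

def parse_authority_scope(value):
    """Split a comma-separated Authority-Scope value into a set of tokens."""
    tokens = [t.strip() for t in value.split(",")]
    bad = [t for t in tokens if not SCOPE_TOKEN_RE.fullmatch(t)]
    if bad:
        raise ValueError(f"malformed scope token(s): {bad}")
    return set(tokens)

def check_request(headers, required_scope):
    """Return (allowed, reason) for one request seen by an intermediary."""
    for name in ("Agent-ID", "Owner-ID", "Authority-Scope"):
        if not headers.get(name):
            return False, f"missing {name}"
    # fullmatch, not match: a trailing newline or extra bytes must not pass.
    if not AGENT_ID_RE.fullmatch(headers["Agent-ID"]):
        return False, "Agent-ID is not 64 lowercase hex characters"
    try:
        declared = parse_authority_scope(headers["Authority-Scope"])
    except ValueError as exc:
        return False, str(exc)
    if required_scope not in declared:
        return False, f"scope {required_scope} not declared"
    return True, "ok"

# Constructed sample request (illustrative values, not real identifiers).
SAMPLE = {
    "Agent-ID": "ab" * 32,
    "Owner-ID": "owner-example",
    "Authority-Scope": "discovery:query, calendar:read",
}

if __name__ == "__main__":
    print(check_request(SAMPLE, "discovery:query"))
    print(check_request(SAMPLE, "payments:write"))
    print(check_request({**SAMPLE, "Agent-ID": "AB" * 32}, "discovery:query"))
```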

Why “standardized” is the whole point
A wire-level identity primitive only works if everyone is using the same one. A unique format invented by one vendor is no better than a token: the next vendor over invents a different one, and the network fragments along framework lines.
This is the deeper bet AGTP makes. The Agent-ID format is the same everywhere. 256-bit cryptographic hash, sixty-four lowercase hexadecimal characters, derived from a signed origin document, resolvable through a documented protocol. Two agents from two different organizations, built by two different vendors, deployed on two different clouds, carry their identities in exactly the same shape. Any AGTP-aware intermediary can read both. Any AGTP-aware registry can index both. Any AGTP-aware audit system can verify both.
This is what made the internet’s earlier addressing standards economically transformative. An IP address is the same everywhere. A DNS name resolves the same way from any client. An email address has the same structure whether it is going to Gmail or to a self-hosted mail server. The shared format is the substrate that lets independent operators build interoperable systems without bilateral integration.
Agent identity has been waiting for that substrate. AGTP provides it. The format is open, the resolution is standardized, and the verification paths are documented. Implementers can build registries, gateways, marketplaces, audit pipelines, and compliance tools against a single specification, and the things they build compose with everyone else’s.
What stays exactly where it is
It would be easy to read this as a replacement argument. It is the opposite.
OAuth tokens still ride on AGTP. They sit where they have always sat, in the Authorization header, carrying the principal-level authorization that the application layer needs to evaluate. AGTP says nothing about how an OAuth token is validated or what its claims mean. The application logic at the receiving server handles all of that, exactly as it does today. SPIFFE workload identities fit the same way. Enterprise IdPs federate via OIDC into the Genesis trust path without changing how those IdPs operate.
What AGTP changes is the layer underneath all of that. The application can still ask “who authorized this call.” The wire now also answers a separate question: “what agent is calling, who is responsible for it, and what is it authorized to do at the protocol level.” Two questions, two layers, both carried on the same request. Neither displaces the other.
The strategic value of this separation is that it lets organizations keep what they have already built. The OAuth provider stays. The IdP stays. The token validation pipeline stays. AGTP adds an identity layer beneath the existing stack, and the existing stack composes against it without modification. This is what makes adoption tractable. Nothing has to move.

The lookup problem, solved at the same layer
Wire-level identity is a building block. It becomes infrastructure when there is a way to look up agents.
DNS made hosts findable. Before DNS, the Internet was a collection of IP addresses that only the people who already knew them could reach. DNS turned the network into a directory, and the directory turned hosts into participants in a global namespace.
AGTP defines the same primitive for agents. The Agent Name Service, ANS, is a governed queryable registry of agents and their capabilities. An agent that needs to delegate work to another agent sends a DISCOVER request to an ANS server with a description of what it needs. The ANS server returns a ranked list of signed Agent Manifest Documents that match the query, with each result including the candidate’s canonical Agent-ID, trust tier, behavioral trust score, declared capabilities, and required authority scope. The requesting agent picks one, verifies the manifest, and proceeds.
ANS is itself an AGTP server. It has its own Agent-ID, Genesis, and manifest. It enforces scope at the discovery layer, refusing queries from agents without discovery:query authority. It signs every response with its governance key. It monitors indexed agents for availability and removes revoked agents from its index within sixty seconds. It federates with peer ANS servers to enable cross-organization discovery without bilateral integration.
The architecture matters because the registry is the network effect. A wire-level identity that works only within one organization is a local convention. A wire-level identity that can be looked up by any agent through a standardized discovery protocol is infrastructure. ANS is what turns AGTP from a transport into an ecosystem.
The numbers underneath that ecosystem are real. The registry indexes signed manifests rather than arbitrary strings. The discovery results are ranked by trust tier, behavioral trust score, and capability match, with documented weights that operators can adjust. The federation protocol preserves the requesting agent’s identity and scope across ANS-to-ANS forwarding, so a query that starts in one zone arrives at peer servers with its provenance intact. Anomaly detection at the ANS layer can flag attempts to enumerate the index. Trust scores resist self-assertion because they live inside packages whose integrity is cryptographically protected.
This is the agent equivalent of what DNS did for hosts and what the credit card associations did for cross-bank payments. A shared lookup layer, governed by documented rules, that lets independent operators run interoperable infrastructure.
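The discovery behaviour described in this section, as an added example that is not taken from the AGTP specification: an ANS-style lookup that refuses requesters without discovery:query, drops revoked agents, and ranks the rest. The weights, the 1-to-3 tier scale, the field names and the sample manifests are assumptions, and manifest signature verification is left out.

```python
# Hypothetical weights: the page says ranking weights are documented and
# operator-adjustable but does not list them.
WEIGHTS = {"tier": 0.4, "score": 0.4, "match": 0.2}
MAX_TIER = 3  # assumption: trust tier is an integer 1..3, higher is better

def discover(requester_scope, wanted, index, revoked, weights=WEIGHTS):
    """Return the Agent-IDs of matching manifests, best candidate first."""
    # Scope is enforced at the discovery layer, before the index is read.
    if "discovery:query" not in requester_scope:
        raise PermissionError("requester lacks discovery:query")
    ranked = []
    for manifest in index:
        if manifest["agent_id"] in revoked:
            continue  # revoked agents never appear in results
        overlap = len(wanted & manifest["capabilities"])
        if overlap == 0:
            continue  # no capability match at all
        rank = (weights["tier"] * manifest["trust_tier"] / MAX_TIER
                + weights["score"] * manifest["trust_score"]
                + weights["match"] * overlap / len(wanted))
        ranked.append((rank, manifest["agent_id"]))
    # Highest rank first; ties broken by Agent-ID so output is deterministic.
    ranked.sort(key=lambda item: (-item[0], item[1]))
    return [agent_id for _, agent_id in ranked]

# Constructed manifests (illustrative values, not real agents).
INDEX = [
    {"agent_id": "aa" * 32, "trust_tier": 3, "trust_score": 0.90,
     "capabilities": {"translate", "summarize"}},
    {"agent_id": "bb" * 32, "trust_tier": 1, "trust_score": 0.95,
     "capabilities": {"translate"}},
    {"agent_id": "cc" * 32, "trust_tier": 3, "trust_score": 0.99,
     "capabilities": {"translate", "summarize"}},
]

if __name__ == "__main__":
    wanted = {"translate", "summarize"}
    # "cc..." would rank first, but it is on the revocation list.
    print(discover({"discovery:query"}, wanted, INDEX, revoked={"cc" * 32}))
```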
What the registry makes possible
Once Agent-ID is standardized on the wire, and ANS makes agents findable across organizations, a series of things that have been hard become straightforward.
Cross-organization delegation becomes a single protocol exchange. An agent at one company can delegate work to an agent at another company by issuing a DISCOVER against a federated ANS, selecting a counterparty, and then DELEGATING. The receiving agent’s identity is verifiable from its manifest. The delegation chain is recorded as a wire-level header. The Attribution-Record produced by the receiving agent is signed and provides sufficient provenance for later audit. None of this requires bilateral integration between the two companies, nor does it require the agents to trust each other a priori. The protocol carries enough structure to do the work.
Marketplaces become protocol concerns rather than vendor concerns. An open agent marketplace is, structurally, an ANS registry with commerce-aware ranking and a payment integration. Any operator can run one. Multiple operators can run competing ones, and the agents indexed across them remain interoperable because the underlying identity format is the same.
Compliance becomes legible. A regulator asking “what agents at this organization touched this customer’s data” has a tractable query: trace Attribution-Records by Owner-ID over a time window, resolve the Agent-IDs against the registry, and reconstruct the chain. A regulator asking “is this agent permitted to operate in our jurisdiction” can verify the agent’s governance zone from its manifest before the agent ever interacts with regulated systems. These are queries that the current agent infrastructure cannot answer because the data is scattered across framework-specific logs and proprietary registries. Wire-level identity makes them reachable.
Brokered commerce becomes possible. An intermediary that sits between two negotiating agents can read Authority-Scope, Budget-Limit, and the requesting Agent-ID directly from the wire, enforce its policies, and route accordingly. The negotiation lives at the protocol layer, and the broker becomes a participant rather than a tunnel.
The architecture is the point
The right way to read all of this is to step back from the individual features and look at the shape.
Identity travels with the protocol rather than on top of it. Lookup runs over the same protocol that the agents themselves use. Authorization composes orthogonally, so the application layer keeps the OAuth, OIDC, and SPIFFE infrastructure it already has. The wire knows what it is carrying, and the things built on top of it (registries, gateways, marketplaces, audit systems) compose against a single standardized substrate.
This is the property the agent economy has been missing. Most agent-identity work today is bolt-on, layered on top of transports that have no native concept of agents. AGTP is the alternative: a transport substrate that participates in identity, with a standardized lookup layer, with composition rules that respect the identity infrastructure organizations already operate.
The envelope is back, this time around agent traffic. Identity on the outside, in a place every router has agreed to look. Everything that the postal system, the credit card networks, DNS, and email built on that simple structural decision is what the agent economy gets to build next. The protocol is what makes the building possible.
Chris Hood is an AI strategist and author of the #1 Amazon Best Seller Infailible and Customer Transformation, and has been recognized as one of the Top 30 Global Gurus for Customer Experience. His latest book, Unmapping Customer Journeys, is available now!