Agent Passport Enforcement Guide

Level the playing field. Secure your APIs. Enforce the Agent Passport.

Quick Implementation

1. Require Header on Mutating Requests

# Anything that can change state must carry a passport; PUT is mutating too and belongs in the list.
if request.method in ["POST", "PUT", "PATCH", "DELETE"]:
    passport = request.headers.get("X-Agent-Passport")
    if not passport:
        # 401: no credential was presented. Reserve 403 for a passport that verifies but lacks permission.
        return Response(status=401, body="Missing agent passport")

2. Verify Signature

import jwt                      # PyJWT, installed with the "cryptography" extra, which EdDSA needs
from jwt import PyJWKClient

# Resolve the key named by the token's "kid" from the issuer's JWKS (PyJWKClient caches the document)
jwks_client = PyJWKClient("https://agent-trust.org/.well-known/jwks.json")
signing_key = jwks_client.get_signing_key_from_jwt(passport)
# Pin the algorithm here; never take "alg" from the token header. Raises jwt.InvalidTokenError
# on a bad signature or an expired "exp"; catch it and return 401.
decoded = jwt.decode(passport, signing_key.key, algorithms=["EdDSA"])

3. Check Scope

required_scope = "notion.write"  # example
if required_scope not in decoded.get("allowed_scopes", []):  # an absent claim grants nothing
    return Response(status=403, body="Insufficient scope")

4. Verify Bond (for production actions)

import requests

if decoded.get("scope_tier") == "production-write":
    # Verify the bond is posted and not revoked. The claims_url comes out of a verified
    # passport, so it is issuer-controlled, but still bound the fetch with a timeout.
    resp = requests.get(decoded["bond"]["claims_url"], timeout=3)
    resp.raise_for_status()                       # a registry error must deny, not allow
    bond_status = resp.json()                     # requests.Response is not subscriptable
    if bond_status.get("revoked", True):          # a missing field counts as revoked
        return Response(status=403, body="Bond revoked")
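Putting the four steps together, here is one gate that runs them in order and fails closed at every branch. This is an added example, not code from the guide or from agent-trust.org. It is stdlib-only so it runs offline, which means the EdDSA check against the issuer's JWKS is passed in as a callable (in production that is the PyJWKClient lookup plus an Ed25519 verify; the demo substitutes a keyed-HMAC test double behind the same interface) and the bond lookup is passed in the same way. The claim names allowed_scopes, scope_tier and bond.claims_url come from the guide; the iss and aud values, the bond registry JSON, the test key and the fixture URLs are assumptions. It answers 401 when no valid credential was presented, 403 when a valid passport lacks permission, and 503 rather than 200 when the bond registry cannot be reached.

```python
"""Agent Passport gate, steps 1-4 in order (added example, not the guide's own code). Stdlib only: the
EdDSA check against the issuer's JWKS is injected as verify_sig(kid, signing_input, signature) -> bool,
the bond GET as fetch_bond(url) -> dict. The iss/aud values and the bond JSON shape are assumptions."""
import base64, hashlib, hmac, json, time
from collections import namedtuple

MUTATING = {"POST", "PUT", "PATCH", "DELETE"}
ISSUER = "https://agent-trust.org"       # assumed "iss" value
AUDIENCE = "https://api.example.com"     # assumed identifier of the protected API
# status: 200 allow; 401 no/invalid credential; 403 valid but not permitted; 503 cannot decide
Decision = namedtuple("Decision", "status reason claims", defaults=(None,))

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def enforce_passport(method, headers, required_scope, verify_sig, fetch_bond, now=None) -> Decision:
    now = time.time() if now is None else now
    if method.upper() not in MUTATING:                       # step 1: only writes need a passport
        return Decision(200, "read-only request, passport not required")
    passport = headers.get("X-Agent-Passport")
    if not passport:
        return Decision(401, "Missing agent passport")
    try:                                                     # step 2: parse, pin alg, then verify
        h_b64, p_b64, s_b64 = passport.split(".")
        header, claims = json.loads(b64url_decode(h_b64)), json.loads(b64url_decode(p_b64))
        signature = b64url_decode(s_b64)
    except ValueError:                                       # wrong segment count, bad base64 or JSON
        return Decision(401, "Malformed passport")
    if not (isinstance(header, dict) and isinstance(claims, dict)
            and header.get("alg") == "EdDSA" and isinstance(header.get("kid"), str)):
        return Decision(401, "Malformed or unsupported passport")   # blocks alg=none / HS256 downgrade
    if not verify_sig(header["kid"], f"{h_b64}.{p_b64}".encode(), signature):
        return Decision(401, "Invalid passport signature")
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER or AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return Decision(401, "Passport not issued for this API")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:     # an absent exp fails closed
        return Decision(401, "Passport expired")
    if required_scope not in (claims.get("allowed_scopes") or []):   # step 3
        return Decision(403, "Insufficient scope", claims)
    if claims.get("scope_tier") == "production-write":               # step 4
        try:
            claims_url = claims["bond"]["claims_url"]
        except (KeyError, TypeError):
            return Decision(403, "Production-write passport without bond", claims)
        try:
            bond = fetch_bond(claims_url)
        except Exception:                                    # registry down: fail closed, not open
            return Decision(503, "Bond status unavailable", claims)
        if bond.get("revoked", True):                        # an absent field counts as revoked
            return Decision(403, "Bond revoked", claims)
    return Decision(200, "ok", claims)

# Constructed fixtures: a keyed-HMAC stand-in for the issuer's Ed25519 key, and a bond registry.
TEST_SECRET = b"constructed-test-secret"
BOND_REGISTRY = {"https://agent-trust.org/bonds/42": {"revoked": False}, "https://agent-trust.org/bonds/43": {"revoked": True}}

def hmac_stand_in_verify(kid: str, signing_input: bytes, signature: bytes) -> bool:  # same interface as JWKS+Ed25519
    expected = hmac.new(TEST_SECRET, signing_input, hashlib.sha256).digest()
    return kid == "test-key-1" and hmac.compare_digest(signature, expected)

def mint_passport(claims: dict) -> str:
    head = b64url_encode(json.dumps({"alg": "EdDSA", "kid": "test-key-1"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(TEST_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def fetch_bond_fixture(url: str) -> dict:
    if url not in BOND_REGISTRY:
        raise ConnectionError("bond registry unreachable")
    return BOND_REGISTRY[url]

def demo(now: float = 1_700_000_000.0) -> dict:
    base = {"iss": ISSUER, "aud": AUDIENCE, "exp": now + 300, "allowed_scopes": ["notion.write"]}
    prod = {**base, "scope_tier": "production-write"}
    head, _, sig = mint_passport(base).split(".")          # keep the genuine signature, swap the payload
    tampered = f"{head}.{b64url_encode(json.dumps({**base, 'allowed_scopes': ['*']}).encode())}.{sig}"
    cases = {
        "no_header": ("POST", None),
        "get_without_passport": ("GET", None),
        "ok_dev": ("POST", mint_passport(base)),
        "wrong_scope": ("DELETE", mint_passport({**base, "allowed_scopes": ["notion.read"]})),
        "payload_tampered": ("POST", tampered),
        "expired": ("POST", mint_passport({**base, "exp": now - 1})),
        "prod_bonded": ("PATCH", mint_passport({**prod, "bond": {"claims_url": "https://agent-trust.org/bonds/42"}})),
        "prod_revoked": ("PATCH", mint_passport({**prod, "bond": {"claims_url": "https://agent-trust.org/bonds/43"}})),
        "prod_registry_down": ("PATCH", mint_passport({**prod, "bond": {"claims_url": "https://agent-trust.org/bonds/99"}})),
    }
    return {name: enforce_passport(m, {"X-Agent-Passport": tok} if tok else {}, "notion.write",
                                   hmac_stand_in_verify, fetch_bond_fixture, now).status
            for name, (m, tok) in cases.items()}
```

demo() returns the HTTP status for each constructed case. The payload_tampered case keeps a genuine signature over a different payload, which is the escalation attempt the pinned alg and the signature check have to catch, and prod_registry_down shows why the bond fetch is wrapped: a registry outage should stall production writes, not silently pass them.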

Full Specification

https://agent-trust.org/.well-known/agent-passport.json