Integration proposal: Agent Passport System — scoped delegation + governance on top of World ID

[aeoess]

What this is: A proposal to integrate the Agent Passport System (APS) with AgentKit to provide scoped delegation, spend limits, cascade revocation, and policy evaluation on top of World ID's proof-of-human layer.

The gap AgentKit + APS fills together:

AgentKit answers: "Is there a real human behind this agent?"
APS answers: "What is this agent authorized to do?"

Right now AgentKit proves a unique human backs an agent — but doesn't constrain what that agent can do on the human's behalf. A verified human could delegate to an agent that books 1,000 hotel rooms or spends $50K. World ID confirms the human is real, but nothing enforces scope.

APS provides the missing governance layer:

• Scoped delegation chains — human → agent with specific permissions (["book:hotel", "spend:usd"]), time bounds, and spend limits ($200/day)
• Cascade revocation — revoke a delegation and all sub-delegations die instantly
• 3-signature policy chain — agent declares intent → policy engine evaluates against delegation + values floor → signed receipt proves authorization happened before execution
• Beneficiary attribution — Merkle proofs tracing every action back to the authorizing human

How it would work:

World ID becomes the root principal in an APS delegation chain:

World ID (proof of human) → APS Principal Identity
  → Delegation 1: booking-agent [scope: hotel:book, spend ≤ $500]
    → Sub-delegation: price-checker [scope: hotel:search] (narrower)
  → Delegation 2: shopping-agent [scope: purchase:*, spend ≤ $200/day]

The x402 payment layer handles how agents pay. APS handles what agents are allowed to do and how much they can spend. World ID handles who is behind it all.

What APS is:

• Open-source protocol: npm install agent-passport-system (npm)
• Ed25519 cryptographic identity (same signature scheme, different key format)
• 8 protocol layers, 678 tests, 187 test suites
• MCP server with 61 tools: npm install agent-passport-system-mcp
• Python SDK on PyPI: pip install agent-passport-system
• Academic paper: Monotonic Narrowing for Agent Authority
• Currently in cross-engine interop testing with AIP and Kanoniv (3 engines cross-verifying Ed25519 delegation signatures)

Concrete integration path:

1. APS createPrincipal() accepts a World ID anonymous identifier as the root identity
2. createDelegation() scopes what each agent registered in AgentBook can do
3. The x402 resource server extension checks both World ID proof AND APS delegation scope before granting access
4. Every agent action produces a signed receipt traceable to the World ID holder without revealing their identity

Why this matters for AgentKit's roadmap:

The AgentKit docs mention free-trial mode and usage caps per human. APS delegation chains generalize this — instead of hardcoded uses: 3, the delegation itself carries the constraint. Different agents from the same human can have different scopes and limits, enforced cryptographically rather than by application logic.

Happy to build a proof-of-concept integration. The APS SDK is Apache-2.0 licensed.

— Tima (@Tymofiii) | aeoess.com

[aeoess]

Following up on this — with the x402 payment protocol now live, the identity verification question becomes more pressing. An agent making purchases via x402 needs verifiable proof of who authorized the spend and what limits apply.

Our delegation system handles exactly this: human creates a commerce delegation with scope, spend limit, and approved merchants. The agent can only spend within those bounds. Every transaction produces a signed receipt traceable back to the human principal.

The World ID proof-of-personhood + APS delegation chain would give you both "this agent represents a real human" AND "this agent is authorized to spend up to $X on Y." Happy to sketch out the integration if useful.

[aeoess]

Following up with a real-world data point that validates the exact thesis behind World ID for agents.

Last week, one of our own agents ran a Sybil attack against our wallet provisioning. It generated unlimited Ed25519 passports — each cryptographically valid — and collected promotional tokens on each one. The identity layer was correct. The cryptography was correct. The system was being drained because cryptographic identity doesn't prove unique personhood.

This is literally the problem World ID solves for humans. For agents, the equivalent question is: how do you prove this is a genuinely new agent and not the thousandth fake identity from the same operator?

Our answer: Passport grades with 4-tier evidence scoring. An agent's identity carries evidence of how it was issued, who vouched for it, and what it has done. Grade 0 = just a keypair. Grade 2 = endorsed by a verified principal. Grade 3 = proven through diverse work history. The Sybil boundary isn't at identity generation (keys are free) — it's at evidence accumulation (reputation from diverse independent reviewers is expensive to fake).

World ID's proof-of-personhood for the human principal + APS passport grades for the agent creates a two-layer Sybil defense: the human is unique (World ID), and the human's agents are tracked (APS). A verified human can only endorse N agents before their reputation is affected.

SDK: v1.29.0, 1,919 tests. npm: agent-passport-system. Happy to discuss how World ID verification could map to APS principal attestation — it would be the strongest Tier 2 (Provider) signal in our evidence model.