Explain it like I'm five

Everything Agent Passport does, why it exists, and how it works — without the jargon.

What we'll cover
  1. 01 The problem — why agents need passports
  2. 02 What a passport actually is
  3. 03 Permissions — what can it do?
  4. 04 Budget — how much can it spend?
  5. 05 Expiry — when does it stop working?
  6. 06 Authorization — the checkpoint
  7. 07 Delegation — agents hiring agents
  8. 08 Revocation — the kill switch
  9. 09 Audit trail — receipts for everything
  10. 10 Tamper-proofing — why nobody can fake it
  11. 11 Biscuit tokens — the advanced mode
  12. 12 The authority server
  13. 13 Where it plugs in
  14. 14 Why this is hard to copy
01

The problem

You ask an AI agent to book you a flight. The agent has your full account access — your credit card, your email, your calendar, everything. It could book a $50 flight, or it could wire $10,000 to the Bahamas. Right now, there's nothing stopping it.

Today's agents use static API keys — the same credentials the human has. There's no way to say "you can read my calendar but not delete anything" or "you can spend up to $500 but not a cent more."

Real-world analogy
Think of it like giving your house keys to a babysitter — but the keys also open your safe, start your car, and access your bank. You just wanted them to watch the kids.

Agent Passport is the permission slip. It says exactly what the babysitter can do (watch kids, use the kitchen), what they can't (no car, no safe), and when it expires (when you get home).

02

What a passport actually is

A passport is a signed digital token — a small piece of data that says:

Who authorized it
The human (or parent agent) that created this permission slip
Which agent holds it
The specific bot or agent that's allowed to use it
What it can do
A list of specific actions like "calendar:read" or "email:send"
How much it can spend
A hard dollar cap the agent can never exceed
When it expires
A timestamp after which the passport is dead
A unique ID + signature
Cryptographic proof that nobody tampered with it
const passport = AgentPassport.issue({
  agent: "booking-bot",
  permissions: ["calendar:read", "calendar:write", "email:send"],
  limits: { maxSpend: 500 },
  expiresIn: "24h",
})
03

Permissions

Permissions use a simple namespace:action format. You list exactly what the agent can do.

calendar:read — can read your calendar
calendar:write — can create/edit events
calendar:* — can do anything calendar-related (wildcard)
* — can do literally everything (you almost never want this)

If an agent tries to do something not on its list, it gets denied instantly. No exceptions, no workarounds.

passport.authorize("calendar:write")  // ✓ allowed — it's on the list
passport.authorize("database:drop")  // ✗ denied — not on the list
04

Budget

Every passport can have a spending cap. The server tracks how much the agent has spent cumulatively — the agent can't lie about it because the tracking happens server-side.

Real-world analogy
It's a prepaid debit card, not a credit card. When the balance hits zero, the card stops working. The agent can't call the bank and ask for more.

If the agent tries to spend $200 but only has $150 remaining, the action is denied with a clear reason: "Spend $200 exceeds remaining limit $150 USD."

05

Expiry

Every passport has an expiration timestamp. After that moment, the passport is dead — no amount of retrying will make it work.

Default is 24 hours. You can set it to 5 minutes, 1 hour, 7 days — whatever fits the task. A child passport can never outlive its parent. If dad's passport expires at midnight, the kid's passport can't survive past midnight either.

06

Authorization — the checkpoint

Every time the agent wants to do something, it hits a six-step checkpoint:

1. Signature check
Is the passport real and untampered?
2. Revocation check
Has anyone cancelled this passport?
3. Time check
Is the passport still within its time window?
4. Permission check
Is this action on the allowed list?
5. Spend check
Is there enough budget left?
6. Audit log
Record the attempt (allowed or denied)

If any step fails, the action is denied with a reason. If all pass, the action goes through. Either way, it's logged.

07

Delegation — agents hiring agents

This is the magic. An agent with a passport can create a child passport for a sub-agent — but with equal or fewer permissions. Never more.

You calendar:* · email:* · $500
Travel Bot calendar:write · email:send · $500
Email Drafter email:send · $0

The travel bot can give the email drafter permission to send emails — but it cannot give it calendar access or spending power it doesn't have. Permissions only shrink down the chain, never grow. This is called monotonic narrowing.

Real-world analogy
A manager can give an intern access to the filing cabinet — but not the CEO's office. You can only share what you already have, and you can share less, never more.
const child = passport.delegate({
  agent: "email-drafter",
  permissions: ["email:send"],  // must be ⊆ parent
})

// trying to escalate → throws PassportDelegationError
passport.delegate({ permissions: ["admin:delete"] }) // ✗ error
08

Revocation — the kill switch

You can cancel any passport at any time. The moment you do, that passport and every child passport it ever created dies instantly.

Root passport REVOKED
Travel Bot dead
Email Drafter dead

This is cascade revocation. You don't need to hunt down every sub-agent and cancel them one by one. Kill the root, and the entire tree falls.

passport.revoke()
// → ["pp_root", "pp_travel", "pp_email"] all revoked
09

Audit trail — receipts for everything

Every single authorize() call is logged — whether it was allowed or denied. The audit trail records:

When it happened · Which passport was used · What action was attempted · Whether it was allowed or denied · Why it was denied

Real-world analogy
A security camera that records every door someone tries to open — including the locked ones they couldn't get through.

When you're using the authority server, audit logs are persisted in SQLite so they survive restarts. You can query them by passport ID to see everything that agent ever tried to do.

10

Tamper-proofing

Every passport is signed with Ed25519 — the same cryptographic algorithm used to secure SSH connections and cryptocurrency wallets. If anyone changes even a single character in the passport, the signature breaks and it's rejected.

Can't forge permissions
An agent can't edit its own passport to add "admin:delete"
Can't extend expiry
Changing the expiration breaks the signature
Can't inflate budget
Spend tracking is server-side anyway, but the limit is signed too
Can't replay old passports
Each passport has a unique 128-bit nonce
11

Biscuit tokens — the advanced mode

For simple single-agent setups, passports use JWT (JSON Web Tokens) — the same standard used by most web apps. Simple, well-understood, battle-tested.

For multi-agent delegation chains, passports use Biscuit tokens. Biscuits are a newer token format with a superpower: Datalog policies.

What's Datalog?
A tiny logic language embedded inside the token itself. Instead of just listing permissions, you can write rules like "allow calendar:write only if spend is under $100 and it's a weekday." The rules travel with the token and are enforced at every checkpoint.

When an agent delegates to a sub-agent using Biscuit mode, the child's restrictions are appended to the token cryptographically — the parent's rules can never be removed, only added to. This is how monotonic narrowing is enforced at the protocol level, not just the application level.

12

The authority server

The SDK works locally for development, but for production you want a central authority — a server that issues passports, tracks spending, persists revocations, and stores audit logs.

REST API
Issue, verify, authorize, revoke, introspect — all over HTTP
SQLite storage
Passports, revocations, audit logs, spend tracking persisted to disk
Token introspection
RFC 7662-compliant endpoint: is this token active? What's left on the budget?
One command
npx @passport-agent/server starts a local authority server
13

Where it plugs in

Agent Passport isn't a standalone tool — it's a layer that drops into frameworks you already use. One import, a few lines of config, and every action is passport-checked.

MCP — guards every tool call in your MCP server
Express — middleware that maps routes to permissions
Fastify — plugin with automatic action extraction
Next.js — API route middleware for server actions
LangChain — wrap any tool with passport checks
CrewAI — decorator that guards all task execution
A2A — Agent Card extensions for cross-agent auth
Authority — self-hosted REST server with SQLite

For HTTP middleware (Express, Fastify, Next.js), the passport is extracted from the x-agent-passport header. The action is auto-derived from the HTTP method + path: POST /api/users becomes api:users:post.

14

Why this is hard to copy

Open source doesn't mean no moat. Here's what compounds over time:

Protocol standard
First-mover on the authorization gap between agent identity and action. Defining the spec others build against.
Network effects
Every agent using passports makes every service want to accept them. Two-sided, winner-take-most.
Integration surface
8 packages across MCP, LangChain, CrewAI, Express, etc. Once teams wire it in, they don't rip it out.
Audit trail gravity
The authority server accumulates action history. Compliance teams won't let you migrate away from it.

Ready to try it?

Ten lines to production. No vendor lock-in.

View on GitHub Back to home