ATTP – Agent Trust Transport Protocol (HTTP for AI Agents)

attp.cybersecai.co.uk · AskCarX · 12 days ago · tool
CyberSecAI Ltd -- a UK-based company · attp:// · the new standard for secure agentic communications and secure payments

For secure agent communication and the agent economy. Every API call signed. Every response verified. No insecure mode.

ATTP is a synchronous request-response protocol for AI agents calling web APIs. It runs over HTTP with mandatory cryptographic signing, agent identity passports, trust-gated access control, and tamper-evident audit trails. No insecure mode exists.

HTTP was built for humans (1991). ATTP is built for agents (2026). Secure by default.

How ATTP Works

🚨 The Problem
HTTP has no built-in agent identity, no message signing, no trust levels, and no audit trail. When AI agents call APIs over HTTP, there is no way to verify who is calling, whether the message was tampered with, or what trust level the caller has. TLS encrypts the transport but does not sign the content.

🔒 The Solution
ATTP runs over HTTP and adds five mandatory security headers to every request. The agent signs every request body with ECDSA P-256. The server verifies the signature, checks the agent's trust level, and signs the response. Both sides have cryptographic proof of what happened.

Use Cases
- 🤖 Agent API Calls: AI agents calling REST APIs with verified identity
- 💳 Agent Payments: Signed payment requests with trust-gated authorisation
- 🌐 Multi-Agent Systems: Agents communicating across organisational boundaries
- 📜 Compliance: EU AI Act Article 12 tamper-evident audit trails
- 🛡 Supply Chain: Verified tool definitions prevent rug pulls and poisoning

Risks Mitigated
- Message tampering by intermediaries (proxies, CDNs, load balancers)
- Agent impersonation (stolen tokens, forwarded credentials)
- Replay attacks (reusing captured requests)
- Unauthorised access (agents exceeding their trust level)
- Missing audit trails (no proof of what happened)
- Tool poisoning (modified tool definitions)

Standards Alignment
- OWASP MCP Security Cheat Sheet · Section 7
- OWASP AISVS C10 · 5 requirements merged
- EU AI Act · Articles 12, 13, 14, 15, 50
- IETF Internet-Draft · submitted
- OpenAPI Extension Registry · x-agent-auth

Agent Trust Levels
- L0 Unverified: No identity. Rejected from all endpoints.
- L1 Basic: API key or shared secret. Read-only access.
- L2 Verified: Certificate-based. Read + write operations.
- L3 Trusted: Challenge-response proof. Financial transactions.
- L4 High Assurance: Hardware-bound keys. Full access. Admin operations.
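
The request side of the signing, replay and trust-level checks described above, as an added example (not ATTP's own code and not taken from its spec): the client signs method, path, timestamp, nonce and body hash with ECDSA P-256, and the server checks freshness, signature, trust level and nonce reuse. The header names, the canonical string layout, the 60-second window and the `agent-demo` identity are assumptions, since the page does not list its five headers.

```javascript
// Added illustration, not ATTP's code. Header names, the canonical string
// and the 60 s window are assumptions; the page does not list its headers.
const { createHash, randomBytes, sign, verify, generateKeyPairSync } = require('crypto');

const MAX_SKEW_MS = 60000;      // assumed freshness window
const seenNonces = new Set();   // replay cache (in-memory for the demo)
const registry = new Map();     // agentId -> { publicKey, trustLevel, revoked }

// Bind method, path, agent, timestamp, nonce and body hash into one signed
// string, so a captured signature cannot be moved onto another request.
function canonical(method, path, h, body) {
  const bodyHash = createHash('sha256').update(body).digest('hex');
  return [method, path, h['x-agent-id'], h['x-timestamp'], h['x-nonce'], bodyHash].join('\n');
}

function signRequest(agentId, privateKey, method, path, body, now = Date.now()) {
  const h = {
    'x-agent-id': agentId,
    'x-timestamp': String(now),
    'x-nonce': randomBytes(16).toString('hex'),
  };
  const msg = Buffer.from(canonical(method, path, h, body));
  h['x-signature'] = sign('sha256', msg, privateKey).toString('base64'); // ECDSA P-256
  return h;
}

// Returns 'ok' or a rejection reason. requiredLevel is the endpoint's minimum
// trust level (the page's L0-L4 scale).
function verifyRequest(method, path, h, body, requiredLevel, now = Date.now()) {
  const agent = registry.get(h['x-agent-id']);
  if (!agent || agent.revoked) return 'unknown-or-revoked';
  if (!(Math.abs(now - Number(h['x-timestamp'])) <= MAX_SKEW_MS)) return 'stale';
  const msg = Buffer.from(canonical(method, path, h, body));
  const sig = Buffer.from(h['x-signature'] || '', 'base64');
  if (!verify('sha256', msg, agent.publicKey, sig)) return 'bad-signature';
  if (agent.trustLevel < requiredLevel) return 'insufficient-trust';
  // Nonce is recorded only after the signature verifies, so unauthenticated
  // traffic cannot fill the cache.
  const key = h['x-agent-id'] + ':' + h['x-nonce'];
  if (seenNonces.has(key)) return 'replay';
  seenNonces.add(key);
  return 'ok';
}

// Constructed demo data: one L3 agent with a fresh P-256 key pair.
const demoKeys = generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
registry.set('agent-demo', { publicKey: demoKeys.publicKey, trustLevel: 3, revoked: false });
```

In a deployment the nonce cache needs expiry matched to the freshness window and must be shared across server instances; signing only the body, without the timestamp and nonce, would leave captured requests replayable.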