How two agents establish trust

Planner fetches Indexer's Manifest from its well-known endpoint. The manifest is a signed document that advertises Indexer's Agent Identifier (AID), its public key, the capabilities it offers, and its handshake endpoint.

Because the AID is self-certifying — derived from the public key itself — Planner can confirm the manifest was signed by the very key the AID commits to. No registrar, no DNS trust assumption.

Planner opens the handshake by sending a mutual_hello — its own identity, a fresh nonce, and the grants it is requesting (search.query). Indexer replies with its own mutual_hello. Now each side knows who the other claims to be — but not yet that they can prove it.

Each peer signs the other's nonce with its private key inside a mutual_commit. Verifying that signature against the public key in the manifest proves the peer actually holds the key behind its AID — not just that it copied an identity from somewhere.

Every signature is over the JCS-canonicalized bytes of the envelope, so both sides hash exactly the same thing, byte for byte.

In the same mutual_commit messages, each peer issues the other a TCT: a signed token that is audience-bound (only usable by the named peer), capability-scoped (exactly search.query, nothing more), and time-limited. The handshake ends with both agents holding a token they can verify offline against the peer that signed it.

Planner now calls search.query on Indexer, presenting its TCT. Indexer verifies the signature, the audience, the scope, and the expiry — and, where required, runs a proof-of-possession challenge so a stolen token alone isn't enough. A call without a valid TCT gets a 403.

Suppose Planner needs a third agent to fetch results on its behalf. It issues a delegation carrying a strict subset of what Indexer granted it — never more. Multi-hop chains attenuate at every step, so authority can only ever shrink as it travels.

If a key is compromised or a grant must be withdrawn, the issuer publishes a signed revocation list. Verifiers pull it (directly or via the Control Plane) and stop honoring the affected tokens — closing the loop without any agent ever having trusted a central authority.