Skip to main content

Machine Identity & Agent Identity Protocol

The Machine Agent Identity Protocol (MAIP) gives every AI agent, bot, and automated service a cryptographic identity — just like TLS certificates for servers, but purpose-built for autonomous software.

Why Machine Identity?

As AI agents proliferate across enterprise workflows, organizations face a critical challenge: How do you know which agent did what, and whether it was authorized? MAIP solves this with:
  • Cryptographic agent identity — Every agent gets a unique ID (maip-agent:<ulid>) and signing keys
  • Scope-based authorization — Fine-grained permission scopes control what each agent can do
  • Runtime policy enforcementMAIP policies evaluate trust scores, scopes, and delegation depth before every sensitive action
  • Trust scoring — Continuous behavioral evaluation produces a 0-100 trust score
  • Session management — Time-bounded execution contexts with automatic expiry
  • Cross-tenant delegation — Agents can delegate authority across organizational boundaries
  • Kill switch — Instant emergency revocation of any agent’s access

Architecture

┌─────────────────────────────────────────────┐
│              Your Application                │
│  ┌─────────┐  ┌─────────┐  ┌─────────────┐  │
│  │ Agent A │  │ Agent B │  │  Agent C    │  │
│  └────┬────┘  └────┬────┘  └──────┬──────┘  │
│       │            │              │          │
│  ┌────▼────────────▼──────────────▼──────┐  │
│  │         MAIP SDK (JS / Go / Py)       │  │
│  └────────────────┬──────────────────────┘  │
└───────────────────┼─────────────────────────┘
                    │ HTTPS + mTLS
    ┌───────────────▼───────────────┐
    │   Machine Identity Service    │
    │  ┌──────┐ ┌───────┐ ┌──────┐ │
    │  │Agents│ │Scopes │ │Trust │ │
    │  │      │ │       │ │Scores│ │
    │  └──────┘ └───────┘ └──────┘ │
    └───────────────────────────────┘

Try it in the playground

Every MAIP endpoint has an interactive API playground built into the docs. You can build requests, switch between Sandbox and Production environments, and send them directly — no separate tool needed. All MAIP endpoints are covered, spanning ten API groups: Machine Agents, Agent Sessions & Tools, Trust & Witness, MAIP Policies, Truth Claims & Documents, Compliance & Anomalies, Datasets & Models, Orchestrations & Workflows, Guardrails & Delegation, and Observability. The playground supports both X-API-Key and Bearer JWT authentication. Use X-API-Key for quick testing and Bearer JWT when you need to authenticate with a session token from a running agent.
Open any endpoint in the Machine Agents API reference and click Send to try it live against the Sandbox.

Quick start

1. Register an agent

curl -X POST https://api.truthlocks.com/v1/agents \
  -H "X-API-Key: $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "order-processor",
    "type": "autonomous",
    "scopes": ["receipts:write", "attestations:read"],
    "metadata": {
      "framework": "langchain",
      "model": "gpt-4o",
      "owner": "platform-team"
    }
  }'

2. Create a Session

curl -X POST https://api.truthlocks.com/v1/sessions \
  -H "X-API-Key: $API_KEY" \
  -d '{
    "agent_id": "maip-agent:01JXXXX",
    "scopes": ["receipts:write"],
    "ttl_seconds": 3600,
    "ip_allowlist": ["10.0.0.0/8"]
  }'

3. Execute with Trust Scoring

Every action the agent takes is logged and scored. The trust score updates continuously: 
# Check current trust score
curl https://api.truthlocks.com/v1/trust-scores/maip-agent:01JXXXX \
  -H "X-API-Key: $API_KEY"
Response: 
{
  "agent_id": "maip-agent:01JXXXX",
  "score": 87,
  "factors": {
    "behavioral_compliance": 92,
    "scope_adherence": 95,
    "anomaly_score": 12,
    "peer_attestations": 78
  },
  "trend": "stable",
  "computed_at": "2026-04-06T12:00:00Z"
}

4. Emergency Kill Switch

Instantly revoke all agent access: 
curl -X POST https://api.truthlocks.com/v1/agents/maip-agent:01JXXXX/kill \
  -H "X-API-Key: $API_KEY" \
  -d '{ "reason": "Anomalous behavior detected", "revoke_sessions": true }'

Core Concepts

Agent Types

TypeDescriptionUse Case
autonomousFully autonomous decision-makingTrading bots, workflow engines
supervisedRequires human approval for critical actionsContent moderation, compliance
delegatedActs on behalf of another agent or userService accounts, proxies
systemInfrastructure-level agentMonitoring, health checks

Scopes

Scopes follow a resource:action pattern:
  • agents:read / agents:write — Agent management
  • receipts:write — Issue action receipts
  • attestations:read — Read attestation data
  • trust-scores:read — Access trust scores
  • delegations:offer / delegations:accept — Cross-tenant delegation
  • compliance:write — Run compliance checks
  • orchestrations:execute — Execute multi-agent workflows

Trust Score Components

FactorWeightDescription
Behavioral compliance35%Actions within declared scope
Scope adherence25%No out-of-scope access attempts
Anomaly score20%Deviation from historical patterns
Peer attestations10%Other agents vouching for behavior
Session hygiene10%Proper session creation/termination

Billing & Quotas

Machine identity features are metered per your plan. Four MAIP usage counters are tracked each billing cycle:
MetricWhat it countsDeveloperBusinessEnterprise
maip.agentsRegistered machine agents250Unlimited
maip.sessionsAgent sessions created per month10010,000Unlimited
maip.trust_computesOn-demand trust score calculations505,000Unlimited
maip.compliance_checksCompliance verification requests10500Unlimited
Monitor your consumption with the usage API or in the console at Settings > Billing > Usage under the MAIP section.
See the billing overview for the full list of 16 metered products. Upgrade your plan at console.truthlocks.com/billing to increase limits.

Editor and pipeline integrations

MAIP integrates with the tools your team already uses. Each integration generates cryptographic receipts automatically.
CategoryIntegrations
Editor pluginsVS Code, JetBrains, Neovim (Telescope, statusline, auto-receipt on save)
AI assistantsMCP Server — 20 tools for AI coding assistants to query agents, receipts, and trust scores
Data pipelinesEvent streaming gateway — Kafka, EventBridge, Kinesis, NATS, Redis Streams with deduplication and retry
CI/CDGitHub Action — receipts for commits, PRs, releases, and build artifacts
AI frameworksLangChain, LlamaIndex, CrewAI, AutoGen, OpenAI, Anthropic, AWS Bedrock
Team toolsSlack, Linear, Notion
See the MAIP integrations guide for setup instructions and code examples.

Next steps

Agent authorization

Deep dive into scope-based authorization and session management.

MAIP policies

Runtime enforcement rules based on trust scores, scopes, and delegation depth.

Trust scores

Understanding and configuring continuous trust evaluation.

Cross-tenant delegation

Enable agents to operate across organizational boundaries.

AI orchestration

Multi-agent workflow execution with safety guardrails.

MAIP integrations

Connect agents to Slack, GitHub, VS Code, Neovim, LangChain, and more.