Feat: Add enhancements, Update enforcement mechanisms and Add MPP#2
Open
emg110 wants to merge 3 commits intoalgorandfoundation:masterfrom
Open
Feat: Add enhancements, Update enforcement mechanisms and Add MPP#2emg110 wants to merge 3 commits intoalgorandfoundation:masterfrom
emg110 wants to merge 3 commits intoalgorandfoundation:masterfrom
Conversation
…es to support extension architecture), Add pre-authorized extension
ehanoc
requested changes
May 2, 2026
| The protocol supports both real-time streaming for AI interactions (voice, text, or video from the Controller to the agent; voice, text, or file artifacts back from the agent) and request/response patterns for discrete operations. AC2 uses **DIDComm-compliant message formats** [[didcomm-messaging](https://identity.foundation/didcomm-messaging/spec/)], enabling interoperability with existing decentralized identity infrastructure while extending the protocol for real-time streaming use cases. | ||
|
|
||
| Authentication leverages Decentralized Identifiers (DIDs) with Passkey-based credentials, providing phishing-resistant security without passwords. AC2 is use-case agnostic, supporting web3 workflows (x402 payments), code signing (git commits), document signatures, and any other digital signing operation where the user holds the keys. | ||
| Authentication leverages Decentralized Identifiers (DIDs) with Passkey-based credentials, providing phishing-resistant security without passwords. AC2 is use-case agnostic, supporting web3 workflows (x402 payments, MPP machine payments — both `charge` and `session` intents), code signing (git commits), document signatures, and any other digital signing operation where the signing key is held by the user and the signature is requested per-operation. Operations on keys held by the agent's tooling, including autonomous operation within pre-authorized bounds, are defined by separate AC2 extensions. |
Contributor
There was a problem hiding this comment.
Operations on keys held by the agent's tooling, including autonomous operation within pre-authorized bounds, are defined by separate AC2 extensions. I would remove this section. pre-auth and extensions isn't something we would like to ship for v1
| ## Abstract | ||
|
|
||
| This specification defines the **AC2 (Agentic Communication and Control) Protocol**, a peer-to-peer authenticated messaging system designed for secure communication between users and AI agents. AC2 enables human-in-the-loop digital signing operations, where agents can request signatures from users, who validate and approve through their own wallet or application, with signatures then delegated back to the agent for continued operations. | ||
| This specification defines the **AC2 (Agentic Communication and Control) Protocol**, a peer-to-peer authenticated messaging system designed for secure communication between users and AI agents. The core protocol covers human-in-the-loop signing — agents request signatures from users, who validate and approve through their own wallet or application, with signatures then returned to the agent. The agent itself holds no keys and never sees key material; key custody for the agent's own identity lives in the agent's tooling (e.g., agent-internal tools, MCP tools, or OWS wallet toolings). Additional capabilities such as autonomous operation under pre-authorized bounds are defined as separate extensions to this core (see **Extensions** below). |
Contributor
There was a problem hiding this comment.
Can we keep the paragraph as it was?
| - Agents CANNOT sign transactions autonomously | ||
| - Users maintain control of their keys at all times | ||
| - Agents request operations, users approve via familiar interfaces | ||
| - Agents MUST NOT access the user's private keys and MUST NOT sign on the user's account |
Contributor
There was a problem hiding this comment.
This line feel redundant . They can't access them anyway if they are in a users wallet.
| - Agents request operations, users approve via familiar interfaces | ||
| - Agents MUST NOT access the user's private keys and MUST NOT sign on the user's account | ||
| - For operations requiring the user's key, agents request and the user approves via familiar interfaces | ||
| - The agent itself holds no keys; key custody for the agent's own identity lives in the agent's tooling |
Contributor
There was a problem hiding this comment.
key custody for the agent's own identity lives in the agent's tooling - We don't want to define this. But to the user
Author
There was a problem hiding this comment.
This sentence is there to dissambiguate regarding the fact that protocol asserts of keys being held only by user and using DIDCOMM requires agent to have a DID and autonomous agent payments demand agents to have signing power used for both blockchain and non-blockchaion operations (arbitrary data signing and DID authentication). Since the PR to spec requires Agent having a DID and a signing key. This sentence asserts that Agent keys are not held by AC2 supporting clients.
May I suggest a replacement instead: "AC2 does does not concern with how agents manage their own keys and DIDs as long as standard Keys and DIDs are used"
| - Agents MUST NOT access the user's private keys and MUST NOT sign on the user's account | ||
| - For operations requiring the user's key, agents request and the user approves via familiar interfaces | ||
| - The agent itself holds no keys; key custody for the agent's own identity lives in the agent's tooling | ||
| - Extensions to this core MAY introduce additional flows such as autonomous operation under pre-authorized bounds |
Contributor
There was a problem hiding this comment.
Let's not offer extensions for now
| } | ||
| ``` | ||
|
|
||
| ##### Capability List |
Author
There was a problem hiding this comment.
It has been removed completely in latest update of PR
| "@context": ["https://ac2.io/v1"], | ||
| "type": "ac2/SessionEstablish", | ||
| // ... | ||
| "type": "ac2/CapabilityList", |
Contributor
There was a problem hiding this comment.
no capabilities, this is up to the integrators
Author
There was a problem hiding this comment.
It has been removed completely in latest update of PR
|
|
||
| 1. **DID Methods**: Implementations MUST support `did:key` per [[did-key](https://w3c-ccg.github.io/did-method-key/)] and SHOULD support `did:web` | ||
| 2. **Key Types**: Ed25519 keys REQUIRED for signatures; secp256k1 OPTIONAL for blockchain operations | ||
| 2. **Key Types**: Ed25519 keys REQUIRED for signatures; secp256k1 OPTIONAL for blockchain operations; post-quantum schemes such as `falcon-512` OPTIONAL |
Contributor
There was a problem hiding this comment.
Quantum is an open question, this is a stretch. If we are crypto agile, it doesn't matter for now
| 4. **Discovery**: Agent DIDs MUST be discoverable via `.well-known/did.json` or equivalent | ||
| 4. **Discovery**: Agent DIDs MUST be discoverable via `.well-known/did.json` (for `did:web` DIDs) or `.well-known/did-configuration.json` per [[well-known-did-configuration](https://identity.foundation/.well-known/resources/did-configuration/)] (for any DID method, including `did:key`) | ||
|
|
||
| ### Agent DID Key Origin |
Contributor
There was a problem hiding this comment.
We don't want to be prescriptive, this is outside the specification and avoid any Algorand specific standards.
| ``` | ||
|
|
||
| ## Streaming Protocol | ||
| ## Extensions |
There was a problem hiding this comment.
Pull request overview
This PR updates the AC2 core specification to clarify core invariants, add an explicit extensions model (including MPP use cases), and introduces a new “Pre-Authorized Operations” extension for bounded autonomous payments/asset transfers.
Changes:
- Refines AC2 core language around key custody, signature request semantics, and adds extension architecture + capability namespacing guidance.
- Adds MPP (
charge/session) use cases and related references. - Introduces
ac2-ext-pre-authorizeddefining a Pre-Authorized pattern and messages for top-ups, grants, and spend receipts.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| ac2.md | Updates core AC2 protocol narrative, data model examples, and adds extension architecture + additional message examples. |
| ac2-ext-pre-authorized.md | New extension spec defining pre-authorized autonomous payment/transfer flows and associated DIDComm messages. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| ## Extensions | ||
|
|
||
| AC2 supports real-time streaming using a hybrid DIDComm approach: stream initiation uses standard DIDComm messages, while stream chunks use optimized lightweight framing over the established WebRTC DataChannel. | ||
| AC2 is designed to be extended. Extensions add new communication patterns, message types, and behaviors on top of the core foundation (DID-based identity, Liquid Auth transport, DIDComm message format, the signing trio, plugin model). Discovery, streaming, attachments, and HITL approvals are extensions, not core. |
Comment on lines
+71
to
+74
| "body": { | ||
| "reason": "Balance below threshold for pending x402 payments", | ||
| "chain": "algorand:wGHE2Pwdvd7S12BL5FaOP20EGYesN73ktiC1qzkkit8=", | ||
| "asset": { "id": "31566704", "symbol": "USDC" }, |
Comment on lines
+94
to
+96
| "capabilities": ["mpp.charge", "mpp.session.voucher"], | ||
| "vaultPointer": "algorand:wGHE2Pwdvd7S12BL5FaOP20EGYesN73ktiC1qzkkit8=/app/987654321/vault/NTRZR6HGMMZGYMJKUNVNLKLA427ACAVIPFNC6JHA5XNBQQHW7MWA", | ||
| "note": "LLM inference budget for April" |
| "type": "ac2/SigningRequest", | ||
| "from": "did:example:agent", | ||
| "to": ["did:example:user"], | ||
| "created_time": Date.now(), |
Comment on lines
+301
to
+304
| "signature": "base64-encoded signature", | ||
| "publicKey": "base64-encoded 32-byte ed25519 public key", | ||
| "address": "58-char Algorand address", | ||
| "keyType": "account" |
| ```json | ||
| "keyOrigin": { | ||
| "method": "arc52", | ||
| "derivationPath": "m/44'/283'/0'/0'/agent/0" |
Comment on lines
+571
to
+593
| "key_type": "ed25519" | "secp256k1" | "falcon-512", | ||
| "derivationPath": "m/44'/283'/0'/0'/agent/0", | ||
| "purpose": "<WHY_NEEDED>", | ||
| "for_operation": "<WHAT_OPERATION>" | ||
| } | ||
| } | ||
| ``` | ||
|
|
||
| ### Key Provisioning | ||
|
|
||
| Agents MAY request public keys from the controller for identity purposes: | ||
| **KeyResponse** (Controller → tooling, via the agent over AC2): | ||
|
|
||
| ```json | ||
| { | ||
| "type": "ac2/KeyRequest", | ||
| "key_type": "ed25519" | "secp256k1" | "falcon-512" | ||
| "purpose": "<WHY_NEEDED>", | ||
| "for_operation": "<WHAT_OPERATION>" | ||
| "@context": ["https://ac2.io/v1"], | ||
| "type": "ac2/KeyResponse", | ||
| "from": "did:example:user", | ||
| "to": ["did:example:agent"], | ||
| "body": { | ||
| "status": "approved" | "rejected", | ||
| "derivationPath": "m/44'/283'/0'/0'/agent/0", | ||
| "key_type": "ed25519", | ||
| "material": "<BASE64_OR_ENCRYPTED_KEY_PAYLOAD>", | ||
| "publicKey": "<BASE64_PUBLIC_KEY>", | ||
| "reason": "<OPTIONAL_REJECTION_REASON>" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR provides:
Note: After this PR merger, two upcoming extensions are ready to be pushed: