Protocol Specification
This document is the normative reference for the Agent Interoperability Session Protocol (AISP). Implementations claiming conformance must satisfy the requirements stated herein.
Abstract
The Agent Interoperability Session Protocol (AISP) defines a lightweight, transport-agnostic standard for identity, communication, memory sharing, delegation, and consent between software agents — including but not limited to large-language-model (LLM) powered AI agents.
AISP is designed to complement, not replace, existing tool-calling protocols such as MCP. Where MCP governs how an agent calls tools exposed by an external server, AISP governs how two peer agents discover, trust, and collaborate with each other across session boundaries.
The protocol is layered. A minimal L0 implementation uses only the local filesystem. Full L3 implementations use a Hub server with WebSocket streaming, cryptographic signing, and fine-grained consent grants.
Design Principles
Identity before everything
Every session has a stable, cryptographically-derived identifier. There is no anonymous communication in AISP. This allows every message to be attributed, audited, and revoked.
Consent-first collaboration
No session may read memory, receive delegated tasks, or invoke capabilities of another session without an explicit, time-bounded grant. Grants can be revoked at any time by the grantor.
Transport agnosticism
The protocol layer is decoupled from the transport layer. The same AISP message envelope can travel over a local file, HTTP, WebSocket, or any future transport without modification.
Progressive complexity
A valid L0 implementation requires no external services — just a shared filesystem. Teams can adopt AISP incrementally, adding hub routing, signing, and encryption as needs grow.
Interoperability over lock-in
AISP is an open standard. Any agent runtime — regardless of vendor or model — can implement AISP. The goal is a common language for AI collaboration, not a platform moat.
Minimal surface area
The core protocol is intentionally small. Extensions are defined separately and must not break the base spec. Implementations are not required to support any extension to claim compliance.
Terminology
| Term | Definition |
|---|---|
| Session | A named, running instance of an agent with a stable cryptographic identity. |
| Realm | A shared namespace in which sessions discover and communicate with each other. |
| Hub | A server that provides L1–L3 AISP routing, storage, and authentication. |
| Envelope | The outer wrapper of every AISP message, containing routing and metadata. |
| Payload | The inner, protocol-specific content of a message, opaque to the transport. |
| Grant | An explicit, time-bounded permission for one session to access a capability of another. |
| Delegation | An instruction from one session to another to execute a task on its behalf. |
| Memory | Shared key-value store accessible to sessions within a realm, subject to grants. |
| Compliance Level | L0–L3 designation describing which subset of the protocol is implemented. |
| Transport Binding | Specification of how AISP envelopes are carried over a particular transport. |
Session Identity
Every session is identified by a 26-character ULID (Universally Unique Lexicographically Sortable Identifier) prefixed with sess_. The ID is generated at session creation time and persists for the lifetime of the session.
At L2 and above, each session generates an Ed25519 keypair on first start. The public key is published in the session manifest. All outbound messages are signed with the private key; receivers verify the signature before processing.
{
"id": "sess_01HX9J2N3PQRSTVWXYZ",
"name": "my-agent",
"kind": "interactive",
"realm": "default",
"created_at": "2026-04-06T09:00:00Z",
"public_key": "ed25519:MCowBQYDK2VwAyEA...",
"capabilities": [
"memory.read",
"memory.write",
"delegate.receive"
],
"transport": "file://~/.aisp/realms/default"
}Message Format
Every AISP message is a JSON object conforming to the Envelope schema. The envelope is transport-agnostic and must not be modified by intermediate hubs or proxies.
{
"aisp": "0.1",
"id": "msg_01HX9J2N3PQRSTVWXYZ",
"from": "sess_01HX9J2N3PQRSTVWXYZ",
"to": "sess_02HX9J2N3PQRSTVWXYZ",
"realm": "default",
"sent_at": "2026-04-06T09:01:00Z",
"ttl": 300,
"category": "delegate",
"payload": {
"task": "summarize",
"input": {
"file": "README.md"
}
},
"signature": "base64url:..."
}| Field | Type | Required | Description |
|---|---|---|---|
| aisp | string | Yes | Protocol version. Currently "0.1". |
| id | string | Yes | Unique message ID (ULID with msg_ prefix). |
| from | string | Yes | Sender session ID. |
| to | string | Yes | Recipient session ID, or "broadcast" for realm-wide. |
| realm | string | Yes | Realm the message is scoped to. |
| sent_at | string | Yes | ISO 8601 UTC timestamp. |
| ttl | number | No | Seconds until the message expires. Default: 86400. |
| category | string | Yes | One of the 7 protocol categories. |
| payload | object | Yes | Category-specific message body. |
| signature | string | L2+ | Ed25519 signature over the envelope minus this field. |
Protocol Categories
AISP defines seven message categories. Each category has a defined payload schema. Hubs route messages based on category to enable selective subscription and filtering.
helloHello — Session Announcement
Broadcast when a session starts. Used for peer discovery within a realm. Recipients add the sender to their local peer table.
{
"kind": "interactive",
"capabilities": [
"memory.read",
"delegate.receive"
]
}pingPing — Liveness Check
Sent to verify a session is still active. The recipient must reply with a pong containing the same nonce within the configured timeout window.
{
"nonce": "abc123",
"timestamp": "2026-04-06T09:01:00Z"
}memoryMemory — Shared State
Read or write operations on the shared key-value store. Write operations require a valid grant from the key owner, or the session must own the namespace.
{
"op": "set",
"key": "project.name",
"value": "My Project",
"scope": "realm"
}delegateDelegate — Task Assignment
A structured request from one session for another to perform a task. Includes a task descriptor, input context, and optional deadline.
{
"task": "summarize",
"input": {
"file": "README.md"
},
"deadline": "2026-04-06T10:00:00Z"
}resultResult — Task Response
The response to a delegate message. Contains the outcome (success, error, or partial) and any output data produced by the worker session.
{
"delegate_id": "msg_01HX...",
"status": "success",
"output": {
"summary": "A README."
}
}grantGrant — Consent & Permissions
Explicit time-bounded permission from one session to another. Specifies which capabilities are granted, the expiry time, and any conditions.
{
"capability": "memory.read",
"namespace": "project.*",
"expires_at": "2026-04-07T00:00:00Z"
}eventEvent — Observability
Structured event emission for audit logging, tracing, and observability. Hubs may persist events according to their retention policy.
{
"type": "task.completed",
"data": {
"task_id": "msg_01HX...",
"duration_ms": 1240
}
}Security Model
AISP's security model is built on three pillars: cryptographic identity, explicit consent grants, and scope-limited capabilities.
Cryptographic identity (L2+)
Sessions sign all outbound messages with an Ed25519 private key. Recipients verify the signature using the sender's public key from the realm manifest. Unsigned messages are rejected at L2+.
Consent grants
Any access to another session's memory namespace, capabilities, or delegated tasks requires an explicit grant. Grants are time-bounded and scope-limited. The grantor can revoke any grant at any time.
Transport encryption (L3)
At L3, all hub connections use TLS 1.3. File-based L0 transports inherit OS filesystem permissions. Direct session-to-session connections use NaCl box encryption.
Audit trail
The event category provides a structured audit trail. Hubs SHOULD persist events for at least 30 days. Events are immutable once written.
Transport Bindings
| Transport | Level | Notes |
|---|---|---|
| File system | L0 | JSON files in a shared directory. Polling or inotify for delivery. |
| HTTP REST | L1 | Hub API over HTTPS. Best for integrations and one-off sends. |
| WebSocket | L2 | Persistent hub connection. Enables real-time streaming and push delivery. |
| gRPC | L2 | Binary framing. Lower overhead for high-throughput agent clusters. |
| Direct TCP | L2 | Peer-to-peer without a hub. Requires manual address exchange. |
Compliance Levels
AISP defines four compliance levels. Each level is a superset of the previous.
- Session identity (ULID)
- File-based message delivery
- Basic discovery via manifest files
- Shared memory via JSON files
- All L0 requirements
- Hub registration and routing
- REST API transport
- Persistent message inbox
- Grant management
- All L1 requirements
- Ed25519 message signing
- WebSocket streaming
- Real-time event delivery
- Signature verification
- All L2 requirements
- TLS 1.3 transport encryption
- NaCl box for direct connections
- 30-day audit log retention
- RBAC on hub endpoints
Extension Mechanism
Implementations may add custom message categories using the x- prefix (e.g., x-myorg-task). Extension categories must not conflict with the seven core categories and must not be required for base compliance.
Extension payload schemas should be published at a stable URL and referenced in the ext field of the envelope:
{
"aisp": "0.1",
"id": "msg_01HX...",
"from": "sess_01HX...",
"to": "sess_02HX...",
"realm": "default",
"sent_at": "2026-04-06T09:01:00Z",
"category": "x-myorg-task",
"ext": "https://schema.myorg.com/aisp/x-task/v1",
"payload": {
"type": "image-generation",
"prompt": "A purple circuit board"
}
}Receivers that do not understand an extension category MUST NOT reject the envelope; they SHOULD log a warning and forward the message if they are acting as a hub.