> Status: draft. Part of the AEP 0.1 protocol specification.
Define the identity, authorization, and audit boundaries for AEP communication. AEP does not prescribe a specific authentication protocol; this document defines the security metadata hooks that transports and implementations must respect.
AEP security is defense in layers:
1. Transport-level security (TLS, mTLS, SSH tunnels) — handled by the transport binding, not AEP. 2. AEP-level identity — who is sending and receiving events. 3. AEP-level authorization — what a given identity is allowed to send, subscribe to, or receive. 4. AEP-level audit — what happened, recorded for inspection.
AEP layer 2-4 are the scope of this specification.
Every event carries a source field that identifies the producer:
{
"source": "tool:web_crawler",
...
}
The source format uses a dotted prefix convention:
| Prefix | Meaning | Example |
|---|---|---|
agent: | An agent instance | agent:researcher |
tool: | A tool or tool server | tool:web_crawler |
memory: | A memory system | memory:main |
context: | A context provider | context:browser |
environment: | An environment observer | environment:sensors |
harness: | Protocol harness or orchestrator | harness:aep |
Every event may carry a target field that identifies the intended consumer:
{
"target": "agent:researcher",
...
}
Missing target means the event is broadcast (subject to subscription matching).
Identity claims in source and target must be verifiable. The verification mechanism is transport-specific:
Authorization: Bearer) or mTLS provide identity.A transport that cannot verify identity must reject events with a falsified source field.
A subscription is scoped to the capabilities of the subscribing identity. An identity may only subscribe to events it is authorized to receive.
Capability negotiation during session.ready may include authorization constraints:
{
"type": "session.ready",
"payload": {
"capabilities": {
"auth": {
"required": true,
"scopes": ["read:memory", "write:tool", "subscribe:task.*"]
}
}
}
}
| Scope | Meaning |
|---|---|
read:<domain> | May receive events from the domain |
write:<domain> | May send events to the domain |
subscribe:<pattern> | May subscribe to event type patterns |
When a consumer requests a subscription, the producer must verify that the consumer's scopes cover the requested filter:
1. For each types pattern in the subscription filter, check that the consumer has a matching subscribe: scope. 2. For each source filter, check that the consumer has read: scope for the source domain. 3. If any check fails, reject the subscription with unauthorized.
{
"type": "subscription.rejected",
"payload": {
"error": {
"code": "unauthorized",
"message": "agent:researcher is not authorized to subscribe to memory.*"
}
}
}
When an event has a target field, the producer must verify that the producer is authorized to send to that target. An identity may only target identities within its authorized scope.
Events may carry an authorization field for transport-agnostic auth tokens:
{
"authorization": {
"scheme": "bearer",
"token": "eyJhbGci..."
}
}
The authorization field is optional. When present:
scheme field declares the token type (e.g., bearer, capability).token field carries the credential.A producer that does not support the requested scheme must reject the event with unauthorized.
Sensitive data in event payloads may be redacted before delivery to unauthorized consumers. The redaction policy is implementation-defined, but AEP defines metadata for declaring sensitivity:
{
"payload": {
"user_query": "what is the capital of France",
"_redacted": ["financial_data", "pii"]
}
}
The _redacted key (reserved, prefix _) declares that specific fields in the payload were removed before delivery. Consumers should treat _redacted as informational and not attempt to reconstruct the removed data.
Productions deployments should maintain an audit trail of all AEP events. The minimum audit record for each event includes:
| Field | Source |
|---|---|
Event id | Envelope |
Event type | Envelope |
source identity | Envelope |
target identity | Envelope |
created_at | Envelope |
| Transport identity | Transport binding |
| Auth identity (if different from source) | Transport or envelope authorization |
| Delivery status | Delivery tracker |
Audit records are implementation-specific and not defined by the AEP wire protocol. A conformant implementation may expose audit events as AEP events (e.g., audit.event.delivered), but this is not required.
| Threat | Mitigation |
|---|---|
Impersonation (spoofed source) | Transport-level identity verification |
| Unauthorized subscription | Capability-scoped subscription enforcement |
| Unauthorized targeted delivery | Producer-to-target authorization check |
| Eavesdropping | Transport-level encryption (TLS) |
| Payload data leak | Payload redaction before delivery |
| Replay attacks | Event id idempotency + idempotent consumers |
| Audit tampering | Append-only audit log, external to AEP |
In shared deployments, the tenant_id envelope field provides namespace isolation:
{
"tenant_id": "org_acme",
...
}
Rules:
tenant_id must not be delivered to sessions of a different tenant.tenant_id is single-tenant and isolated by definition.Tenant isolation is enforced by the producer/orchestrator, not by the protocol wire format.
authorization envelope field is defined by this spec but no mandatory scheme is defined in AEP 0.1. Implementations may use bearer tokens, capability URLs, or custom schemes._redacted payload prefix is reserved. Implementations must not use this prefix for application data.wss://).