Security

AEP Security Model

> Status: draft. Part of the AEP 0.1 protocol specification.

Purpose

Define the identity, authorization, and audit boundaries for AEP communication. AEP does not prescribe a specific authentication protocol; this document defines the security metadata hooks that transports and implementations must respect.

Design Principle

AEP security is defense in layers:

1. Transport-level security (TLS, mTLS, SSH tunnels) — handled by the transport binding, not AEP. 2. AEP-level identity — who is sending and receiving events. 3. AEP-level authorization — what a given identity is allowed to send, subscribe to, or receive. 4. AEP-level audit — what happened, recorded for inspection.

AEP layer 2-4 are the scope of this specification.

Identity Model

Producer Identity

Every event carries a source field that identifies the producer:

{
  "source": "tool:web_crawler",
  ...
}

The source format uses a dotted prefix convention:

PrefixMeaningExample
agent:An agent instanceagent:researcher
tool:A tool or tool servertool:web_crawler
memory:A memory systemmemory:main
context:A context providercontext:browser
environment:An environment observerenvironment:sensors
harness:Protocol harness or orchestratorharness:aep

Consumer Identity

Every event may carry a target field that identifies the intended consumer:

{
  "target": "agent:researcher",
  ...
}

Missing target means the event is broadcast (subject to subscription matching).

Identity Verification

Identity claims in source and target must be verifiable. The verification mechanism is transport-specific:

A transport that cannot verify identity must reject events with a falsified source field.

Authorization Model

Capability-Scoped Subscriptions

A subscription is scoped to the capabilities of the subscribing identity. An identity may only subscribe to events it is authorized to receive.

Capability negotiation during session.ready may include authorization constraints:

{
  "type": "session.ready",
  "payload": {
    "capabilities": {
      "auth": {
        "required": true,
        "scopes": ["read:memory", "write:tool", "subscribe:task.*"]
      }
    }
  }
}
ScopeMeaning
read:<domain>May receive events from the domain
write:<domain>May send events to the domain
subscribe:<pattern>May subscribe to event type patterns

Subscription Enforcement

When a consumer requests a subscription, the producer must verify that the consumer's scopes cover the requested filter:

1. For each types pattern in the subscription filter, check that the consumer has a matching subscribe: scope. 2. For each source filter, check that the consumer has read: scope for the source domain. 3. If any check fails, reject the subscription with unauthorized.

{
  "type": "subscription.rejected",
  "payload": {
    "error": {
      "code": "unauthorized",
      "message": "agent:researcher is not authorized to subscribe to memory.*"
    }
  }
}

Targeted Delivery Enforcement

When an event has a target field, the producer must verify that the producer is authorized to send to that target. An identity may only target identities within its authorized scope.

Event-Level Authorization

Events may carry an authorization field for transport-agnostic auth tokens:

{
  "authorization": {
    "scheme": "bearer",
    "token": "eyJhbGci..."
  }
}

The authorization field is optional. When present:

A producer that does not support the requested scheme must reject the event with unauthorized.

Payload Redaction

Sensitive data in event payloads may be redacted before delivery to unauthorized consumers. The redaction policy is implementation-defined, but AEP defines metadata for declaring sensitivity:

{
  "payload": {
    "user_query": "what is the capital of France",
    "_redacted": ["financial_data", "pii"]
  }
}

The _redacted key (reserved, prefix _) declares that specific fields in the payload were removed before delivery. Consumers should treat _redacted as informational and not attempt to reconstruct the removed data.

Audit Trail

Productions deployments should maintain an audit trail of all AEP events. The minimum audit record for each event includes:

FieldSource
Event idEnvelope
Event typeEnvelope
source identityEnvelope
target identityEnvelope
created_atEnvelope
Transport identityTransport binding
Auth identity (if different from source)Transport or envelope authorization
Delivery statusDelivery tracker

Audit records are implementation-specific and not defined by the AEP wire protocol. A conformant implementation may expose audit events as AEP events (e.g., audit.event.delivered), but this is not required.

Threat Model Summary

ThreatMitigation
Impersonation (spoofed source)Transport-level identity verification
Unauthorized subscriptionCapability-scoped subscription enforcement
Unauthorized targeted deliveryProducer-to-target authorization check
EavesdroppingTransport-level encryption (TLS)
Payload data leakPayload redaction before delivery
Replay attacksEvent id idempotency + idempotent consumers
Audit tamperingAppend-only audit log, external to AEP

Multi-Tenant Isolation

In shared deployments, the tenant_id envelope field provides namespace isolation:

{
  "tenant_id": "org_acme",
  ...
}

Rules:

Tenant isolation is enforced by the producer/orchestrator, not by the protocol wire format.

Implementation Notes