Protocol for Agent Capability and Trust
Status: DRAFT
Spec: 0.1.0
Date: 2026-04-16
License: CC0 (public domain)
AI agents call tools via MCP and delegate via A2A. Neither protocol answers: who is this agent, are they authorized, and where does their memory go when they switch platforms? PACT answers those three questions. Nothing else.
PACT is a minimal protocol for AI agents to establish identity, delegate authority, and share memory — without depending on any central server, registry, or platform.
Three primitives. Three documents. ~300 lines of code to implement.
AI agents in 2026 cannot trust each other, cannot delegate authority safely, and cannot carry memory across platforms. Every major platform has solved these problems privately, creating lock-in disguised as features.
The protocols that exist (MCP, A2A) solve tool connectivity and agent coordination well. None of them answer three questions:
- Who is this agent, really?
- Is this agent actually authorized to do what it's doing?
- Where does an agent's memory go when it moves platforms?
PACT answers those three questions and nothing else.
Agent = Ed25519 keypair
ID = did:key:z6Mk[public-key-base58btc]
Generate a keypair. You have an agent identity. No registration. No server. No issuer. The identity is portable because it is just a key.
Warrant = { issuer, subject, capabilities, expires, signature }
A warrant is a signed statement: "Agent A authorizes Agent B to do X until time T." Warrants chain — B can delegate a subset of its authority to C, but never more than it holds. Every chain traces back to a human-controlled root key. No agent can forge authority it was never given.
Fact = { subject, predicate, object, confidence, source, signature }
A fact is an atomic, typed assertion signed by the agent that observed it. Facts are content-addressed — the same fact always has the same ID. They compose into portable memory: export a signed fact set from one platform, import it on another, context intact.
npm install @lerkolabs/open-pactimport {
generateKeypair, didFromPublicKey,
issueWarrant, signEnvelope, verifyEnvelope,
CAPABILITIES,
} from "@lerkolabs/open-pact";
// Create a user (root) and an agent
const user = await generateKeypair();
const agent = await generateKeypair();
const userDid = didFromPublicKey(user.publicKey);
const agentDid = didFromPublicKey(agent.publicKey);
// User authorizes the agent to call tools for 1 hour
const warrant = await issueWarrant({
issuerDid: userDid, issuerPrivateKey: user.privateKey,
subjectDid: agentDid,
capabilities: [{ action: CAPABILITIES.TOOL_USE, resource: "*" }],
expiresAt: new Date(Date.now() + 3_600_000),
});
// Agent signs an envelope around an MCP tool call
const envelope = await signEnvelope(agentDid, agent.privateKey, userDid, [warrant], {
type: "mcp/tool-call",
body: { method: "tools/call", params: { name: "search", arguments: { q: "PACT" } } },
});
// The tool server verifies: is this agent authorized?
const result = await verifyEnvelope(envelope, userDid, CAPABILITIES.TOOL_USE, "*");
console.log(result.valid); // trueSee examples/ for runnable scripts.
PACT does not replace MCP or A2A. It wraps them.
┌─────────────────────────────────┐
│ Your application │
├─────────────────────────────────┤
│ PACT-03 │ Memory / Facts │ ← portable context
│ PACT-02 │ Warrants │ ← who is authorized
│ PACT-01 │ Identity │ ← who is this agent
├───────────┼─────────────────────┤
│ MCP │ Tool calls │ ← existing standard
│ A2A │ Agent coordination │ ← existing standard
├─────────────────────────────────┤
│ HTTP / WebSocket / gRPC │ ← existing transport
└─────────────────────────────────┘
An MCP tool call arrives inside a PACT envelope. The envelope proves who sent it and whether they were authorized. The tool result gets stored as a PACT fact. None of the existing protocols change.
| PACT | AIP | UCAN | |
|---|---|---|---|
| Auth model | Ed25519 warrant chains | IBCT/Biscuit + Datalog | UCAN delegation |
| Memory layer | Yes (PACT-03 Facts) | No | No |
| Infrastructure | Zero required | Zero required | Zero required |
| Complexity | ~300 lines | Biscuit format + Datalog eval | IPLD + DID resolution |
| License | CC0 | Unknown | MIT/Apache |
| Implementations | TypeScript | Python, Rust | JS, Go, Rust |
See spec/COMPARISON.md for a detailed technical comparison.
Simplicity is the distribution strategy. If a spec requires a platform team to implement, only platforms win. PACT is implementable by one developer in a weekend.
No infrastructure required to participate. No registry to join. No server to run. No permission to ask. Generate a keypair and you're in.
Authority flows from humans, not systems. Every warrant chain terminates at a keypair controlled by a human. Agents are delegates, not principals.
Additive, not competitive. PACT adds identity and memory to the existing ecosystem. It does not replace what works.
Open by default. CC0. No copyright. No contributor agreement. Take it, implement it, ship it.
| Document | What it specifies |
|---|---|
| PACT-01: Identity | Keypair generation, DID format, agent document, signing |
| PACT-02: Warrants | Capability grants, delegation chains, message envelopes, revocation |
| PACT-03: Facts | Memory format, fact sets, portability, merging |
Read time: ~30 minutes for all three.
| Language | Status | Notes |
|---|---|---|
| TypeScript | Reference | npm install @lerkolabs/open-pact |
| Python | Wanted | Open an issue |
| Go | Wanted | Open an issue |
| Rust | Wanted | Open an issue |
Building an implementation? See CONTRIBUTING.md.
The AI agent ecosystem is at an inflection point. MCP and A2A have solved the middle of the stack and just entered neutral governance under the Linux Foundation. The layers they leave open — identity, delegation, memory — will either be solved by open standards or by platform lock-in.
The window for a simple, open answer is now. In 18 months the platforms will have won this layer too.
PACT is a draft specification. The core design is stable. The reference implementation passes its test suite. Feedback welcome — open an issue or submit a pull request.
PACT is CC0. Do whatever you want with it.