
Open source CLI and SDK. Self-hostable. Built for the A2A Protocol.
The Identity and Trust Layer for AI Agents
Give every agent a cryptographic identity. Verify it in <1ms. Block impostors at the boundary.
Think Let's Encrypt, but for agents.
Built for the Google A2A Protocol. Works with MCP, REST, GraphQL, and any HTTP-based agent.
2026: Agent Security Is Not Model Security
The OWASP Top 10 for Agentic Applications (2026) identifies the critical security risks for autonomous AI systems. CapiscIO directly addresses the identity and trust risks at the top of the list.
OWASP Top 10 for Agentic Applications (2026)
Source: genai.owasp.org, developed with 100+ industry experts
Your agents are calling APIs that move money, access customer data, and modify production infrastructure.
Most AI security focuses on the model: prompt injection, jailbreaks, data poisoning. But agentic systems have a different attack surface: identity spoofing, unauthorized tool access, malicious agent injection. These aren't model problems. They're infrastructure problems.
| OWASP Risk | What It Means | How CapiscIO Helps |
|---|---|---|
| AG01: Agent Identity Spoofing | Attacker claims to be a trusted agent | Ed25519 signatures verify agent identity cryptographically |
| AG03: Privilege Compromise | Agent gains access beyond its intended scope | Trust levels (0-4) encode verified privilege boundaries |
| AG05: Multi-Agent Orchestration | Delegation chains without accountability | DID-based identity persists through agent handoffs |
| AG09: Malicious Agent Injection | Rogue agent enters trusted environment | Guard blocks unsigned/unverified requests at boundary |
| AG10: Audit & Observability Gaps | Can't answer "which agent did this?" | Structured logs with verified agent identity on every request |
Common Failure Modes We Help Prevent
These are real incidents from teams running agents in production.
Third-party agent changed their schema
No validation gate. 4 hours of errors before engineering noticed.
CLI validates agent cards in CI before they hit production.
Validate before deploy

Valid request captured, replayed 100+ times overnight
No timestamp validation. Compute budget drained.
Guard enforces 60-second replay windows. Same request twice? Blocked.
Block replay attacks

Logs showed an API call. But which agent?
Impersonation? Delegation? Unknown. Incident review stalled.
Guard logs verified agent identity on every request.
View security guarantees

What You Get Today vs. What's Next
Cryptographic enforcement at the boundary today. Chain-of-custody and policy as your swarm scales.
GA Today
RFC001-003 · View security guarantees
- Verify caller identity: Ed25519 signatures
- Issue trust badges: IAL-0 (self-asserted), IAL-1 (proof of key possession)
- Detect tampering: SHA-256 body hash bound to signature
- Block replays: 60s window, 5s clock skew tolerance
- Drop-in integration: Python SDK & Go sidecar
In Development
RFC004 · Q1 2026
- Trace delegation chains: Who delegated to whom?
- Detect missing hops: Shadow agents become visible
- Reconstruct incidents: Full call chain for any action
Roadmap
RFC005 · Q2 2026
- Enforce policies: Which agents can call which tools?
- Set obligations: Budget limits, data access rules
- Export to SIEM/OTel: Decisions in your stack
How It Works
Verification flow, example logs, and deployment topology
Verification Flow
- X-Capiscio-Badge header: the badge is read from the request
- kid: selects the key that verifies the signature
- iat/exp: must fall within the 60s window
- bh claim: body hash compared against the request body
Structured Log Output
```json
{
  "event": "agent_call_allowed",
  "iss": "did:web:payments.example.com",
  "kid": "key-2024-q4",
  "decision_ms": 2.3
}
```

```json
{
  "event": "agent_call_denied",
  "reason": "signature_invalid",
  "iss": "did:web:unknown.attacker.com",
  "kid": "spoofed-key"
}
```

Export to Datadog, Splunk, or OpenTelemetry. Body content is never logged.
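As an added example (not CapiscIO's own code), here is how a guard sidecar can run the four checks of the verification flow above in order and produce the denial reasons seen in the log output, including the replay window described under "Block replay attacks". It assumes a simplified JSON claim set with kid, iat, exp and bh signed as raw bytes with Ed25519, plus the page's 60s window and 5s skew; the real badge encoding is not shown on this page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"time"
)

// Badge is a constructed stand-in (not the real CapiscIO format); bh is the hex SHA-256 of the body.
type Badge struct {
	Kid string `json:"kid"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
	Bh  string `json:"bh"`
}

const replayWindow, clockSkew = 60 * time.Second, 5 * time.Second // the page's stated policy

// NewGuard returns a checker closing over the trusted keys (by kid) and a replay
// cache of accepted signatures. It returns "" when allowed, else the denial reason.
func NewGuard(keys map[string]ed25519.PublicKey) func(claims, sig, body []byte, now time.Time) string {
	seen := map[string]time.Time{} // signature -> time after which it cannot validate anyway
	return func(claims, sig, body []byte, now time.Time) string {
		var b Badge
		if json.Unmarshal(claims, &b) != nil {
			return "badge_malformed"
		}
		// 1. Signature: kid selects the key; the Ed25519 signature covers the raw claims.
		if pk, ok := keys[b.Kid]; !ok || !ed25519.Verify(pk, claims, sig) {
			return "signature_invalid"
		}
		// 2. Freshness: iat..exp spans at most 60s and now lies inside it, 5s skew allowed.
		iat, exp := time.Unix(b.Iat, 0), time.Unix(b.Exp, 0)
		if exp.Sub(iat) > replayWindow || iat.After(now.Add(clockSkew)) || now.After(exp.Add(clockSkew)) {
			return "badge_expired"
		}
		// 3. Tampering: the body hash bound into the signed claims must match the body.
		if h := sha256.Sum256(body); hex.EncodeToString(h[:]) != b.Bh {
			return "body_tampered"
		}
		// 4. Replay: the same signature seen again inside its window is rejected.
		if until, dup := seen[string(sig)]; dup && now.Before(until) {
			return "replay_detected"
		}
		seen[string(sig)] = exp.Add(clockSkew) // eviction of stale entries omitted
		return ""
	}
}
```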
Drop-in Deployment
pip install capiscio-sdk
docker pull capiscio/guard
npm install -g capiscio
Five Trust Levels: Like SSL Certificates, But for Agents
Not all identity verification is equal. Choose the level that matches your risk tolerance.
| Level | Name | What It Proves | Use Case |
|---|---|---|---|
| 0 | Self-Signed (SS) | "I generated a keypair" | Development, testing |
| 1 | Domain Validated (DV) | "I control this domain" | Production APIs |
| 2 | Organization Validated (OV) | "I am this legal entity" | Enterprise integrations |
| 3 | Extended Validation (EV) | "I've been audited" | Financial, healthcare |
| 4 | Community Vouched (CV) | "Peers vouch for me" | Decentralized networks |
All five levels are implemented today in our registry (RFC-002). Verification requirements increase with each level.
Sound familiar? It's the same model that made HTTPS ubiquitous. SSL certificates prove a server is who it claims to be. Trust Badges prove an agent is who it claims to be.
Open Source Tools. Hosted Registry When You're Ready.
Pricing is per service identity, not per request, not per instance.
A service identity is a logical role like "billing-agent" or "support-triage-agent".
Open Source
- capiscio CLI: unlimited
- capiscio-sdk middleware
- Self-hosted trust store
- Offline verification mode
Hosted Registry
- Managed badge issuance
- DID resolution
- Key rotation & revocation
- 14-day free trial
Agent Trust Sprint
- Agent flow inventory
- Threat model & policy baseline
- Guard deployment & SIEM
- 50% credited to subscription
Building with AI Agents? Shape the Trust Layer.
We're looking for early design partners: teams running agents in production who want to co-develop the identity and governance features that matter most. No sales pitch. Just problem-solving together.
Protocol-Agnostic Enforcement
A2A is the first standard. Your stack will be multi-standard.
CapiscIO started by enforcing the A2A Protocol (Google/Linux Foundation) and applies the same guard pattern to any agent traffic.
Same verification semantics work for A2A, MCP, custom protocols, and whatever emerges next.
Developer Experience First
Drop-in guard for your agent endpoints. No external SaaS, no config files, no SDK lock-in.
One command to validate and test:
capiscio validate ./agent-card.json --test-live
One guard to protect:
```python
from fastapi import FastAPI
from capiscio_sdk import SimpleGuard

app = FastAPI()

# Add a protocol-aware guard in two lines.
guard = SimpleGuard(app)


@app.post("/transfer")
async def transfer():
    return {"status": "ok"}
```
Your Agents Are Already in Production.
Give Them an Identity They Can Prove.
Start with the CLI. Validate your agent cards. Add Guard when you're ready for runtime enforcement. Use the hosted registry when you need managed infrastructure.
pip install capiscio (CLI) · pip install capiscio-sdk (SDK)

