AxioRankDocs

AGS-1 Conformance

How to conform to the Agent Security Gateway Specification, how AxioRank satisfies each of the five gates, how to declare a scoped conformance claim, and how to publish the descriptor and badge.

This guide is for anyone implementing or requiring AGS-1. It maps each of the five gates to a concrete control, shows how AxioRank satisfies them, and explains how to declare and publish a conformance claim that a counterparty can check.

Two levels

AGS-1 Core satisfies identity, policy, inspection, and audit (AGS-1.1 through AGS-1.4). AGS-1 Provable adds offline-verifiable proof (AGS-1.5) and an independently verifiable audit log. AxioRank implements Provable.

Coverage is part of the claim

A conformance statement names the class of actions it covers. A gateway MUST NOT advertise conformance for actions it does not intercept. State the scope every time:

  • Valid: "AGS-1 Provable for outbound MCP and HTTP tool calls."
  • Valid: "AGS-1 Core for inbound agent requests to our public API."
  • Not a claim: "AGS-1 Provable" with no scope.

Implementing the five gates

How AxioRank satisfies each gate. Use it as a reference for your own implementation.

AGS-1.1 Identity

Every tool call is bound to a short-lived agent identity, and AxioRank resolves the full delegation chain (the operators and any human approver behind the agent) before the action proceeds. No long-lived, ambient, or shared credential stands in for per-action identity. See the gateway API.

AGS-1.2 Policy

Policies are explicit and default to deny. A deny overrides any allow, and a policy can route an action to a human as a hold. The decision is always allow, deny, or hold. See policies and the response engine.

AGS-1.3 Inspection

Every action's content is inspected for leaked secrets, sensitive data, destructive operations, and injection or exfiltration, and scored from 0 to 100, on the hot path, before the action reaches its destination. See content inspection and detection intelligence.

AGS-1.4 Audit

Every decision is written to a tamper-evident, append-only log that binds the agent, the action, the decision, the risk score, and the matched policy. The log is a signed RFC 6962 Merkle tree with periodic checkpoints, so a retroactive edit is detectable, even against AxioRank. See audit integrity and verify our log.

AGS-1.5 Proof

AxioRank emits an Agent Action Seal for a governed action: an Ed25519-signed token a third party verifies against a pinned public key with no trust in, and no live call to, AxioRank. Verify one with the zero-dependency @axiorank/audit-verify package. The format is specified in SEAL.md.

Publish a conformance descriptor

Host a JSON file at /.well-known/agent-security-gateway so a counterparty can discover and check your claim programmatically. This is the convention AxioRank serves at its own well-known path:

{
  "spec": "AGS-1",
  "specVersion": "AGS-1",
  "specUrl": "https://axiorank.com/spec",
  "implementation": { "name": "Your Gateway", "url": "https://example.com" },
  "level": "Provable",
  "scope": ["outbound MCP tool calls", "outbound HTTP tool calls"],
  "gates": {
    "AGS-1.1": { "title": "Identity", "satisfied": true },
    "AGS-1.2": { "title": "Policy", "satisfied": true },
    "AGS-1.3": { "title": "Inspection", "satisfied": true },
    "AGS-1.4": { "title": "Audit", "satisfied": true },
    "AGS-1.5": { "title": "Proof", "satisfied": true }
  },
  "proof": {
    "artifact": "Agent Action Seal",
    "format": "https://github.com/AxioRank/agent-security-gateway/blob/main/SEAL.md",
    "verifier": "https://www.npmjs.com/package/@axiorank/audit-verify",
    "publicKey": "https://your-gateway.example.com/.well-known/jwks.json"
  }
}

For Provable, link a proof.verifier and a proof.publicKey so a Seal you emit verifies offline. For Core, omit the proof block.

Show the badge

A neutral conformance badge renders the claim, not the vendor. Embed it once you meet the level for your stated scope:

[![AGS-1 Provable](https://axiorank.com/api/badge/ags-1)](https://axiorank.com/spec)

The left segment reads "AGS-1", so any conforming implementation can use it. It states a conformance claim a reader can check against the spec, not a safety attestation.

Require it

If you buy or depend on an agent gateway, require a scoped AGS-1 claim and verify it: fetch the descriptor, confirm the scope covers the actions you care about, and, for Provable, check a sample Seal with @axiorank/audit-verify. The point of the spec is that you do not have to take the claim on trust.

AGS-1 Specification

The Agent Security Gateway Specification. The five gates every agent action passes through before it reaches an MCP server, an API, or a database. RFC 2119.

Getting started

Route your first agent tool call through the AxioRank gateway.

On this page

Coverage is part of the claimImplementing the five gatesAGS-1.1 IdentityAGS-1.2 PolicyAGS-1.3 InspectionAGS-1.4 AuditAGS-1.5 ProofPublish a conformance descriptorShow the badgeRequire it