AGS-1 · The standard
The Agent Security Gateway Specification.
An open specification for where security belongs in the agentic web: a gateway between an AI agent and everything it touches. AGS-1 defines the five gates every agent action passes through before it reaches an MCP server, an API, or a database. Implement it, or require it.
Draft · version AGS-1 · direction-agnostic
The position
Between AI agents and everything they touch.
AGS-1 governs what an agent does after it reasons: the tool call, the request, the query, the message to another agent. Not the model, not the prompt, not the reasoning. The position is deliberately narrow. Everything an agent does, nothing it thinks.
The five gates
What a conforming gateway does.
A conforming gateway intercepts every in-scope action and applies these gates before the action reaches its destination. The keywords follow RFC 2119.
Identity
Every action carries a short-lived, attributable identity. The gateway resolves the acting agent and its full delegation chain before the action proceeds. No ambient or shared credentials.
Policy
Every action is evaluated against an explicit policy that defaults to deny. A deny overrides any allow. Policy can route an action to a human. The decision is allow, deny, or hold.
Inspection
Content is inspected for leaked secrets, sensitive data, destructive operations, and injection, and scored for risk from 0 to 100, on the hot path, before the action reaches its destination.
Audit
Every decision is recorded in a tamper-evident, append-only log that binds the agent, the action, the decision, and the policy. It should be independently verifiable, even against the operator.
Proof
The gateway can emit an offline-verifiable proof that an action was governed. A third party checks it against a pinned key with no trust in the operator. The reference artifact is the Agent Action Seal.
Conformance
Core, and Provable.
Coverage is part of the claim. A gateway states the class of actions it intercepts, then the level it meets for them.
AGS-1 Core
Satisfies identity, policy, inspection, and audit (AGS-1.1 through AGS-1.4) for every in-scope action.
AGS-1 Provable
Adds offline-verifiable proof (AGS-1.5) and an independently verifiable audit log. AxioRank implements this level. Verify a proof yourself with @axiorank/audit-verify.
Read the full specification, with the RFC 2119 requirements, in the spec text. The reference proof format is the Agent Action Seal. The source, with issues and history, is on GitHub. To implement or require it, follow the conformance guide.
Declare it
Show the claim. Make it checkable.
A conforming gateway can declare its level and scope so a counterparty checks the claim instead of taking it on trust. The badge is neutral: any implementation that meets the spec can show it.
Badge
[](https://axiorank.com/spec)Conformance descriptor
Publish a machine-readable claim at /.well-known/agent-security-gateway. AxioRank serves its own as the reference example.
Agents can fetch the spec itself as markdown: curl -H "Accept: text/markdown" axiorank.com/spec.
Implement AGS-1, or require it
Put an agent security gateway in front of every production agent. AxioRank is one conforming implementation. The specification is meant to outlive any single one.