Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/openagentidentityprotocol/agentidentityprotocol/llms.txt

Use this file to discover all available pages before exploring further.

Complete reference for AIP policy YAML schema with all fields, types, defaults, and validation rules. This page covers both v1alpha1 and v1alpha2.
For a user-friendly guide to writing policies, see the Policy Reference. For formal specifications, see v1alpha1 or v1alpha2.

Document Structure

apiVersion: aip.io/v1alpha2
kind: AgentPolicy
metadata:
  name: <string>
  version: <string>
  owner: <string>
  signature: <string>
spec:
  mode: <string>
  allowed_tools: [<string>]
  allowed_methods: [<string>]
  denied_methods: [<string>]
  tool_rules: [<ToolRule>]
  protected_paths: [<string>]
  strict_args_default: <bool>
  dlp: <DLPConfig>
  identity: <IdentityConfig>
  server: <ServerConfig>

Top-Level Fields

apiVersion

apiVersion
string
required
API version of the policy schema.Valid values:
  • aip.io/v1alpha1 - Original specification
  • aip.io/v1alpha2 - Current specification with identity and server features
Validation: Implementations MUST reject documents with unknown apiVersion.
Example: 
apiVersion: aip.io/v1alpha2

kind

kind
string
required
Resource kind. MUST be AgentPolicy.
Example: 
kind: AgentPolicy

metadata

Policy metadata for identification and integrity verification.

metadata.name

metadata.name
string
required
Unique identifier for this policy.Format: DNS-1123 subdomain (lowercase alphanumeric + hyphens)
  • Must start and end with alphanumeric
  • Max length: 253 characters
  • Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
Examples: 
metadata:
  name: production-agent
  # OR
  name: dev-env-policy
  # OR
  name: team-123-policy

metadata.version

metadata.version
string
Semantic version of the policy.Format: MAJOR.MINOR.PATCH[-PRERELEASE]
  • Pattern: ^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9]+)?$
Use case: Track policy changes, audit compliance.
Examples: 
version: "1.0.0"
# OR
version: "2.1.3-beta"

metadata.owner

metadata.owner
string
Contact email for policy questions.Format: Valid email address
Example: 
owner: security-team@company.com

metadata.signature (v1alpha2)

metadata.signature
string
Cryptographic signature for policy integrity verification.Format: <algorithm>:<base64-encoded-signature>Supported algorithms:
  • ed25519 - Ed25519 signature (RECOMMENDED)
  • ecdsa-p256 - ECDSA with P-256 curve
Validation: When present, implementations MUST verify the signature before applying the policy.
Example: 
signature: "ed25519:YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY3ODkwYWJjZGVm"

spec

Policy specification defining authorization rules.

spec.mode

spec.mode
enum
default:"enforce"
Enforcement mode for policy violations.Values:
  • enforce - Block violations, return JSON-RPC error (default)
  • monitor - Log violations but allow through (dry-run)
Use case: Use monitor to test new policies before enforcement.
Example: 
spec:
  mode: enforce

spec.allowed_tools

spec.allowed_tools
array
Allowlist of tool names that the agent MAY invoke.Item type: String (tool name)Validation:
  • Must be unique
  • Minimum length: 1
  • Subject to name normalization (NFKC, lowercase)
Default deny: Tools not in this list AND not in tool_rules with action: allow are blocked.
Example: 
allowed_tools:
  - github_get_repo
  - github_list_pulls
  - read_file
  - list_directory

spec.allowed_methods

spec.allowed_methods
array
Allowlist of JSON-RPC methods that are permitted.Item type: String (method name)Default: If not specified, implementations use a safe default list (see below).Wildcard: * allows all methods.
Default allowed methods: 
allowed_methods:
  - initialize
  - initialized
  - ping
  - tools/call
  - tools/list
  - completion/complete
  - notifications/initialized
  - notifications/progress
  - notifications/message
  - notifications/resources/updated
  - notifications/resources/list_changed
  - notifications/tools/list_changed
  - notifications/prompts/list_changed
  - cancelled

spec.denied_methods

spec.denied_methods
array
Denylist of JSON-RPC methods that are explicitly denied.Item type: String (method name)Precedence: Denied methods take precedence over allowed methods.
Example: 
denied_methods:
  - resources/read
  - resources/write
  - prompts/get

spec.protected_paths

spec.protected_paths
array
File paths that tools MUST NOT access.Item type: String (file path)Behavior:
  • Any tool argument containing a protected path is BLOCKED
  • Paths are expanded (~ → home directory)
  • Policy file itself is automatically protected
Example: 
protected_paths:
  - ~/.ssh
  - ~/.aws/credentials
  - .env
  - /etc/passwd

spec.strict_args_default

spec.strict_args_default
boolean
default:"false"
When true, tool rules reject any arguments not explicitly declared in allow_args.Use case: Enforce strict argument validation for all tools.
Example: 
strict_args_default: true

spec.tool_rules

Fine-grained rules for individual tools.

Tool Rule Structure

tool_rules:
  - tool: <string>              # REQUIRED - Tool name
    action: <string>            # OPTIONAL - allow|block|ask (default: allow)
    rate_limit: <string>        # OPTIONAL - e.g., "10/minute"
    strict_args: <bool>         # OPTIONAL - Override strict_args_default
    schema_hash: <string>       # OPTIONAL - Tool schema integrity (v1alpha2)
    allow_args:                 # OPTIONAL - Argument validation
      <arg_name>: <regex>

tool_rules[].tool

tool_rules[].tool
string
required
Tool name this rule applies to.Validation: Subject to name normalization (NFKC, lowercase).
Example: 
tool_rules:
  - tool: read_file

tool_rules[].action

tool_rules[].action
enum
default:"allow"
Action to take when this tool is invoked.Values:
  • allow - Permit (subject to allow_args validation)
  • block - Deny unconditionally
  • ask - Require interactive user approval
Examples: 
# Block destructive operations
- tool: delete_file
  action: block

# Require approval for sensitive operations
- tool: run_training
  action: ask

# Allow with argument validation
- tool: exec_command
  action: allow
  allow_args:
    command: "^(ls|cat|echo|pwd)\s.*"

tool_rules[].rate_limit

tool_rules[].rate_limit
string
Rate limiting for this tool.Format: <count>/<period>Periods:
  • second (aliases: sec, s)
  • minute (aliases: min, m)
  • hour (aliases: hr, h)
Algorithm: Implementation-defined (token bucket, sliding window, etc.)
Examples: 
- tool: list_gpus
  rate_limit: "10/minute"

- tool: search_files
  rate_limit: "100/hour"

- tool: api_request
  rate_limit: "5/second"

tool_rules[].strict_args

tool_rules[].strict_args
boolean
Override spec.strict_args_default for this specific tool.When true, reject any arguments not declared in allow_args.
Example: 
- tool: postgres_query
  strict_args: true
  allow_args:
    query: "^SELECT\s+.*"  # Only SELECT queries
    # Any other argument will be rejected

tool_rules[].schema_hash (v1alpha2)

tool_rules[].schema_hash
string
Cryptographic hash of the tool’s MCP schema for integrity verification.Format: <algorithm>:<hex-digest>Algorithms:
  • sha256 (RECOMMENDED)
  • sha384
  • sha512
Use case: Prevent tool poisoning attacks by verifying the tool definition hasn’t changed.
Example: 
- tool: read_file
  schema_hash: "sha256:a3c7f2e8d9b4f1e2c8a7d6f3e9b2c4f1a8e7d3c2b5f4e9a7c3d8f2b6e1a9c4f7"
Generating schema hashes: 
# Using AIP CLI
aip-proxy schema-hash --server mcp://localhost:8080 --tool read_file

tool_rules[].allow_args

tool_rules[].allow_args
object
Argument validation using regex patterns.Format: Map of argument name → regex patternBehavior:
  • All arguments in this map MUST be present in the request
  • Argument values MUST match their regex pattern
  • Missing or non-matching arguments result in BLOCK
Regex engine: MUST support RE2 semantics (linear-time guarantees)
Examples: 
allow_args:
  # Constrain URLs to GitHub only
  url: "^https://github\.com/.*"
  
  # Allow only SELECT queries
  query: "^SELECT\s+.*"
  
  # Restrict file paths to home directory
  path: "^/home/.*"
  
  # Validate email format
  email: "^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$"
String conversion: Non-string argument values are converted before matching:
  • String → as-is
  • Number → decimal representation
  • Boolean → “true” or “false”
  • Null → empty string
  • Array/Object → JSON serialization

spec.dlp

Data Loss Prevention configuration for scanning and redacting sensitive data. 
dlp:
  enabled: <bool>             # default: true when dlp block present
  scan_requests: <bool>       # default: false
  scan_responses: <bool>      # default: true
  detect_encoding: <bool>     # default: false
  filter_stderr: <bool>       # default: false
  max_scan_size: <string>     # default: "1MB"
  on_request_match: <string>  # default: "block"
  patterns:
    - name: <string>
      regex: <string>
      scope: <string>         # default: "all"

dlp.enabled

dlp.enabled
boolean
default:"true"
Enable DLP scanning.Default: true when dlp block is present

dlp.scan_requests (v1alpha2)

dlp.scan_requests
boolean
default:"false"
Scan tool arguments for sensitive data before forwarding to MCP server.Use case: Prevent data exfiltration via arguments (e.g., embedding secrets in API queries).

dlp.scan_responses

dlp.scan_responses
boolean
default:"true"
Scan tool responses for sensitive data.Use case: Standard DLP to prevent PII/secrets from reaching the agent.

dlp.max_scan_size (v1alpha2)

dlp.max_scan_size
string
default:"1MB"
Maximum size of content to scan per request/response.Format: Size string (e.g., "1MB", "512KB", "10MB")Purpose: Prevents ReDoS and memory exhaustion on large payloads.Behavior: Content exceeding this limit is truncated for scanning, and a warning is logged.

dlp.on_request_match (v1alpha2)

dlp.on_request_match
enum
default:"block"
Action when DLP pattern matches in a request (requires scan_requests: true).Values:
  • block - Reject the request with error -32001 (default)
  • redact - Replace matched content and forward
  • warn - Log warning and forward unchanged

dlp.patterns

dlp.patterns
array
required
List of DLP detection patterns.Item type: Pattern object with name and regex

dlp.patterns[].name

dlp.patterns[].name
string
required
Human-readable identifier for this pattern.Use case: Appears in audit logs and redaction markers.

dlp.patterns[].regex

dlp.patterns[].regex
string
required
Regular expression to detect sensitive data.Regex engine: MUST support RE2 semantics (linear-time guarantees)

dlp.patterns[].scope (v1alpha2)

dlp.patterns[].scope
enum
default:"all"
Where to apply this pattern.Values:
  • all - Scan both requests and responses (default)
  • request - Only scan requests (detect exfiltration attempts)
  • response - Only scan responses (PII protection)
Example patterns: 
dlp:
  scan_requests: true
  patterns:
    # API Keys
    - name: "AWS Key"
      regex: "(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}"
      scope: "all"
    
    - name: "GitHub Token"
      regex: "ghp_[a-zA-Z0-9]{36}"
      scope: "all"
    
    # PII (response-only)
    - name: "Email"
      regex: "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}"
      scope: "response"
    
    - name: "SSN"
      regex: "\b\d{3}-\d{2}-\d{4}\b"
      scope: "response"
    
    # Injection detection (request-only)
    - name: "SQL Injection"
      regex: "(?i)(DROP|DELETE|TRUNCATE)\s+TABLE"
      scope: "request"
Redaction format: Matched content is replaced with: 
[REDACTED:<name>]
Example: 
Before: "Connect with: AKIAIOSFODNN7EXAMPLE"
After:  "Connect with: [REDACTED:AWS Key]"

spec.identity (v1alpha2)

Agent identity and session management configuration. 
identity:
  enabled: <bool>           # default: false
  token_ttl: <duration>     # default: "5m"
  rotation_interval: <duration>  # default: "4m"
  require_token: <bool>     # default: false
  session_binding: <string> # default: "process"
  nonce_window: <duration>  # default: equals token_ttl
  policy_transition_grace: <duration>  # default: "0s"
  audience: <string>        # default: metadata.name
  nonce_storage:            # optional
    type: <string>          # default: "memory"
    address: <string>
    key_prefix: <string>    # default: "aip:nonce:"
    clock_skew_tolerance: <duration>  # default: "30s"
  keys:                     # optional
    signing_algorithm: <string>  # default: "ES256"
    key_source: <string>    # default: "generate"
    key_path: <string>
    rotation_period: <duration>  # default: "7d"

identity.enabled

identity.enabled
boolean
default:"false"
Enable identity token generation and management.

identity.token_ttl

identity.token_ttl
duration
default:"5m"
Token time-to-live.Format: Go duration string (e.g., "5m", "1h", "300s")Recommendation: Use short TTLs (5-15 minutes) to limit token theft window.

identity.rotation_interval

identity.rotation_interval
duration
default:"4m"
How often to rotate tokens before expiry.Constraint: MUST be less than token_ttlRecommendation: Leave 1-2 minute grace period for in-flight requests.

identity.require_token

identity.require_token
boolean
default:"false"
Require valid identity token for all tool calls.Error code: Requests without tokens are rejected with -32008.Use case: Gradual rollout - start with false to generate tokens without enforcement.

identity.session_binding

identity.session_binding
enum
default:"process"
Context bound to session identity.Values:
  • process - Bind to OS process ID (default)
  • policy - Bind to policy hash
  • strict - Bind to process + policy + hostname
Use case:
  • process: Single-machine, local agents
  • policy: Distributed agents sharing policy
  • strict: High security, non-ephemeral environments

identity.audience

identity.audience
string
Intended audience for identity tokens (JWT aud claim).Default: Value of metadata.nameFormat: URI string identifying the MCP server or servicePurpose: Prevents tokens issued for one MCP server from being accepted by another.
Example: 
identity:
  enabled: true
  audience: "https://mcp.example.com/api"

identity.nonce_storage

Distributed nonce storage configuration for multi-instance deployments.
identity.nonce_storage.type
enum
default:"memory"
Storage backend for nonces.Values:
  • memory - In-memory sync.Map (single-instance only)
  • redis - Redis cluster (RECOMMENDED for production)
  • postgres - PostgreSQL database
identity.nonce_storage.address
string
Connection string for external storage.Required: When type is redis or postgres
Examples: 
# Redis cluster
identity:
  nonce_storage:
    type: "redis"
    address: "redis://redis-cluster:6379"
    key_prefix: "prod:aip:nonce:"

# PostgreSQL
identity:
  nonce_storage:
    type: "postgres"
    address: "postgres://user:pass@db:5432/aip?sslmode=require"
Using type: "memory" with multiple AIP instances is a security vulnerability that allows cross-instance replay attacks.

spec.server (v1alpha2)

HTTP server for remote validation endpoints. 
server:
  enabled: <bool>           # default: false
  listen: <string>          # default: "127.0.0.1:9443"
  failover_mode: <string>   # default: "fail_closed"
  timeout: <duration>       # default: "5s"
  tls:
    cert: <string>
    key: <string>
  endpoints:
    validate: <string>      # default: "/v1/validate"
    revoke: <string>        # default: "/v1/revoke"
    jwks: <string>          # default: "/v1/jwks"
    health: <string>        # default: "/health"
    metrics: <string>       # default: "/metrics"

server.enabled

server.enabled
boolean
default:"false"
Enable HTTP server for remote validation.

server.listen

server.listen
string
default:"127.0.0.1:9443"
Address and port to bind the HTTP server.Format: <host>:<port> or :<port>
Binding to 0.0.0.0 exposes the validation endpoint to the network. Implementations MUST require TLS when listen address is not localhost.

server.failover_mode

server.failover_mode
enum
default:"fail_closed"
Behavior when validation server is unreachable.Values:
  • fail_closed - Deny all requests (RECOMMENDED for production)
  • fail_open - Allow all requests (NOT RECOMMENDED)
  • local_policy - Fall back to local policy evaluation (RECOMMENDED for hybrid)

server.timeout

server.timeout
duration
default:"5s"
Maximum time to wait for validation server response.After timeout, failover_mode behavior is triggered.

server.tls

TLS configuration for HTTPS.
server.tls.cert
string
Path to TLS certificate (PEM format).Required: When listen is not localhost
server.tls.key
string
Path to TLS private key (PEM format).Required: When listen is not localhost
Example: 
server:
  enabled: true
  listen: "0.0.0.0:9443"
  tls:
    cert: "/etc/aip/tls/cert.pem"
    key: "/etc/aip/tls/key.pem"

JSON Schema Validation

Validate your policy file against the JSON Schema: 
# Using ajv-cli
npm install -g ajv-cli
ajv validate -s spec/schema/agent-policy-v1alpha2.schema.json -d policy.yaml

# Using Python jsonschema
pip install jsonschema pyyaml
python -c "
import yaml, jsonschema, json
schema = json.load(open('spec/schema/agent-policy-v1alpha2.schema.json'))
policy = yaml.safe_load(open('policy.yaml'))
jsonschema.validate(policy, schema)
print('Valid!')
"

Common Validation Errors

ErrorCauseFix
invalid apiVersionWrong API versionUse aip.io/v1alpha1 or aip.io/v1alpha2
empty allowed_toolsNo tools specifiedAdd tools or tool_rules
invalid regex in allow_argsBad regex patternValidate regex syntax (RE2)
invalid rate_limit formatWrong rate limit formatUse <N>/<period>
rotation_interval >= token_ttlRotation must happen before expiryReduce rotation_interval
missing metadata.nameRequired field missingAdd unique policy name

See Also

Build docs developers (and LLMs) love

Get started for freeTalk to us