Status: Work In Progress — This is an early draft. Everything is subject to change. Feedback welcome via Issues.
HIT is a cryptographic protocol that ensures every tool action performed by an AI agent can be traced back to an authenticated human decision. It adds three missing layers to agentic AI systems: signed human intent, independent multi-agent validation, and tamper-proof audit trails.
When an AI agent calls a tool (edit a file, run a command, make a payment), nothing cryptographically proves a human requested that action. The agent could be hallucinating, prompt-injected, or acting on stale instructions. As agents gain access to cloud infrastructure, databases, and financial systems, this becomes an existential risk.
```
Human ──sign──> HIT (JWT) ──> Agent ──> HIT Gateway ──> Tool
                                             │
                                   1. Verify signature
                                   2. Check scope & TTL
                                   3. Compute risk score
                                   4. Route:
                                        low risk  → auto-approve
                                        mid risk  → AI quorum vote
                                        high risk → human confirm
                                   5. Execute → receipt chain
```
A HIT is a signed JWT that says: "this agent can use THESE tools, on THESE files, for X hours, with a $Y budget". Every action goes through a gateway that verifies the signature, assesses risk, and records a hash-chained receipt.
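The gateway flow described above, as an added sketch that is not code from the HIT repository or RFC-0001: it verifies the token, checks TTL and tool scope, routes on a caller-supplied risk score, and appends a hash-chained receipt. Assumptions: HS256 with a shared demo key stands in for the human's signature, and the `tools` claim, the 0.3 / 0.7 risk cut-offs, and the receipt fields are hypothetical.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"  # assumption: HS256 shared key standing in for the human's key

def b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def unb64u(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def mac(head, body, key):
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
def digest(rec):
    return hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest()

def sign_hit(claims, key=KEY):  # human side: issue a compact JWT carrying the scope
    head = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64u(json.dumps(claims).encode())
    return f"{head}.{body}.{b64u(mac(head, body, key))}"

def gateway(token, tool, risk, chain, now=None, key=KEY):
    """Gateway side: steps 1-5 of the diagram. Returns the routing decision."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        if json.loads(unb64u(head)).get("alg") != "HS256":  # pin the algorithm
            return "reject:alg"
        if not hmac.compare_digest(mac(head, body, key), unb64u(sig)):  # 1. signature
            return "reject:signature"
        claims = json.loads(unb64u(body))
        exp, tools = float(claims["exp"]), list(claims["tools"])
    except (ValueError, AttributeError, KeyError, TypeError):
        return "reject:malformed"
    if now >= exp:  # 2. TTL
        return "reject:expired"
    if tool not in tools:  # 2. scope
        return "reject:scope"
    # 3-4. risk score comes from the caller; the 0.3 / 0.7 cut-offs are assumptions
    decision = "auto-approve" if risk < 0.3 else "quorum" if risk < 0.7 else "human-confirm"
    rec = {"prev": chain[-1]["hash"] if chain else "0" * 64, "tool": tool, "decision": decision, "ts": now}
    rec["hash"] = digest(rec)  # 5. each receipt commits to the previous one
    chain.append(rec)
    return decision

def chain_intact(chain):  # recompute every link; an edited receipt breaks the chain
    prev = "0" * 64
    for rec in chain:
        if rec["prev"] != prev or rec["hash"] != digest({k: v for k, v in rec.items() if k != "hash"}):
            return False
        prev = rec["hash"]
    return True
```

In this sketch only routed actions receive a receipt; rejected tokens return before anything is written to the chain.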
| Document | Audience | Description |
|---|---|---|
| HIT-explained.md | Everyone | 5-minute explainer with analogies and examples |
| RFC-0001 | Implementers | Full technical specification (~900 lines) |
| examples/ | Implementers | Policy profile templates (grocery, trading, infra, DeFi) |
| docs/ | Implementers | Tutorials, reference, how-to guides |
- Human attestation — Every action starts with a cryptographically signed human intent
- Graduated trust — Low-risk auto-approves, high-risk escalates to human
- Multi-agent quorum — Independent AIs from different providers vote on medium-risk actions
- Domain scopes — Financial, trading, infrastructure, and DeFi constraints with field-level controls
- Multi-human co-signing — M-of-N humans with role-based authorization for high-value operations
- Tamper-proof receipts — Hash-chained execution records for forensic audit
- Credential injection — Agent never sees API keys or secrets
- Circuit breakers — Automatic scope revocation when velocity limits are breached
- MCP-native — Designed as middleware for the Model Context Protocol
- Self-sovereign — Local keys, no cloud IdP required
HIT is positioned alongside existing work in AI agent authorization:
- Agentic JWT (IETF) — Closest prior art. HIT adopts `agent_checksum`, adds tool-level scoping and quorum
- Google AP2 — Payment-specific agent mandates (60+ companies)
- Visa TAP — HTTP signatures for agent commerce
- NIST AI Agent Standards — Federal initiative validating the problem space
- IETF OAuth WG — 5+ active drafts on agent delegation. HIT operates below OAuth (tool-call level)
This is an early-stage RFC. If you have feedback, questions, or want to discuss the approach, please open an issue.
TBD — Considering Apache 2.0 or CC BY 4.0 for maximum adoption.