The Agent Account Provisioning Protocol (AAPP) is a new standard that enables AI agents to automatically create and manage accounts on third-party services on behalf of users. This protocol solves a critical gap in AI automation: while agents can work with APIs once they have credentials, the manual process of account creation and API key generation has remained a bottleneck.
Today, when an AI agent needs to interact with a new service (like Jupiter, Stripe, or any API-based platform), the user must:
- Manually visit the service website
- Create an account using traditional signup flows
- Navigate through settings to generate API keys
- Manually provide those credentials to their agent
This manual overhead breaks the seamless automation experience that AI agents promise.
AAPP provides a secure, standardized way for AI agents to automatically provision accounts and obtain credentials while maintaining:
- User consent and control - Users approve all account creation
- Security - Credentials are bound to specific agents and scoped appropriately
- Privacy - Minimal personal information is shared
- Anti-spam protection - Built-in safeguards prevent abuse
- Auditability - Complete transparency of all actions
AAP operates through several key actors:
- User (U) - The human who authorizes agent actions
- Agent (A) - The AI system that needs service access
- Provisioning Broker (PB) - Coordinates the provisioning flow
- Third-Party Service (TPS) - The service where accounts are created
- Identity Provider (IdP) - Verifies user identity
- Link Mode: Connect an agent to an existing user account via standard OAuth flows
- Provision Mode: Create a new account specifically for agent use
Services expose their AAPP capabilities via a well-known endpoint:
GET /.well-known/aapp
This returns metadata about supported provisioning options, policies, and endpoints.
- User Consent: User approves agent access through a clear consent interface
- Identity Verification: User identity is verified via established IdP (OIDC, WebAuthn)
- Provision Request: Broker sends signed request to service with user consent and agent public key
- Account Creation: Service creates account and issues agent-bound credentials
- Credential Binding: Tokens are cryptographically bound to agent's private key
- Audit Trail: All actions are logged and made available to user
Proof of Possession: All API tokens are bound to agent public keys using DPoP (Demonstration of Proof-of-Possession) or similar mechanisms. This prevents token theft and replay attacks.
Minimal Privilege: Agents receive only the minimum scopes necessary for their intended function, with short token lifetimes and refresh requirements.
Revocation: Users maintain full control with ability to revoke agent access at any time through transparent dashboards.
Anti-Spam Controls: Multiple layers including rate limits, reputation scoring, human verification steps, and optional micro-fees prevent automated abuse.
{
"client_request_id": "uuid",
"idp_assertion": "<OIDC id_token or Verifiable Credential>",
"user_consent": {
"consent_id": "uuid",
"timestamp": "2025-09-20T11:00:00Z",
"text": "Allow Agent X to create account with read:orders scope"
},
"agent_pubkey_jwk": { /* Agent's public key in JWK format */ },
"requested_scopes": ["orders:read"],
"provisioning_options": {
"mode": "alias-as-user",
"display_name": "Alice (agent)",
"email_policy": "use-pairwise-alias"
}
}{
"provision_id": "prov-uuid",
"account_id": "acct-uuid",
"account_alias": "alice+agent123@example.com",
"agent_token": {
"access_token": "<bound JWT or reference token>",
"token_type": "DPoP",
"expires_in": 3600,
"cnf": { "jwk": { /* binding to agent key */ } }
},
"audit_receipt": {
"receipt_id": "r-uuid",
"timestamp": "2025-09-20T11:00:05Z",
"signed_by": "https://api.example.com"
}
}AAP is designed with privacy-by-design principles:
- Pairwise Pseudonymous Identifiers: Each service sees only a unique identifier specific to that service
- Data Minimization: Only necessary identity claims are shared
- Ephemeral Aliases: Email addresses can be service-specific aliases
- User Control: Complete transparency and revocation capabilities
AAP builds upon and integrates with established protocols rather than replacing them:
- OAuth 2.0 / OIDC: For identity assertions and existing account linking
- Verifiable Credentials: For portable identity attestations
- WebAuthn: For strong user authentication
- DPoP: For token binding and proof-of-possession
- HTTP Signatures: For request integrity
- Expose
/.well-known/aappmetadata - Implement provision and link endpoints
- Support proof-of-possession tokens
- Provide user dashboard for agent management
- Issue audit receipts for all actions
- Present clear consent interfaces
- Handle strong identity verification
- Sign provisioning requests
- Implement anti-abuse measures
- Provide user management dashboards
- Generate and manage cryptographic key pairs
- Create DPoP proofs for API requests
- Handle token refresh flows
- Respect scope limitations
AAP is designed for gradual adoption:
- Phase 0: Specification publication and reference implementations
- Phase 1: Pilot with developer-friendly APIs and tools
- Phase 2: Broader adoption and potential standardization through IETF or W3C
- Seamless AI agent automation without manual setup overhead
- Complete transparency and control over agent permissions
- Enhanced security through cryptographic binding
- Privacy protection through minimal data sharing
- Reduced support burden from manual account creation issues
- Increased API adoption and usage
- Better security through standardized credential management
- New opportunities for B2B automation workflows
- Standardized integration patterns
- Reduced custom integration work
- Built-in security best practices
- Clear audit trails for compliance
The Agent Account Provisioning Protocol represents a critical infrastructure piece for the AI automation ecosystem. By providing a secure, standardized way for agents to obtain service credentials while preserving user control and privacy, AAPP enables the next generation of seamless AI-powered workflows.
This protocol is designed to be practical, secure, and adoptable, building on proven standards while addressing the unique challenges of AI agent delegation. As AI agents become more capable and prevalent, AAPP provides the foundation for trustworthy, automated service integration.