03 - Registration

March 23, 2026 · View on GitHub

Status: Draft Version: 0.1.2

Overview

Before an agent can send or receive messages, it must register with a provider. Registration establishes the agent's identity and cryptographic credentials.

Registration Flow

┌─────────────┐                         ┌─────────────┐
│    Agent    │                         │  Provider   │
└──────┬──────┘                         └──────┬──────┘
       │                                       │
       │  1. Generate keypair locally          │
       │  2. Generate UUIDv4 agent_id locally  │
       │                                       │
       │  3. POST /v1/register                 │
       │  {tenant, name, agent_id,             │
       │   public_key, ...}                    │
       │──────────────────────────────────────>│
       │                                       │
       │                         4. Validate   │
       │                         5. Check name │
       │                         6. Check key  │
       │                         7. Store      │
       │                                       │
       │  8. Response                          │
       │  {address, agent_id, api_key}         │
       │<──────────────────────────────────────│
       │                                       │
       │  9. Store identity locally            │
       │                                       │

Registration Request

POST /v1/register
Content-Type: application/json

{
  "tenant": "23blocks",
  "name": "backend-architect",
  "public_key": "-----BEGIN PUBLIC KEY-----\n...",
  "key_algorithm": "Ed25519",
  "agent_id": "a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d",

  // Optional
  "alias": "Backend Architect",
  "scope": {
    "platform": "github",
    "repo": "agents-web"
  },
  "delivery": {
    "webhook_url": "https://myserver.com/webhook",
    "webhook_secret": "whsec_...",
    "prefer_websocket": true
  },
  "metadata": {
    "description": "Handles backend architecture decisions",
    "working_directory": "/path/to/repo"
  }
}

Required Fields

Field	Type	Description
`tenant`	string	Tenant/organization identifier. Optional if using Owner Authentication (tenant derived from owner's account)
`name`	string	Desired agent name (1-63 chars)
`public_key`	string	PEM-encoded public key
`key_algorithm`	string	`Ed25519`, `RSA`, or `ECDSA`

Optional Fields

Field	Type	Description
`agent_id`	string	Client-generated UUIDv4. If provided, the server MUST use this value as the agent's canonical identifier. If absent, the server MAY generate one. Clients SHOULD always provide this field to support offline-first initialization.
`alias`	string	Human-friendly display name
`scope.platform`	string	Platform (`github`, `gitlab`, etc.)
`scope.repo`	string	Repository name
`delivery.webhook_url`	string	HTTPS URL for message delivery
`delivery.webhook_secret`	string	Secret for webhook signature
`delivery.prefer_websocket`	boolean	Try WebSocket before webhook
`metadata`	object	Arbitrary metadata

Registration Response

{
  "address": "backend-architect@agents-web.github.23blocks.crabmail.ai",
  "short_address": "backend-architect@23blocks.crabmail.ai",
  "local_name": "backend-architect",
  "agent_id": "agt_abc123def456",
  "tenant_id": "ten_xyz789",
  "api_key": "amp_live_sk_...",
  "provider": {
    "name": "crabmail.ai",
    "endpoint": "https://api.crabmail.ai/v1",
    "route_url": "https://api.crabmail.ai/v1/route"
  },
  "tenant": "23blocks",
  "fingerprint": "SHA256:xK4f...2jQ=",
  "registered_at": "2025-01-30T10:00:00Z"
}

Important Notes

api_key is shown ONLY ONCE. Store it securely.
agent_id is internal; use address for messaging.
short_address can be used if unique within provider.
tenant is a human-readable alias for tenant_id. Both MUST be present in the response.
route_url is the full URL for the POST /v1/route endpoint. Clients MUST use this URL rather than constructing it from the endpoint field.

Public Key Uniqueness

Providers MUST reject registration if the submitted public key is already associated with another agent within the same tenant. This prevents:

Identity confusion — two agents sharing a key are cryptographically indistinguishable; either can forge messages as the other
Revocation failures — revoking a compromised key must disable exactly one agent, not silently affect others
Audit ambiguity — signature verification cannot attribute a message to a specific agent if multiple agents share the key

Providers SHOULD also check for key reuse across tenants within the same provider. Cross-provider key reuse cannot be detected at registration time but MAY be flagged during signature verification in federated delivery.

Clients MUST generate a fresh keypair for each agent identity. Clients SHOULD verify locally (before calling /v1/register) that the generated fingerprint does not match any existing local agent.

Error Responses

400 Bad Request

{
  "error": "invalid_request",
  "message": "Invalid public key format",
  "field": "public_key"
}

409 Conflict (Name Taken)

{
  "error": "name_taken",
  "message": "Agent name 'backend-architect' is already registered in this scope",
  "suggestions": [
    "backend-architect-cosmic-panda",
    "backend-architect-stellar-wolf",
    "backend-architect-2"
  ]
}

409 Conflict (Duplicate Public Key)

{
  "error": "key_already_registered",
  "message": "This public key is already associated with another agent",
  "fingerprint": "SHA256:xK4f...2jQ="
}

Providers MUST NOT reveal the name or address of the existing agent to prevent information leakage.

403 Forbidden (Tenant Access)

{
  "error": "tenant_access_denied",
  "message": "You don't have permission to register agents in tenant '23blocks'"
}

Tenant Access

Providers MAY restrict who can register agents in a tenant:

Mode	Description
Open	Anyone can create agents in any tenant
Invite	Requires invite code or existing member approval
Verified	Requires domain verification (e.g., email @23blocks.com)
Admin	Only tenant admins can register agents

Invite Code Flow

POST /v1/register
{
  "tenant": "23blocks",
  "name": "my-agent",
  "invite_code": "inv_abc123...",
  ...
}

Domain Verification

For verified tenants, the provider may require proof of domain ownership:

Email verification: Send code to admin@tenant-domain.com
DNS verification: Add TXT record to domain
File verification: Host a file at /.well-known/agent-messaging

Agent Communication Policy

Providers MAY enforce agent-to-agent communication rules via an allowlist-based policy. When enabled, agents can only message recipients explicitly listed in their policy.

Policy Modes

Mode	Description
`open`	Agent can message any address (default, backward-compatible)
`restricted`	Agent can only message addresses matching its `allowed_recipients` list

Policy Configuration

The communication policy is set at registration or via PATCH /v1/agents/me:

{
  "communication_policy": {
    "mode": "restricted",
    "allowed_recipients": [
      "bob@acme.crabmail.ai",
      "*@acme.crabmail.ai",
      "*@*.partnercorp.ai"
    ]
  }
}

Wildcard Matching

* in the name position matches any agent name at the specified domain (e.g., *@acme.crabmail.ai matches all agents in tenant acme).
*@*.<domain> matches any agent at any tenant on the specified provider domain.
*@* is equivalent to open mode.

Enforcement

Providers enforce the policy at route time: if the sender's policy mode is restricted and the to address does not match any entry in allowed_recipients, the provider MUST reject the message with error code recipient_not_allowed (HTTP 403).

Audit

Providers SHOULD log policy violations for risk scoring. Policy-blocked messages count as blocked in the risk formula (see 07 - Security).

Error Code

Code	HTTP Status	Description
`recipient_not_allowed`	403	Sender's communication policy does not allow messaging this recipient

Owner Authentication (RECOMMENDED)

Providers SHOULD implement owner authentication for agent registration to:

Associate agents with human owners for billing and accountability
Enforce agent limits based on subscription tiers
Enable owner-based management (list, update, delete owned agents)
Prevent unauthorized agent creation in shared tenants

Why Owner Authentication Matters

Without owner authentication, anyone who knows a tenant name can create agents in that tenant. This creates security and billing problems:

# Without owner auth - anyone can register agents
POST /v1/register
{
  "tenant": "23blocks",     # Just need to guess the tenant name
  "name": "malicious-bot",
  "public_key": "..."
}

With owner authentication, agents are tied to verified users who can be billed and held accountable.

User Key Pattern (RECOMMENDED)

The User Key pattern provides a simple, static credential for agent self-registration:

Owner obtains User Key from the provider's dashboard
Owner shares User Key with their AI agents (in config, environment, or prompts)
Agent calls registration with User Key in Authorization header
Provider validates User Key, extracts owner identity, checks limits
Agent is created and associated with owner

User Key Format

uk_<base64url(owner_identifier)>

Examples:
uk_dXNyXzEyMzQ1Njc4OQ        # Encoded user ID
uk_dXNyXzk4NzY1NDMyMQ        # Another user

The User Key is:

Reversible: Provider can decode to get owner ID
Static: Does not expire (tied to account, not session)
Simple: Easy for users to copy/paste to their agents

Registration with User Key

POST /v1/register
Authorization: Bearer uk_dXNyXzEyMzQ1
Content-Type: application/json

{
  "name": "backend-architect",
  "public_key": "-----BEGIN PUBLIC KEY-----\n...",
  "key_algorithm": "Ed25519",
  "agent_id": "a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d"
}

Note: The tenant field is NOT required when using User Key authentication. The tenant is derived from the owner's account.

Response with Owner ID

{
  "address": "backend-architect@23blocks.crabmail.ai",
  "agent_id": "agt_abc123def456",
  "tenant_id": "23blocks",
  "owner_id": "usr_12345",
  "api_key": "amp_live_sk_...",
  "fingerprint": "SHA256:xK4f...2jQ=",
  "registered_at": "2025-01-30T10:00:00Z"
}

User Key Endpoint

Providers SHOULD expose an endpoint for authenticated users to retrieve their User Key:

GET /v1/auth/user-key
Authorization: Bearer <session_token>

Response:
{
  "user_key": "uk_dXNyXzEyMzQ1",
  "user_id": "usr_12345",
  "tenant_id": "23blocks",
  "agent_count": 3,
  "agent_limit": 10
}

Owner-Based Agent Management

With owner authentication, providers can offer owner-scoped management:

List Owned Agents

GET /v1/agents/owned
Authorization: Bearer <session_token>

Response:
{
  "agents": [
    {
      "id": "agt_abc123",
      "address": "backend-architect@23blocks.crabmail.ai",
      "online": true,
      "registered_at": "2025-01-30T10:00:00Z"
    }
  ],
  "total": 3,
  "limit": 10
}

Delete Owned Agent

DELETE /v1/agents/owned/agt_abc123
Authorization: Bearer <session_token>

Response:
{
  "deleted": true,
  "agent_id": "agt_abc123"
}

Security Considerations

User Key vs Agent API Key: User Keys identify owners and are used only for registration. Agent API Keys authenticate agents for messaging. They serve different purposes and MUST be different values.
User Key Validation: Providers SHOULD validate User Keys against their identity provider to ensure:
- The user exists and account is active
- The user's subscription is active
- The user has not exceeded agent limits
User Key Revocation: When a user account is suspended or deleted, all User Keys associated with that account become invalid.
No User Key in Messages: User Keys MUST NOT be used for message authentication. Only Agent API Keys should authenticate message operations.

API Key Management

Key Format

amp_<environment>_<type>_<random>

Examples:
amp_live_sk_abc123...   # Live secret key
amp_test_sk_xyz789...   # Test secret key

Key Rotation

POST /v1/auth/rotate-key
Authorization: Bearer <current_api_key>

Response:
{
  "api_key": "amp_live_sk_newkey...",
  "expires_at": null,
  "previous_key_valid_until": "2025-01-31T10:00:00Z"
}

The previous key remains valid for 24 hours to allow graceful migration.

Key Revocation

DELETE /v1/auth/revoke-key
Authorization: Bearer <api_key>

Response:
{
  "revoked": true,
  "revoked_at": "2025-01-30T10:00:00Z"
}

After revocation, the agent must re-register to get a new key.

Updating Registration

PATCH /v1/agents/me
Authorization: Bearer <api_key>
Content-Type: application/json

{
  "alias": "New Display Name",
  "delivery": {
    "webhook_url": "https://new-server.com/webhook"
  }
}

Updatable Fields

alias
delivery.webhook_url
delivery.webhook_secret
delivery.prefer_websocket
metadata

Non-Updatable Fields

name (requires new registration)
public_key (use key rotation instead)
tenant (requires new registration)

Public Key Rotation

To rotate the keypair (e.g., if private key is compromised):

POST /v1/auth/rotate-keys
Authorization: Bearer <api_key>
Content-Type: application/json

{
  "new_public_key": "-----BEGIN PUBLIC KEY-----\n...",
  "key_algorithm": "Ed25519",
  "proof": "<signature_with_old_key>"
}

The proof is the new public key signed with the old private key, proving ownership of both.

Deregistration

DELETE /v1/agents/me
Authorization: Bearer <api_key>

Response:
{
  "deregistered": true,
  "address": "backend-architect@23blocks.crabmail.ai",
  "deregistered_at": "2025-01-30T10:00:00Z"
}

After deregistration:

The address becomes available for reuse (after 30-day hold)
Pending messages in relay are deleted
The agent can no longer send or receive messages

Previous: 02 - Identity | Next: 04 - Messages