Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash 97 tok/s
Gemini 2.5 Pro 54 tok/s Pro
GPT-5 Medium 29 tok/s
GPT-5 High 26 tok/s Pro
GPT-4o 86 tok/s
GPT OSS 120B 452 tok/s Pro
Kimi K2 211 tok/s Pro
2000 character limit reached

Agent Network Protocol (ANP) Overview

Updated 25 August 2025
  • Agent Network Protocol (ANP) is a decentralized, AI-native communication protocol that facilitates secure discovery, authentication, and negotiation among autonomous agents.
  • Its three-layer architecture integrates identity verification, meta-protocol negotiation, and scalable application protocols for seamless, plug-and-play agent interactions.
  • ANP addresses challenges such as data siloing and high collaboration costs, enabling interoperable, open-market digital ecosystems for autonomous agents.

The Agent Network Protocol (ANP) is a decentralized, AI-native communication protocol that enables autonomous agents—ranging from LLM-driven systems to specialized AI components and cyber-physical platforms—to discover, authenticate, negotiate, and collaborate with one another over the open internet. ANP is structured to facilitate both secure peer-to-peer interactions and large-scale agentic ecosystems, positioning agents as primary entities in digital communication. Its design addresses data siloing, high agent collaboration cost, and the limitations of human-centric internet infrastructure, aiming to standardize an extensible, interoperable, and efficient foundation for the emergent Agentic Web (Chang et al., 18 Jul 2025).

1. Core Concepts and Motivations

ANP is conceived in response to four transformative trends in digital infrastructure: (1) the replacement of traditional software by autonomous agents, (2) universal interconnection requirements for agents beyond organizational boundaries, (3) the need for protocol-based, machine-native communications (eschewing HTML/GUI-centric paradigms), and (4) the emergence of autonomously organizing and collaborating agent organizations (Chang et al., 18 Jul 2025, Ehtesham et al., 4 May 2025). Human-centric integration methods (e.g., GUI scraping and ad-hoc tool invocation) lack scalability and introduce prohibitive overheads for machine-native, multi-agent systems. ANP provides a protocolized alternative, favoring composability, minimal trust assumptions, and seamless compatibility with existing internet protocols.

The architecture sequence for agent interoperability is generally envisioned as incremental: deployments start with tightly controlled tool invocation (MCP), progress through richer brokered (ACP) and enterprise peer-to-peer (A2A) protocols, and culminate with fully decentralized, open-market agent networks under ANP (Ehtesham et al., 4 May 2025).

2. Protocol Stack and Architecture

ANP is specified as a three-layer modular protocol system:

  • Layer 1: Identity and Encrypted Communication
    • Implements authentication and confidentiality using the W3C Decentralized Identifier (DID) standard (e.g., did:wba). Each agent maintains a DID document, containing its public key(s) and verification metadata, discoverable over HTTPS.
    • Uses authenticated key exchange (e.g., ECDHE) to establish secure channels:

    k=ECDHE(private_keyA,public_keyB)k = \text{ECDHE}(\text{private\_key}_A, \text{public\_key}_B) - Ensures all data exchanges are signed and encrypted.

  • Layer 2: Meta-Protocol Negotiation

    • Supports flexible, dynamic negotiation of communication schemas, interface definitions, and mutual capabilities between agents.
    • Leverages both conventional semantic data (JSON-LD, OpenAPI, etc.) and, where appropriate, natural language to further clarify requirements.
    • Negotiation outcomes—including supported “application protocols” and interface schemas—are cached and reused.
  • Layer 3: Application Protocols (ADP and Discovery)
    • Agent Description Protocol (ADP): Standardizes agent metadata using JSON-LD, including fields for name, DID identifier, capabilities (e.g., “data-query”, “task-execution”), security requirements, and service endpoints.
    • Agent Discovery Protocol: Defines well-known publishing methods (e.g., .well-known/agent-descriptions endpoint) and supports incremental discovery with scalable pagination. Network-level discovery can be augmented by search engines or decentralized directory services (Chang et al., 18 Jul 2025, Ehtesham et al., 4 May 2025).

The modular composition allows deployment either as an integrated stack or with individual components layered over existing infrastructures (such as DNS, HTTPS, or OpenAPI endpoints).

3. Technical Features: Identity, Discovery, and Negotiation

Identity and Authentication

Every agent in ANP is anchored by a DID (e.g., "did:wba:1234abcd"), whose corresponding DID document is web-resolvable. Security is enforced through digital signatures and public-key cryptography. When an agent card is exchanged:

C(A)={IDA,capabilitiesA,timestamp,σA}\text{C}(\mathcal{A}) = \{\text{ID}_{\mathcal{A}}, \text{capabilities}_{\mathcal{A}}, \text{timestamp}, \sigma_{\mathcal{A}}\}

where σA\sigma_{\mathcal{A}} is a cryptographic signature. Authenticated agents validate incoming signatures with the public key defined in the counterpart's DID document:

v=Verify(P,sig,data)v = \text{Verify}(P, \mathrm{sig}, \mathrm{data})

where PP is the public key, sig\mathrm{sig} the signature, and data\mathrm{data} the payload.

Discovery and Capability Advertisement

Agent discovery is realized through the publication and aggregation of JSON-LD agent descriptions at predictable URLs. These are crawlable by standard search engines or resolvable via peer-to-peer lookup mechanisms. Agents dynamically query the network for candidate collaborators whose declared capabilities, authenticated endpoints, and structural characteristics match the task requirements. The resulting interaction is inherently decentralized; trust is established horizontally, augmented by mechanisms such as whitelisting, reputation scoring, and cryptographically attested credentials (Ehtesham et al., 4 May 2025, Ferrag et al., 29 Jun 2025).

Protocol Negotiation and Dynamic Interoperation

Agents leverage the meta-protocol negotiation layer to agree on compatible interaction schemas, reasoning both over structured capability descriptions and—where required—semantic/natural language negotiation. Negotiation is accelerated by caching and can be extended using AI-powered interface adaptation or translation (Chang et al., 18 Jul 2025).

4. Practical Deployment and Implementation

ANP is implemented for rapid deployment atop standard internet infrastructure components (DNS, HTTPS, cloud services), supporting both fully decentralized and hybrid topologies. Its minimalist schema and modular boundaries lower deployment overhead, making it suitable for gradual migration within enterprises.

The composable design allows for partial adoption: for example, agent description and discovery modules can be incorporated without mandating wholesale protocol migration, enabling interoperability with legacy systems using MCP, ACP, or enterprise A2A models (Ehtesham et al., 4 May 2025).

Agent cards and self-description documents facilitate both vertical and horizontal service composition, with semantic enrichment via JSON-LD to maximize machine parseability, searchability, and cross-domain integration.

5. Security Model and Threats

The decentralized and open nature of ANP makes it susceptible to a range of threats (Ferrag et al., 29 Jun 2025):

  • Agent Discovery Spoofing: Malicious actors may publish counterfeit agent cards to intercept or hijack tasks.
  • Peer Discovery Poisoning: Maliciously injected entries in the discovery process may trigger large-scale coordination failures.
  • Rogue Agent Registration: Absent robust authentication, unauthorized agents may masquerade as trusted entities.
  • Credential Replay: Intercepted tokens or signatures may be replayed by adversaries to impersonate agents.
  • Context Manipulation: Subtle replay or modification of task context may cascade through multi-agent workflows.

Countermeasures include digital signature verification, timestamping and nonces for replay protection, mutual authentication across session lifecycles, whitelisting/reputation-based filtering, secure and auditable discovery channels (potentially using distributed ledgers or anomaly detection), and formal protocol verification.

6. Comparative Protocol Analysis and Limitations

When compared to contemporaneous protocols:

Protocol Discovery Security Target Topology
MCP Manual/Static Token/TLS Client-Server/LLM-Tool
ACP Registry Token/TLS+ DID Brokered/Registry
A2A Agent Card HTTP Enterprise (PSK/OAuth/mTLS) Enterprise Peer-to-Peer
ANP Open Web + JSON-LD DID + Crypto Sig Open Internet, Fully Decentralized

ANP provides maximum openness and decentralization, but lacks certain control and manageability features present in ACPs or A2A, such as hierarchical resource scheduling, fine-grained workflow orchestration, or enterprise-grade access control (Liu et al., 18 May 2025). In security, while cryptographic underpinnings exist, risks remain in discovery poisoning and context manipulation absent additional governance or reputation infrastructure.

Protocols such as ACP and emerging suites (e.g., ACPs for the IoA) address additional requirements: trusted authentication, dynamic tool integration, resource-aware scheduling, and compositional workflow orchestration.

7. Applications and Future Directions

ANP is foundational for constructing decentralized agent marketplaces, research networks, AI-native ecosystems, as well as dynamic, multi-domain applications ranging from autonomous resource management to real-time collaborative workflows. Its semantic, composable identity and discovery design enables new modes of plug-and-play tool, data, and policy integration previously unattainable with human-oriented protocols.

Open research directions highlighted in the literature include:

  • Securing discovery infrastructure against spoofing and replay at internet scale.
  • Extending capability description languages for richer, dynamic, and self-evolving agent service ontologies.
  • Integrating resource-awareness, provenance, and more granular trust management for large-scale, multi-tenant deployments.
  • Enabling dynamic collective intelligence protocols (e.g., for distributed schedule negotiation, consensus, or contention resolution).

A plausible implication is that future iterations of ANP or closely related protocols will incorporate elements of agent collaboration protocols (ACPs), multi-layered security and reputation systems, as well as advanced semantic mediation, reflecting evolving requirements in open, robust, and scalable agentic networks.

Summary:

ANP is a foundational, modular protocol for open, secure, and structured agent-to-agent communication on the web. It underpins the identity, discovery, and dynamic negotiation mechanisms required for massive-scale, AI-native digital ecosystems, offering an extensible alternative to human-centric or brokered architectures, with ongoing research focused on expanding robustness, resource-awareness, and cross-domain composability (Chang et al., 18 Jul 2025, Ehtesham et al., 4 May 2025, Ferrag et al., 29 Jun 2025, Liu et al., 18 May 2025).

File Document Download Save Streamline Icon: https://streamlinehq.com PDF File Document Download Save Streamline Icon: https://streamlinehq.com Markdown Chat Bubble Oval Streamline Icon: https://streamlinehq.com Chat (Upgrade)