NANDA: Decentralized AI Agent Architecture
- NANDA Unified Architecture is a decentralized, federated system that enables secure, scalable interoperability among autonomous AI agents using DID-based registries and verifiable credentials.
- It features a minimalist, horizontally scalable agent registry with adaptive resolution layers that support sub-second global resolution and privacy-preserving discovery.
- The system integrates atomic micropayments and dynamic trust computation, ensuring fine-grained policy compliance, operational governance, and economic coordination.
The Nanda Unified Architecture is a decentralized, federated system for enabling secure, scalable, and economic interoperability among autonomous AI agents across Internet, enterprise, and Web3 environments. By leveraging a quilt-like mesh of DID-based registries, semantic agent metadata and cryptographic verifiable credentials, it delivers foundational discoverability, capability attestation, trust computation, granular policy compliance, and operational governance for large-scale heterogeneous agent deployments. NANDA addresses core limitations of DNS and traditional web infrastructure by supporting sub-second global resolution, schema-validated dynamic capability updates, privacy-preserving discovery, atomic micropayments, and multi-layered active security, thus establishing a trust-anchored substrate for next-generation autonomous intelligent agent systems.
1. Architectural Foundation and Core Components
At the heart of the Nanda Unified Architecture (“NANDA”) is a minimalist, horizontally scalable agent registry called the NANDA Index, designed to overcome the limitations of conventional DNS-centric models for an agent-rich Internet (Raskar et al., 18 Jul 2025). The index acts as a global directory where each AI agent is assigned an immutable Decentralized Identifier (DID) and associated with an AgentAddr record. Each record (≤120 bytes) encodes: agent_id (DID), agent_name (URN), pointers to verifiable AgentFacts metadata, adaptive resolvers for endpoint churn, TTLs for cache management, privacy routing paths, and cryptographic signatures. This structure enables the following:
- Quilt federation: A mesh of semi-autonomous registries (enterprise, Web3, government, SaaS, etc.), cross-validated and globally cacheable.
- Rapid onboarding: Agents become resolvable worldwide in <1s after registration.
- Extensible, backward-compatible integration: The system works natively with current Web transport (HTTPS, CDNs), as well as decentralized storage (IPFS) and privacy overlays (Tor).
The NANDA Index is complemented by two metadata artifacts:
- AgentFacts: These are JSON-LD, W3C Verifiable Credential (VC) v2 signed documents encoding dynamic, schema-validated capabilities (“skills”), endpoints (static and adaptive), compliance badges, telemetry, provenance, and trust signals.
- Adaptive Resolution Layer: Programmable endpoints (adaptive_resolver_url) issue ephemeral, signed connection URIs for geo-aware, load balanced, threat-mitigated, or capability-matched routing.
The following table summarizes the primary index record fields (Raskar et al., 18 Jul 2025):
| Field | Example Value | Purpose | 
|---|---|---|
| agent_id | nanda:550e8400-e29b-41d4-a716-4466554400 | Globally unique DID | 
| agent_name | agent:Company:TranslationAssistant | Human-readable URN/name | 
| primary_facts_url | https://host/.agent-facts | Capability metadata | 
| private_facts_url | https://privhost/uuid | Privacy-preserving lookup | 
| adaptive_resolver_url | https://resolver/dispatch | Dynamic endpoint selection | 
| ttl | 3600 | Record expiry | 
| signature | cryptographic hash | Integrity/authenticity | 
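
An added sketch (not code from the NANDA papers or this page) of how a resolver could admit an index record into its cache: verify the signature over the other fields, then serve the record only until its `ttl` lapses. The canonical JSON form, the HMAC-SHA256 stand-in for the unspecified signature scheme, and the names `RecordCache`, `canonical_bytes`, `sign` and `sample_record` are assumptions.

```python
import hashlib
import hmac
import json
import time

# Field names are those in the table above; everything else here is assumed.
SIGNED_FIELDS = ("agent_id", "agent_name", "primary_facts_url",
                 "private_facts_url", "adaptive_resolver_url", "ttl")

def canonical_bytes(record):
    """Serialize the signed fields deterministically (assumed canonical form)."""
    body = {name: record[name] for name in SIGNED_FIELDS}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign(key, record):
    """Stand-in for the registry signature: HMAC-SHA256 over the signed fields."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()

class RecordCache:
    """Caches only records that verify and never serves one past its ttl."""

    def __init__(self, key, clock=time.time):
        self._key, self._clock, self._entries = key, clock, {}

    def admit(self, record):
        missing = [f for f in SIGNED_FIELDS + ("signature",) if f not in record]
        if missing:
            return "rejected: missing " + ",".join(missing)
        if not isinstance(record["ttl"], int) or record["ttl"] <= 0:
            return "rejected: bad ttl"
        if not hmac.compare_digest(sign(self._key, record), str(record["signature"])):
            return "rejected: bad signature"
        self._entries[record["agent_id"]] = (self._clock() + record["ttl"], record)
        return "cached"

    def lookup(self, agent_id):
        expires_at, record = self._entries.get(agent_id, (0, None))
        if record is None or self._clock() >= expires_at:
            self._entries.pop(agent_id, None)  # expired: caller must re-resolve
            return None
        return record

def sample_record(key):
    """Constructed record built from the table's example values."""
    values = ("nanda:550e8400-e29b-41d4-a716-4466554400",
              "agent:Company:TranslationAssistant", "https://host/.agent-facts",
              "https://privhost/uuid", "https://resolver/dispatch", 3600)
    record = dict(zip(SIGNED_FIELDS, values))
    record["signature"] = sign(key, record)
    return record
```

A record whose `adaptive_resolver_url` was altered after signing is rejected rather than cached, so the previously admitted record stays in force until its own `ttl` runs out.
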
2. Agent Discoverability, Identifiability, and Schema Validation
NANDA enables fine-grained agent discoverability and identifiability independent of network location or service provider. Each agent is referenced by a DID and resolved to a current set of metadata and operational endpoints using the index. The AgentFacts schema comprises:
- Capabilities: Self-describing skillset (e.g., "translation","summarisation"), each optionally certified (e.g., "HIPAA-verified").
- Endpoints: Static (long-lived) or adaptive (ephemeral/resolver-issued) connection URLs.
- Compliance and trust: Certifications, badges, reputation, and performance telemetry, each cryptographically attested via W3C VC v2 signatures.
- Dynamic fields: Encoded evaluations, historical telemetry, provider attribution; newly attested facts can be integrated asynchronously using CRDT-based conflict-free updates.
All attributes and claims in AgentFacts are schema-validated and cryptographically signed, supporting global auditability, automated trust synthesis, and regulatory policy enforcement. Revocation of credentials or key material propagates in sub-second timeframes via VC Status Lists and TTL expiry mechanisms.
3. Decentralized Interoperability, Cross-Protocol Adaptation, and Discovery Protocols
NANDA supports seamless interoperability across previously incompatible agent ecosystems—Anthropic’s MCP, Google’s A2A (Agent-to-Agent), Microsoft’s NLWeb, and legacy Web APIs (HTTPS)—using a mediation/adaptor layer. Unified discovery is provided by the NANDA Index, which maps agent names/IDs to protocols and metadata, enabling:
- Static and adaptive resolution: Routing and endpoint selection using both long-lived and live-issued (resolver-mediated) connection URIs, with programmable policies for load balancing, geo-fencing, and DDoS protection (Raskar et al., 18 Jul 2025).
- Semantic search and ranking: Queries are processed using semantic embedding and learning-to-rank models, integrating compliance, reputation, and behavioral attestation scores to filter and order candidate agents (Balija et al., 10 Jul 2025).
- Dual-resolution paths: Both direct (primary_facts_url) and privacy-preserving anonymous lookups (private_facts_url) are supported, preventing accessor exposure and enabling organizational split-horizon policies.
The discovery and deduplication process is in agent registry size, utilizing federated/gossip/CRDT synchronization for rapid convergence.
4. Trust, Capability Attestation, and Dynamic Trust Layer
Trust in NANDA is formalized as a composite metric synthesizing cryptographically attested capabilities, compliance verification, behavioral telemetry, and real-time policy conformance (Balija et al., 10 Jul 2025). The architecture employs:
- Verifiable Credentials: Each agent’s capabilities and compliance claims are represented as signed VCs linked to issuer DIDs, supporting fully decentralized trust chains.
- Dynamic trust scores: Computed using weighted fusion and trust-propagation algorithms. For agent , if represents the trust from neighbor ,
with recursive updates akin to PageRank:
- Policy-as-code: Declarative policies (OPA/Rego, eBPF) are attached to AgentFacts, evaluated in real-time to enforce regulatory and operational constraints.
- Behavioral attestation: Signed interaction, task fulfillment, and anomaly events are appended to agent provenance for audit and reputation management.
- Granular Capability Filtering: Discovery and trust can be conditioned on any cryptographically attested combination of capabilities, certifications, and safety flags.
5. Security: Zero Trust Agentic Access (ZTAA) and MAESTRO Framework
NANDA generalizes Zero Trust from user/device access (ZTNA) to autonomous agent ecosystems (ZTAA), requiring continuous, multi-factor verification of agent identity, capabilities, and trust profile before any interaction (Wang et al., 5 Aug 2025). Key mechanisms include:
- Strict "never trust, always verify": No agent interaction is permitted absent AgentFacts-based, cryptographically provable identity and capability claims.
- Attack mitigations: Resistance to capability spoofing (via VC signatures), impersonation (DID+VC cross-validation), Sybil/supply-chain/traffic diversion attacks (registry/split-horizon policies), and sensitive data leakage (least-privilege sharing, DLP templates).
- Sandboxing and risk stratification: Newly seen/low-trust agents are subject to sandboxing or denied access pending trust establishment.
- Enterprise-grade auditing and control: Real-time access, execution, and data exchange are auditable and enforceable per organizational boundaries, regulatory constraints (e.g., GDPR, OFAC), and jurisdictional tagging.
- MAESTRO Security Framework: Seven-layer defense, including AgentTalk protocol (quantum-resistant encryption, intra-protocol attestation), secure WASM/TEE containerization, homomorphic encryption for data, automated compliance, behavioral analytics, and decentralized verification (Balija et al., 10 Jul 2025).
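
The admission rule in the first three bullets above, as an added sketch that is not from the NANDA papers: deny unless the AgentFacts match the resolved DID and every required capability has a credential that verified, is unrevoked, was issued to that DID and comes from a trusted issuer; sandbox when trust is low. The credential field names, the 0 to 1 trust scale, the 0.5 threshold and the `nanda:agent-a`-style identifiers are assumptions.

```python
def attested_capabilities(facts, trusted_issuers):
    """Capabilities backed by a credential that survives every check."""
    attested = set()
    for cred in facts.get("credentials", []):
        if (cred.get("signature_ok")                       # VC signature verified upstream
                and not cred.get("revoked", False)         # status-list lookup done upstream
                and cred.get("subject") == facts["agent_id"]   # issued to this DID
                and cred.get("issuer") in trusted_issuers):
            attested.add(cred["capability"])
    return attested


def ztaa_decision(resolved_agent_id, facts, required, trusted_issuers,
                  sandbox_below=0.5):
    """Return (verdict, reason); verdict is 'deny', 'sandbox' or 'allow'."""
    if not facts or facts.get("agent_id") != resolved_agent_id:
        return "deny", "AgentFacts do not match the resolved DID"
    missing = set(required) - attested_capabilities(facts, trusted_issuers)
    if missing:
        return "deny", "unattested capability: " + ", ".join(sorted(missing))
    if facts.get("trust_score", 0.0) < sandbox_below:
        return "sandbox", "trust score below threshold"
    return "allow", "identity and capabilities verified"


def sample_facts(trust_score):
    """Constructed AgentFacts: one sound credential, one revoked, one for another DID."""
    me, issuer = "nanda:agent-a", "nanda:issuer-1"

    def cred(capability, **overrides):
        base = {"capability": capability, "subject": me, "issuer": issuer,
                "signature_ok": True, "revoked": False}
        return {**base, **overrides}

    return {"agent_id": me, "trust_score": trust_score,
            "credentials": [cred("translation"),
                            cred("summarisation", revoked=True),
                            cred("HIPAA-verified", subject="nanda:agent-b")]}
```
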
6. Economic Layer: Micro-Incentives and Operational Results
Economic coordination among agents is enabled via the X42/H42 micropayment protocol, supporting atomic, auditable, and fine-grained economic transactions at protocol level (Balija et al., 10 Jul 2025):
- In-band payments: Embedded in HTTP or native agent protocol headers (e.g., X42-Payment), supporting seamless automated remuneration and marketplace operation.
- Ephemeral keys and audit: Minimized risk, non-repudiable receipts attached to agent transaction logs.
- Alignment of incentive and trust: Agents earn/increment reputation and income through verifiable fulfillment.
- Deployment metrics: In current healthcare validation, the architecture has demonstrated 99.9% policy compliance and >$250k monthly microtransaction throughput while maintaining end-to-end differential privacy and auditability (as observed in Synergetics’ deployments).
7. Operational Governance, Compliance, and Privacy-Preserving Patterns
NANDA supplies enterprise and operational controls for agent visibility, traceability, and jurisdictional compliance (Wang et al., 5 Aug 2025):
- Auditing: Full inspection of agent DIDs, ownership and task traceability.
- Real-time governance: Administrators can activate, pause, terminate operations and define access slices—who interacts with whom, under what policies, and what data is exchangeable.
- Privacy-preserving discovery: Least-disclosure lookup is guaranteed via private_facts_url indirection and CN/PKI split-horizons; accessor identities are not leaked in general.
- Immutable behavioral logs: All attestations, runtime policy checks, and dispute resolution records are maintained on cryptographically signed ledgers (e.g., blockchain-backed).
- Compatibility: The stack is designed for seamless integration with existing infrastructure—agent metadata can be hosted under existing .well-known endpoints, CDNs, or through decentralized storage; current “AgentCard” formats migrate directly into NANDA AgentFacts.
In summary, NANDA constitutes a rigorous, cryptographically anchored architecture for a trillion-agent Internet, securing agent discoverability, authentication, and trust, while enabling fine-grained policy compliance, privacy, and economic coordination at web scale (Wang et al., 5 Aug 2025, Raskar et al., 18 Jul 2025, Balija et al., 10 Jul 2025).