The problem
A W3C DID tells you that this is agent X. A Verifiable Credential tells you that agent X was issued a credential by organization Y. But neither answers the questions that matter at transaction time:
- What actions is this agent permitted to perform?
- What financial threshold can it operate within?
- Which jurisdictions is it authorized to transact in?
- Can it delegate to sub-agents, and under what conditions?
- Is this authorization still valid right now?
Today, these questions are either unanswered or answered through self-assertion. An agent claims it has permission. The counterparty has no way to verify that claim independently.
Three blocks, one credential
The Agent Authorization Envelope (AAE) is a machine-readable authorization object embedded in every MolTrust Verifiable Credential. It is organized in three blocks:
```jsonc
{
  "@context": "https://moltrust.ch/aae/v1",
  "type": "AgentAuthorizationEnvelope",

  // Block 1 — MANDATE
  "mandate": {
    "purpose": "Execute verified commodity purchases",
    "actions": ["purchase", "verify_seller", "sign_receipt"],
    "resources": ["commodity:*", "payment:USDC"],
    "delegation": {
      "allowed": true,
      "maxDepth": 1,
      "requireApproval": true
    }
  },

  // Block 2 — CONSTRAINTS
  "constraints": {
    "maxTransactionValue": 10000,
    "currency": "USDC",
    "jurisdictions": ["CH", "EU", "SG"],
    "timeWindow": {
      "from": "2026-03-25T00:00:00Z",
      "to": "2026-06-25T00:00:00Z"
    },
    "obligations": ["log_all_transactions", "report_anomalies"]
  },

  // Block 3 — VALIDITY
  "validity": {
    "issuer": "did:moltrust:issuer:cryptokri",
    "issuedAt": "2026-03-25T12:00:00Z",
    "expiresAt": "2026-06-25T12:00:00Z",
    "revocationEndpoint": "https://api.moltrust.ch/guard/revoke",
    "auditAnchor": "base:0x...txhash"
  }
}
```
Why this matters
It travels with the agent. The AAE is not stored in a separate registry or policy server. It is embedded directly in the Verifiable Credential. Wherever the credential goes, the authorization boundaries go with it. No second lookup, no external dependency.
It is verifiable by anyone. Any counterparty can read the AAE, check the issuer signature, and confirm the authorization boundaries — without calling back to the issuing organization. Verifier independence is a core design principle.
It is pre-transaction. Reputation systems tell you what an agent did in the past. The AAE tells you what an agent is allowed to do right now. Authorization is checked before the transaction, not after. This is the difference between reputation and authorization.
It aligns with Singapore IMDA MGF. The Infocomm Media Development Authority Model Governance Framework for Generative AI (Dimension 1: Risk Bounding) calls for clearly defined operational boundaries. The AAE implements this requirement as a machine-readable, cryptographically signed object.
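The pre-transaction check described above, sketched from the counterparty's side. This is an added example, not MolTrust SDK code: `TxRequest`, `resourceAllowed` and `checkTransaction` are hypothetical names, and the matching rules (trailing `*` wildcard, inclusive limits, fail-closed parsing) are assumptions the page does not specify. Issuer signature verification and the revocation lookup are out of scope here.

```typescript
// Added illustration: a verifier-side pre-transaction check against an AAE.
// Not MolTrust SDK code. Matching rules (trailing "*" wildcard, inclusive
// limits) are assumptions; signature and revocation checks are out of scope.
interface AAE {
  mandate: { actions: string[]; resources: string[] };
  constraints: {
    maxTransactionValue: number; currency: string; jurisdictions: string[];
    timeWindow: { from: string; to: string };
  };
  validity: { expiresAt: string };
}
interface TxRequest { // hypothetical shape of a proposed transaction
  action: string; resource: string; amount: number;
  currency: string; jurisdiction: string; at: string;
}

// Assumed semantics: "commodity:*" matches any resource starting with "commodity:".
function resourceAllowed(patterns: string[], resource: string): boolean {
  return patterns.some(p =>
    p.slice(-1) === "*" ? resource.indexOf(p.slice(0, -1)) === 0 : p === resource);
}

// Returns the violated boundaries; an empty list means "within the envelope".
function checkTransaction(aae: AAE, tx: TxRequest): string[] {
  const c = aae.constraints, t = Date.parse(tx.at), why: string[] = [];
  if (aae.mandate.actions.indexOf(tx.action) === -1) why.push("action");
  if (!resourceAllowed(aae.mandate.resources, tx.resource)) why.push("resource");
  if (tx.currency !== c.currency) why.push("currency");
  // Fail closed on NaN, negative or over-limit amounts.
  if (!(tx.amount >= 0 && tx.amount <= c.maxTransactionValue)) why.push("amount");
  if (c.jurisdictions.indexOf(tx.jurisdiction) === -1) why.push("jurisdiction");
  // Fail closed on unparsable timestamps: comparisons with NaN are false.
  if (!(t >= Date.parse(c.timeWindow.from) && t <= Date.parse(c.timeWindow.to)))
    why.push("timeWindow");
  if (!(t < Date.parse(aae.validity.expiresAt))) why.push("expired");
  return why;
}

// Constructed sample: values copied from the envelope shown on this page.
const sampleAAE: AAE = {
  mandate: { actions: ["purchase", "verify_seller", "sign_receipt"],
             resources: ["commodity:*", "payment:USDC"] },
  constraints: { maxTransactionValue: 10000, currency: "USDC",
    jurisdictions: ["CH", "EU", "SG"],
    timeWindow: { from: "2026-03-25T00:00:00Z", to: "2026-06-25T00:00:00Z" } },
  validity: { expiresAt: "2026-06-25T12:00:00Z" },
};
const okTx: TxRequest = { action: "purchase", resource: "commodity:copper",
  amount: 9500, currency: "USDC", jurisdiction: "CH", at: "2026-04-10T09:00:00Z" };
```

Returning every violated boundary rather than a single boolean gives the verifier something concrete to log when it rejects a request.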
Available now
The AAE specification is defined in the MolTrust Protocol Whitepaper v0.5 and Technical Specification v0.3, both anchored on Base L2 (Block 43825232).
```bash
# Install the MolTrust SDK
npm install @moltrust/sdk
```

```typescript
// Issue a credential with AAE
import { MolTrust } from '@moltrust/sdk';

// `moltrust` must be an initialised SDK client created from the imported
// `MolTrust` export; its construction is not shown on this page.
const credential = await moltrust.issueCredential({
  subject: 'did:moltrust:agent:buyer-01',
  type: 'BuyerAgentCredential',
  aae: {
    mandate: { purpose: 'Execute purchases', actions: ['purchase'] },
    constraints: { maxTransactionValue: 5000, currency: 'USDC' },
    validity: { expiresAt: '2026-06-25T00:00:00Z' }
  }
});
```
The AAE is now embedded in all MolTrust credential issuance endpoints. A default AAE is generated automatically if none is provided.
Written by the MolTrust Team (CryptoKRI GmbH, Zurich). Questions or feedback: GitHub Issues or @MolTrust on X.