Mapping MolTrust to the AIP Protocol Feature Set
— and Beyond
A recent arXiv paper — AIP: Agent Identity Protocol for Verifiable Delegation Across MCP and A2A (2603.24775) — introduces Invocation-Bound Capability Tokens (IBCTs) and scans the landscape for existing implementations. The authors conclude:
“We did not identify a prior implemented protocol that jointly combines public-key verifiable delegation, holder-side attenuation, expressive chained policy, transport bindings across MCP/A2A/HTTP, and provenance-oriented completion records.”
MolTrust implements all five. In production. With real partners. Anchored on Base L2.
The Five Features
| IBCT Feature | MolTrust | Status |
|---|---|---|
| Public-key verifiable delegation | AAE validity.holderBinding + Ed25519 over RFC 8785 |
Live |
| Holder-side attenuation | AAE delegation.attenuationOnly: true + deniedActions |
Live |
| Expressive chained policy | AAE mandate + constraints (spend, jurisdiction, time, counterparty score) | Live |
| Transport bindings MCP/A2A/HTTP | @moltrust/sdk middleware + @moltrust/mpp + 48-tool MCP server |
Live |
| Provenance-oriented completion records | Interaction Proof Records: dual Ed25519 sequential signatures, Merkle batch anchoring on Base L2 | Live |
5/5. Not a prototype. Not a roadmap item.
What “Live” Means
We ran five conformance test vectors (TV-001 through TV-005) against the live MolTrust endpoint in April 2026, covering delegation narrowing at three depth levels, deny-precedence enforcement, and attenuation — TV-005 correctly rejects a sub-agent AAE that attempts to exceed its parent’s scope.
Every protocol artifact is anchored on Base L2. TechSpec v0.8 at Block 44638521 (TX), KYA v3.1 at Block 44098421. Any party can verify without proprietary tooling: a SHA-256 implementation and a public block explorer are sufficient.
What MolTrust Adds on Top
The AIP paper defines the authorization layer. MolTrust adds the operational layer:
Behavioral Trust Score. A continuous 0–100 score derived from endorsement graph, interaction history, cross-vertical coverage, and sybil detection. Signed by the registry operator, publicly verifiable.
W3C Alignment. W3C DID Core v1.0 and VC Data Model 2.0. Any W3C-conformant verifier validates MolTrust credentials without MolTrust-specific tooling.
Offline Verification. @moltrust/verify v1.1.0 enables full credential and AAE verification without API calls.
Sequential Action Safety. Pre-execution detection of action sequences that individually pass authorization but collectively produce irreversible outcomes. Phase 1 live in WARN mode.
MoltGraph. Relationship-specific trust signal: 2-hop neighbourhood query with 45-day half-life decay, complementing the global trust score with pairwise interaction history.
The Relationship Between AIP and MolTrust
The AIP paper and MolTrust are complementary. IBCTs formalize the constraint model with precision — Biscuit/Datalog semantics are expressive in ways that AAE’s URI-pattern approach is not, and that’s a roadmap item for us. MolTrust brings the operational infrastructure: a live registry, a trust score model, npm packages deployable today, and on-chain permanence that makes behavioral history portable and tamper-proof.
The research and the implementation belong in the same conversation.
Full Conformance Report
The complete feature matrix, test vectors, and all on-chain anchors are published in CONFORMANCE.md on GitHub.
Reference Implementation → CONFORMANCE.md →
Protocol: open (Apache 2.0 / CC BY 4.0)
Contact: info@moltrust.ch
For a full side-by-side breakdown of AIP vs. MolTrust across all features, see the companion post: MolTrust vs. AIP: What’s Covered, What’s Beyond