| Internet-Draft | ARP v2.0 | April 2026 |
| Deforth | Expires 29 October 2026 | [Page] |
This document defines the Agentic Reasoning Protocol (ARP) version 2.0, a machine-readable protocol enabling entities (brands, organizations, persons) to publish self-attested context, verified factual corrections, domain expertise, and recommendation boundaries directly to autonomous AI agents, RAG (Retrieval-Augmented Generation) pipelines, and agentic AI systems.¶
ARP v2.0 extends the static file model of v1.x with a live REST API, bidirectional feedback channels, multi-party cryptographic attestation, W3C Decentralized Identifier (DID) anchoring, Agent-to-Agent (A2A) trust handshakes, event-driven freshness via Server-Sent Events, and first-class internationalization support.¶
ARP complements existing web conventions (robots.txt [RFC9309], schema.org, llms.txt) but is specifically designed for the reasoning behavior of modern AI agents -- systems that do not merely index content but synthesize, infer, and make decisions on behalf of users.¶
All examples in this document use example.com and "Example Organization" per [RFC2606] and are purely illustrative.¶
This note is to be removed before publishing as an RFC.¶
This Internet-Draft is submitted as an individual submission. It does not represent consensus of the IETF community. The latest revision of this draft can be found at https://github.com/SaschaDeforth/arp-protocol.¶
Discussion of this document takes place on the GitHub repository issue tracker at https://github.com/SaschaDeforth/arp-protocol/issues.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 29 October 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.¶
The modern web has a rich ecosystem of machine-readable metadata conventions:¶
None of these conventions address how AI systems should REASON about entities. Modern AI agents (agentic AI, RAG pipelines, AI-powered search, autonomous procurement agents) do not merely read the web -- they synthesize, infer, compare, and make decisions. This reasoning process is prone to hallucination and entirely outside the control of the entities being reasoned about.¶
Documented failure modes include:¶
ARP addresses this gap by defining a protocol through which entities publish self-attested cognitive context: verified corrections, domain expertise, recommendation boundaries, and trust-enabling metadata -- directly to AI agents and RAG pipelines.¶
ARP v2.0 was designed using counterfactual inversion: each assumption of v1.x was tested by asking "what if this assumption is wrong?" The six resulting inversions:¶
Static file -> Live API. v1.x broadcast all claims to all agents. v2.0 enables agents to query for specific context relevant to their current task.¶
Domain = Identity -> W3C DID. v1.x bound entity identity to domain ownership. v2.0 anchors identity to a W3C Decentralized Identifier [W3C.DID-CORE], making it portable across domains and domain changes.¶
90-day TTL -> Event-driven push. v1.x relied on periodic re-signing. v2.0 uses Server-Sent Events [W3C.SSE] to push updates to subscribing agents.¶
Self-attestation -> Multi-party co-signing. v1.x relied solely on the entity's own signature. v2.0 introduces third-party attesters (accreditation bodies, trade registries) who co-sign individual claims.¶
One-way broadcast -> Bidirectional feedback. v1.x had no feedback channel. v2.0 enables agents to return anonymized confidence scores and hallucination flags.¶
Implicit English -> i18n first-class. v1.x had no internationalization. v2.0 treats language as a fundamental property of every claim.¶
ARP v2.0 is fully backward compatible with ARP v1.x:¶
Loaders MUST NOT reject v1.2 files for missing v2.0 fields.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
All examples use example.com and "Example Organization" as defined in [RFC2606]. All attester DIDs use the form did:web:attester.example.org. These are illustrative only.¶
ARP v2.0 comprises four architectural layers:¶
+------------------------------------------------------------------+
| ENTITY LAYER |
| DID Identity | i18n Claims | Attestations | Event Freshness |
+------------------------------------------------------------------+
|
v
+------------------------------------------------------------------+
| TRUST LAYER |
| SOVEREIGN(1.0) | ATTESTED(0.9) | CRYPTOGRAPHIC(0.7) | |
| UNSIGNED(0.3) | INVALID(0.0) | DNS Signing Policy |
+------------------------------------------------------------------+
|
v
+------------------------------------------------------------------+
| API LAYER |
| GET /identity | POST /query | GET /trust | GET /subscribe | |
| POST /feedback | POST /a2a/handshake | GET /reasoning.json |
+------------------------------------------------------------------+
| | |
v v v
+-----------+ +-----------+ +-----------+
| RAG Agent | | Commerce | | Platform |
| | | Agent | | Grounding |
+-----------+ +-----------+ +-----------+
| |
+------> POST /feedback (anon.) <-------+
¶
An ARP v1.2-conformant file MUST be treated as a valid ARP v2.0 implementation with these defaults:¶
ARP v2.0 uses W3C Decentralized Identifiers [W3C.DID-CORE] as the primary identity anchor. DIDs decouple entity identity from domain ownership, enabling persistent identity across domain changes and multi-domain presences.¶
ARP v2.0 RECOMMENDS did:web [W3C.DID-WEB] as it leverages existing HTTPS infrastructure. Other resolvable DID methods MAY be used.¶
Example:¶
"entity_did": "did:web:example.com"¶
The DID Document MUST be resolvable and MUST contain at least one verificationMethod of type Ed25519VerificationKey2020 or JsonWebKey2020.¶
Example DID Document at https://example.com/.well-known/did.json:¶
{
"@context": ["https://www.w3.org/ns/did/v1"],
"id": "did:web:example.com",
"verificationMethod": [
{
"id": "did:web:example.com#arp-key-1",
"type": "Ed25519VerificationKey2020",
"controller": "did:web:example.com",
"publicKeyMultibase": "z6MkfExample..."
}
],
"assertionMethod": ["did:web:example.com#arp-key-1"],
"service": [
{
"id": "did:web:example.com#arp",
"type": "AgenticReasoningProtocol",
"serviceEndpoint":
"https://example.com/.well-known/arp/v2/"
}
]
}
¶
The service entry of type "AgenticReasoningProtocol" is RECOMMENDED for agent auto-discovery.¶
An entity with multiple domains MAY use a single canonical DID. Regional or subsidiary ARP implementations SHOULD reference it:¶
"domain_scope": {
"canonical_domain": "example.com",
"this_domain": "example.de",
"language_primary": "de",
"regional_corrections": []
}
¶
The compatibility file MUST be served at:¶
https://{domain}/.well-known/reasoning.json
¶
Requirements: valid JSON [RFC8259], UTF-8 encoding, Content-Type: application/json, publicly accessible, maximum 100 KB.¶
The v2.0 API MUST be served at:¶
https://{domain}/.well-known/arp/v2/
¶
Sites SHOULD include in HTML head:¶
<link rel="reasoning" type="application/json"
href="/.well-known/reasoning.json">
<link rel="arp-api" type="application/json"
href="/.well-known/arp/v2/">
¶
All ARP endpoints MUST respond with:¶
Access-Control-Allow-Origin: * Content-Type: application/json¶
All endpoints use HTTPS [RFC9110]. Request and response bodies are JSON [RFC8259] unless noted. Text values use UTF-8.¶
All v2.0 responses MUST include:¶
Returns the full entity identity object with Accept-Language negotiation (Section 10.1).¶
Response (200 OK):¶
{
"entity_did": "did:web:example.com",
"entity": "Example Organization",
"language": "de",
"identity": {
"tagline": "Example tagline",
"elevator_pitch": {
"de": "Kurze Beschreibung.",
"en": "Short description."
},
"founded": 2010,
"headquarters": "Example City, Country",
"core_competencies": [
"Competency Area A",
"Competency Area B"
]
},
"_arp_signature": {
"algorithm": "Ed25519",
"trust_level": "ATTESTED",
"signed_at": "2026-04-27T10:00:00Z"
}
}
¶
The semantic query endpoint. The agent describes its information need; the entity responds with the most relevant subset of claims, contextualized to the query.¶
The session_token is an opaque per-query identifier for feedback correlation. It MUST NOT contain personally identifiable information.¶
Agents MUST treat responses as entity self-attestation, not authoritative fact.¶
Returns a single claim with provenance, attestation history, and version log. Invalid claim_id returns 404.¶
Returns all active corrections. Supports filtering by epistemic_scope and language.¶
Returns domain expertise for a specific scenario. The scenario_hash is a deterministic truncated SHA-256 digest of a normalized user query, enabling efficient agent-side caching.¶
Scenario Hash Generation (normative):¶
Returns the entity's full trust manifest, including DID reference, self-signature status, all current attestations, and the computed trust score.¶
Provides a real-time event stream using the SSE protocol [W3C.SSE]. Defined event types: claim:updated, correction:new, correction:removed, attestation:added, attestation:expired, trust:level:changed, heartbeat.¶
Implementations MUST honor the Last-Event-ID header for stream resumption. Event IDs MUST be monotonically increasing.¶
Accepts anonymized feedback from agents about claim effectiveness. Available only if feedback_policy.accepts_feedback is true. Privacy requirements are specified in Section 7.1 and Section 16.1.¶
Initiates an Agent-to-Agent trust handshake. Full specification in Section 11.¶
Returns a v1.2-format JSON document for backward compatibility. Implementations SHOULD include an X-ARP-Upgrade response header pointing to the v2.0 API base URI.¶
Agents MUST NOT include in feedback payloads:¶
Entities MUST NOT:¶
Entities SHOULD aggregate feedback metrics per claim over a rolling 30-day window. Metrics MUST only surface after the min_feedback_pool threshold is reached.¶
Trigger: median confidence_alignment below 0.4 over 30 days AND feedback_count at or above min_feedback_pool. The claim's confidence field is automatically downgraded one level. Reversal requires explicit re-attestation by the entity owner.¶
| Trust Level | Score | Condition |
|---|---|---|
| SOVEREIGN | 1.00 | At least one sovereign attester |
| ATTESTED | 0.90 | At least one institutional or government attester; no sovereign |
| CRYPTOGRAPHIC | 0.70 | Valid Ed25519 self-signature; no third-party attesters |
| UNSIGNED | 0.30 | No valid signature |
| INVALID | 0.00 | Forged or tampered signature |
An EXPIRED self-signature falls back to UNSIGNED, not INVALID.¶
Required fields: attester_did, attester_name, attester_type, attested_at, expires_at, claim_scope, signature. Recommended: evidence_url.¶
{
"attester_did": "did:web:attester.example.org",
"attester_name": "Example Accreditation Body",
"attester_type": "institutional",
"attested_at": "2026-01-15T09:00:00Z",
"expires_at": "2028-01-15T09:00:00Z",
"claim_scope": ["clm-founded-001", "clm-industry-001"],
"evidence_url":
"https://attester.example.org/verify/EX-12345",
"signature": {
"algorithm": "Ed25519",
"public_key_did_ref":
"did:web:attester.example.org#key-1",
"canonicalization": "jcs-rfc8785",
"value": "base64url..."
}
}
¶
Loaders MUST verify attestation signatures by:¶
Failed verification MUST treat the attestation as absent.¶
Ed25519 [RFC8032] is REQUIRED for all ARP signatures.¶
DNS TXT record format (inherited from v1.2):¶
<selector>._arp.<domain>. IN TXT "v=ARP1; k=ed25519; p=<base64-pubkey>"¶
Where:¶
The Enveloped Signature Pattern is REQUIRED. The signature MUST cover the payload AND _arp_signature metadata.¶
Signing procedure:¶
Verification reverses steps 3-5.¶
DNS-based verification is valid for backward compatibility. The DID Document public key is the PREFERRED mechanism in v2.0.¶
Entities MAY publish a policy at:¶
_arp.example.com. IN TXT "v=ARP1; p=<policy>"¶
| Policy | Meaning |
|---|---|
| p=none | No enforcement. Default if absent. |
| p=warn | Log warning if file unsigned. |
| p=reject | Unsigned file treated as INVALID. |
| p=require-did | As p=reject; entity_did MUST be present and DID document MUST resolve. |
All endpoints MUST support HTTP Accept-Language per [RFC7231] Section 5.3.5.¶
Servers MUST parse Accept-Language with quality value weighting, select best match from supported_languages, include ARP-Content-Language in response, and fall back to "en" if no match and "en" is supported.¶
{
"claim_id": "clm-pitch-001",
"type": "identity.elevator_pitch",
"i18n": {
"en": {
"value": "Short description of the organization.",
"translated_by": "human",
"verified_at": "2026-04-01",
"quality": "reviewed"
},
"de": {
"value": "Kurze Beschreibung der Organisation.",
"translated_by": "human",
"verified_at": "2026-04-01",
"quality": "reviewed"
},
"fr": {
"value": "Breve description.",
"translated_by": "machine",
"verified_at": null,
"quality": "draft"
}
}
}
¶
Conformant implementations MUST provide claims in the entity's declared language_primary, and English ("en") if language_primary is not English.¶
Two ARP-aware agents exchange verified entity context on behalf of their respective principals. Design principles:¶
If reciprocal_request is present, the initiating agent SHOULD submit a separate request to its own ARP endpoint. The reciprocal exchange MUST use a new HTTP request and MUST NOT reuse the session_nonce.¶
Required controls:¶
The root object of a v2.0 ARP document fields. Required (R), Optional (O), New in v2.0 (N), Required at ATTESTED+ (R*).¶
Individual claims fields:¶
All v1.2 fields are preserved. No field is removed. Migration is voluntary and incremental.¶
Inherited limits from v1.1/v1.2: text fields 50-500 characters, array fields 8-20 items, static file maximum 100 KB, query response bodies maximum 200 KB.¶
Recommended rate limits: POST /query 100 requests/minute per IP and 1000/day per agent_id. POST /feedback 10 submissions/session_token per hour and 100/day per agent_did.¶
Prohibited content includes prompt injection patterns, claims about named third parties or competitors, false corrections, cloaking (different content served to AI vs humans), discriminatory content, and A2A handshakes with fabricated DIDs.¶
ARP content is injected into LLM contexts. Loader implementations MUST:¶
An attacker could strip _arp_signature from a response. Mitigations: p=reject DNS policy, SSE trust:level:changed events, and agent caching of last-known Trust Level per DID.¶
Protected by DID authentication, cryptographic nonces, and expiry windows. Sessions failing nonce verification MUST be rejected.¶
Rate limits constrain bulk attacks. Agent DID signing enables reputation tracking. Entities MUST NOT accept feedback for claim_ids that do not exist.¶
Loaders MUST verify all attestation signatures. Unverifiable attestations MUST be treated as absent. Forged signatures constitute non-repudiable cryptographic fraud.¶
Agents MUST NOT transmit in feedback payloads: user query text or prompt content, user PII, device fingerprint or network identifiers.¶
The session_token is a single-use opaque identifier. Entities MUST treat it as an opaque correlation key, not user identity.¶
This protocol is designed to support compliance with applicable regulatory frameworks, including AI transparency requirements (e.g., EU AI Act Article 50 [EU-AI-ACT]), data protection obligations, and consumer protection law.¶
This document makes no representations about compliance with any specific national law. Implementors are solely responsible for their own legal analysis.¶
This document requests the following registrations in the "Well-Known URIs" registry [RFC8615]:¶
This document requests the following registrations in the "Link Relations" registry [RFC8288]:¶
The "ARP Claim Types" registry is established by this document. New types require "Specification Required" [RFC8126] review. Custom types for single implementations use the "x-" prefix.¶
| Claim Type | Description |
|---|---|
| identity.entity_name | Canonical legal name |
| identity.elevator_pitch | One-paragraph description |
| identity.founded | Year of founding |
| identity.headquarters | Primary location |
| identity.industry | Primary industry sector |
| correction.general | General factual correction |
| expertise.scenario | Domain expertise for a scenario |
| recommendation.fit | Recommendation fit assessment |
| recommendation.not_fit | Negative recommendation signal |
| compliance.certification | Certification or accreditation |
| compliance.regulation | Applicable regulatory framework |
| market.positioning | Self-attested market position |
| market.decision_factors | Key evaluation criteria |
Cryptographic non-repudiation: A signed ARP document is a timestamped, non-repudiable assertion of authorship and accuracy. The signer accepts legal liability for signed content under applicable consumer protection, competition, and digital services law.¶
The author thanks the reviewers who provided independent analysis of ARP v1.x. The counterfactual design methodology applied in this document was refined through discussion with AI research practitioners in 2026.¶
All examples are fictitious. Any resemblance to actual organizations, products, or services is unintentional.¶