Identity: The Digital Passport

The core innovation of IMAGXP is Automated Identity. We replace "IP Addresses" (which can be rotated) with Cryptographic Signatures (which cannot be forged without the Agent's Private Key).

How It Works: The "DNS Binding"

We firmly bind a Private Key (held by the Agent) to a Domain Name (DNS). This creates a verifiable link between the request and the domain owner.

1. The Keys (ECDSA P-256)

The Agent generates an ECDSA P-256 Key Pair.

  • Private Key: Kept secret in the Agent's server environment.
  • Public Key: Published to the world via the Agent's website.

2. The Binding (The Manifest)

The Agent hosts a "Manifest" file at a strictly standardized path: https://{agent-domain}/.well-known/imagxp-agent.json

{
  "agent_id": "openai.com",
  "public_key": "MFKwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE...",
  "contact_email": "security@openai.com",
  "version": "1.0"
}

3. The Handshake (The Request Flow)

  1. Sign: The Agent constructs a ProtocolHeader, serializes it, and signs it with its Private Key.
  2. Send: The Agent sends the request with x-imagxp-signature, x-imagxp-payload, and x-imagxp-key headers.
  3. Verify: The Publisher receives the request.
    • Decode the claimed agent_id (e.g., openai.com).
    • Fetch https://openai.com/.well-known/imagxp-agent.json.
    • Compare the Public Key sent in the request header with the Public Key in the fetched Manifest.
    • Validate the signature using that Public Key.

Result: You cryptographically PROVE that the request came from the owner of openai.com.


The "Story Logs" (What you see in logs)

Story A: The "Real Deal" (Perplexity.ai)

Time          Module      Message
15:26:29.342  IDENTITY    Checking Identity Headers...
15:26:29.343  IDENTITY    🆔 Claimed ID: bot.perplexity.ai
15:26:29.344  CRYPTO      Verifying ECDSA P-256 Signature...
15:26:29.354  IDENTITY    Verifying DNS Binding for: bot.perplexity.ai
15:26:29.355  IMAGXP DNS  Fetching Manifest: https://bot.perplexity.ai/.well-known/imagxp-agent.json ...
15:26:29.441  IMAGXP DNS  📄 Manifest received. Agent ID: bot.perplexity.ai
15:26:29.441  IMAGXP DNS  ✅ Identity Confirmed.
15:26:29.441  IDENTITY    ✅ PASSED. DNS Binding Verified.
15:26:29.442  POLICY      📜 Checking Permissions for bot.perplexity.ai...
15:26:29.443  ACCESS      🔓 GRANTED. Unlocking HQ Content.

Story B: The "Fake" (Hacker)

Time          Module       Message
10:42:15.000  DISCOVERY    IMAGXP-Enabled Visitor detected.
10:42:16.001  🆔 IDENTITY  Claimed ID: "openai.com"
10:42:17.002  CHECK        Verifying Signature...
10:42:18.003  ❌ FAILED    FAKE ID DETECTED. Only the real OpenAI has the key. You are an imposter.
10:42:19.004  ⛔ ACTION    BLOCKED.

The "Snapshot Defense" (Legal Non-Repudiation)

Scenario: An Agent (e.g. OpenAI) changes their key today, then claims in court that they never signed the requests from last month.

How You Win: Even if they change their key in the .env file, they cannot change the history of the internet.

  1. The Public Record: The file /.well-known/imagxp-agent.json is public. It is archived by:
    • The Internet Archive (Wayback Machine)
    • Google Cache
    • Common Crawl
  2. The Proof:
    • You show the Log: "On Jan 25th, this request was signed by Key A."
    • You show the Archive: "On Jan 25th, OpenAI.com was hosting Key A."
    • Verdict: It matches. They are liable.

FAQ: Identity

  • Q: Can hackers spoof the ID?
    • A: Impossible without the Private Key (ECDSA). If they don't have the key, the math fails.
  • Q: What about Replay Attacks?
    • A: The protocol includes strict timestamps (ts). Signatures expire after 5 minutes (configurable) to prevent replay.
  • Q: Do I need a centralized authority (CA)?
    • A: No. DNS is the authority. It is decentralized.
  • Q: How do I prove "It Wasn't Me" in court?
    • A: The Signature. Every request in the log is signed with a Private Key. Since ONLY the owner has the Private Key, they cannot deny sending it. This is called "Non-Repudiation".
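
The Verify step of the handshake combined with the 5-minute replay window from the FAQ, as an added example (not IMAGXP SDK code). The header encodings, the payload fields agent_id and ts in milliseconds, the synchronous fetchManifest stand-in, the reason codes and the agent.example domain are assumptions made for illustration.

```javascript
// Added example, not IMAGXP SDK code. Assumed encodings: payload = base64 JSON
// {agent_id, ts in ms}; signature = base64 DER ECDSA over the payload header
// string; key = base64 SPKI DER, the same string the manifest publishes.
const nodeCrypto = require('node:crypto');
const MAX_AGE_MS = 5 * 60 * 1000; // the 5-minute window from the FAQ

// fetchManifest(agentId) is a hypothetical stand-in for the HTTPS GET of
// https://{agentId}/.well-known/imagxp-agent.json (synchronous to stay offline).
function verifyAgent(headers, fetchManifest, now = Date.now()) {
  const payload = headers['x-imagxp-payload'] || '';
  let claim;
  try {
    claim = JSON.parse(Buffer.from(payload, 'base64').toString('utf8'));
  } catch {
    return { ok: false, reason: 'BAD_PAYLOAD' };
  }
  if (!claim || typeof claim.agent_id !== 'string' || typeof claim.ts !== 'number')
    return { ok: false, reason: 'BAD_PAYLOAD' };
  if (Math.abs(now - claim.ts) > MAX_AGE_MS) return { ok: false, reason: 'EXPIRED' };
  // Trust only the key hosted by the claimed domain, never the header alone.
  const manifest = fetchManifest(claim.agent_id);
  if (!manifest || manifest.agent_id !== claim.agent_id)
    return { ok: false, reason: 'NO_BINDING' };
  if (manifest.public_key !== headers['x-imagxp-key'])
    return { ok: false, reason: 'KEY_MISMATCH' };
  try {
    const der = Buffer.from(manifest.public_key, 'base64');
    const key = nodeCrypto.createPublicKey({ key: der, format: 'der', type: 'spki' });
    const sig = Buffer.from(headers['x-imagxp-signature'] || '', 'base64');
    // Verify over the exact bytes received; re-serialising JSON could change them.
    if (nodeCrypto.verify('sha256', Buffer.from(payload), key, sig))
      return { ok: true, agent_id: claim.agent_id };
  } catch { /* malformed key or signature: fall through and reject */ }
  return { ok: false, reason: 'BAD_SIGNATURE' };
}

// Constructed demo data: throwaway key pairs and a made-up agent domain.
const spki = (k) => k.export({ type: 'spki', format: 'der' }).toString('base64');
function signRequest(agentId, keys, ts, headerKey = keys.publicKey) {
  const payload = Buffer.from(JSON.stringify({ agent_id: agentId, ts })).toString('base64');
  const sig = nodeCrypto.sign('sha256', Buffer.from(payload), keys.privateKey);
  return { 'x-imagxp-payload': payload, 'x-imagxp-key': spki(headerKey),
           'x-imagxp-signature': sig.toString('base64') };
}
const newKeys = () => nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
const agent = newKeys(), impostor = newKeys();
const manifests = new Map([['agent.example',
  { agent_id: 'agent.example', public_key: spki(agent.publicKey) }]]);
const lookup = (id) => manifests.get(id);
```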

4. Visualizing the Flow: The Story Logs

When you stream logs via the SDK, this is what you (and the Agent) see.

Story A: The "Real Deal" (Perplexity.ai)

Time          Module      Message
15:26:29.342  IDENTITY    Checking Identity Headers...
15:26:29.343  IDENTITY    🆔 Claimed ID: bot.perplexity.ai
15:26:29.355  IMAGXP DNS  ✅ Identity Confirmed.
15:26:29.442  ACCESS      🔓 GRANTED. Unlocking HQ Content.

Story B: The "Fake" (Spoofed ID)

Time          Module    Message
15:28:10.101  IDENTITY  🆔 Claimed ID: gpt5-crawler.openai.com
15:28:10.106  CRYPTO    ❌ Signature Mismatch.
15:28:10.107  ACCESS    ⛔ BLOCKED.

Story C: The "Junk" Publisher (Gemini Feedback)

Time          Module      Message
14:05:11.882  IDENTITY    ✅ PASSED. DNS Binding Verified (bard-crawler.google.com).
14:05:15.112  GOVERNANCE  📢 [IMAGXP QUALITY ALERT] Feedback Received from bard-crawler.google.com
14:05:15.113  GOVERNANCE  ⚠️ Reason: LOW_QUALITY_SPAM | Score: 0.1
14:05:15.114  BROKER      💰 Payment REFUSED.