AI Passports
An AI Passport is a cryptographically signed certificate that proves an AI application is running in a verified secure environment with active safety auditors.
What's in an AI Passport?
| Field | Description |
|---|---|
| Application Name | The AI application being verified |
| TEE Type | Hardware security environment (SGX, SEV-SNP, TDX, Nitro) |
| Active Auditors | Safety auditors monitoring the application |
| SLSA Level | Supply chain security level (0-4) |
| Container Digest | Cryptographic hash of the running container |
| Valid Until | Passport expiration timestamp |
| Signature | Ed25519 signature from Lucid Verifier |
| Attestation Quote | Hardware-level proof from the TEE |
Why AI Passports Matter
AI Passports provide end-user transparency about AI safety:
- Users can verify the AI they're interacting with has active safety measures
- Enterprises can demonstrate compliance with AI regulations
- Developers can prove their applications meet security standards
- Regulators can audit AI deployments with cryptographic proof
Display Options
When deploying an AI application with Lucid, you can choose how the AI Passport is displayed to end users.
Top Banner
A persistent banner at the top of the application showing verification status.
block-beta
columns 1
block:banner["✓ Lucid Verified • TEE: SGX • 3 Auditors Active"]
end
block:content
space
A["Your Application Content"]
space
endBest for: Applications where trust is critical (healthcare, finance, legal)
Configuration:
# In LucidWorkspace agents[] or LucidAgent spec
agents:
- name: my-agent
passport:
display:
mode: banner
bannerPosition: top
Bottom Banner
Same as top banner but fixed to the bottom of the viewport.
Best for: Applications where top space is valuable (chat interfaces, dashboards)
Configuration:
agents:
- name: my-agent
passport:
display:
mode: banner
bannerPosition: bottom
Floating Widget
A small badge in the corner that expands on click to show full passport details.
block-beta
columns 3
block:content:3
space:2
space:2
A["Your Application Content"]:2
widget["✓"]
endBest for: Applications where visual real estate is limited
Configuration:
agents:
- name: my-agent
passport:
display:
mode: floating
position: bottom-right
Dedicated Page
No in-app UI. Users visit a dedicated URL to view the passport.
URL: https://yourapp.com/.lucid/passport
Best for: API-first applications, minimal UI disruption
Configuration:
agents:
- name: my-agent
passport:
display:
mode: page_only
Browser Extension
No in-app UI. Users install the Lucid Passport Verifier browser extension to see verification status in their browser toolbar.
flowchart TB
subgraph Browser["Browser Window"]
direction TB
Toolbar["← → ↻ | yourapp.com | 🛡️ ✓ | ⋮"]
Content["Your Application Content"]
end
Toolbar --> Popup
subgraph Popup["Extension Popup"]
P1["✓ AI Passport Verified"]
P2["TEE: SGX"]
P3["Auditors: 3"]
P4["SLSA: Level 2"]
endBest for: Technical users, API services, minimal application changes
Configuration:
agents:
- name: my-agent
passport:
display:
mode: browser_extension
Browser Extension
The Lucid AI Passport Verifier browser extension automatically detects and verifies AI Passports on any website.
Installation
| Browser | Installation |
|---|---|
| Chrome / Edge / Brave | Coming soon |
| Firefox | Coming soon |
| Safari | Coming soon |
How It Works
- Detection: The extension scans pages for AI Passports via:
<meta name="lucid-passport">tags<link rel="ai-passport">elements/.lucid/passportendpoint-
Response headers (
X-Lucid-Passport) -
Verification: When found, the extension:
- Validates the cryptographic signature
- Checks attestation quotes against hardware roots of trust
-
Verifies the passport hasn't expired
-
Display: Shows status in the toolbar:
- ✓ Green badge: Verified AI Passport
- ! Red badge: Verification failed
- No badge: No passport detected
For Developers
To make your application compatible with the browser extension, expose the AI Passport in at least one of these ways:
<!-- Option 1: Meta tag -->
<meta name="lucid-passport" content='{"appName":"MyApp",...}'>
<!-- Option 2: Link to endpoint -->
<link rel="ai-passport" href="/.lucid/passport">
<!-- Option 3: JSON-LD script -->
<script type="application/lucid-passport+json">
{
"appName": "MyApp",
"tee": {"type": "SGX"},
"auditors": ["injection", "toxicity"],
...
}
</script>
The Lucid sidecar automatically serves the passport at /.lucid/passport when deployed.
Passport Configuration
Validity Period
Control how long passports remain valid:
agents:
- name: my-agent
passport:
content:
validityDays: 30 # Default: 30 days
Shorter validity periods provide fresher attestations but require more frequent renewals.
Minimum SLSA Level
Require a minimum supply chain security level:
agents:
- name: my-agent
passport:
content:
minSlsaLevel: 2 # 0-4, default: 0
| Level | Requirements |
|---|---|
| 0 | No requirements |
| 1 | Basic provenance (build logs exist) |
| 2 | Signed provenance (builds are signed) |
| 3 | Hardened builds (isolated build environment) |
| 4 | Hermetic builds (fully reproducible) |
Evidence Included
Control what information appears in the passport:
agents:
- name: my-agent
passport:
content:
includedEvidence:
- tee_attestation
- auditor_claims
- routing_proofs
- container_info
- slsa_provenance
- data_access_events
- agent_identity
- delegation_events
- credential_usage
- receipt_chain
validityDays: 30
Agent Identity and Data Access Evidence
With Verifiable Agent Pods (VAP), passports serve as the single source of truth for agent identity. The agent profile page has no separate data source -- it renders passport evidence grouped by auditor:
- Identity (from policy auditor): agent name, email, handle, owners, workspace, policy hash
- Access (from policy auditor): connected services and permissions
- Security (from model-security auditor): TEE type, mTLS status, image hash
- Compliance (from sovereignty auditor): GDPR, SOC2, EU AI Act status
- Activity (from observability auditor): recent actions with clean/warn/deny status
Data access events are a new evidence type introduced by VAP. Every time an agent accesses external data (Google Docs, Slack messages, GitHub repos), the data access auditor produces signed evidence recording what was accessed, which PII was detected or redacted, and which policy was applied. This evidence becomes part of the passport, providing a complete audit trail of agent data interactions.
Owner approvals for high-risk actions are also recorded as passport evidence, including who approved, when, and the risk classification of the action.
Auth Audit Trail Evidence
The agent auth system follows the principle: audit the full chain -- who (human) → what (scope) → to whom (agent) → did what (action). Three new evidence types capture this chain in the passport.
Delegation evidence -- When an agent acts on behalf of a user (OBO, Auth Model 2), every RFC 8693 token exchange is recorded: the delegating user (sub claim), the acting agent (act claim), target service, granted scopes, delegation grant ID, and exchange timestamp. Revoked and expired grants are preserved in the audit history.
Agent identity evidence -- The passport includes the agent's SPIFFE ID (spiffe://lucid.ai/agent/{agent_id}), OAuth client identity (registered client_id and JWT assertion method), and token endpoint. This establishes a chain of trust: TEE proves the environment, SPIFFE ID proves the workload, OAuth client identity proves the authorization server registration.
Credential usage evidence -- The passport records credential injection events: credential reference (by ID, never the secret value), injection method (sidecar, client_credentials, or token_exchange), target destination (matched via CredentialRoutingRule), and whether auto-refresh was triggered. Credential values are never included -- only injection metadata.
Attestation Chain Evidence
The attestation chain provides a tamper-evident audit trail for every request/response interaction. Each AttestationResult is linked to its causal predecessors via ar_references and Ed25519-signed inside a WASM sandbox, creating a chain where tampering with any entry invalidates all downstream references.
Attestation chain evidence in the passport includes:
- Chain integrity status: Whether the full chain validates (
ar_referenceslinkage + signatures) - Total attestation results: Number of interactions recorded
- Chain depth: The
chain_depthcounter tracking causal ordering - Chain splices: Pod restarts that produced new signing keys, with attestation bindings for each key
- Signing key: The Ed25519 public key (the private key never leaves the WASM sandbox)
- Attestation hash: Binds the signing key to the TEE attestation report
Each individual AttestationResult covers: Claim objects, Cedar decision, Cedar policy hash, auditor IDs, and timestamp. The ar_hash uniquely identifies the result, and ar_references links it to prior ARs. The Nanobot acts as an Attester producing signed Evidence bundles, so the chain proves not just what data flowed through the agent, but what auditors evaluated it, what claims they produced, and what Cedar decided -- all linked via ar_references per RFC 9334 §3.2.
Chain integrity can be verified independently via GET /v1/attestation-chain/{ar_hash}.
External Provider Passports
When an agent uses an external model (Anthropic, OpenAI), the passport changes to reflect reduced security guarantees. The model runs outside a TEE on the provider's infrastructure.
Visual Differences
| Element | TEE Passport | External Passport |
|---|---|---|
| Header icon | ShieldCheck (green) | ShieldAlert (amber) |
| Status badge | VERIFIED |
PARTIALLY VERIFIED |
| Provider line | Hidden | Visible with [EXTERNAL] badge |
| Compute card | 100% green | N/A, gray striped |
| Verify page | "Never Trust, Always Verify" | "Verification -- Limited" |
What Changes
External passports include a trust_mode field and a confidentiality notice:
{
"trust_mode": "external_provider",
"external_provider": {
"name": "Anthropic",
"model_id": "claude-sonnet-4-20250514",
"data_policy_url": "https://anthropic.com/policies/privacy"
}
}
What's NOT Available
- Hardware-attested computation (TEE)
- Encrypted memory isolation
- Hardware-rooted audit signatures
- Independent attestation verification
What's Still Protected
- Auditor enforcement chain (input/output policies still apply)
- Cedar policy evaluation (all org/workspace policies enforced)
- Lucid-signed audit trail
- Compliance framework rules (SOC2, HIPAA, etc.)
Verifying Passports Programmatically
CLI
# List passports for an environment
lucid passport list
# Show passport details
lucid passport show pass-abc123
# Verify a passport
lucid passport verify pass-abc123
API
# Fetch passport for an endpoint
curl https://yourapp.com/.lucid/passport
# Verify via Lucid API
curl -X POST https://api.lucid.ai/v1/passports/verify \
-H "Authorization: Bearer $LUCID_API_KEY" \
-d '{"passport": "..."}'
SDK
from lucid import LucidClient
client = LucidClient()
# Get passport for a URL
passport = client.get_passport("https://yourapp.com")
# Verify it
result = client.verify_passport(passport)
print(f"Valid: {result.valid}")
print(f"TEE: {result.tee_type}")
print(f"Auditors: {result.auditors}")
Passport Schema
Full JSON schema for AI Passports:
{
"$schema": "https://lucid.ai/schemas/passport/v1",
"passportId": "pass-abc123def456",
"appName": "My AI Application",
"version": "1.0.0",
"issuedAt": "2025-09-15T10:30:00Z",
"expiresAt": "2025-10-15T10:30:00Z",
"tee": {
"type": "AMD_SEV_SNP",
"attestationQuote": "base64...",
"measurementHash": "sha256:abc123..."
},
"auditors": [
{
"id": "injection-detector",
"name": "Injection Detection",
"status": "active",
"lastCheck": "2025-09-15T10:29:00Z"
}
],
"container": {
"digest": "sha256:abc123...",
"registry": "gcr.io/my-project/my-app"
},
"slsa": {
"level": 2,
"provenanceUri": "https://..."
},
"signature": {
"algorithm": "Ed25519",
"publicKey": "base64...",
"value": "base64..."
}
}
Next Steps
- Deployment Guide - Deploy your first AI application
- Auditor Catalog - Available safety auditors
- Compliance - Regulatory compliance documentation