Skip to content

XProtocol — The Exchange Protocol

Protocol Version: 0.2 (Draft) Date: 2026-05-31 License: CC BY 4.0

The universal AI exchange protocol — schema-native, identity-native interoperability for the post-app era.

Identity belongs to the user. Interoperability belongs to the ecosystem. Intelligence belongs to agents.

The Internet Was Built for Humans. The Next Internet Will Be Built for Agents.

Humans needed browsers, portals, forms, REST documentation, SDKs, and API keys. They navigated websites, read documentation, copied tokens into configuration files, and wrote integration code. This worked — for forty years.

AI agents need none of that. They need schemas they can parse, contracts they can verify, permissions they can evaluate, and events they can compose. They don't read documentation — they read machine-readable definitions. They don't manage API keys — they sign requests with cryptographic identity. They don't write integration code — they compose structured events against published schemas.

The XProtocol is the communication substrate designed for this world. It is a universal protocol for all digital interactions — person-to-person, person-to-service, agent-to-agent, and service-to-service — built on three primitives: cryptographic identity, signed events, and schema contracts.

XProtocol is not a REST replacement, though it does what REST does. It is not an OAuth replacement, though it eliminates OAuth entirely. It is not a messaging protocol, though it handles messaging. It is not a query language, though it supports structured queries. It is the layer underneath all of these — the substrate on which any interaction can be built without reinventing identity, authentication, encryption, or integration for every new connection.

The Core Idea: Signed, Encrypted Events

Every interaction in XProtocol is an event — a structured, signed, encrypted message from one party to another.

When you message a friend, it's an event. When you query your CRM, it's an event. When your AI agent books a restaurant, it's an event. When a SaaS vendor delivers data to your device, it's an event. The structure is identical regardless of what's being communicated:

  • Signed by the sender's Ed25519 private key. Proves who sent it. Cannot be forged.
  • Encrypted to the recipient's public key. Only the intended recipient can read it.
  • Structured with a typed payload conforming to a published schema. The recipient knows exactly what to expect.
  • Identifiable with a unique content hash. Every event is deduplicated and addressable.

There are no sessions. No cookies. No tokens to refresh. No API keys to rotate. Every event is self-contained: it carries its own identity proof, its own authorization context, and its own payload. A service receiving an event can verify who sent it, check what they're allowed to do, decrypt the content, and process it — all from the event itself.

Core XProtocol vs. The Ecosystem

XProtocol has a small, complete core. Everything else is optional.

This matters. When evaluators see a protocol that also includes an event store, a graph database, a workflow engine, a distributed tracing replacement, an environment management system, and a discovery layer with novel cryptographic primitives, their instinct is to treat it as one enormous proposal. It isn't.

┌─────────────────────────────────────────────────────────┐
│  XProtocol Core — complete and useful on its own        │
│                                                         │
│  • Cryptographic identity (Ed25519 + X25519 keypairs)   │
│  • Signed, encrypted events                             │
│  • Schema contracts                                     │
│  • Pluggable discovery & transport                      │
│  • Request-response semantics                           │
│  • Standard error codes                                 │
│                                                         │
│  A SaaS vendor can publish a conformant XProtocol       │
│  endpoint in a day using only these six primitives.     │
└─────────────────────────────────────────────────────────┘
          │ optionally extended by
┌─────────────────────────────────────────────────────────┐
│  XProtocol Ecosystem Extensions — adopt as needed       │
│                                                         │
│  • Event Store — persistent queryable event history     │
│  • Graph Store — mutable annotation layer               │
│  • Environment Model — cryptographic env management     │
│  • Workflow — process state on events                   │
│  • Agent Memory — AI semantic annotation layer          │
│  • Discovery extensions — UWB, visual, audio, proximity │
└─────────────────────────────────────────────────────────┘

The core is a three-primitive protocol. The ecosystem extensions are optional capabilities that build on it. An implementation that supports only the core is fully conformant and interoperates with all other conformant implementations. Extensions are additive, not required.

The practical impact of XProtocol is most visible in how AI agents interact with the world.

What This Enables for AI Agents

The practical impact of XProtocol is most visible in how AI agents interact with the world.

Today: Custom Integration Per Service

An AI agent that wants to book a restaurant, check your calendar, and message your friend needs three separate integrations:

  • Restaurant: Register for an API key, read 200 pages of REST documentation, implement OAuth 2.0 authorization code flow, handle token refresh, write JSON request bodies, parse vendor-specific error responses.
  • Calendar: Different API key, different OAuth flow, different endpoint structure, different error format, different pagination scheme.
  • Messaging: Yet another account, another authentication mechanism, another payload format.

Three services. Three identity systems. Three authentication flows. Three data formats. Three error-handling approaches. Weeks of integration work before the agent can do anything.

What that looks like in code — today:

# Restaurant — REST + OAuth
token = oauth_exchange(client_id, client_secret, scope="reservations")
response = requests.post(
    "https://api.restaurant.com/v2/reservations",
    headers={"Authorization": f"Bearer {token}"},
    json={"date": "2026-06-01", "time": "19:00", "party": 2}
)
# Handle vendor-specific errors, token refresh, rate limits...

# Calendar — different OAuth, different format, different SDK
google_token = google_oauth_flow(scope="calendar.events")
response = requests.post(
    "https://www.googleapis.com/calendar/v3/calendars/primary/events",
    headers={"Authorization": f"Bearer {google_token}"},
    json={"summary": "Dinner", "start": {...}, "end": {...}}
)
# Different error format, different pagination scheme...

# Messaging — yet another credential, yet another format
response = requests.post(
    "https://slack.com/api/chat.postMessage",
    headers={"Authorization": f"Bearer {os.environ['SLACK_BOT_TOKEN']}"},
    json={"channel": "#general", "text": "Dinner at 7?"}
)
# Different rate limits, different error codes, zero reuse...

Three credential sets. Three authentication flows. Three error formats. Zero reuse between them.

With XProtocol: One Protocol, Every Service

The same workflow with XProtocol:

# One identity. One protocol. Every service.
agent = XProtocolAgent(private_key=my_ed25519_key)

restaurant = agent.connect("restaurant.com")    # discovers via DNS TXT
agent.send(restaurant, {
    "kind": "restaurant.reservation.create",
    "payload": {"date": "2026-06-01", "time": "19:00", "party": 2}
})

calendar = agent.connect("calendar.google.com")
agent.send(calendar, {
    "kind": "calendar.event.create",
    "payload": {"summary": "Dinner", "start": "2026-06-01T19:00:00Z"}
})

agent.send(friend_public_key, {
    "kind": "xp.message.direct",
    "payload": {"text": "Dinner at 7?"}
})

The agent's Ed25519 key IS the identity for all three services. The signature IS the authentication. The schema IS the API documentation. No API keys. No OAuth. No SDKs. No integration code.

Schema-to-Grammar Compilation

The most powerful AI integration feature: XProtocol schemas can be compiled into GBNF grammars for constrained LLM generation. When an AI agent needs to compose an event, the LLM generates within the schema's grammar — it physically cannot produce an invalid event. The schema enforces structural correctness at the token level, not as an afterthought validation step.

This is what makes a 7B parameter local model viable for reliable service interaction. The model doesn't need to be smart enough to never make mistakes — the grammar makes mistakes structurally impossible.

Human Examples

XProtocol isn't just for AI agents. It handles the same interactions humans have always needed, but with cryptographic identity and encryption built in rather than bolted on.

Messaging

Alice messages Jake: "Are we still on for Saturday?" This becomes a signed XProtocol event, encrypted to Jake's public key, delivered through a relay. Jake's device decrypts it and presents it. Jake replies — another signed event. No messaging account. No phone number required. Two keypairs exchanging encrypted events.

If Alice later decides she doesn't want Jake to have their conversation history, she revokes her access token. Every message she ever sent becomes ciphertext on Jake's device. Not deleted — cryptographically locked. She can re-issue the token if she changes her mind.

Service Access

Alice's company subscribes to a legal research service. The service maps Alice's public key to "read access to case law." Alice's AI agent queries the service — a signed XProtocol event. The service verifies the signature, checks permissions, returns results. No login screen. No OAuth flow. No session to expire.

When Alice leaves the company, the admin publishes a key revocation event. Every service immediately stops accepting events from Alice's key. One event. Instant. No "disable the user's accounts across 47 SaaS platforms" scramble.

Offline Data Access

Alice's legal research service lets her cache case law locally for courtroom use. The cached data is encrypted with a key derived from Alice's key plus a vendor-issued license token. The token refreshes weekly. If the firm cancels the subscription, the token expires and the cached data becomes inaccessible ciphertext. Re-subscribe and it's instantly accessible again — no re-download.

Agent-to-Agent Coordination

Alice says "plan dinner with Jake Saturday." Her AI agent sends Jake's AI agent a structured proposal — not a text message, a machine-readable event containing proposed times, restaurants (filtered by both parties' dietary preferences), and party size. Jake's agent evaluates the proposal against Jake's calendar and preferences, presents options to Jake, and returns a structured acceptance. Both agents book the restaurant and update calendars. One sentence from Alice. Two agents negotiating via structured events.

Technical Architecture

Identity

Every participant — person, organization, service, AI agent — has an Ed25519 keypair.

  • Public key: Your identifier. How the world knows you.
  • Private key: Your signer. Never transmitted. Stored in your device's secure enclave.

Organizations use key hierarchies: the root key signs department keys, department keys sign employee keys. Any service can verify the chain: "Alice is authorized to act on behalf of Engineering at Acme Corp." Key revocation is an event — the parent key publishes a revocation, and services stop accepting events from the revoked key immediately.

For normal people, key management is invisible. The AI handles it. Recovery options range from cloud-encrypted backup (enter a passphrase on a new device) to family plans (Mom's phone helps recover Dad's key) to enterprise IT (admin issues a new key). No one needs to understand cryptography.

Events

The atomic unit of XProtocol. Every interaction is an event with:

Field Purpose
id Content hash (SHA-256). Unique, deterministic.
sender Public key of the author.
recipient Public key of the intended recipient.
kind Operation identifier (e.g., salesforce.opportunity.create).
correlation_id Links request events to their responses.
timestamp When it was created (signed, tamper-proof).
expires When it becomes invalid (prevents replay).
schema_version Which version of the schema this event conforms to.
payload The operation-specific data (encrypted).
signature Ed25519 signature proving authorship and integrity.

Schema Contracts

Services publish their capabilities as machine-readable schemas: what entities they expose, what fields those entities have, what operations are available, what permissions are required. The schema IS the API — no separate documentation, no SDK, no developer portal.

AI agents read the schema, understand the service's capabilities, and compose valid events. Schemas compile to GBNF grammars for constrained generation. The schema IS the integration.

Request-Response

XProtocol supports synchronous request-response (send event, wait for correlated response), asynchronous operations (send event, receive acknowledgment, get result later with progress updates), streaming responses (chunked data delivery), and subscriptions (real-time event streams that replace webhooks).

Structured Queries

Services that expose queryable data support structured query events with filters, sorting, pagination, field selection, relationship traversal, and aggregation. For complex queries beyond the structured model, services declare vendor-specific query language support as an explicit escape hatch.

Transactions

Single-event operations are inherently atomic. Multi-step workflows use saga patterns with compensating actions. Two-phase commit is available as an optional coordination primitive for services that require atomicity, with mandatory epoch limits that prevent indefinite resource locking.

Security

Encryption

All event payloads are encrypted end-to-end using XChaCha20-Poly1305 with ephemeral X25519 ECDH key agreement and HKDF-SHA256 key derivation. Each identity holds two keypairs: an Ed25519 keypair for signing and verification, and a separate X25519 keypair for encryption and decryption. Both are generated together at identity creation. TLS is recommended for transport integrity but is not the sole confidentiality mechanism. For enterprise deployments, mandatory envelope encryption makes even event metadata (operation types, sender identity) invisible to transport infrastructure.

Capability-Gated Authorization

Permissions are mapped to sender keys: "This key can read opportunities. This key can create orders. This key can query but not modify." Every incoming event is checked against the sender's permission set. The permission state is cached in memory for performance, with revocation feeds triggering immediate invalidation.

Revocation

Key compromise response: the parent key publishes a revocation event. Services stop accepting events from the compromised key within seconds. At enterprise scale, bloom filters and Merkle-based validity proofs keep revocation checks local and fast — CPU operations, not network I/O.

License-Gated Local Data

Data cached locally on a customer's device can be cryptographically bound to an active subscription. The decryption key is derived from both the customer's key and a vendor-issued license token. Cancel the subscription → token expires → local data becomes inaccessible ciphertext. Re-subscribe → new token → data accessible again instantly. Stronger than DRM because the decryption key doesn't exist on the device — it's derived at runtime from two components, one of which only the vendor can issue.

What XProtocol Does Not Attempt To Solve

XProtocol is ambitious but bounded.

  • XProtocol does not eliminate business logic. It transports events and enforces identity. What a service does with those events is the service's concern.
  • XProtocol does not guarantee semantic interoperability. Two services can implement the same schema and mean different things. Structural compatibility is protocol-enforced. Semantic compatibility requires human coordination.
  • XProtocol does not prevent poor schema design. The protocol provides structure. Community norms and market pressure provide quality.
  • XProtocol does not guarantee AI correctness. A valid, properly authenticated event can still be the wrong event. Agent reliability is an AI problem, not a protocol problem.
  • XProtocol does not replace transport-layer security. End-to-end encryption is defense-in-depth, not a TLS substitute.
  • XProtocol does not remove all centralization pressures. It provides escape hatches (self-hosted relays, forkable schemas) but cannot prevent the social and economic forces that produce consolidation.

Minimum Viable XProtocol

Not every implementation needs every feature. The minimum viable XProtocol is six capabilities:

  1. Signed events — Ed25519 signature on every event.
  2. Schema contracts — Machine-readable service definitions.
  3. Identity-native auth — Key-to-permission mapping.
  4. Request-response — Correlation IDs linking requests to responses.
  5. Endpoint discovery — DNS TXT or well-known URL.
  6. Standard error codes — AI agents need to handle failures programmatically.

Everything else — encryption, subscriptions, queries, transactions, license gating, agent coordination, social events, sender-controlled messages — is an optional extension adopted as needed.

A SaaS vendor can publish a valid XProtocol endpoint in a day using only the core. They add extensions as the value becomes clear.

The XProtocol Event Store

An XProtocol relay stores events transiently — it holds them until the recipient comes online, then discards them. An XProtocol Event Store extends the relay to retain events permanently and expose them as a queryable, cryptographically-access-controlled dataset.

The event store is not a separate protocol. It is a relay with two additions: persistent retention and the xp.store.* schema family for querying stored events. The security model it provides is something no traditional database can replicate.

Access Control That Cannot Be Misconfigured

Traditional databases bolt access control on after the fact — administrators configure roles and ACLs that can be misconfigured, bypassed by privileged users, or compromised. The XProtocol event store takes a different approach: the data carries its own access control. Every event is signed by its creator (proving authorship) and encrypted to its recipient (proving access rights). The store enforces what the cryptography has already established.

The access rule is simple: a key may retrieve any event in which it appears as sender or recipient. No configuration. No role mappings. No administrator override. The ciphertext itself is the access control list.

A compromised store operator cannot read event payloads — they see only ciphertext. There is no credential to steal that grants payload access. And every event has a cryptographic proof of who created it and when, making the event store an inherently tamper-evident audit log.

A NoSQL Database on Steroids

Event metadata — schema type, sender key, recipient key, timestamp, correlation ID — is queryable without decryption, enabling rich query patterns:

// All direct messages in a time range from a specific peer
filter: { kind: 'xp.message.direct', sender: peer_key, timestamp: [T1, T2] }

// Full request-response chain reconstruction
filter: { correlation_id: 'uuid-abc123' }

// All operations a service performed on my behalf
filter: { sender: service_key, recipient: my_key, kind: 'salesforce.opportunity.*' }

// Aggregate counts by schema type (no decryption needed)
aggregate: { group_by: 'kind', count: true }

Payload-level filtering (inside the encrypted content) happens client-side after decryption — the store returns matching ciphertext, the client decrypts locally. The store operator never sees the content.

What It Replaces

For event-driven systems, the XProtocol event store subsumes an entire traditional data stack in a single deployment with stronger security guarantees than any component it replaces:

  • NoSQL document store — permanent encrypted event retention with metadata queries
  • Event streaming platform — real-time delivery with full historical replay via xp.store.subscribe
  • Audit logging system — the event store IS the audit log; every event is signed and tamper-evident
  • Encryption at rest — unnecessary; data arrives already encrypted
  • Row-level security — unnecessary; the recipient key IS the row-level security
  • SIEM — query security-relevant events with xp.store.query filtered by schema type

Applications

A messaging application stores its events in the event store. Users get portable, device-independent history: a new device recovers full conversation history by querying with the user's private key. The store operator has never read a message.

An AI agent stores its interactions, decisions, and tool invocations as XProtocol events. The store becomes queryable long-term memory — portable across agent implementations.

Compliance-critical organizations store regulatory evidence in the event store. Every record has cryptographic proof of who created it, when, and that it has not been modified since. xp.store.retention prevents premature deletion.

A cross-service data fabric emerges when multiple services write to a shared event store. Authorized consumers query across services without any service needing to expose a data export API.

The event store is an optional XProtocol extension — a valid relay implementation without it is still fully XProtocol-compliant. It is adopted when persistent, queryable event history is needed.

The XProtocol Graph Store

The XProtocol Graph Store extends the Event Store with one additional capability: mutable, authorized, auditable annotations on immutable signed events.

Every stored event can carry a structured dictionary of typed metadata — outside the signature boundary, queryable without decryption, writable only by authorized keys, with every mutation itself a signed permanent event in the store. The annotation envelope transforms the flat event collection into a navigable, queryable graph.

Full specification: XProtocol-Graph-Store-Spec.md

The Design

An XProtocol event is cryptographically immutable — the signed payload, sender key, recipient key, and content hash cannot change. The Graph Store adds a second layer — the annotation envelope — that is explicitly mutable, explicitly unencrypted, and explicitly authorized. The event proves what happened; the annotations describe how it relates to everything else.

Every annotation change is effected by a signed xp.graph.annotate event. There are no silent mutations. The annotation history for any event is itself a first-class queryable dataset — who changed what, when, and to what value, all cryptographically verifiable.

Eight Annotation Namespaces

thread.* — Conversation threading without a thread table. A thread is a query, not an entity. Events belong to multiple threads simultaneously.

recipient.* — Personal inbox state: read/unread, folders, stars, snooze, priority, private notes. RECIPIENT_ONLY authorization — the sender never sees it. Different recipients of the same event have completely independent views. The full email inbox model without a shared inbox server.

trace.* — Distributed observability across every service in a system. Ten distinct identifiers — trace_id, span_id, causation_id, saga_id, session_id, batch_id, job_id, request_id, and more — each answering a different question about causality and context. The complete trace of an operation across any number of services is a single query. No Jaeger. No OpenTelemetry collector. No shared tracing infrastructure.

groups — Universal membership. Events, users, and data records are all members of the same group hierarchy. A project group, a client group, a time-period group — all queryable with the same filter primitive.

links — Typed relationships: caused_by, supersedes, reply_to, references, part_of, blocks, and custom types. The xp.graph.traverse operation follows edges to any depth. The external_refs sub-field provides typed foreign keys to entities in any external system — Salesforce, Jira, Stripe, GitHub — creating a universal cross-system reference model without a central registry.

workflow.* — Business process state: current step, assignment, completion history, due dates. Any event can be a workflow artifact. The workflow state is the annotation; no separate workflow engine or database is required. Every transition is a signed event — the full process history is tamper-evident.

versioning.* — Logical versioning on immutable events. A new version supersedes prior versions by annotation, not mutation. The store manages is_current automatically. The full version history of any entity is always queryable.

ai.* — AI-derived semantic metadata: intent, sentiment, named entities, topics, summaries, embedding references. AI agents decrypt payload content locally, derive semantic tags, and annotate the store record. The store never sees the content. The resulting persistent semantic index makes encrypted content discoverable by meaning without re-processing every event.

What the Graph Store Adds to What It Replaces

The Event Store already replaced NoSQL document stores, event streaming platforms, and audit log systems. The Graph Store extends that replacement to cover the rest of the traditional data infrastructure stack:

  • Graph database (Neo4j) — typed link annotations + xp.graph.traverse
  • Distributed tracing (Jaeger, Zipkin, OpenTelemetry)trace.* namespace; no collector infrastructure; tamper-evident because every span is signed by the system that produced it
  • Email inbox server (IMAP)recipient.* namespace; per-recipient personal view with no shared state server
  • Workflow engine (Temporal, Airflow)workflow.* namespace; state machine on events with no separate workflow database
  • Record version controlversioning.* namespace; immutable history with cryptographic proof of every change
  • AI semantic searchai.* namespace; persistent index without re-processing encrypted content
  • Cross-system foreign keysexternal_refs; universal reference across every integrated service
  • Observability platformtrace.* + xp.store.stats; no collector or aggregator infrastructure
  • Audit log of state changes — annotation history; every mutation is itself a signed, stored, queryable event

The Name for What This Is

The XProtocol Graph Store is not a database. It is not a message queue. It is not a graph database. It is not an observability platform. It is not a workflow engine.

It is all of them, unified under a single cryptographic identity model, with provable authorship and access control on every record and every change to every record. The closest accurate description: a cryptographically-sovereign event graph — immutable signed nodes, authorized mutable edges and attributes, every mutation permanently recorded, no operator can read the content, no administrator can forge a record, no configuration can misconfigure access control.

Infrastructure Implications

XProtocol doesn't just replace application protocols. It makes most of the defensive infrastructure stack that enterprises run today either unnecessary or radically simpler.

The Root Cause of Infrastructure Complexity

Modern infrastructure is complex because the protocols underneath it are insecure by design. HTTP has no native identity. REST has no authentication. Webhooks can be spoofed. Sessions can be hijacked. API keys can be stolen. Every layer of infrastructure complexity — VPCs, WAFs, firewalls, API gateways, certificate authorities, secrets managers, audit log pipelines, multi-environment duplication — exists to compensate for these fundamental weaknesses. The infrastructure IS the security model, because the protocols provide none.

XProtocol changes the foundation. When every event is cryptographically signed, encrypted to a specific recipient, and carries its own authorization context, the defensive infrastructure built on protocol insecurity becomes either unnecessary or fundamentally simpler.

The Core Shift: Topological → Cryptographic Security

Traditional security is topological: you are trusted because of where you are in the network. VPCs, subnets, security groups, and firewall rules express authorization as network topology. Once inside the perimeter, services are implicitly trusted. Lateral movement after a breach is easy.

XProtocol security is cryptographic: you are trusted because of who you are, proven by your private key, regardless of network position. An unauthorized key cannot access a service whether it originates inside the data center or from the public internet.

What Changes at Each Layer

WAFs — Today's WAFs pattern-match attack signatures across thousands of rules. With XProtocol, a tampered payload is cryptographically detectable — the signature won't verify. Schema validation makes injection attacks structurally impossible. The WAF collapses to a single rule: drop events that fail signature verification.

Firewalls and security groups — Today's firewall rules encode authorization policy as network topology. With XProtocol, authorization is in the event itself. Firewall policy becomes: accept XProtocol events on the relay port, drop everything else. Hundreds of inter-service rules disappear.

VPCs and network segmentation — Multi-tier VPC architecture exists to isolate environments by network position. With XProtocol's environment model, environments are cryptographic constructs: a developer's key simply doesn't have capability to touch production data — enforced at the event level, not the network level. One physical infrastructure. Multiple logical environments. Environment duplication is radically reduced for XProtocol-native systems.

API gateways — Exist to add authentication and authorization to services that have none natively. XProtocol events are already authenticated (the signature) and carry their own authorization context. The gateway's function is absorbed by the relay's signature verification layer.

Certificate authorities and PKI — Exist because HTTP has no native identity model. XProtocol's Ed25519 keypairs are the identity layer. The internal PKI stack — private CAs, certificate rotation, cert-manager, ACM automation — is replaced by the key hierarchy.

Secrets management — API keys, OAuth client secrets, service account credentials, webhook signing secrets — all unnecessary for XProtocol-native interactions. The secrets footprint shrinks from hundreds of credential types to a well-defined key hierarchy.

Audit logging and SIEM — Log pipelines (Splunk, ELK, Datadog) exist because services generate logs after the fact, which can be tampered with. XProtocol events are the operations themselves — signed at creation, tamper-evident by construction. The audit trail is the event history, not a separate pipeline.

Distributed tracing — OTel agents, trace collectors, and aggregation infrastructure exist because services must be separately instrumented to emit spans. XProtocol's trace.* annotation namespace replaces this — every span is signed by the system that produced it, assembled from the event graph, tamper-evident by construction.

Multi-environment duplication — Dev, QA, staging, prod each with full infrastructure copies. With XProtocol's environment model, environment creation is a signed event, not an infrastructure operation. Instant ephemeral environments. Deployment promotion is a key authorization event. Config drift is structurally impossible.

The Infrastructure That Survives

Physical compute, network transport, DNS, the relay itself, hardware security modules for root key protection, object storage for blobs, and compute orchestration. Everything that provides genuine value survives. Everything that compensates for protocol insecurity is radically simplified or unnecessary for XProtocol-native paths.

The Enterprise Cost Reduction Story

For a mid-size enterprise:

  • Eliminating 3–4 duplicate environment copies: 60–75% reduction in base infrastructure spend
  • Eliminating WAF rule management specialist overhead
  • Eliminating log aggregation at scale (Splunk licensing alone is a major cost driver)
  • Eliminating distributed tracing infrastructure
  • Eliminating secrets rotation procedures across hundreds of credential types
  • Instant ephemeral environments replacing multi-day environment provisioning processes

The security posture simultaneously improves — cryptographic guarantees are stronger than topological ones, lateral movement after a breach becomes meaningless, and the audit trail is tamper-evident by construction rather than by configuration.

For the complete treatment of infrastructure implications, see XProtocol-Infrastructure-Implications.md.

Discovery & Transport

XProtocol's discovery layer is as novel as its identity model. Because every participant is identified by a public key rather than an IP address, discovery is not "find this IP" but "find any path to this key" — a fundamentally different and more powerful problem.

The discovery system supports a pluggable set of transports, each providing different levels of physical presence assurance:

Network transports (relay, cryptographic rendezvous, DHT, return address) — work anywhere with internet connectivity. The relay is mandatory and universal. Rendezvous enables direct peer connections via time-windowed HKDF tokens on an untrusted server that learns nothing about the communicating parties.

Local presence transports (BLE, WiFi Direct) — work within a physical space. Devices that have previously paired reconnect automatically when in range — silently, without user action, without any server.

Physical proximity transports (QR code, NFC) — require physical presence. QR codes are one-time signed capabilities that can encode device pairing, service bootstrap, IoT onboarding, temporary access grants, or ephemeral rendezvous. NFC is bidirectional — a single tap completes a full pairing exchange with no network follow-up required.

Spatial transports (UWB, GPS location keys) — bind connectivity to precise physical position. UWB provides centimeter-accurate ranging for proximity-gated capabilities. GPS location-derived keys make decryption possible only within a defined geographic geofence — the location IS the key.

Visual place recognition — a novel cryptographic primitive that uses perceptual hashing of camera images combined with GPS and compass heading to derive key material. Decryption requires being physically present at a specific location, facing a specific direction, seeing a specific scene. Enables visual dead drops, location-gated documents, proof-of-presence verification, and scavenger hunt mechanics where clues are cryptographically locked to physical locations.

Audio as a discovery and cryptographic primitive — two distinct mechanisms. Audio channel transport encodes key material in audible or ultrasonic audio signals played between devices — a one-to-many broadcast that NFC and QR cannot achieve, with acoustic ranging providing UWB-equivalent distance measurement using only speaker and microphone hardware. Audio fingerprint key derivation uses acoustic feature extraction (MFCC, chromagram, spectral analysis) to derive cryptographic key material from sound content — a song, a live performance, an ambient soundscape, a spoken passphrase, a musical pattern, or a rhythmic knock. Combined with fuzzy commitment schemes, this enables song-locked content, live event proof-of-physical-presence, acoustic dead drops, spoken passphrase biometric keys, ambient environment location fingerprinting, musical heritage as shared cryptographic secret, secret knock authentication, and group key derivation from shared live musical experience.

Proximity broadcast pairing — a novel primitive for anonymous discovery between strangers within physical proximity. Devices broadcast beacons via BLE and WiFi containing seeking criteria and profile content encrypted to a key derivable only by receivers whose profile satisfies the sender's criteria. Matching happens entirely on the receiver's device — no server involved. A four-phase consent flow progressively reveals identity only as mutual interest is confirmed: anonymous beacon → pseudonymous interest signal → mutual profile review → explicit identity exchange. Session keys rotate to prevent tracking. Applications include proximity-based social and romantic discovery, professional networking at events, local multiplayer game discovery, hyperlocal marketplace, emergency skills matching, and infrastructure-free community mesh formation during outages.

Cryptographic physical context binding — a novel IoT security primitive that binds a device's communication private key to its physical installation context (GPS location, compass orientation, visual scene, optional UWB anchor). A bound device cannot reconstruct its private key — and therefore cannot communicate — if it is moved, reoriented, or has its camera obstructed. Tamper detection enforced cryptographically, not by server policy or hardware tamper seals.

Physical presence trust tiers — the transport used to establish a relationship is recorded as a signed property of the pairing event. Capability policies can require minimum trust tiers, enabling access control that distinguishes between keys paired remotely and keys paired with physical presence proof.

Full specification: XProtocol-Discovery-Spec.md

Adoption Path

Phase 1 — Reference implementation. XProtocol relay and minimal service endpoint, open-sourced, proving the protocol works.

Phase 2 — Vertical prestige integrations. Legal tech, financial data, healthcare, engineering — verticals where license-gated local data and compliance features have outsized commercial value.

Phase 3 — MCP Adapter and AI integration. The XProtocol MCP Adapter ships — a universal bridge that works bidirectionally. Existing MCP servers (Salesforce, filesystem, database, internal APIs) become XProtocol endpoints with zero changes. Claude Code and any MCP client gain access to every XProtocol-native service as MCP tools. Organizations that have already invested in MCP adopt XProtocol in minutes. The adapter auto-generates GBNF grammars for every wrapped MCP tool, making constrained LLM generation available for any MCP server as a side effect of adoption. Event Stores and Graph Stores emerge alongside relays.

Phase 4 — Vendor-native endpoints and Graph Store adoption. Vendors publish XProtocol schemas directly. Graph Stores replace distributed tracing infrastructure, workflow engines, and inbox servers for XProtocol-native organizations. Cross-system foreign keys via external_refs connect every service without a central registry.

Phase 5 — Infrastructure replacement. XProtocol-native environment management replaces multi-tier infrastructure (dev/QA/staging/prod) with cryptographically-enforced logical environments backed by Graph Store state. Instant ephemeral environments. Deployment promotion as a signed authorization event. Access control that is cryptographic rather than topological.

Phase 6 — Industry standard. XProtocol becomes the default interoperability mechanism — the way HTTP became the default transport and JSON became the default format. Every operation between any two digital entities is a signed, encrypted, schema-validated event. The event graph is the universal information substrate.

Relationship to Existing Protocols

REST: XProtocol does what REST does (service communication) but with identity, encryption, and schemas built in rather than bolted on. REST endpoints can be wrapped as XProtocol endpoints via capability adapters.

OAuth/SAML: XProtocol eliminates the need for separate authentication systems. The event signature IS the authentication. The key mapping IS the authorization.

MCP: Anthropic's Model Context Protocol correctly identifies that AI agents need standardized service discovery and invocation. XProtocol builds on MCP's validated insight and pushes it into the identity and transport layers. The XProtocol MCP Adapter bridges both ecosystems bidirectionally — existing MCP servers become XProtocol endpoints automatically (no changes required), and XProtocol-native services become MCP tools automatically. Organizations that have already invested in MCP adopt XProtocol in minutes, with no disruption to existing systems.

Nostr: XProtocol draws inspiration from Nostr's cryptographic identity and signed event model. XProtocol uses compatible Ed25519 keys. XProtocol extends the concept with structured queries, schema contracts, transactions, fine-grained authorization, and the Graph Store's annotation model.

GraphQL: XProtocol's structured query model provides similar flexibility (field selection, filtering, relationship traversal, aggregation) as first-class protocol operations rather than a separate query layer.

NoSQL databases (MongoDB, DynamoDB): The XProtocol Event Store provides document storage and flexible querying with a security model no NoSQL database can replicate — access control that is cryptographic rather than administrative, provable authorship on every record.

Graph databases (Neo4j, Amazon Neptune): The XProtocol Graph Store provides typed relationship traversal via xp.graph.traverse and link annotations. Unlike graph databases, every edge is authorized and auditable — a relationship between two events is a signed mutation event, not a silent schema operation.

Event streaming platforms (Kafka, Kinesis): XProtocol's relay + xp.store.subscribe with historical replay subsumes event streaming for event-driven architectures, adding end-to-end encryption and identity-native access control that streaming platforms cannot provide.

Distributed tracing (Jaeger, Zipkin, OpenTelemetry): The trace.* annotation namespace in the Graph Store replaces tracing infrastructure for XProtocol-native systems. Every span is signed by the system that produced it — tamper-evident by construction, not by configuration. No collector. No aggregator. No separate tracing database.

Workflow engines (Temporal, Airflow, Camunda): The workflow.* annotation namespace tracks process state on events without a separate workflow database or engine. Workflow transitions are annotation events — the full process history is queryable and cryptographically verifiable.

The Philosophical Position

XProtocol embeds a specific worldview:

Identity should belong to the user. Not to Google, not to Apple, not to any corporation. A cryptographic keypair that the user owns, controls, and can take anywhere. No account to create. No terms of service to accept. No data to surrender.

Interoperability should belong to the ecosystem. Not locked inside proprietary APIs, vendor SDKs, and platform-specific integrations. Open schemas, open discovery, open transport. Any agent can talk to any service. Any service can publish to any agent. No gatekeeper.

Intelligence should belong to agents. Not trapped in chat boxes and voice assistants. AI agents that can read schemas, compose events, negotiate with other agents, and orchestrate complex workflows — without custom integration code for every service. The agent is a first-class participant in the network, not an afterthought bolted onto human-era infrastructure.

This is what the internet looks like when software agents are the primary consumers instead of humans.

Schema Governance

The protocol is not the hardest long-term problem. Schema governance is.

The XProtocol core ensures that any two parties can communicate — the event format, identity model, and transport are standardized. What it cannot enforce is that two vendors who both implement crm.opportunity.create mean the same thing by "opportunity." Structural compatibility is protocol-enforced. Semantic compatibility requires human coordination.

This is the equivalent of what W3C, IETF, OpenAPI, and CNCF do for their respective domains. XProtocol needs the same kind of organization — a vendor-neutral body that:

  • Ratifies community schemas as stable standards
  • Mediates namespace disputes
  • Maintains a public schema registry
  • Provides conformance certification
  • Governs the core protocol evolution

This organization does not exist yet. It is the next decade of work after the reference implementation proves the protocol. Community members are encouraged to begin thinking about what governance looks like for XProtocol — the protocol is ready, and the governance body needs to be built before schema proliferation makes it harder.

Getting Started

XProtocol is open source. The specification, reference implementation, and all documentation are available under Apache 2.0 (code) and CC BY 4.0 (docs).

XProtocol (The Exchange Protocol) is developed as an independent open protocol. It is used by the Explan OS project but does not depend on it. XProtocol.ai is an independent open protocol project and is not affiliated with, endorsed by, or connected to XProtocol.org or any related entities. Any system — mobile, desktop, server, embedded, or cloud — can implement XProtocol.