Self-Signed Passports Do Not Cross Borders

Everyone Is Shipping a Passport

In the span of a few weeks the agent economy agreed on a metaphor. Workday launched a product it calls Agent Passport, built to test, verify, and monitor the agents operating inside its enterprise. Card networks announced trusted-agent frameworks to tell their rails which machines are legitimate. Identity platforms began issuing per-agent credentials by the billion. The vocabulary settled faster than the architecture did, and that is usually the moment to read the fine print, because when an entire industry reaches for the same word in the same quarter, the word is doing more work than the thing underneath it.

The fine print is this. Almost everything being shipped as an agent passport is issued by the same party that operates the agent, or accepted only on the rail that issued it. That is a reasonable thing to build, and it solves a real problem. It is also, structurally, not a passport. It is a domestic credential wearing the costume of an international one. To see why that distinction matters, and why it is the whole game, you have to ask the question a border guard asks and a platform never does: why should a stranger believe this document at all?

A Passport You Issue to Yourself Is a Domestic ID

A passport is not trusted because of the paper, the chip, or the cryptography. Those make it hard to forge. They are not what makes it credible. A passport is credible because of who issued it and, more precisely, because of who did not. The traveler did not issue it. The destination did not issue it. A third authority, with no stake in the particular trip, vouched for the traveler to a country that has no other reason to trust them. Remove that neutrality and the document collapses into a self-attestation, which is exactly as persuasive as a stranger telling you their own name.

This is the flaw hiding inside most agent passports today. When a platform issues a credential to an agent that lives on that platform, and then asks a counterparty in another domain to trust it, the platform is vouching for itself. The agent is approved inside the issuer's perimeter, by the issuer's rules, against the issuer's data. That is genuinely useful at home. It says nothing a skeptical outsider should accept, because the outsider cannot inspect the issuer's perimeter, cannot audit its rules, and has no recourse if the agent misbehaves. A self-signed passport is not a lie. It is just a domestic ID, and domestic IDs do not clear customs.

Inside One Domain, Identity Is Already Solved

It is worth being precise about what the platforms have actually built, because it is good, and because the gap is not where most people look for it. Inside a single organization, agent identity is close to solved. SPIFFE issues cryptographic workload identities at enormous scale; one production architecture now mints billions of agent attestations a day and traces every tool call back to the human who originated it. Microsoft Entra issues agent identities inside a tenant and gates them with conditional access. The A2A protocol, now in production across more than 150 organizations, signs agent cards with cryptographic domain verification. These are not toys. They are the serious infrastructure of the intra-domain world.

And every one of them stops at the boundary of the domain that issued it. The billion daily attestations never leave their trust domain. The tenant identity is meaningful to the tenant. The signed agent card proves which domain the agent belongs to, not how it has behaved over time once it leaves. None of this is a criticism, it is a description of scope. These systems answer the question is this my agent, behaving inside my walls. They were never built to answer the question a merchant, an API seller, or a bank actually faces, which is this agent is not mine, its issuer is not me, and it is about to move value against my system, so should I let it in. That question lives in the space between domains, and the space between domains is empty.

The Rails Stamp the Payment, Not the Actor

The payment networks are filling a different gap, and it is easy to mistake their work for the same thing. Visa's trusted-agent framework and Mastercard's machine-payment rails are racing to tell their networks which agents are legitimate and to move money at machine speed. This matters. Without it, agentic commerce stays a demo. But a rail verifies an agent the way a tollbooth verifies a car: at the moment of payment, for the purpose of payment, on that rail. It confirms the money can move. It does not confirm the actor deserved the door, and its stamp is good only on the road that issued it.

This is the same lesson agentic commerce will keep relearning: payment is not trust. A funded wallet can be tied to abuse. A valid mandate can be spent inside its scope until the pattern itself is the weapon. A machine payment can settle in under a second and still purchase access the merchant should never have granted. The rail proves a transaction cleared. It does not carry the agent's authority, its behavioral history, or a signed record a counterparty can keep as evidence, and it does not travel to the merchant who settles on a different rail tomorrow. Rail-locked trust is real trust, narrowly. It ends where the network ends.

Why Borders Require a Neutral Issuer

Put the two together and the shape of the missing layer is obvious. Intra-domain identity is trusted but does not travel. Rail-locked verification travels along one rail but proves only payment. Cross-domain trust, the thing a stranger will actually accept, requires an issuer who is a party to neither side of the deal. That is not a branding preference. It is the structural property that makes a passport a passport. The credential has to be issued by someone the destination has reason to believe precisely because that someone gains nothing from the particular transaction and can be held to account across all of them.

This is also why a verifiable credential, on its own, is not the answer the standards bodies sometimes imply it is. A credential proves issuance. It says an authority once attested to something. It does not prove that the agent is still that agent, still bounded, still behaving the way it did when the credential was minted. Issuance is a moment; trust is a continuity. A neutral issuer that verifies at transaction time, carries the agent's behavior across merchants, and emits a signed record the counterparty retains is doing the work a passport office does, not the work a print shop does. The cryptography is table stakes. The neutrality and the memory are the product.

What FLINT Issues

This is the document FLINT builds, and the seat FLINT was founded to hold. The FLINT Cross-Domain Agent Passport is minted by a neutral issuer, FLINT, not by the agent's own platform and not by the rail that moves the money. An agent gets one in a single call, for free, with no account, and receives a public, hybrid-signed credential that any counterparty can resolve and verify without taking the agent's word for anything. It is accepted where the issuer is not a party to the deal, which is the only place trust has ever needed to be manufactured.

The passport is not a static badge, and that is where it separates from the issuance camp. Behind it, FLINT runs six locked layers of verification at the moment value moves: Principal Identity, Agent Identity, Wallet Provenance, Authorization Scope, Environment Identity, and Cross-Merchant Reputation. Every transaction returns a four-state verdict, allow, step-up, review, or block, and a signed verification record the merchant keeps as evidence. FLINT verifies at transaction time, carries the agent's behavior across merchants in a trust graph, and emits a record that outlives the transaction as retained proof. A verifiable credential proves issuance, which is a moment. FLINT proves continuity, which is the thing a counterparty actually needs.

The everyday metaphors line up cleanly once the layers are named. SPIFFE and a tenant identity are the driver's license, authoritative at home and ignored at the border. A signed agent card proves your domain the way a company badge proves your employer. A payment rail's trusted-agent stamp is the toll receipt. The FLINT Cross-Domain Agent Passport is the passport itself, the document a counterparty who has never met the agent, does not run its platform, and does not share its rail will still honor, because a neutral authority that does not profit from the trip put its name on it and kept the record. FLINT is rail-neutral and platform-neutral by design. It verifies the agent. It does not move the money and it does not run the agent.

The Open Seat

The contest in the agent economy is not who ships a passport first. Almost everyone has. The contest is over which seat each player is actually filling. The intra-domain seat is crowded with giants, and they will own it. The rail-locked seat is being claimed by the card networks, and they will own that too. Those are enormous, valuable positions, and none of them is the cross-domain, neutral, regulator-grade issuer seat, because the platforms cannot credibly issue it (they are a party to their own agents) and the rails cannot credibly issue it (they are a party to their own payments). That seat is still open, and it is the one FLINT was built to hold: the neutral, rail-agnostic, regulator-grade issuer whose stamp means something precisely because it has no stake in either side of the deal.

A domestic ID is not a lesser document. It is the right document for staying home. But the agent economy is not staying home. Agents are already transacting across organizational boundaries they did not grow up inside, against counterparties who never issued them, on rails that change by the day. In that world, an agent passport is only worth the border it can cross, and the only issuer whose stamp a stranger will trust is the one with no stake in the trip. FLINT is that issuer, and the passport is live.