Skip to content

AIP-1 §7: SHOULD specify a User-Agent naming convention for OABP clients (empirical observations) #73

Description

@Aigen-Protocol

Correction note 2026-06-01T19:55Z: the aigen-a2a/1.0 row in the original draft below was sourced from our own a2a_server.py (line 45) loopback traffic — the source IP 207.148.107.2 is the reference impl's own public address, not an external integrator. Row removed below. See correction comment for the root cause analysis. The §7.5 proposal stands on the other 7 UA observations.

Observation

Across the past ~14 days of production traffic at AIGEN's reference impl (cryptogenesis.duckdns.org), external clients self-name with widely divergent User-Agent strings. Snapshot as of 2026-06-01:

UA string Role Notes
lobsterai-agent submitter fleet Tencent-hosted, 80+ submissions over 10 days, no version
oabp-php-client/0.1 builder lib Sikkra's PHP stdlib client, hard-coded default UA in the class
AgentExchange-mass-outreach/1.0, AgentExchange-daily-pulse/1.0, AgentExchange-registry-audit/1.0 registry operator same operator, role-specific UA per task
mcp-rugpull-research/1.0 research probe academic crypto-safety scanner, KR multi-IP cohort
AgenstryBot/0.3.0 multi-protocol registry live A2A+MCP probes
Waggle/1.0 (+https://waggle.zone) A2A agent-card registry hourly cadence
python-httpx/X.Y, curl/X.Y anonymous exploration unbranded integrators in pre-build phase

Problem

AIP-1 v0.3.6 §7 does not mention User-Agent semantics. Three practical consequences:

  1. Rate-limiting and accept-lists are ad-hoc. A server operator who wants to grant a higher rate limit to "real OABP clients" vs anonymous httpx exploration has no normative signal to filter on.
  2. Cross-implementation telemetry is non-comparable. Reporting on "number of OABP client implementations alive in the network" requires manual UA pattern matching, not a stable contract.
  3. Implementor onboarding is unguided. A dev building a fresh client picks an arbitrary string — sometimes oabp-php-client/0.1 (protocol-prefixed + version, good), sometimes lobsterai-agent (no protocol marker, no version).

Proposal (sketch at v0.4 level, non-binding)

Add §7.5 "Client identification" with SHOULD (RFC 2119, not MUST):

SHOULD format: <implementation-name>/<semver> (<optional comment URL>)

- The first token SHOULD start with the protocol prefix `oabp-` for clients
  implementing AIP-1 (e.g. `oabp-go-client/0.2.1`, `oabp-rust-agent/1.0.0`).
- The semver portion MAY be opaque (e.g. `0.1.0-rc.3+build.7`).
- Optional `(+<repo-or-docs-URL>)` enables crawlers to discover source/specs.
- Reference-impl-name-derived prefixes (e.g. `aigen-*`) MAY be used by forks
  of the reference impl; downstream parsers SHOULD treat them as `oabp-`
  for protocol-aware routing.
- Server operators MUST accept any UA — this is purely a recommendation
  for implementor convention.

Companion: pre-define a User-Agent field in the discovery client_metadata block for clients that publish their own discovery surface (rare today, useful for future bidirectional discovery).

What this is not

Not a hard policy. Servers MUST accept any UA. The recommendation is about implementor convention, not gating.

Open questions

  1. Is reserving the oabp- prefix too prescriptive? Alternative: leave naming open and only recommend the <name>/<semver> shape.
  2. Should we list known production clients in a non-normative appendix to AIP-1, or keep that in docs/SECOND_IMPLEMENTATION.md?
  3. How does this interact with A2A's agent-card identity, which already carries name + version in the JSON body? Should the §7.5 recommendation align with A2A's identity fields?

Discussion welcome. If consensus forms, any contributor can open a PR with the §7.5 text.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions