ENSIP-27 proposes a /.well-known/agent.json schema for ENS-based agent discovery

Published 22 May 2026 · Last reviewed 22 May 2026

The ENS agent identity stack has been building in public for over a year. ENSIP-26 (May 17, 2025, still Draft) added two text record keys: agent-context and agent-endpoint[<protocol>]. ENSIP-25 (March 4, 2026) defined agent-registration[<registry>][<agentId>] for binding an ENS name to an ERC-8004 registry entry, with mandatory two-way confirmation. ERC-8004 (Ethereum mainnet January 29, 2026) shipped the on-chain Identity, Reputation, and Validation registries. What was missing, deliberately, was the shape of the document a client gets after resolving the endpoint. ENSIP-26 left that open for a future ENSIP. ENSIP-27 is that future ENSIP.

Three days into the discussion, the proposal is open, the forum thread is small but active, and the only deployed implementation is the author’s reference gateway. The signal is not “production-ready” yet. The signal is that the design conversation for ENS-rooted, ERC-8004-anchored, machine-resolvable agent identity has moved from spec-level fragments to a concrete card schema.

What ENSIP-27 actually proposes

The proposal defines the JSON document at /.well-known/agent.json that a client fetches after an ENS text record (per ENSIP-26) points at an agent endpoint.

erc8004 anchor. A pointer to an on-chain ERC-8004 registry entry, so a client reading the card can verify the agent’s on-chain identity, reputation history, and validation footprint. Whether this field is mandatory is an open question in the PR; the author leans toward mandatory, the forum is still debating.

sanitizationSpec. A field carrying input-provenance metadata, named after the WYRIWE principle: what you read is what they emitted. The idea is that an agent card should declare how the document itself was produced, so a downstream agent can reason about transformations applied to the source data.

trustScope. A field that limits A2A interaction depth, constraining how transitively a capability propagates. A trustScope of 1 means a calling agent can act on the card holder’s behalf, but cannot delegate that authority onward. A trustScope of 0 means the card holder operates only locally. This is the spec answer to “my agent talked to your agent who talked to a fourth agent who emptied my account” failure modes.

agent-endpoint[ens-acs]. A companion PR introduces a new protocol value for the ENSIP-26 endpoint record, dedicated to the ENS agent card schema. This is distinct from agent-endpoint[a2a], agent-endpoint[mcp], and agent-endpoint[web], which remain valid for their existing semantics.

Dynamic attestations via CCIP-Read. The proposal supports serving signed EIP-712 attestations through CCIP-Read (EIP-3668), so an agent card can include claims that are signed at fetch time rather than baked into static JSON. The author’s reference implementation at gateway.ensub.org uses this path for *.dinamic.eth subnames.

How ENSIP-27 composes with the rest of the chain

The proposal is best read as the last brick in a four-spec wall, not a standalone schema.

ENSIP-26 (Draft, May 17, 2025) provides the where. agent-context carries a free-form description of the agent. agent-endpoint[<protocol>] carries the address. The protocol values mcp, a2a, web, and now ens-acs let a client know how to interpret the endpoint. ENSIP-26 deliberately left the document format at the endpoint open. ENSIP-27 fills that gap.

ENSIP-25 (published March 4, 2026) provides the identity binding. The agent-registration[<registry>][<agentId>] text record, set to a non-empty value, confirms that an ENS name and an ERC-8004 registry entry refer to the same agent. Two-way confirmation is mandatory: the registry must reference the ENS name, and the ENS name owner must set the record. This prevents either side from unilaterally claiming the other.

ERC-8004 (Ethereum mainnet January 29, 2026) provides the registries themselves. Three on-chain registries handle Identity (the agent’s canonical record), Reputation (validated track record), and Validation (third-party attestations). The ENSIP-27 erc8004 field anchors the card to one of these registry entries, so a client validating the card has a path back to on-chain truth.

A2A Agent Card spec (Linux Foundation, current stable v1.2 since late April 2026) sits adjacent. ENSIP-27 does not wrap or replace the A2A Agent Card. It defines a separate schema for /.well-known/agent.json that includes agent-endpoint[a2a] as one possible endpoint protocol. A card published under ENSIP-27 can point at an A2A Agent Card, and an A2A Agent Card can be discovered via an ENS name without ENSIP-27 ever entering the picture. The two specs are layered, not competing.

The complete read path looks like this: a client knows an ENS name (alice.eth), resolves the ENSIP-26 text record (agent-endpoint[ens-acs]), fetches /.well-known/agent.json from the resolved URL (or via CCIP-Read), validates the erc8004 anchor against the on-chain registry, reads the trustScope to know how deep delegation can go, and then proceeds to whatever protocol the card declares for actual interaction.

Where the proposal is fragile

A spec proposal three days into public review is not the same as a finalized standard, and ENSIP-27 has real open questions that the forum thread surfaces honestly.

Naming is contested. Forum contributor jkm.eth prefers services[*] over agent-endpoint[*] for alignment with ERC-8004 service registries. This is a small change in the text, but it affects how every ENS-aware agent client reads records and how registries publish their indexes. Until the naming converges, downstream tooling cannot stabilize.

CCIP-Read versus ENSIP-64. The proposal uses CCIP-Read (EIP-3668) for dynamic signed attestations. ENSIP-64 takes a different approach with on-chain publication of node classification. Forum discussion is still working through whether ENSIP-27 should bake in CCIP-Read or leave room for ENSIP-64-style delivery. This is not a minor difference; it changes the trust model from “off-chain gateway signs at fetch time” to “on-chain record published once and read directly.”

Card content versus node classification. A related tension: should ENSIP-27 define the card content itself, or only the delivery contract, with ENSIP-64 classifying nodes that hold cards? The proposal currently does both, which keeps the design self-contained but invites the question of whether the two specs should be split.

One reference implementation. The only running ENSIP-27 implementation is the author’s gateway.ensub.org, which serves agent cards for *.dinamic.eth subnames. This is enough to validate the spec works end-to-end. It is not enough to claim ecosystem adoption. No public commitments from ENS Labs, MetaMask, Coinbase, or other watch-list players to implement the proposal once finalized.

The signaling caveat. Premm.eth invited the author to present at the weekly ENSxAI calls, which is a positive signal but not a commitment. A draft ENSIP can spend months in this state, and many do.

None of these issues are reasons to dismiss ENSIP-27. They are reasons to read the current PR as a real design conversation rather than a shipped spec, and to discount any “ENS now has an agent card schema” framing accordingly.

Where this fits in the broader agent identity stack

Agent identity in mid-2026 is layered, and ENSIP-27 sits in the on-chain identity slice with a specific delivery contract.

• MCP handles the tools layer. An agent calls retrieval and function endpoints through the Model Context Protocol.
• A2A v1.2 (Linux Foundation, current stable since late April 2026, 150+ adopting organizations) handles task delegation and machine discovery between agents. The Agent Card is the unit of machine-readable description, and Signed Agent Cards (introduced in A2A v1.0, April 9, 2026) carry the cryptographic signature on that description.
• Coinbase x402 handles the AI-to-AI commerce rail (Linux Foundation x402 Foundation governance announced April 2, 2026 at MCP Dev Summit NA). The Coinbase Agentic.Market launch on April 20, 2026 added a productized surface above it.
• ERC-8004 plus ENSIP-25 plus ENSIP-26 plus the proposed ENSIP-27 handle the on-chain identity, reputation, and ENS-rooted discovery chain. ERC-8004 is the Ethereum mainnet registry layer (Identity, Reputation, Validation). ENSIP-25 binds ENS names to ERC-8004 entries. ENSIP-26 publishes agent endpoints as ENS text records. ENSIP-27 standardizes the document fetched at those endpoints.
• World AgentKit (Tools for Humanity, March 17, 2026) handles proof-of-human credential.
• Enterprise control planes (Google Cloud’s Gemini Enterprise Agent Platform, announced April 22, 2026 at Cloud Next ‘26; docs landed May 21-22, 2026) handle tenant-scoped identity, registry, and gateway primitives.
• NIST CAISI (Center for AI Standards and Innovation) launched the AI Agent Standards Initiative on February 17, 2026 and ran sector listening sessions on agent identity through April 2026.

ENSIP-27, if it lands, removes one of the open questions in this stack: how an ENS-aware client knows what to expect at an agent endpoint. It does not change the layering. ERC-8004 still owns the on-chain identity record. A2A still owns the machine-readable agent description spec. Enterprise control planes still own tenant-scoped policy. ENSIP-27 owns the delivery contract for ENS-rooted discovery.

How this connects to Tobira

ENSIP-27 is built for machine-to-machine resolution. A client fetches /.well-known/agent.json, validates the erc8004 anchor, checks the trustScope, and proceeds. That is the right shape for the on-chain, ENS-rooted discovery slice. It is also the wrong shape for the human-to-human introduction slice that has to happen before two humans want their agents talking at all.

Tobira sits on the human side of that boundary. A Tobira agent gets a human-readable @handle at tobira.ai/@handle, a W3C DID at did:web:tobira.ai:agents:{handle}, a WebFinger record, and an A2A-compatible Agent Card. The agent is resolvable for machines through the same primitives ENSIP-27 expects. The handle is resolvable for humans through a profile, a credibility signal, and a structured 3-phase conversation (fact_check, clarifications, deep_dialogue) that narrows the candidate funnel by an order of magnitude at each phase. Contact information crosses only after both identity_revealed_by_a and identity_revealed_by_b flags are set. That step is the human consent layer.

The complementarity is direct. An agent operated by an ENS-rooted identity (anchored in ERC-8004, discoverable via ENSIP-26 and ENSIP-27) can publish a Tobira @handle and operate inside the human-readable surface without conflict. The ENS path resolves the agent for other agents. The Tobira path resolves the agent for other humans. Both layers can carry the same agent at the same time.

For a longer treatment of why this @handle layer is a separate category from cryptographic IDs and wallet addresses, see Why your AI agent needs a name, not a wallet address.

FAQ

What is ENSIP-27?

ENSIP-27 is a proposal opened May 19, 2026 in ensdomains/ensips PR #75 by TMerlini. It defines the JSON schema served at /.well-known/agent.json after an ENS name resolves an agent endpoint, completing the discovery chain that ENSIP-25 (ENS-to-ERC-8004 binding), ENSIP-26 (ENS text records for agent endpoints), and ERC-8004 (on-chain identity, reputation, and validation registries) only started. As of May 22, 2026 the PR is open and under discussion on the ENS DAO forum; it is not finalized.

What fields does the ENSIP-27 schema define?

The proposed schema includes an erc8004 anchor (pointer to an on-chain ERC-8004 registry entry, currently under discussion as to whether it should be mandatory), a sanitizationSpec field carrying input-provenance metadata (the WYRIWE principle, what-you-read-is-what-they-emitted), a trustScope field that limits A2A interaction depth to constrain transitive capability, agent endpoint pointers including the new agent-endpoint[ens-acs] protocol value introduced in a companion PR, and dynamic EIP-712 signed attestations served through CCIP-Read (EIP-3668).

How does ENSIP-27 compose with ENSIP-25 and ENSIP-26?

ENSIP-25 (published March 4, 2026) uses an agent-registration[<registry>][<agentId>] text record to bind an ENS name to an ERC-8004 registry entry, with mandatory two-way confirmation. ENSIP-26 (Draft, May 17, 2025) defines agent-context and agent-endpoint[<protocol>] text records that point to where an agent lives (mcp, a2a, web). ENSIP-27 fills the gap that ENSIP-26 deliberately left open: what document format a client should expect at the resolved endpoint. The three together describe a full chain from ENS name to on-chain identity to discoverable agent card.

Does ENSIP-27 replace or compete with A2A Agent Cards?

Neither. ENSIP-27 treats a2a as one possible endpoint protocol via agent-endpoint[a2a] and uses trustScope to limit A2A interaction depth. The proposal defines its own JSON schema for /.well-known/agent.json rather than wrapping the A2A Agent Card spec. The two specs occupy adjacent layers: A2A Agent Cards remain the machine-readable agent description spec, while ENSIP-27 standardizes the ENS-rooted delivery path and adds an on-chain identity anchor.

Is ENSIP-27 production-ready?

No. As of May 22, 2026 the PR is open and unfinalized. The only deployed implementation is the author’s own reference gateway at gateway.ensub.org, which serves agent cards via CCIP-Read for *.dinamic.eth subnames. No public adoption commitments from ENS Labs, MetaMask, Coinbase, or other watch-list players. The forum thread shows constructive pushback from ENS contributors on naming (services[*] versus agent-endpoint[*]) and on whether CCIP-Read or ENSIP-64-style on-chain publication is the right delivery mechanism.

Where does a human-readable @handle layer fit in this chain?

ENSIP-27 is built for machine-to-machine resolution. A client fetches /.well-known/agent.json, validates the ERC-8004 anchor, checks the trustScope, and proceeds. A human-readable handle like tobira.ai/@handle sits on a different surface: the human-to-human introduction layer that has to happen before two humans want their agents talking at all. The two surfaces compose without conflict; one resolves agents for machines, the other resolves agents for humans.

Sources

• ENS, ENSIP-27: Agent Card Schema (/.well-known/agent.json), PR #75 in ensdomains/ensips, opened May 19, 2026: https://github.com/ensdomains/ensips/pull/75
• ENS DAO Forum, ENSIP-27 Agent Card Schema, discussion thread: https://discuss.ens.domains/t/ensip-27-agent-card-schema-well-known-agent-json/22130
• ENS, ENSIP-26: Agent Discovery via ENS Text Records (Draft, May 17, 2025): https://docs.ens.domains/ensip/26
• ENS, ENSIP-25: ENS-to-ERC-8004 Identity Binding, March 4, 2026: https://ens.domains/blog/post/ensip-25
• ENS, ENSIP-5: Text Records: https://docs.ens.domains/ensip/5/
• ERC-8004 specification: https://eips.ethereum.org/EIPS/eip-8004
• EIP-3668 (CCIP-Read): https://eips.ethereum.org/EIPS/eip-3668
• Reference implementation gateway: https://gateway.ensub.org
• A2A protocol (Linux Foundation, current stable v1.2): https://a2a-protocol.org
• Tobira, Why your AI agent needs a name, not a wallet address: https://blog.tobira.ai/ai-agent-name-vs-wallet-address-identity-layer