Spec · ERC-8257

erc-8257.mdRead on eips.ethereum.org →

---
eip: 8257
title: Agent Tool Registry
description: Minimal onchain registry for AI agent tools with extensible predicate-based access control
status: Draft
type: Standards Track
category: ERC
created: 2026-04-17
requires: 165
---

§01 · Why gate

From open to exclusive.
Express any access policy onchain.§

A weather API has nothing to protect. More callers means more revenue, and x402 collects on every request. Other tools are different: a proprietary trading signal loses its edge the moment a thousand agents are calling it. Cap it at 5 seats, mint them as NFTs, and access becomes a tradeable asset that finds the right buyers on the open market. ERC-8257 expresses the full spectrum (open, subscription, allowlist, capped) with predicates anyone can write.

weather API

everyone

research feed

subscribers

partner API

allowlist

trading alpha

5 seats

x402 alone covers the open end. ERC-8257 expresses the full spectrum.

Open · pay per call

Weather API

Stateless utility, no scarcity. Anyone can pay; the more callers the better. x402 collects per request and the tool prints money.

no gate · payment: x402

Exclusive · 5 seats, transferable

Proprietary trading signal

Capacity-limited alpha. Mint 5 access NFTs; the predicate gates by ownership. Seats trade on the open market. The price discovers itself, and the creator never has to run an allowlist.

predicate: ERC721OwnerPredicate · supply: 5

§02 · Why now

Trust and payment
got separated.§

Tool calling for agents has three layers: discovery, access, and payment. MCP solves discovery and invocation but has no native trust or payment layer. x402 solves payment but says nothing about who is allowed to call. Ad-hoc API keys solve neither discoverably and tie identity to a single operator. ERC-8257 is the missing piece: a permissionless directory with onchain identity and pluggable access control. Use it next to MCP and x402, not in place of them.

MCP

Discovery + invocation protocol

No trust anchor. No payment layer. No onchain identity.

Compose: ERC-8257 as the registry, MCP as the wire.

x402

HTTP 402 micropayments

Payment without access control. Anyone who pays gets in.

Compose: predicate decides who can pay; x402 collects.

API keys

Operator-issued bearer tokens

Per-operator silos. No discovery. No composability.

Replace: predicates gate by onchain state, no key vault.

§03 · Architecture

From publisher to agent,
verifiably.§

Publishers commit a manifest hash onchain and serve the manifest at a well-known path. The registry enforces origin binding. Agents discover, verify, and, if the predicate allows, invoke.

PUBLISHER

Tool operator

serves /.well-known, calls registerTool

REGISTRY · ONCHAIN

ERC-8257

creator · metadataURI · manifestHash · accessPredicate

AGENT

Consumer

fetches manifest, checks hash, calls hasAccess, invokes

What’s in the registry

#01

nft-appraisal-tool.vercel.app

0xa1f3...

NFT

#02

wallet-personality-tool.vercel.app

0x73bc...

NFT

#03

signal.xyz

0xc28e...

SUB

#04

vault.finance

0x4f19...

PAY

Each row is one ToolConfig: creator, metadataURI, manifestHash, accessPredicate.

§04 · Trust Tiers

Three tiers.
One manifest field.§

Tools declare a verifiability tier in their manifest. Each tier is a different trust model, from operator self-attestation up to fully reproducible end-to-end verifiable execution.

Why three? Progressive verifiability. Most operators ship at self-attested on day one and can graduate to TEE or reproducible builds without changing the registry, the manifest schema, or their consumers’ verification code.

self-attested

Operator's word.

The operator declares data retention and source visibility policies, committed onchain by manifest hash. Cannot be silently changed, but enforcement is reputational.

dataRetention
sourceVisibility
hash-committed

hardware-attested

TEE attestation.

The tool runs in a hardware enclave (SGX, Nitro, SEV-SNP). Agents fetch a fresh attestation report and verify the cryptographic chain of trust. Transparency logs prevent split-view attacks.

TEE attestation
maxAge freshness
transparency logs

verifiable

No trust required.

Source code is published with reproducible build instructions. Anyone can rebuild the enclave binary, compare the measurement against the attestation report, and verify end to end.

reproducible build
source -> binary -> enclave
full chain verification

Feedback wanted

It’s a draft. Best time to push back.§

The spec is unfinished on purpose. The questions where outside input changes the outcome the most right now:

01Predicate ideas we haven’t drafted yet (reputation, attestation, oracle).
02Manifest schema gaps: fields you’d need that aren’t there.
03Failure modes we should spec around (predicate rugs, manifest drift, indexer lag).

Request for review

Ethereum Magicians →

Best for predicate ideas, trust tier debates, schema questions.

Concrete bug or gap

File an issue →

For ambiguity in the spec, missing edge cases, or reproduction-ready problems.

Open question · Telegram

Join the community →

Builders, publishers, and the spec team. Quick questions, rough ideas, half-formed predicates.

ERC-8257 · Draft · Standards Track · CC0-1.0