I’ve published the first draft of an open specification called ATF (API / Agentic Trust Framework).
ATF defines a minimal cryptographic protocol for API clients to prove identity on every request using signatures, nonce, and timestamp — without shared secrets or OAuth.
This is an early draft (v0.1), focused only on client → provider trust.
Spec and threat model are public. Feedback and criticism welcome.