SLIM (Secure Low-Latency Interactive Messaging) is a next-generation communication framework that provides the secure, scalable transport layer for AI agent protocols like A2A (Agent-to-Agent) and MCP (Model Context Protocol).
- π Read the full documentation
- π Get Started
- π» Code Examples - Python | Go | Dotnet | Java | Kotlin
- π Integrations - A2A | MCP | OpenTelemetry
- π Deployment Strategies
- π Technical blog posts
SLIM uses a distributed architecture with three main components:
- Data Plane: Pure message routing layer that forwards packets based on hierarchical names without inspecting application content
- Session Layer: Handles reliable delivery, end-to-end MLS encryption, and group membership management
- Control Plane: Manages configuration, monitoring, and orchestration of SLIM routing nodes
This separation enables efficient deployment: SLIM routing nodes run only the lightweight data plane, while applications use language bindings with the full stack (data plane client + session layer + SLIMRPC) for secure, feature-rich communication.
To build the project and work with the code, you will need the following installed in your system:
Taskfile is required to run all the build operations. Follow the installation instructions in the Taskfile documentations to find the best installation method for your system.
with brew
brew install go-taskwith curl
sh -c "$(curl --location https://taskfile.dev/install.sh)" -- -d -b ~/.local/binSLIM is implemented in Rust. Install with rustup:
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | shSLIM consists of multiple components with different installation methods:
- SLIM Node (data plane): Docker, Cargo, or Helm
- Control Plane: Docker or Helm
- slimctl CLI: Download from releases
- Language Bindings: Python (pip), Go, C#, JavaScript/TypeScript, Kotlin
π¦ Complete installation instructions
Set the build profile you prefer. Available options:
- debug
- release
PROFILE=release
# PROFILE=debug
task build PROFILE=${PROFILE}This will build all SLIM binaries.
To run a multiarch image of SLIM (linux/arm64 & linux/amd64):
REPO_ROOT="$(git rev-parse --show-toplevel)"
docker build -t slim -f "${REPO_ROOT}/Dockerfile" --platform linux/amd64,linux/arm64 "${REPO_ROOT}"Or alternatively, with docker buildx bake:
pushd $(git rev-parse --show-toplevel) && IMAGE_REPO=slim IMAGE_TAG=latest docker buildx bake slim && popdContainer Image on Windows
The container image build process was tested on Windows 10 + Hyper-V and Windows 11 + WSL 2. The instructions below assume Powershell 7.
Set the repo root environment variable:
$env:REPO_ROOT = "C:\Users\<your-user>\slim"Before building, ensure the Dockerfile uses LF line endings (not CRLF). In VSCode, click CRLF in the bottom-right corner and select LF, then save.
Build the container (arm64 is not supported on Windows):
docker buildx build `
-t slim `
-f "$env:REPO_ROOT\Dockerfile" `
--platform linux/amd64 `
"$env:REPO_ROOT"SLIM is run as a binary (typically deployed as a workload in k8s). Language bindings are maintained separately in the slim-bindings repository.
SLIM can run in server mode, in client mode or both (i.e. spawning a server and connecting to another SLIM instance at the same time).
To run SLIM binary as server, a configuration file is needed to setup the basic runtime options. Some basic examples are provided in the config folder:
- reference is a reference configuration, with comments explaining all the available options.
- base is a base configuration for a server without encryption and authentication.
- tls is a configuration for a server with encryption enabled, with no authentication.
- basic-auth is a configuration for a server with encryption and basic auth enabled.
- jwt-auth-hmac is a configuration for a server with JWT authentication using HMAC keys.
- jwt-auth-rsa is a configuration for a server with JWT authentication using RSA keys.
- jwt-auth-ecdsa is a configuration for a server with JWT authentication using ECDSA keys.
- mtls is a configuration for a server expecting clients to authenticate with a trusted certificate.
- spire is a configuration for a server using SPIFFE/SPIRE for identity and authentication.
- unix is a configuration for a server listening on a Unix domain socket.
- websocket is a configuration for a server using WebSocket transport.
- proxy is a configuration for running behind an HTTP/HTTPS proxy.
- logging is a configuration showing logging options.
- telemetry is a configuration with OpenTelemetry integration.
- east-west is a multi-node configuration for east-west traffic between two SLIM nodes.
- full-mesh is a multi-node configuration for a full-mesh topology with multiple replicas.
- exponential-backoff is a configuration demonstrating exponential backoff for reconnections.
- fixed-interval-backoff is a configuration demonstrating fixed-interval backoff for reconnections.
To run SLIM as server:
MODE=base
# MODE=tls
# MODE=basic-auth; export PASSWORD=12345 # Unix/Linux/macOS
# MODE=basic-auth; $env:PASSWORD = "12345" # Windows PowerShell
# MODE=mtls
cargo run --bin slim -- --config ./config/${MODE}/server-config.yamlOr, using the container image (assuming the image name is
slim):
docker run -it \
-e PASSWORD=${PASSWORD} \
-v ./config/base/server-config.yaml:/config.yaml \
-p 46357:46357 \
ghcr.io/agntcy/slim:latest /slim --config /config.yamlTo run the SLIM binary as client, you will need to configure it to start one (or more) clients at startup, and you will need to provide the address of a remote SLIM server. As usually, some configuration examples are available in the config folder:
- reference is a reference configuration, with comments explaining all the available options.
- base is a base configuration for a client without encryption and authentication.
- tls is a configuration for a client with encryption enabled, with no authentication.
- basic-auth is a configuration for a client with encryption and basic auth enabled.
- jwt-auth-hmac is a configuration for a client with JWT authentication using HMAC keys.
- jwt-auth-rsa is a configuration for a client with JWT authentication using RSA keys.
- jwt-auth-ecdsa is a configuration for a client with JWT authentication using ECDSA keys.
- mtls is a configuration for a client connecting to a server with a trusted certificate.
- spire is a configuration for a client using SPIFFE/SPIRE for identity and authentication.
- unix is a configuration for a client connecting via a Unix domain socket.
- websocket is a configuration for a client using WebSocket transport.
To run SLIM as client:
MODE=base
# MODE=tls
# MODE=basic-auth; export PASSWORD=12345 # Unix/Linux/macOS
# MODE=basic-auth; $env:PASSWORD = "12345" # Windows PowerShell
# MODE=mtls
cargo run --bin slim -- --config ./config/${MODE}/client-config.yamlOr, using the container image (assuming the image name is
slim):
docker run -it \
-e PASSWORD=${PASSWORD} \
-v ./config/base/client-config.yaml:/config.yaml \
ghcr.io/agntcy/slim:latest /slim --config /config.yamlRun the core Rust tests:
task testRun the linter for Rust code:
task lint-
crates: Rust workspace crates
- slim: SLIM node binary for message forwarding
- datapath: Core data plane message routing
- proto: Protobuf definitions and generated code
- controller: Routing controller
- control-plane: Control plane service
- channel-manager: Channel management
- session: Session layer with MLS encryption
- service: Service layer (SLIMRPC)
- auth: Authentication and authorization
- config: Configuration management
- mls: MLS protocol implementation
- slimctl: CLI tool for SLIM management
- tracing: Tracing and observability
- version: Version information
- signal: Signal handling
- testing: Test utilities
- examples: Example applications
- Language bindings live in slim-bindings: Python, Go, Dotnet, Kotlin, Java
-
charts: Kubernetes deployment
- slim: Helm chart for data-plane nodes
- slim-control-plane: Helm chart for control-plane services
- π Documentation
- π IETF Specification
- π¬ Slack Community
- π₯ YouTube Channel
Distributed under Apache 2.0 License. See LICENSE for more information.
Copyright AGNTCY Contributors (https://github.com/agntcy)