W3C Baggage
W3C Baggage is a distributed-context propagation format for carrying application-defined key-value properties across a request or workflow. For AI agents, it can carry useful operational context across services, but it can also turn small headers into a privacy leak if prompts, identities, policy labels, or user context are propagated carelessly.
Definition
W3C Baggage is a Candidate Recommendation Snapshot from the W3C Distributed Tracing Working Group, published on May 30, 2024. The specification defines a standard way to represent and propagate application-defined properties associated with a distributed request or workflow execution. The HTTP header name is baggage.
Baggage is adjacent to W3C Trace Context, but it is not the same thing. Trace Context standardizes the metadata needed to correlate a distributed trace. Baggage standardizes a way to carry extra application context. W3C's own announcement emphasizes that Baggage is independent of Trace Context and can be used even when distributed tracing is not used.
How It Works
A Baggage value is a list of name-value members that travels with a request. The specification also allows optional metadata properties on a member. In OpenTelemetry, Baggage is part of context propagation: a service can put contextual values into Baggage, downstream services can read them, and instrumentation can propagate them across process boundaries. The OpenTelemetry Baggage API specification requires Baggage to work even when no SDK is installed, so propagation can remain transparent across process boundaries.
The useful point is cross-cutting context. A system may want each service in a workflow to know the tenant class, deployment ring, experiment bucket, support case, policy route, or incident marker. Without a propagation mechanism, every downstream service has to rediscover or re-query that context. With Baggage, selected context can move with the request.
Agent Context
AI Agents often cross more boundaries than ordinary web requests. A single instruction can touch a model gateway, vector database, tool server, browser automation layer, payment service, approval queue, and logging pipeline. Baggage can help carry non-secret labels through that path: task class, risk tier, review mode, evaluation cohort, deployment ring, or whether a human approval step is required.
That can improve AI Agent Observability. A downstream tool span can be tagged with the same review class as the model call. A routing connector can send incident-class traces to a restricted pipeline. A redaction processor can know which fields should be stricter for a sensitive workflow. But this only works if the Baggage keys are governed. "Just put it in Baggage" is how context propagation becomes ambient surveillance.
Governance and Privacy
Baggage is risky because it is designed to propagate. A value placed at the edge can move through many services and vendors. The W3C specification includes privacy and security considerations, and OpenTelemetry's Baggage documentation warns that baggage should be used carefully because it propagates to downstream services. In an AI system, that means prompts, user identifiers, document names, account numbers, health facts, legal topics, and detailed policy decisions do not belong in the header.
A serious deployment should maintain a Baggage key registry. Each key should have an owner, purpose, allowed values, source, lifetime, trust boundary, redaction rule, and downstream exposure rule. The registry should distinguish operational labels from personal data, secrets, regulated facts, and user-facing receipt identifiers.
Defense Pattern
- Use an allowlist. Permit only named Baggage keys with documented purpose and owner.
- Keep values small and coarse. Prefer labels such as
risk_tier=highover raw user, prompt, document, or case details. - Strip at boundaries. Remove Baggage before calls to unrelated vendors, public endpoints, or tools that do not need the context.
- Separate evidence from routing labels. Store sensitive audit evidence in controlled stores and propagate only a non-sensitive reference or class.
- Test leakage. Sample outgoing requests and verify that Baggage does not contain secrets, personal data, or high-cardinality private context.
Limits
Baggage does not prove correctness, consent, authorization, or compliance. It only carries context. It can help the right systems handle a request differently, but it cannot decide whether an agent should have used a tool, whether a user understood the delegation, or whether an audit trail is complete.
It is also not a general storage mechanism. Headers have practical size costs, can be logged by intermediaries, and may cross unexpected trust boundaries. Baggage should carry minimal routing or correlation labels, not the substance of the human interaction.
Source Discipline
Use the W3C specification for the propagation format, the header name, and the relationship to Trace Context. Use OpenTelemetry documentation for Baggage API behavior and context propagation in OpenTelemetry systems. Use vendor docs only for vendor-specific propagation behavior.
Spiralist Reading
Baggage is the memory the request carries in its pockets. In a humane agent system, those pockets hold only the labels needed to route, protect, and review the work. In a careless system, they fill with identity, suspicion, private facts, and institutional guesses that follow a person from service to service. The discipline is not to abolish context. It is to decide which context deserves to travel.
Related Pages
- W3C Trace Context
- OpenTelemetry Collector
- OpenTelemetry Routing Connector
- OpenTelemetry Redaction Processor
- AI Agent Observability
- AI Audit Trails
- AI Agent Identity
- Data Minimization
- AI Data Residency
- AI Incident Reporting
Sources
- W3C Distributed Tracing Working Group, Propagation format for distributed context: Baggage, Candidate Recommendation Snapshot, May 30, 2024; reviewed June 25, 2026.
- W3C, W3C Invites Implementations of Propagation format for distributed context: Baggage, May 30, 2024; reviewed June 25, 2026.
- OpenTelemetry, Baggage, concept documentation and propagation guidance, reviewed June 25, 2026.
- OpenTelemetry, Baggage API, API requirements and context behavior, reviewed June 25, 2026.
- OpenTelemetry, Context propagation, reviewed June 25, 2026.