| Internet-Draft | AAuth | January 2026 |
| Hardt | Expires 13 July 2026 | [Page] |
Agent Auth (AAuth) is an authentication and authorization protocol for modern distributed systems. It provides progressive authentication from abuse prevention to full authorization, verified agent identity alongside user identity, cryptographic proof of resource legitimacy, and unified authentication and authorization in a single flow. The protocol uses HTTP Message Signatures for proof-of-possession on every request, eliminating bearer tokens and shared secrets.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 13 July 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
OAuth was created to replace the anti-pattern of users providing their passwords to applications to scrape their data from web sites. With OAuth, users could authorize an application to scoped access of their data without sharing their passwords. The internet has evolved significantly since the release of OAuth 2.0.¶
Security requirements have changed. Exfiltration of bearer tokens has become a common attack vector. While proof-of-possession with digital signatures is now practical and widely supported, bearer tokens and shared secrets are still used in most deployments.¶
Applications are distributed and more diverse. When OAuth 2.0 was created, the client was typically a server. Today it may also be one of many widely distributed instances of a desktop, mobile, or command line application where managing a single long lived shared secret or private key is impractical.¶
Agents have loosened the client-server model. Tightly bound, pre-registered client and server relationships are giving way to more open and dynamic ecosystems. In environments like the Model Context Protocol (MCP), a client may interact with any server, not just those it was pre-registered with.¶
Enterprise systems span multiple trust domains. Organizations deploy hundreds of applications across vendors, each requiring access to resources in different security contexts. Role-based authorization is often insufficient. Fine-grained, dynamic access control often requires verifying both the calling application and user's identity.¶
OAuth scopes have become insufficient for modern authorization. Traditional OAuth scopes like read or write provide only coarse-grained labels that fail to convey what data will be accessed, under what conditions, for what purpose, or for how long. This opacity prevents meaningful user consent and makes it impossible to enforce least privilege.¶
Resources have varying auth requirements. Resources need different levels of protection for different operations. Public endpoints rely on IP addresses for rate limiting and abuse prevention. Application identity is verified through IP whitelisting, mTLS, or long-lived credentials. Authorization uses API keys, manually provisioned tokens, or OAuth flows. These varying requirements have led to fragmented solutions.¶
Applications require both authentication and authorization. OAuth 2.0 provides authorization (delegated access). OpenID Connect provides authentication (user identity via SSO). Both protocols excel in their designed use cases, but applications often need both authentication and authorization in contexts where the separation creates friction.¶
AAuth is an exploratory specification examining what new capabilities and features may be useful to address use cases that are not well-served by existing protocols like OAuth 2.0, OpenID Connect (OIDC), and SAML.¶
{::boilerplate bcp14-tagged}¶
/.well-known/aauth-agent.¶
sub identifier.¶
/.well-known/aauth-issuer.¶
/.well-known/aauth-resource.¶
AAuth uses a three-party model where agents access resources with authorization from auth servers. All requests are signed using HTTP Message Signatures ([RFC9421]).¶
AAuth defines three token types, all of which are proof-of-possession tokens:¶
Resources can require different authentication levels via the Agent-Auth response header:¶
Resources use the Agent-Auth response header to indicate authentication requirements when returning 401 Unauthorized.¶
When a resource requires only a signed request:¶
HTTP/1.1 401 Unauthorized Agent-Auth: httpsig¶
When a resource requires verified agent identity:¶
HTTP/1.1 401 Unauthorized Agent-Auth: httpsig; identity=?1¶
Agent tokens enable agent servers to delegate signing authority to agent delegates while maintaining a stable agent identity.¶
An agent token is a JWT with typ: agent+jwt containing:¶
Header:
- alg: Signing algorithm
- typ: agent+jwt
- kid: Key identifier¶
Payload:
- iss: Agent server URL (the agent identifier)
- sub: Agent delegate identifier (stable across key rotations)
- cnf: Confirmation claim with jwk containing the delegate's public key
- iat: Issued at timestamp
- exp: Expiration timestamp¶
Agent delegates present agent tokens via the Signature-Key header using scheme=jwt:¶
Signature-Key: sig=jwt; jwt="eyJhbGciOiJFZERTQSIsInR5cCI6ImFnZW50K2p3dCJ9..."¶
Resource tokens provide cryptographic proof of resource identity, preventing confused deputy and MITM attacks.¶
A resource token is a JWT with typ: resource+jwt containing:¶
Header:
- alg: Signing algorithm
- typ: resource+jwt
- kid: Key identifier¶
Payload:
- iss: Resource URL
- aud: Auth server URL
- agent: Agent identifier
- agent_jkt: JWK thumbprint of the agent's current signing key
- exp: Expiration timestamp
- scope: Requested scopes (optional)¶
Resources include resource tokens in the Agent-Auth header when requiring authorization:¶
Agent-Auth: httpsig; auth-token; resource_token="eyJ..."; auth_server="https://auth.example"¶
Auth tokens grant agents access to resources after authentication and authorization.¶
An auth token is a JWT with typ: auth+jwt containing:¶
Header:
- alg: Signing algorithm
- typ: auth+jwt
- kid: Key identifier¶
Payload:
- iss: Auth server URL
- aud: Resource URL(s)
- agent: Agent identifier
- cnf: Confirmation claim with jwk containing the agent's public key
- sub: User identifier (if user-delegated access)
- scope: Authorized scopes
- iat: Issued at timestamp
- exp: Expiration timestamp¶
Agents present auth tokens via the Signature-Key header using scheme=jwt:¶
Signature-Key: sig=jwt; jwt="eyJhbGciOiJFZERTQSIsInR5cCI6ImF1dGgrand0In0..."¶
Participants publish metadata at well-known URLs to enable discovery.¶
Published at /.well-known/aauth-agent:¶
{
"agent": "https://agent.example",
"jwks_uri": "https://agent.example/.well-known/jwks.json"
}
¶
Published at /.well-known/aauth-issuer:¶
{
"issuer": "https://auth.example",
"agent_token_endpoint": "https://auth.example/token",
"agent_auth_endpoint": "https://auth.example/authorize",
"jwks_uri": "https://auth.example/.well-known/jwks.json"
}
¶
Published at /.well-known/aauth-resource:¶
{
"resource": "https://resource.example",
"jwks_uri": "https://resource.example/.well-known/jwks.json",
"additional_signature_components": ["content-type", "content-digest"]
}
¶
AAuth uses HTTP Message Signatures ([RFC9421]) for request authentication.¶
All AAuth requests MUST include:¶
The Signature-Key header ([I-D.hardt-httpbis-signature-key]) provides keying material:¶
HTTP Message Signatures in AAuth MUST cover:¶
@method: HTTP method¶
@authority: Target host¶
@path: Request path¶
signature-key: The Signature-Key header value¶
Resources MAY require additional components via additional_signature_components in metadata.¶
The Signature-Input header MUST include:¶
created: Signature creation timestamp (Unix time)¶
The created timestamp MUST NOT be more than 60 seconds in the past or future.¶
AAuth uses the OAuth 2.0 error response format ([RFC6749] Section 5.2).¶
{
"error": "invalid_request",
"error_description": "Human-readable description"
}
¶
The HTTP Message Signature is missing, malformed, or verification failed. When the signature is missing required components, the response SHOULD include required_components:¶
{
"error": "invalid_signature",
"error_description": "Signature missing required components",
"required_components": ["@method", "@authority", "@path", "signature-key"]
}
¶
The agent token is missing, malformed, expired, or signature verification failed.¶
The resource token is missing, malformed, expired, or signature verification failed.¶
The auth token is missing, malformed, expired, or signature verification failed.¶
The key binding verification failed. The public key used to sign the request does not match the key bound in the token.¶
All AAuth tokens are proof-of-possession tokens. The holder must prove possession of the private key corresponding to the public key in the token's cnf claim.¶
HTTP Message Signatures provide:¶
This specification registers the following Well-Known URIs:¶
This specification registers the following media types:¶
This specification registers the following HTTP header:¶
Agent-Auth: Authentication and authorization requirements¶
The author would like to thank reviewers for their feedback on this specification.¶