| Internet-Draft | Agent Route Origin Authorization (AgentR | April 2026 |
| Michalak | Expires 10 October 2026 | [Page] |
This document specifies the Agent Route Origin Authorization (AgentROA) framework, a cryptographic policy enforcement model for governing the actions of autonomous AI agents operating over the Model Context Protocol (MCP) and Agent-to-Agent (A2A) protocols. AgentROA introduces three core protocol objects: the Agent Route Origin Authorization (ROA) envelope, the Agent Route Attestation (ARA) per-hop receipt, and the Agent Execution Receipt (AER). Together these objects enable: (1) cryptographic binding of an agent's authorized action scope to a signed policy envelope at session initialization, (2) per-hop attestation across multi-agent delegation chains with monotonic scope-narrowing semantics (no policy envelope may be expanded by a downstream delegation), and (3) cryptographic receipts produced intrinsically by the enforcement decision at each MCP tool call boundary. The framework is modeled on the BGP Route Origin Authorization (ROA) concept from RPKI (RFC 6480) applied to the AI agent execution domain.¶
The Border Gateway enforcement model positions a cryptographic enforcement proxy at the MCP protocol boundary — external to the agent's execution context — reducing the risk that governance decisions are influenced by the governed agent by placing enforcement in a separate process boundary. This document establishes the architectural model, protocol object schemas, and enforcement semantics for the AgentROA framework.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 10 October 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Autonomous AI agents are increasingly being deployed in enterprise and regulated environments. These systems can investigate incidents across cloud infrastructure, invoke external tools, initiate transactions, and delegate tasks to downstream agents without human review at each step.¶
The Model Context Protocol (MCP) provides a common mechanism for connecting agents to external tools, data sources, and APIs. The Agent-to-Agent (A2A) protocol provides complementary support for inter-agent communication and task delegation.¶
These protocols address connectivity and interoperability. They do not, by themselves, define a cryptographic mechanism that binds an agent's authorized action scope to protocol execution, enforces that scope at the protocol boundary, or produces receipts that can be independently verified after the fact.¶
Existing governance approaches often rely on application-layer monitoring, behavioral detection, or post-execution audit logging. In deployments where such governance mechanisms are co-located with the governed agent, a compromised, manipulated, or misconfigured agent may influence the governance outcome.¶
AgentROA addresses this concern by positioning enforcement at the protocol boundary, external to the agent's execution context. The Border Gateway enforcement proxy intercepts MCP tool call requests before they reach the target MCP server, validates the caller's ROA envelope, enforces monotonic scope-narrowing semantics across delegation chains, and produces a cryptographic AER receipt as an intrinsic output of the enforcement decision.¶
The governing question AgentROA answers is: was this agent authorized to perform this specific action under this specific policy envelope at this specific moment — and can that be shown to a third party, including a regulator, auditor, or counter-party, without relying on the agent's own account of execution?¶
AgentROA draws an analogy from the BGP Route Origin Authorization framework specified in RFC 6480 (RPKI) and RFC 6811 (BGP Prefix Origin Validation).¶
In BGP RPKI, a Route Origin Authorization (ROA) is a cryptographically signed object that states which Autonomous System (AS) is authorized to originate routes for a specific IP address prefix. Border routers validate incoming route announcements against the ROA database before accepting them into the routing table. This prevents route hijacking by ensuring that only authorized ASes can announce specific prefixes.¶
AgentROA applies the same model to AI agent execution:¶
An Agent ROA envelope states which agent identity is authorized to invoke specific MCP capabilities under specific policy constraints, signed by the authorizing entity.¶
The Border Gateway validates incoming MCP tool calls against the ROA envelope before forwarding them to the target MCP server. This prevents capability hijacking by ensuring that agents can only invoke capabilities they are explicitly authorized for.¶
The Agent Route Attestation (ARA) provides per-hop attestation across multi-agent delegation chains, analogous to BGP path validation, ensuring that each hop in a delegation chain operated within its declared scope.¶
The key structural insight from RPKI that AgentROA preserves is the separation of the authorization infrastructure (the ROA envelope and its signing) from the enforcement infrastructure (the Border Gateway). This separation ensures that the enforcement mechanism does not depend on trusting the party being governed.¶
This document specifies:¶
The AgentROA framework architecture and trust boundary model.¶
The protocol object schemas for ROA envelopes, ARA per-hop attestations, and AER execution receipts.¶
The monotonic scope-narrowing semantics for multi-agent delegation chains.¶
The Border Gateway enforcement proxy model for MCP and A2A.¶
Future extensions, including voice-triggered actions and agent identity addressing, are outside the scope of this document.¶
This document does not specify a wire protocol for MCP or A2A, which are governed by their respective specifications. AgentROA operates as an enforcement layer above the MCP OAuth 2.0 authorization mechanism specified in the MCP Authorization specification.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174].¶
The AgentROA framework consists of the following components:¶
The fundamental trust boundary in AgentROA separates two domains:¶
This separation is the critical architectural distinction from application-layer governance approaches in which the policy engine and the agents it governs run in the same process. When a governance layer runs in the same process as the agent, a compromised agent may influence the governance outcome.¶
AgentROA assumes that the Border Gateway enforcement proxy runs in a separate process from the governed agent. Deployment MAY use sidecar containers in a Kubernetes pod, separate virtual machines, or hardware-isolated enclaves. The architectural model in this document does not assume a policy decision point that is co-located within the agent's execution context.¶
The Border Gateway implements the following request handling model for MCP tool calls:¶
The Border Gateway validates: a) The ROA envelope signature (EdDSA verification against the agent's registered public key in the Agent Identity Registry).¶
The AgentROA ROA Envelope is a JSON object with the following top-level fields. All fields are REQUIRED unless noted.¶
Object. Session context. - session_id: String. Unique session identifier. - channel: String. One of: "api", "mcp_client", "voice", "browser", "mobile_app".¶
Object. The authorized capability scope. - capabilities: Array of Strings. Each element is a capability identifier of the form mcp:<server-id>.<tool-name> or the wildcard form mcp:<server-id>.*.¶
max_delegation_depth: Integer. Maximum number of delegation hops permitted. MUST be >= 0.¶
cross_org_permitted: Boolean. Whether delegation across organizational boundaries is permitted.¶
data_classification_ceiling: String, OPTIONAL. Maximum data classification level accessible.¶
budget_ceiling: Number, OPTIONAL. Maximum total spend or resource budget permitted for this session, in the unit declared by budget_unit. Downstream delegations MUST NOT declare a budget_ceiling exceeding this value.¶
budget_unit: String, OPTIONAL. Unit for budget_ceiling (e.g., "USD", "tokens", "api_calls"). Required when budget_ceiling is present.¶
price_class: Integer, OPTIONAL. Maximum price tier permitted (lower value = lower cost). Downstream delegations MUST NOT declare a price_class exceeding this value.¶
slo_class: Integer, OPTIONAL. Minimum required service level (higher value = stricter SLO). Downstream delegations MUST NOT declare an slo_class below this value.¶
Object. Policy binding. - policy_id: String. Identifier of the governing policy. - policy_version: String. Version of the governing policy. - policy_digest: String. SHA-256 hash of the policy document, formatted as "sha256:<hex>".¶
policy_uri: String, OPTIONAL. URI at which the policy document may be retrieved.¶
Object. Authorization requirements. - auth_strength: String. One of: "session_only", "device_bound", "device_bound_with_attestation", "dual_control".¶
Object. Evidence references. - session_hash: String. Hash of the session establishment event.¶
model_provenance: Array of Strings. Identifiers of the AI models that may execute within this session.¶
The policy_digest field binds the ROA envelope to a specific version of the governing policy document. This binding serves two purposes:¶
The canonical policy digest is computed as:¶
policy_digest = "sha256:" || hex(SHA-256(policy_document_bytes))¶
where policy_document_bytes is the UTF-8 encoding of the policy document in its canonical JSON serialization.¶
This section specifies the no-loosen invariant, which is the foundational enforcement property of AgentROA.¶
AgentROA applies a tighten-only partial-order algebra across three distinct constraint dimensions. Each dimension has its own ordering operator, and a violation of ANY dimension MUST cause the Border Gateway to reject the delegation with a DENY AER receipt.¶
C(ARA[n]) ⊆ C(ARA[n-1])
where ARA[0] is the root ROA envelope.
¶
B(ARA[n]) ≤ B(ARA[n-1])
P(ARA[n]) ≤ P(ARA[n-1])
¶
S(ARA[n]) ≥ S(ARA[n-1])
¶
This invariant prevents privilege escalation through agent delegation chains. An agent that delegates a task to a downstream agent CANNOT grant the downstream agent permissions, budget, or relaxed service levels that the delegating agent does not itself possess.¶
Scope comparison algorithm:¶
The Border Gateway compares capability sets using the following procedure:¶
Resolve each capability identifier to its canonical form. Wildcard capabilities (mcp:<server-id>.*) are expanded to include all capabilities advertised by the named MCP server's capability manifest.¶
For each capability in the downstream ARA, verify that the capability is present in or subsumed by a wildcard in the parent's capability set.¶
If any downstream capability is not subsumed, reject the delegation with a SCOPE_EXPANSION_DENIED error.¶
If the downstream ARA declares a budget_ceiling, verify that: budget_ceiling(ARA[n]) ≤ budget_ceiling(ARA[n-1])¶
If the downstream ARA declares a price_class, verify that: price_class(ARA[n]) ≤ price_class(ARA[n-1])¶
If the downstream ARA declares an slo_class, verify that: slo_class(ARA[n]) ≥ slo_class(ARA[n-1])¶
ROA envelopes MUST be signed using EdDSA with the Ed25519 curve as specified in [RFC8032]. The signature is computed over the canonical JSON serialization of the envelope excluding the "signatures" field.¶
Canonical JSON serialization follows the JSON Canonicalization Scheme (JCS) as specified in [RFC8785].¶
The signing key MUST correspond to the public key registered in the Agent Identity Registry for the authorizing entity. The key identifier MUST be included in the "signer" field of the signature object.¶
An Agent Route Attestation (ARA) object is produced at each agent-to-agent delegation boundary. The ARA attests that:¶
c) The delegation occurred within a valid session.¶
The ARA object has the following structure:¶
Object. The scope being delegated. MUST satisfy the monotonic scope-narrowing invariant with respect to the parent scope. - capabilities: Array of Strings. Capability identifiers authorized for the delegated agent.¶
Object. Policy binding for this delegation. - policy_digest: String. MUST match the policy_digest of the root ROA envelope in the delegation chain.¶
policy_version: String.¶
A delegation chain is constructed as follows:¶
The root element is the ROA envelope issued by the Policy Engine at session initiation (ref_type: "roa_envelope").¶
Each subsequent element is an ARA object produced at a delegation boundary (ref_type: "ara").¶
The chain forms a singly-linked list through the upstream_ref fields. The ref_digest field creates a cryptographic hash chain: each ARA commits to the exact bytes of its parent.¶
The chain terminates at the agent currently requesting a MCP tool call.¶
When a Border Gateway receives a MCP tool call, the requesting agent presents its delegation chain (an ordered array of serialized ARA objects, from root to current). The Border Gateway validates the entire chain before making an enforcement decision.¶
The following algorithm MUST be implemented by the Border Gateway:¶
FUNCTION VerifyChain(chain, requested_capability):
INPUT:
chain: ordered array [root_envelope, ara_1, ..., ara_n]
requested_capability: capability identifier being requested
OUTPUT:
PERMIT or DENY, with reason
STEP 1: Verify root envelope
IF NOT VerifySignature(chain[0]) THEN
RETURN DENY, "invalid_root_signature"
IF chain[0].expires_at < NOW() THEN
RETURN DENY, "envelope_expired"
current_scope = chain[0].authorized_scope.capabilities
current_budget = chain[0].authorized_scope.budget_ceiling
current_slo = chain[0].authorized_scope.slo_class
STEP 2: Verify hash chain and monotonic narrowing
FOR i = 1 TO length(chain) - 1:
ara = chain[i]
parent = chain[i-1]
parent_digest = SHA-256(canonical_json(parent))
IF ara.upstream_ref.ref_digest != parent_digest THEN
RETURN DENY, "chain_integrity_violation"
IF NOT VerifySignature(ara) THEN
RETURN DENY, "invalid_ara_signature_at_hop_" + i
IF NOT Subset(ara.delegated_scope.capabilities, current_scope) THEN
RETURN DENY, "scope_expansion_violation_at_hop_" + i
IF ara.delegated_scope.budget_ceiling IS PRESENT AND
current_budget IS PRESENT AND
ara.delegated_scope.budget_ceiling > current_budget THEN
RETURN DENY, "budget_expansion_denied_at_hop_" + i
IF ara.delegated_scope.slo_class IS PRESENT AND
current_slo IS PRESENT AND
ara.delegated_scope.slo_class < current_slo THEN
RETURN DENY, "slo_relaxation_denied_at_hop_" + i
¶
current_scope = ara.delegated_scope.capabilities
current_budget = ara.delegated_scope.budget_ceiling
current_slo = ara.delegated_scope.slo_class
¶
END FUNCTION¶
The Agent Execution Receipt (AER) is produced by the Border Gateway as an intrinsic output of each enforcement decision. The AER is a cryptographically signed artifact intended to provide independently verifiable evidence that a specific enforcement decision was made for a specific agent action under a specific policy at a specific time.¶
The AER is not a log entry. It is a signed commitment produced by the enforcement layer at the moment of the decision. The distinction is architecturally significant: a log entry is produced after the fact by a logging system that may or may not have observed the exact enforcement logic. An AER is produced by the enforcement logic itself, committed before the action executes (for PERMIT) or when the action is rejected (for DENY).¶
AER structure:¶
Object. Summary of the delegation chain. - chain_depth: Integer. Number of hops in the chain. - root_envelope_id: String. The envelope_id of the root ROA envelope.¶
chain_digest: String. SHA-256 hash of the canonical serialization of the complete delegation chain.¶
Object. Border Gateway identity. - gateway_id: String. Identifier of the producing Border Gateway instance.¶
gateway_version: String. Software version.¶
The following invariants apply to AER generation:¶
AgentROA AER receipts are designed to be submitted to SCITT- compatible transparency logs [I-D.ietf-scitt-architecture]. When a SCITT log is configured:¶
a) The Border Gateway submits each AER as a SCITT Statement.¶
c) The SCITT Receipt is appended to the AER's signatures array.¶
SCITT integration provides three additional properties:¶
Third-party verifiability: Any party with the SCITT log's public key can verify the AER without trusting the Border Gateway operator.¶
Tamper evidence: The append-only SCITT log structure prevents modification of historical receipts.¶
Transparency: Deployments MAY use transparency logs to support independent verification or audit requirements.¶
The Border Gateway acts as a reverse proxy for MCP connections. From the MCP server's perspective, all requests arrive from the Border Gateway. From the agent's perspective, the Border Gateway is the target endpoint for MCP tool calls.¶
MCP uses OAuth 2.0 for authorization as specified in the MCP Authorization specification. AgentROA operates as an additional layer above MCP's OAuth authorization mechanism.¶
AgentROA DOES NOT replace MCP's OAuth authorization. Both mechanisms operate in sequence:¶
When agents communicate using the A2A protocol, AgentROA governs the delegation of tasks between agents.¶
The complete enforcement decision algorithm is:¶
FUNCTION Enforce(request):
INPUT:
request: MCP tool call request with auth headers
OUTPUT:
PERMIT or DENY, with AER receipt
STEP 1: Extract credentials
envelope_or_chain = ExtractFromHeader(request)
STEP 2: Determine chain type
IF envelope_or_chain is ROA envelope:
chain = [envelope_or_chain]
ELSE:
chain = envelope_or_chain (ARA chain)
STEP 3: Resolve capability
capability = mcp:<request.server_id>.<request.tool_name>
STEP 4: Execute chain verification
result = VerifyChain(chain, capability)
STEP 5: Check approval state if required
IF chain[0].authorization.auth_strength IN
["device_bound", "device_bound_with_attestation"]:
IF chain[0].authorization.approval_state != "granted":
result = DENY, "approval_required"
STEP 6: Produce AER
aer = ProduceAER(
session = ExtractSession(chain),
action = ExtractAction(request),
policy = ExtractPolicy(chain[0]),
chain_summary = SummarizeChain(chain),
outcome = result.outcome,
denial_reason = result.reason
)
SignAER(aer, border_gateway_private_key)
PersistAER(aer)
STEP 7: Submit to SCITT (if configured)
IF scitt_enabled:
scitt_receipt = SubmitToSCITT(aer)
AppendSignature(aer, scitt_receipt)
STEP 8: Return
IF result.outcome == PERMIT:
ForwardToMCPServer(request)
RETURN response WITH receipt metadata referencing aer.aer_id
ELSE:
RETURN 403 Forbidden WITH receipt metadata referencing
aer.aer_id
¶
END FUNCTION¶
AgentROA is designed to protect against the following threats:¶
Private keys used for signing ROA envelopes, ARA objects, and AER receipts MUST be stored in hardware security modules or equivalent secure key storage, or in device-bound key storage for device-bound approval flows.¶
Implementers SHOULD note that this framework requires the Border Gateway to process every MCP tool call. The Border Gateway is therefore a potential bottleneck and single point of failure. Implementations SHOULD provide:¶
This section specifies requirements for ROA envelope revocation and for continued operation when the Border Gateway cannot reach the Agent Identity Registry or policy infrastructure.¶
ROA envelopes include an expires_at field (Section 4.1). The Border Gateway MUST reject any envelope whose expires_at timestamp is in the past. The denial reason code MUST be "envelope_expired".¶
In addition to time-based expiry, implementations SHOULD support explicit revocation. The Agent Identity Registry SHOULD publish revocation information for ROA envelopes whose corresponding sessions have been administratively terminated or whose signing keys have been compromised. Revocation information SHOULD be distributed as delta-encoded updates identified by a monotonically increasing epoch and sequence number, enabling validators to maintain current revocation state without full re-download.¶
When a validator processes a revocation delta, it MUST update its local revocation cache and MUST reject any subsequently presented envelope whose envelope_id or signing key appears in the revocation cache. The denial reason code for a revoked envelope MUST be "envelope_revoked". AER receipts for revoked envelopes SHOULD include the revocation epoch and sequence number at which the revocation was applied.¶
To prevent replay attacks using captured but unexpired envelopes, the Border Gateway MUST maintain a replay prevention cache of recently-seen (envelope_id, session_id) pairs. The cache MUST cover at minimum the full validity window of the longest-lived envelope the deployment issues. On restart, the Border Gateway MUST either restore the cache from durable storage or refuse to process envelopes issued before the restart until their natural expiry time has elapsed.¶
When a duplicate (envelope_id, session_id) pair is detected, the Border Gateway MUST reject the request with denial reason "replay_detected" and produce a DENY AER receipt.¶
When the Border Gateway cannot reach the Agent Identity Registry to verify an agent's public key or to retrieve current revocation data, it MAY continue enforcement against locally cached materials subject to the following constraints:¶
This document has no IANA actions.¶