]> Zentity

Portugal g.valverde02@gmail.com

Security Individual Submission OAuth CIBA agent delegation pairwise privacy consent PACT (Private Agent Consent and Trust Profile) is a security profile of OAuth 2.1 for privacy-preserving agent delegation. It extends VEIL and composes OIDC CIBA Core 1.0 and OAuth Token Exchange (RFC 8693). PACT defines a durable-host plus ephemeral-session control plane, a delegation token claim vocabulary, runtime identity proofs using Ed25519 JWTs, capability grants with typed constraints and usage limits, risk-graduated consent routing, and claim narrowing on token exchange to non-agent audiences.

Introduction An agent acting on behalf of a human needs three properties at once: machine authentication (the caller proves it is a specific runtime, not merely the application that launched it), human consent (the human approves sensitive actions through a channel the agent cannot subvert), and privacy-preserving delegation (the relying party learns who acted without receiving a globally trackable identifier). Existing specifications cover each property in isolation. CIBA provides a backchannel consent channel. DPoP sender-constrains tokens. RAR carries structured authorization payloads. Token Exchange rebinds audience and scope. PACT specifies how agent identity, human consent, and token issuance compose into a single delegation flow. The profile composes and constrains the following specifications: Concern Specifications Secure Transport OAuth 2.1 , PKCE , PAR , DPoP Structured Intent Rich Authorization Requests Agent Control Plane PACT (this document), OAuth Client Attestation Consent Channel CIBA Token Semantics Token Exchange , Token Introspection , OIDC Core Pairwise Identifiers This document specifies: pairwise agent identifiers (), risk-graduated consent routing (), usage-limited capability grants (), cryptographic binding chains (), ephemeral identity disclosure, and claim narrowing on token exchange ().

Relation to Other Work Several concurrent individual submissions address overlapping parts of the agent-delegation problem. The Agent Auth Protocol and define a JWT claim vocabulary for agent-acting-as-user semantics; PACT aligns with their claim names where they coincide. explores the subject model when an agent acts on behalf of an authenticated user; PACT's session identity and act.sub derivation build on the same premise. The Agent-to-Agent Protocol covers agent-to-agent discovery and card exchange, which complements the consent and token profile defined here. PACT's scope is narrower than any of these: it specifies CIBA binding, typed-constraint capability grants, and claim narrowing on token exchange to non-agent audiences.

Conventions and Terminology

Notational Conventions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Versioning PACT uses MAJOR.MINOR versioning, with -draft appended for pre-release revisions. Implementations MUST reject configurations or discovery documents with an unrecognized major version. Implementations SHOULD accept documents with a higher minor version than expected and ignore unrecognized fields, preserving forward compatibility.

Definitions

Agent Session:

An ephemeral runtime identity for one live process. Each session holds its own Ed25519 keypair. The private key exists only in process memory.

Agent-Assertion:

A short-lived EdDSA JWT (typ: agent-assertion+jwt) signed by the session private key, proving possession of the runtime identity at the time of a consent request.

Approval Strength:

A capability-level declaration of the minimum consent mechanism required: none (auto-approve), session (active user interaction), or biometric (unforgeable user verification).

Authorization Server (AS):

The server that implements this profile, managing identity registration, capability grants, consent routing, and token issuance.

Binding Chain:

The sequence of cryptographic proofs connecting an OAuth user token through host registration, session registration, runtime assertion, human consent, and delegated token issuance.

Capability:

A server-defined named action with optional JSON Schema for input and output, and a required approval strength. PACT's unit of authorization.

Capability Grant:

An authorization record linking one agent session to one capability, with optional typed constraints, usage limits, and an expiration time.

Client:

The process that holds the host identity, manages keys, signs JWTs, and presents tools to the agent runtime.

Constraint:

A typed restriction on a grant's input parameters. Operators: eq, min, max, in, not_in.

Durable Host:

The persistent installation identity for a client environment. Survives across process restarts. Holds an Ed25519 keypair persisted to disk.

Host Policy:

A durable capability grant attached to a host rather than a session. Survives session expiry and seeds new sessions.

Pairwise Agent Identifier:

A per-relying-party pseudonym derived from the session ID and the RP's sector identifier, preventing cross-RP agent correlation.

Relying Party (RP):

A service that receives and validates delegated agent tokens.

Session Grant:

An ephemeral capability grant attached to one agent session. Seeded from host policies at registration; may be elevated via consent.

Usage Ledger:

An append-only record of capability executions, used to enforce daily limits and cooldowns atomically.

Compositional Architecture

Five Compositional Concerns PACT's constituent standards group into five concerns: secure transport, structured intent, agent control plane, consent channel, and token semantics. Each concern produces inputs for the next, from machine authentication through human approval to token issuance and relying-party verification.

Secure Transport sits beneath the other four concerns because removing any transport spec changes security properties, not the agent model. DPoP is the one transport spec that crosses into agent territory: when token exchange mints a downstream token from a CIBA access token, DPoP re-binds the issued token to the caller's proof-of-possession key. Structured Intent carries typed payloads through the flow. RAR (authorization_details) is submitted on the CIBA request, retained on the CIBA request record during consent evaluation, and projected onto downstream exchanged tokens (). The approved typed payload does not appear on the CIBA-issued access token itself. Agent Control Plane establishes who is asking. It produces two outputs: the Agent-Assertion JWT that enters the consent channel as runtime proof, and the capability grants that determine whether consent can short-circuit into automatic approval. Consent Channel carries the human approval interaction. CIBA binds the runtime proof to a specific consent request. The CIBA auth_req_id serves as the trace identifier correlating agent identity, consent, and token issuance. Token Semantics encodes the authorized delegation. Token exchange rebinds audience and recomputes pairwise identifiers. Introspection re-evaluates session lifecycle at query time.

Runtime Participants Role Function Agent The AI actor scoped to a conversation, task, or session. Does not hold keys directly. Client Process holding the host identity; manages keys, signs JWTs, presents tools. Authorization Server Manages registrations, capability grants, consent routing, and token issuance. Relying Party Receives delegated tokens; validates agent identity via introspection or JWT verification. User The human principal who approves sensitive actions via CIBA.

Three Caller Classes PACT distinguishes three caller classes by authentication mode and scope. Caller Authentication Scope Browser user Session cookie Dashboard and browser-only surfaces User-delegated machine OAuth access token exchanged into a dedicated DPoP-bound bootstrap token Agent host/session registration, revocation Pure machine client client_credentials access token Introspection, resource-server APIs Registration, introspection, and token exchange are machine-facing OAuth surfaces; human consent is obtained separately through CIBA (). A client bootstrapping an agent host MUST NOT reuse a login token for registration: it MUST first exchange that token for a DPoP-bound bootstrap token carrying narrow agent scopes ().

Principal Separation PACT separates agent identity into three layers with distinct lifetimes and audiences. The host is durable (persistent across process restarts). The session is ephemeral (fresh per runtime instance, enabling per-session audit). The pairwise identifier shown to each relying party is uncorrelatable across services.

Durable Host A host is the persistent installation identity for a client environment. It represents a specific installation on a specific machine, not a user or an application. Bootstrap. The client first exchanges its pairwise login token via Token Exchange for a short-lived DPoP-bound bootstrap token carrying agent:host.register. POST {host_registration_endpoint} authenticates with that bootstrap token, not the login token. Identity properties: Property Value Key type Ed25519 Identity anchor JWK Thumbprint , SHA-256 Persistence Client-side file, server-side record Uniqueness One thumbprint per (user, client) pair. Same user and client MAY have multiple hosts (different machines). Binding A host key MUST NOT be rebound across users or OAuth clients. Key storage. The client MUST persist the host keypair in a namespace derived from the server URL, OAuth client ID, and the authenticated account subject (or another stable per-user identifier):

.json ]]>

The file MUST be stored with mode 0600. The directory MUST be created with mode 0700. Attestation. Host registration MAY include vendor attestation headers per : OAuth-Client-Attestation: a JWT signed by a trusted vendor, containing a cnf.jwk matching the host's public key. OAuth-Client-Attestation-PoP: a proof-of-possession JWT signed by the host's private key. The server verifies attestation JWTs against a pre-configured set of trusted issuer JWKS URLs. Verification uses a hardened JWKS fetcher that rejects unsafe remote key sources (private/loopback IPs, non-HTTPS in production, responses exceeding a fixed size cap, long timeouts). Attestation results in an elevated trust tier that widens default host policy ().

Ephemeral Session An agent session is the runtime identity for one live process. Each session holds its own Ed25519 keypair. The private key MUST exist only in process memory, and MUST NOT be persisted to disk. Registration. POST {registration_endpoint} with the bootstrap token carrying agent:session.register and a host attestation JWT. The host attestation JWT (typ: host-attestation+jwt) proves the client possesses the durable host key:

", "sub": "agent-registration", "iat": 1711000000, "exp": 1711000060 } ]]>

This JWT MUST be signed with the host's Ed25519 private key and MUST expire within 60 seconds. Registration sequence:

| | | | 2. DPoP bootstrap token | |<---------------------------------------------| | | | 3. POST /host/register | | Authorization: DPoP | | { publicKey, name } | |--------------------------------------------->| | compute JWK | | thumbprint; | | upsert host | | { hostId, attestation_tier } | |<---------------------------------------------| | | | 4. Generate fresh session keypair | | 5. Sign host-attestation+jwt | | | | 6. POST /register | | Authorization: DPoP | | { hostJwt, agentPublicKey, ... } | |--------------------------------------------->| | verify host JWT; | | seed defaults; | | create session; | | copy host-> | | session grants | | { sessionId, status, grants } | |<---------------------------------------------| ]]>

Identity hierarchy:

Cross-Party Unlinkability Agent identifiers in delegated tokens MUST be pairwise per relying party by default. Without pairwise derivation, the session identifier would travel to every relying party as a stable cross-service correlator. Derivation:

Where: MAC is a keyed message authentication code with at least 128 bits of output. HMAC-SHA-256 meets this requirement. PAIRWISE_SECRET is a server-side secret of at least 32 bytes. sector is the RP's registered sector identifier, following the same mechanism used for user pairwise sub in VEIL . Deployments that do not yet support sector_identifier_uri MUST still enforce a stable single-host registration rule so the derived sector remains deterministic. sessionId is the internal agent session identifier. Properties: Two RPs receiving tokens from the same agent session see different act.sub values. The same derivation applies to agent.id in the PACT delegation claim set. Deployments that need global agent tracking MUST use an agent-specific client setting distinct from VEIL's user-facing subject_type. Reusing subject_type would disable pairwise user identifiers at the same time. Pairwise derivation uses the session ID (not host ID) because the acting principal is the runtime session, not the installation.

Trust Gradation Host attestation assigns a host to one of two trust tiers. Attestation widens the default host policy but does not create a separate token class or silently widen identity-disclosure capabilities. Tier How reached Effect on default host policy unverified Default registration check_compliance, request_approval attested Valid OAuth-Client-Attestation + PoP Same default capability floor; trust tier is surfaced in UI, tokens, and introspection A host's attestation tier is recorded at registration and surfaces in the approval UI (for example, "Verified by <vendor>" versus "Unverified agent"), in token claims (agent.runtime.attested: true/false), and in introspection responses.

Named-Action Containment Capability-based authorization determines whether a session can perform an action without interrupting the user. The registry defines named actions, grants bind them to sessions, constraints restrict parameters, and the usage ledger enforces temporal and cumulative limits.

The Registry Capabilities are server-defined named actions. Each capability declares: Field Type Required Description name string Yes Stable snake_case identifier description string Yes Human-readable description input_schema JSON Schema No Expected input parameters output_schema JSON Schema No Expected output shape approval_strength enum Yes none, session, or biometric Discovery. GET {capabilities_endpoint} returns the full registry. No authentication required.

Grants A grant links one agent session (or host) to one capability with optional constraints, usage limits, and an expiration time. Field Type Description capability_name string The capability being granted status enum pending, active, denied, revoked constraints object Typed constraint operators () daily_limit_count integer Max executions per 24-hour window daily_limit_amount number Max cumulative amount per 24-hour window cooldown_sec integer Minimum seconds between executions source string host_policy, session_elevation, or user_grant expires_at timestamp Per-grant TTL, independent of session TTL

Typed Constraints Constraints restrict the input values a grant authorizes. They use the input schema field names as keys. Operator Type Semantics max number Value MUST be <= max min number Value MUST be >= min eq any Value MUST equal the constraint value in array Value MUST be a member of the array not_in array Value MUST NOT be a member of the array Within one grant, all constraints are AND (all must pass). Across multiple grants for the same capability, the first matching active grant wins (OR). Constraint extraction. For capability evaluation, the server extracts constraint-matchable values from authorization_details . The type field maps to a capability name. Nested fields use dot notation (amount.value, amount.currency). Bidirectional negotiation. The agent proposes constraints at registration, and the server or user can narrow them. The server MUST NOT widen constraints beyond what the agent proposed without a new approval. Unknown operators. If a grant contains an unrecognized constraint operator, the server MUST reject the evaluation with a constraint_violated error.

Durable Defaults vs. Ephemeral Elevations The policy model is split for the same reason identity is split: durable defaults and per-runtime elevations have different lifetimes and different trust properties. Host policies are durable and host-scoped. They survive across sessions, are seeded by defaults or attestation tier, carry constraints and usage limits, and are modified only by the user or server admin. Session grants are ephemeral and session-scoped. They belong to one live session, are copied from host policies at session registration (status: active), are created as pending elevations for requested capabilities beyond defaults (status: pending), and expire when the session expires or is revoked. Seeding sequence at session registration: Ensure the capability registry is populated. Ensure default host policies exist for the host's trust tier. Copy all active host policies into active session grants (source: host_policy). Create pending session grants for requested capabilities not in the defaults (source: session_elevation).

Temporal and Cumulative Limits The usage ledger is an append-only table recording each approved execution. It enforces limits on execution frequency and cumulative totals, independent of the per-request constraint checks in . Scope determination. Usage is scoped to the narrowest applicable boundary: If the grant is backed by a host policy: scope to the host policy (shared across sessions). If the grant is session-specific: scope to the session grant. Fallback: scope to the session. Enforcement sequence (within a single database transaction): Cooldown check. Query the ledger for any execution within cooldown_sec of now. If found, reject. Daily count check. Count executions in the last 24 hours. If count >= daily_limit_count, reject. Daily amount check. Sum amount in the last 24 hours. If sum + request.amount > daily_limit_amount, reject. Record. Insert a new ledger entry. Return success. The transaction ensures atomicity; two concurrent requests cannot both pass a limit that only has room for one.

Risk-Proportional Consent At runtime, a delegation request must be routed to one of three outcomes: auto-approved (within pre-authorized limits), interactive approval (user prompt required), or denied. PACT uses CIBA as the transport and defines the routing logic that selects the outcome.

CIBA as Correlation Point The CIBA auth_req_id correlates agent identity (from the control plane), human consent (from the approval interaction), token issuance (from the token endpoint), and the audit trail (from the usage ledger). An Agent-Assertion JWT MUST be bound to a specific auth_req_id; it MUST NOT be accepted as general runtime authentication outside the CIBA request it carries.

Three Routing Outcomes The consent router produces three outcomes based on the capability's approval_strength and the agent's session grants. They differ along one axis: how much human involvement is required. Outcome When Human interruption Silent approval Active grant exists, constraints pass, limits not exceeded, and capability strength is none None Session approval No matching grant, or strength is session Push notification with inline approve/deny Biometric approval Capability strength is biometric Push notification with "Open to approve" link only; WebAuthn userVerification: required on the approval page What silent approval can never do. The evaluator MUST refuse automatic approval in these cases: Any request containing identity scopes (scopes that would release PII). Any request whose derived capability is missing from the registry. Any capability whose approval strength is biometric. Any request without an active matching grant. Any request that exceeds cooldown or daily limits.

Runtime Proof Before requesting consent, the client signs an Agent-Assertion JWT with the session's Ed25519 private key:

", "jti": "", "iat": 1711000000, "exp": 1711000060, "host_id": "", "task_id": "", "task_hash": "" } ]]>

The assertion is placed in the Agent-Assertion HTTP header on the CIBA backchannel authorize request. binding_message is the OIDC CIBA Core 1.0 request parameter, defined there as a human-readable display value. PACT retains its human-visible role in the approval UI and additionally requires that a binding_message be present whenever an Agent-Assertion is present. The task_hash claim is defined as SHA-256(binding_message), giving the agent cryptographic commitment to the same string the human will see. An assertion whose task_hash does not match the CIBA request's binding_message MUST NOT produce agent-bound token semantics. Verification sequence: Decode payload without verification to extract iss (= sessionId). Load session from the database. Verify session status is active. Import session's stored public key. Verify JWT signature with algorithms: ["EdDSA"]. Verify typ header is agent-assertion+jwt. Compute session lifecycle state (). Reject if not active. Compute SHA-256(binding_message) and compare to task_hash. MUST match. Verify host ownership: the session's host MUST belong to the same user and OAuth client as the CIBA request. Binding to CIBA request. On successful verification, the server snapshots server-owned metadata onto the CIBA request record: Field Source agent_session_id Session record host_id Session's parent host display_name, runtime, model, version Session registration metadata task_id, task_hash Agent-Assertion claims assertion_verified true pairwise_act_sub Derived for the requesting OAuth client attestation_provider, attestation_tier Host attestation metadata This snapshot ties the later token to the actual registered runtime, not a free-form claim supplied by the client. CIBA request integrity. Three additional security properties apply to CIBA requests in PACT: Release handle binding. The CIBA release handle (used to exchange an approved request for tokens) MUST be cryptographically bound to (userId, authReqId, clientId). A handle obtained from one request MUST NOT redeem a different request. Atomic status transitions. The transition from approved to redeemed MUST use compare-and-swap semantics. Concurrent polling attempts that race the transition MUST fail rather than duplicate-issue tokens. Entropy. auth_req_id values MUST be generated with cryptographic entropy sufficient to prevent enumeration (e.g., UUID v4).

Biometric Approval Strength An agent with browser control (for example, Playwright or an MCP browser tool) can navigate to approval URLs and click buttons. The biometric approval strength defends against self-approval by requiring WebAuthn userVerification: required, a biometric or PIN gesture that the agent cannot produce. For biometric-strength capabilities: Push notifications show "Open to approve" link only; inline approve/deny actions are disabled because they cannot trigger WebAuthn. The approval endpoint returns a WebAuthn challenge that MUST be satisfied before the approval is accepted. Password-based session re-authentication is insufficient because the agent may know the password. The session strength accepts any in-session re-authentication an agent with browser access could automate (cookie presence, password re-entry). The biometric strength requires a WebAuthn user-verification ceremony that cannot be performed without the registered authenticator. Identity scope exception. When a CIBA request includes identity scopes, push notifications MUST NOT include inline approve actions, even for session-strength capabilities. Vault unlock (required by VEIL for identity claim delivery) cannot be triggered from a service worker or agent browser context, making identity-scoped requests functionally equivalent to biometric for inline approval purposes. The user MUST navigate to the approval page in a full browser context.

Capability Derivation The consent router derives a capability name from the CIBA request's authorization_details and scope: Condition Derived capability Any detail has type equal to "purchase" purchase Any scope is an identity scope read_profile Any scope is a proof scope (for example proof:age or proof:compliance) check_compliance Only openid scope, no typed details request_approval The first matching row wins. The precedence order is purchase details, then identity scopes, then proof scopes, then openid-only requests. A mixed request (for example, purchase details plus identity.* scopes) is routed to the most sensitive derived capability.

Delegation Evidence Approved delegations are encoded as JWT access tokens. The sub and act claims identify the user and agent principals. The capabilities, oversight, audit, and delegation claims describe the constraints and provenance.

The Delegation Token Profile Access tokens issued after agent-verified CIBA approval carry the delegation claim set defined below. The act claim is used as specified in Section 4.1. The remaining claims (agent, task, capabilities, oversight, audit, delegation) are defined normatively in this document. Approved authorization_details are retained on the CIBA request record and projected onto exchanged tokens (), not on the CIBA-issued access token.

", "aud": "", "exp": 1711003600, "iat": 1711000000, "jti": "", "scope": "openid purchase", "act": { "sub": "" }, "agent": { "id": "", "type": "mcp-agent", "model": { "id": "claude-sonnet-4-20250514", "version": "1.0.0" }, "runtime": { "environment": "node", "attested": true } }, "task": { "id": "task-uuid", "purpose": "purchase" }, "capabilities": [ { "action": "purchase", "constraints": [ { "field": "amount.value", "op": "max", "value": 100 } ] } ], "oversight": { "approval_reference": "", "requires_human_approval_for": ["identity.*"] }, "audit": { "trace_id": "", "session_id": "" }, "cnf": { "jkt": "" } } ]]>

Claim semantics: Claim Semantics sub Pairwise user identifier for the target RP act.sub Pairwise agent session identifier for the target RP agent.id Same as act.sub, pairwise agent identifier agent.type Agent runtime type (e.g., mcp-agent) agent.model Model metadata (informational, not security-critical) agent.runtime.attested Whether the host passed vendor attestation task.id Task identifier from the Agent-Assertion task.purpose Category-level intent (not verbatim description) capabilities Approved capabilities with their constraint snapshot oversight.requires_human_approval_for Scopes that MUST route through human approval audit.trace_id CIBA auth_req_id for end-to-end correlation cnf.jkt DPoP proof-of-possession key thumbprint Conditional emission. If assertion_verified is false on the CIBA request, delegation claims MUST NOT be emitted; the token is issued as a standard CIBA token without agent semantics.

Chain Tracking When tokens are exchanged via Token Exchange , the delegation claim tracks the chain:

", ""], "parent_jti": "" } } ]]>

Rules enforced on token exchange: The server MUST maintain delegation lineage in canonical internal actor references (for example, raw session IDs), not only in the audience-projected identifiers emitted in tokens. depth incremented by 1 on each exchange. Current actor appended to the canonical lineage before projection. delegation.chain in the exchanged token MUST be projected for the current audience from the canonical lineage. Previous audience-specific pairwise values MUST NOT be copied verbatim into a new audience context. Implementations advertising delegation_chains: true MUST reject the exchange if depth >= max_depth. Implementations advertising delegation_chains: true MUST enforce mandatory privilege reduction: at least one of narrower capabilities, tighter constraints, shorter TTL, or lower max_depth. The first exchange from a CIBA access token to a non-agent audience satisfies privilege reduction by applying the claim-narrowing rules of : the issued token omits the delegation agent, task, capabilities, oversight, and audit sections, narrows authorization_details to the approved subset, and rebinds audience. If delegation_chains is false, the issued token MAY omit delegation as well; if delegation_chains is true, it MUST retain the projected delegation lineage needed for depth enforcement and family revocation. The issued token lifetime MUST NOT exceed the subject token's remaining lifetime. Family revocation. Revoking a parent token (by jti) revokes all descendants reachable via parent_jti graph traversal.

Claim Narrowing on Token Exchange When delegation evidence must cross an audience boundary, the AS uses Token Exchange to mint a downstream token for the new audience. This section specifies what the AS MUST strip, project, and attenuate on every such exchange. The rules apply regardless of the requested_token_type; PACT does not mint any profile-specific artifact type.

Dropping Agent Control-Plane Claims When the target audience is not itself an agent (the common case: a resource server or relying party consuming the delegated authorization), the issued token MUST omit the delegation agent, task, capabilities, oversight, and audit sections. These sections describe the agent control plane and leak agent-identifying context that a non-agent audience does not need for access decisions. If the deployment does not advertise delegation_chains, the issued token MAY omit delegation entirely. If the deployment advertises delegation_chains: true, the issued token MUST retain a projected delegation claim containing only the lineage needed for depth enforcement and family revocation (depth, max_depth, chain, parent_jti, root_jti; see ). Previous audience-specific pairwise values MUST NOT be copied verbatim into the new audience context and MUST be recomputed per . Claims that the downstream audience does need (iss, aud, sub, act.sub, scope, authorization_details, cnf, jti, iat, exp) are copied or recomputed from the subject token: pairwise identifiers are recomputed for the target audience (), DPoP binding is taken from the token exchange request's proof, and authorization_details is narrowed per the rules below.

Privilege Reduction Every token exchange MUST enforce privilege reduction on the issued token: scope MUST be a subset of the subject token's scope. authorization_details MUST be a subset of the subject token's authorization_details. Lifetime MUST NOT exceed the subject token's remaining lifetime.

Request and Response A downstream audience MAY negotiate a specialized requested_token_type (for example, a deployment-specific signed artifact type). The specific types are out of scope for this profile; the rules above apply regardless of the chosen type. Request:

grant_type=urn:ietf:params:oauth:grant-type:token-exchange subject_token= subject_token_type=urn:ietf:params:oauth:token-type:access_token requested_token_type= urn:ietf:params:oauth:token-type:access_token audience= ]]>

Issued token (illustrative):

", "sub": "", "act": { "sub": "" }, "scope": "", "authorization_details": [ { "type": "purchase", "merchant": "Acme", "item": "Widget", "amount": { "value": "29.99", "currency": "USD" } } ], "cnf": { "jkt": "" }, "jti": "", "iat": 1711000000, "exp": 1711003600 } ]]>

The target RP validates the JWT signature against the AS's JWKS, verifies a matching DPoP proof against cnf.jkt, and enforces the authorization_details constraints. It does not need to understand the agent capability model; it only needs to trust the signature and proof-of-possession binding.

Temporal Boundaries Agent sessions have bounded lifetimes. Expired or terminated sessions MUST NOT be reactivated.

Two Independent Clocks Each agent session has two independent lifetime clocks: one tracks inactivity, the other tracks total elapsed time since session creation. Clock Measured from Default Purpose Idle TTL Last activity (last_seen_at) 1800s (30 min) Inactivity timeout Max lifetime Session creation (created_at) 86400s (24 h) Total session cap Lifecycle computation: If persisted status is revoked or expired: keep it (terminal). Compute idle_expires_at = last_seen_at + idle_ttl_sec * 1000. Compute max_expires_at = created_at + max_lifetime_sec * 1000. If now >= idle_expires_at OR now >= max_expires_at: status is expired. Otherwise: status is active. Expiry is not only inferred at read time. It MUST be persisted to the database once observed.

No Reactivation

| expired | +----+-----+ +----------+ | v +----------+ | revoked | +----------+ ]]>

There is no reactivation path for sessions. If a session expires, the client creates a new session under the same host. This is simpler and more auditable than hidden reactivation logic, and it ensures that escalated session grants do not survive across activation boundaries.

Renewal Through Use Session activity (last_seen_at) is updated after successful authenticated operations, specifically after successful Agent-Assertion binding during CIBA requests. The idle boundary is renewed by successful use, not by mere existence.

Revocation Cascade An agent session can be revoked by the user (via dashboard or API), the client (via POST {revocation_endpoint} with the bootstrap token carrying agent:session.revoke), or the server (policy-based). Revoking a session also revokes all its session grants (status = "revoked", revoked_at = now). Revoking a host revokes all sessions under it, cascading to all session grants. Logout coordination. The authorization server MUST revoke all pending CIBA requests for a user at the time of user logout (per VEIL ). A CIBA token MUST NOT be issuable after the user's session has been terminated. Without this, an agent polling after user logout could obtain tokens for a session the user intended to end.

Machine-Readable Surfaces PACT exposes its agent authorization model through four machine-readable surfaces: an agent configuration document, a capability registry, token introspection, and an optional A2A agent card.

Agent Configuration Document GET /.well-known/agent-configuration is the profile discovery endpoint. No authentication required.

The document SHOULD be served with Cache-Control: public, max-age=3600.

Capability Discovery GET {capabilities_endpoint} returns the full capability registry. GET {capabilities_endpoint}/{name} returns a single capability with full input/output schemas. No authentication required for either endpoint.

Introspection with Lifecycle POST {introspection_endpoint} follows the model for agent token validation. Authentication. Requires a client_credentials access token with agent:introspect scope. Request: application/x-www-form-urlencoded or application/json with a token field. Key behaviors: Session lifecycle is re-evaluated at query time. A session that expired between token issuance and introspection returns active: false. sub and agent.id MUST come from a consistent caller-relative pairwise view. If the server cannot safely re-project sub for the introspecting client, it MUST omit sub rather than leak another client's pairwise identifier. client_id and aud continue to identify the token that was issued, not the introspector's own client registration. If assertion_verified is false on the token snapshot, delegation claims are omitted.

A2A Agent Card (Informational) Deployments MAY additionally publish an A2A Protocol agent card at GET /.well-known/agent-card.json that references the agent configuration document, to support agent-to-agent capability discovery ecosystems that rely on that surface. This integration is informational: the A2A Protocol is not a normative dependency of this profile, and conforming implementations are not required to emit the A2A card.

Cryptographic Continuity Each phase of the profile produces cryptographic evidence consumed by the next. A relying party verifies the delegation chain by inspecting the resulting OAuth messages; each step requires proof that only the legitimate caller can produce.

The Full Chain

Session Binding The client authenticates with a user-bound OAuth access token, typically sender-constrained through DPoP. This binds delegated setup work to the caller's proof-of-possession key.

Host Binding Host registration binds a durable Ed25519 public key to one user, one OAuth client, and one installation thumbprint. The signed host-attestation+jwt used during session registration proves that the caller still possesses the durable host private key.

Runtime Binding Session registration binds a fresh Ed25519 public key to one host, one runtime process, and one display metadata snapshot. The Agent-Assertion proves possession of that runtime key on each CIBA request.

Consent Binding CIBA binds human approval to one auth_req_id, one binding message, one scope set, and one optional authorization_details payload. If the runtime proof is present and valid, the server snapshots runtime metadata into the CIBA request before the approval result is finalized.

Disclosure Binding Identity release follows VEIL : PII is staged in an ephemeral single-consume store and delivered via the userinfo endpoint, never embedded in id_token or access-token claims. PACT sets the CIBA TTL to 10 minutes; the OAuth2 TTL of 5 minutes is inherited unchanged.

Delegation Binding The delegated access token carries sub for the human principal, act.sub for the acting agent session, and the full PACT delegation claim set (). Tokens issued by token exchange to a non-agent audience carry pairwise sub, pairwise act.sub, cnf.jkt, and the approved authorization_details, all re-derived or rebound for the target audience per .

Security Considerations Implementations MUST satisfy the security considerations of OAuth 2.1 , CIBA , OAuth Token Exchange , and VEIL .

JTI Replay Protection All Agent-Assertion JWTs require a jti claim. The server MUST reject duplicates for the same session and retain seen values until the assertion's exp plus a clock-skew allowance (SHOULD default to 30 seconds). Cache entries are partitioned by session ID.

Algorithm Confusion Prevention JWT verification MUST derive the algorithm from the public key's curve (Ed25519 -> EdDSA, P-256 -> ES256), never from the JWT alg header.

JWKS Fetch Hardening Remote JWKS URL fetches (for attestation verification) MUST block private and loopback IP addresses, enforce HTTPS in production, limit redirects (max 3), cap response size, enforce timeouts, and cache responses.

Host Key Security Host private keys MUST be stored with filesystem permissions restricting access to the owning user only (mode 0600). The directory MUST be mode 0700.

Session Key Ephemerality Session private keys MUST exist only in process memory. They MUST NOT be written to disk, environment variables, or any persistent store.

Task Description Sensitivity Task descriptions may contain user-specific context. They appear as task.purpose in tokens (category-level, not verbatim). The verbatim description is available only via introspection by authorized machine clients, not in the JWT body.

DPoP Binding Delegated access tokens issued by this profile SHOULD be DPoP-bound . When token exchange mints a downstream token from a CIBA access token, the issued token MUST carry cnf.jkt from the validated DPoP proof and the target RP MUST require a matching DPoP proof at presentation time. A leaked exchanged token is useless without the caller's proof-of-possession key.

Privacy Considerations The privacy considerations of VEIL apply in addition to those below. Participants are the user, the agent session, the durable host installation, the authorization server, and the relying parties receiving delegated tokens. Cross-RP correlation through agent identifiers requires explicit opt-in at registration.

Cross-RP Agent Correlation Without pairwise agent identifiers, act.sub in delegated tokens is a stable correlator across all RPs. Two colluding RPs can link agent activity across services, correlate the frequency and timing of operations, and infer usage patterns that may deanonymize the human. PACT mitigates this by deriving act.sub per-RP using the same sector-identifier mechanism as OIDC Core pairwise subjects.

PII in Tokens Identity PII MUST NOT be embedded in access tokens or purchase authorization artifacts. PII delivery uses the ephemeral in-memory store with single-consume semantics. This ensures that long-lived tokens contain only cryptographic identifiers, not personal data.

Metadata Minimization Agent display metadata (model, runtime, version) is informational and self-declared. It SHOULD NOT be relied upon for security decisions. Trust decisions MUST be based on cryptographic verification (key signatures, attestation) rather than declared metadata.

Pairwise Opt-Out RPs that require stable agent identifiers (for example, for regulatory audit trails) opt in through an agent-specific signal distinct from VEIL's user-facing subject_type. The default is pairwise.

IANA Considerations This document requests the registrations listed below. Media types under application/*+jwt are registered per .

Media Type Registrations This document requests two registrations in the "Media Types" registry under the application/ tree: application/agent-assertion+jwt: JWT typ defined in ; used in the Agent-Assertion HTTP header to prove runtime session identity on CIBA requests. application/host-attestation+jwt: JWT typ defined in ; host-signed assertion consumed by the session registration endpoint. Each registration specifies this document as its reference and references for the +jwt structured syntax suffix semantics.

Well-Known URI Registration This document requests one registration in the "Well-Known URIs" registry : URI suffix: agent-configuration Change Controller: IETF Reference: This document, Status: Permanent

HTTP Field Name Registrations This document requests three registrations in the "Hypertext Transfer Protocol (HTTP) Field Name Registry" : Field Name: Agent-Assertion. Status: permanent. Reference: this document . Field Name: OAuth-Client-Attestation. Status: permanent. Reference: . Field Name: OAuth-Client-Attestation-PoP. Status: permanent. Reference: . The latter two fields are registered by their originating draft; PACT references them without redefinition.

JWT Claim Registrations This document requests registrations in the "JSON Web Token Claims" registry for the delegation claim vocabulary defined in : agent: Object describing the acting agent runtime and attestation posture. task: Object describing the task category under which delegation was authorized. capabilities: Array of approved named actions with typed constraint snapshots. oversight: Object carrying human-approval requirements and the originating approval reference. audit: Object carrying a CIBA trace identifier and session reference. delegation: Object tracking the delegation chain. The act, authorization_details, cnf, jti, iat, exp, iss, aud, sub, and scope claims are referenced as already registered and are used per their originating specifications ( Section 4.1 for act, for authorization_details, for cnf, for the common set).

OAuth Extensions Error Registry PACT does not currently request new OAuth error codes; it uses the step-up error contract inherited from VEIL (interaction_required) and standard CIBA and token-exchange errors defined in their respective specifications.

ACR Values ACR URNs in acr_values_supported are deployment-local (see VEIL ). PACT does not register ACR values or reserve an ACR namespace.

Conformance

Server Requirements A conforming authorization server MUST: Implement the identity model. Compute pairwise agent identifiers by default. Implement the capability registry and grant model. Route consent based on approval strength. Verify Agent-Assertions and bind them to CIBA requests. Issue tokens with PACT delegation claims only when assertions are verified. Publish the agent configuration document. Enforce JTI replay protection. Derive JWT algorithms from public keys, not headers. A conforming authorization server SHOULD: Support vendor attestation. Enforce usage limits atomically. Support token exchange with claim narrowing for downstream audiences. Provide introspection with lifecycle evaluation. Bind tokens with DPoP.

Client Requirements A conforming client MUST: Generate and persist Ed25519 host keys. Generate ephemeral Ed25519 session keys in memory only. Sign host-attestation+jwt for session registration. Sign Agent-Assertion JWTs before CIBA requests. Include jti in all signed JWTs. A conforming client SHOULD: Present vendor attestation headers when available. Request only the capabilities it needs. Propose constraints that reflect its actual intended usage.

In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. JSON Web Signature (JWS) represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based data structures. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and an IANA registry defined by that specification. Related encryption capabilities are described in the separate JSON Web Encryption (JWE) specification. JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted. OAuth 2.0 public clients utilizing the Authorization Code Grant are susceptible to the authorization code interception attack. This specification describes the attack as well as a technique to mitigate against the threat through the use of Proof Key for Code Exchange (PKCE, pronounced "pixy"). This specification defines a method for computing a hash value over a JSON Web Key (JWK). It defines which fields in a JWK are used in the hash computation, the method of creating a canonical form for those fields, and how to convert the resulting Unicode string into a byte sequence to be hashed. The resulting hash value can be used for identifying or selecting the key represented by the JWK that is the subject of the thumbprint. This specification defines a method for a protected resource to query an OAuth 2.0 authorization server to determine the active state of an OAuth 2.0 token and to determine meta-information about this token. OAuth 2.0 deployments can use this method to convey information about the authorization context of the token from the authorization server to the protected resource. This specification describes how to declare in a JSON Web Token (JWT) that the presenter of the JWT possesses a particular proof-of- possession key and how the recipient can cryptographically confirm proof of possession of the key by the presenter. Being able to prove possession of a key is also sometimes described as the presenter being a holder-of-key. This document defines how to use the Diffie-Hellman algorithms "X25519" and "X448" as well as the signature algorithms "Ed25519" and "Ed448" from the IRTF CFRG elliptic curves work in JSON Object Signing and Encryption (JOSE). This memo defines a path prefix for "well-known locations", "/.well-known/", in selected Uniform Resource Identifier (URI) schemes. In doing so, it obsoletes RFC 5785 and updates the URI schemes defined in RFC 7230 to reserve that space. It also updates RFC 7595 to track URI schemes that support well-known URIs in their registry. This specification defines a protocol for an HTTP- and JSON-based Security Token Service (STS) by defining how to request and obtain security tokens from OAuth 2.0 authorization servers, including security tokens employing impersonation and delegation. The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document describes the overall architecture of HTTP, establishes common terminology, and defines aspects of the protocol that are shared by all versions. In this definition are core protocol elements, extensibility mechanisms, and the "http" and "https" Uniform Resource Identifier (URI) schemes. This document updates RFC 3864 and obsoletes RFCs 2818, 7231, 7232, 7233, 7235, 7538, 7615, 7694, and portions of 7230. This document defines the pushed authorization request (PAR) endpoint, which allows clients to push the payload of an OAuth 2.0 authorization request to the authorization server via a direct request and provides them with a request URI that is used as reference to the data in a subsequent call to the authorization endpoint. This document specifies a new parameter authorization_details that is used to carry fine-grained authorization data in OAuth messages. This document describes a mechanism for sender-constraining OAuth 2.0 tokens via a proof-of-possession mechanism on the application level. This mechanism allows for the detection of replay attacks with access and refresh tokens. Hellō Okta SPRIND The OAuth 2.1 authorization framework enables an application to obtain limited access to a protected resource, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and an authorization service, or by allowing the application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 2.0 Authorization Framework described in RFC 6749 and the Bearer Token Usage in RFC 6750. OpenID Foundation OpenID Foundation

Acknowledgments The author thanks the OAuth working group and the OpenID Foundation CIBA editors for ongoing work that this profile composes with, and the authors of related individual submissions cited in the Relation to Other Work section for claim-name alignment and shared concepts.