<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes"?>
<?rfc tocompact="yes"?>
<?rfc tocdepth="3"?>
<?rfc tocindent="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<rfc category="exp" docName="draft-song-oauth-ai-agent-collaborate-authz-02"
     ipr="trust200902">
  <front>
    <title abbrev="OAuth2.0 Ext. for Multi-Agent Collab">OAuth2.0 Extension
    for Multi-AI Agent Collaboration</title>

    <author fullname="Yurong Song" initials="Y" surname="Song">
      <organization>Huawei</organization>

      <address>
        <email>songyurong1@huawei.com</email>
      </address>
    </author>

    <author fullname="Lun Li" initials="L" surname="Li">
      <organization>Huawei</organization>

      <address>
        <email>lilun20@huawei.com</email>
      </address>
    </author>

    <author fullname="Yuning Jiang" initials="Y" surname="Jiang">
      <organization>Huawei Singapore</organization>

      <address>
        <email>jiangyuning2=40h-partners.com@dmarc.ietf.org</email>
      </address>
    </author>

    <author fullname="Faye Liu" initials="F" surname="Liu">
      <organization>Huawei Singapore</organization>

      <address>
        <email>liufei19@huawei.com</email>
      </address>
    </author>

    <date day="29" month="June" year="2026"/>

    <area>Security</area>

    <workgroup>Web Authorization Protocol</workgroup>

    <keyword>OAuth</keyword>

    <abstract>
      <t>This method extends OAuth 2.0 by adding fields to token and message
      flows, enabling sub-agents to act as a task group. It simplifies
      authorization for task groups, avoids repeated interactions between
      sub-agents and the authorization server, and bounds the authority
      delegated to the group and to each member while maintaining
      compatibility with existing OAuth 2.0 workflows.</t>
    </abstract>

    <note title="Requirements Language">
      <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
      "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
      document are to be interpreted as described in <xref
      target="RFC2119">RFC2119</xref>.</t>
    </note>
  </front>

  <middle>
    <section title="Introduction">
      <t>AI agents are capable of handling tasks. They can integrate multiple
      technologies such as natural language understanding, data analysis, and
      logical reasoning to meet multi-step and cross-scenario requirements.
      However, a single AI agent has a limited knowledge scope and restricted
      functions, making it difficult to independently complete complex tasks
      that span multiple professional domains and require different
      capabilities.</t>

      <t>Collaboration among a group of AI agents is an essential approach for
      such complex tasks. Taking the demand for "real-time health advice" as
      an example, this intent can be split into three tasks: "collect the
      user's health data", "predict the user's health status" and "provide
      health advice based on health status". These tasks need to be
      accomplished by corresponding professional sub-AI agents: the data
      collection agent is responsible for privacy-compliant data collection,
      the health status prediction agent invokes medical models for analysis,
      and the advice generation agent outputs solutions based on health
      guidelines.</t>

      <t>What's more, according to some existing research<xref
      target="multi-agent-research-system"/>, a leading agent is necessary for
      coordination. In the above example, the leading agent can receive the
      intent "give me real-time health advice" from user, understand it and
      split it into tasks. Additionally, the leading agent selects sub-agents
      capable of fulfilling the tasks and distributes these tasks to them.
      These sub-agents can be referred to as a task group. Finally, the
      leading agent integrates the results returned by the sub-AI agents to
      form complete health advice. Without the leading agent, task execution
      is prone to confusion and final results are difficult to unify.</t>

      <t>There are two typical policies for the leading agent to select
      sub-agents and form a task group: 1) The static policy determines all
      tasks and sub-agents upfront before execution, enabling predictable
      scheduling and stable group composition; 2) The dynamic policy
      incrementally identifies tasks and selects sub-agents during execution,
      allowing real-time adjustment based on intermediate results and
      improving adaptability to changing conditions.</t>

      <t>In such collaborative scenarios, if each sub-AI agent in a task group
      applies for permissions from the authorization server individually, the
      authorization server must verify the identity and permissions of each
      sub-agent one by one and generate access tokens for them. This leads to
      problems such as frequent interactions, high computing resource
      consumption on the authorization server, and low efficiency in the token
      issuance process. In addition, when each sub-agent is authorized
      independently, there is no single point that bounds the total authority
      held by the task group, so the authority collectively exercised by the
      group can exceed what was intended for the task as a whole.</t>

      <t>Therefore, this draft proposes authorization methods for static and
      dynamic task groups. For the static policy, the leading agent
      communicates with the authorization server centrally and applies for
      access tokens on behalf of all sub-agents in the task group before task
      execution begins. For the dynamic policy, the leading agent applies for
      an access token for a specific task and issues task credentials bound to
      the access token to the corresponding sub-agents. In addition, this
      draft describes an optional scope-bounded mode, where the authorization
      server issues a group authorization token and member authorization
      tokens; the authority of each member, and the aggregate authority of all
      members, is bounded by the authority granted to the group. These methods
      simplify the authorization process for sub-AI agents and avoid
      efficiency loss caused by repeated interactions.</t>
    </section>

    <section title="Terminology">
      <t>Applier: a role that requests the access token on behalf of
      client(s), e.g. a leading AI agent.</t>

      <t>Group Authorization Token: a token issued by the authorization server
      that authorizes the group permission scope, i.e. the maximum authority
      the whole task group may exercise while handling a task.</t>

      <t>Member Authorization Token: a token issued by the authorization
      server that authorizes the member permission scope of an individual
      sub-agent. The member permission scope is no broader than the group
      permission scope.</t>

      <t>Group Permission Scope: the set of resources, the set of service
      types, the set of permitted operations, and the maximum access count
      that the task group as a whole is permitted while handling a task.</t>

      <t>Member Permission Scope: the resources, service types, operations,
      and maximum access count permitted to a single sub-agent. It is no
      broader than the group permission scope.</t>

      <t>This draft uses the terms "authorization server", "client", "resource
      server" defined by OAuth 2.0 <xref target="RFC6749"/>.</t>
    </section>

    <section title="Procedure of Static Task Group Authorization">
      <t>This protocol flow is modeled after <xref target="RFC6749"/> and
      extends it with an *applier_id* field to enable authorization request by
      the applier.</t>

      <t><figure anchor="fig-static"
          title="Static Task Group Authorization Flow">
          <artwork><![CDATA[
    +--------+                              +----------------+
    |        |--(A) Authorization Request-->|    Resource    |
    |        |                              |      Owner     |
    |        |<--(B) Authorization Grant----|                |
    |        |                              +----------------+
    |Leading |                                                
    | Agent  |   (C) Authorization Grant    +----------------+
    |        |--------(applier_id)--------->|                |
    |        |                              | Authorization  |
    |        |      (D) Access Token        |    Server      |
    |        |<------(app=applier_id)-------|                |
    +--------+                              +----------------+
        |                                                     
        |                                                     
(E) Access Token*                                             
        |                                                     
        v                                                     
    +--------+                              +----------------+
    |        |-------(F) Access Token*----->|    Resource    |
    | Sub-   |                              |     Server     |
    | Agent  |<---(G) Protected Resource----|                |
    +--------+                              +----------------+]]></artwork>
        </figure></t>

      <section title="Extension for Client Registration">
        <t>Before initiating the protocol, the leading agent registers with
        the authorization server, as defined in <xref target="RFC6749"/>.</t>

        <t>In this draft, the leading agent's role or capability is
        incorporated into its registration process. For example, the leading
        agent's profile includes a "capability" parameter with the value
        "resolve intent and distribute tasks".</t>
      </section>

      <section title="Authorization Request &amp; Response">
        <t>This section refers to step (A) and (B).</t>

        <t>The leading agent receives a requirement from the user, resolves it
        and determines the task(s) and sub-agent(s) needed to fulfill the
        requirement. For example, when the user sends the intent "give me
        real-time health advice" to the leading agent, the leading agent
        resolves this intent and identifies three tasks: task 1 (collect the
        user's health data), task 2 (predict the user's health status) and
        task 3 (provide health advice based on health status). The leading
        agent then utilizes the agent discovery process to select sub-agent(s)
        capable of performing the respective tasks. For instance, task 1
        assigned to sub-agent 1, task 2 to sub-agent 2, and task 3 to
        sub-agent 3. In the subsequent authorization process proposed in this
        draft, the leading agent is designated as the applier, and the
        selected sub-agent(s) are designated as the client(s).</t>

        <t>The leading agent requests authorization from the resource owner,
        as defined in <xref target="RFC6749"/>.</t>
      </section>

      <section title="Access Token Request &amp; Response">
        <t>This section refers to step (C) and (D).</t>

        <t>The leading agent requests an access token by authenticating with
        the authorization server and presenting the authorization grant, as
        defined in <xref target="RFC6749"/>. The message may also include the
        following parameter:</t>

        <t><list style="hanging">
            <t hangText="applier_id">OPTIONAL. The identifier of the applier
            which is requesting access token on behalf of the client(s).</t>
          </list>The authorization server authenticates the leading agent and
        validates that the leading agent is capable of requesting access
        tokens on behalf of sub-agent(s). For example, it checks whether the
        leading agent's profile includes a "capability" parameter whose value
        includes "distribute tasks".</t>

        <t>If the validation is successful, the authorization server may
        verify grants as defined in <xref target="RFC6749"/>. Then the
        authorization server generates access token and send access token
        response message to the leading agent. The access token is similar to
        OAuth2.0, except that it consists of an additional claim to specify
        the applier.</t>

        <t><list style="hanging">
            <t hangText="app">OPTIONAL. The identifier of the applier which is
            requesting access token on behalf of the client(s).</t>
          </list></t>

        <t>The access token includes one *app* parameter and multiple
        *sbj*-*aud*-*scope* grants. Below is an example:</t>

        <t><list style="empty">
            <t>{</t>

            <t><list style="empty">
                <t>"iss": "authorization server ID",</t>

                <t>"app": "leading agent ID",</t>

                <t>"grants": [</t>

                <t>&nbsp;&nbsp;{ "sbj": "sub-agent 1 ID",</t>

                <t>&nbsp;&nbsp;&nbsp;&nbsp;"aud": ["resource server 1
                ID"],</t>

                <t>&nbsp;&nbsp;&nbsp;&nbsp;"scope": "..." },</t>

                <t>&nbsp;&nbsp;{ "sbj": "sub-agent 2 ID",</t>

                <t>&nbsp;&nbsp;&nbsp;&nbsp;"aud": ["resource server 1
                ID","resource server 2 ID"],</t>

                <t>&nbsp;&nbsp;&nbsp;&nbsp;"scope": "..." },</t>

                <t>&nbsp;&nbsp;{ "sbj": "sub-agent 3 ID",</t>

                <t>&nbsp;&nbsp;&nbsp;&nbsp;"aud": ["resource server 2
                ID","resource server 3 ID"],</t>

                <t>&nbsp;&nbsp;&nbsp;&nbsp;"scope": "..." }</t>

                <t>]</t>
              </list>}</t>
          </list>If the validation fails, the access token response message
        may include the reason for failure. <xref target="RFC6749"/> has
        defined types of error response. In this case, the authorization
        server may use a new error message "unauthorized_applier" to indicate
        that the leading agent is not capable of requesting access tokens on
        behalf of sub-agent(s).</t>
      </section>

      <section title="Access Token Transmit">
        <t>This section refers to step (E).</t>

        <t>The leading agent sends the task ID and access token* to the
        sub-agent(s). Based on local policies and regulations, the leading
        agent may use privacy protection mechanisms to process the access
        token. Thus, the access token* may be the same as the access token, or
        generated from the access token using privacy protection mechanisms.
        For example, the leading agent uses a selective disclosure algorithm
        to generate access token 1, access token 2, and access token 3 from
        the access token received in step (D). Access token 1 may include the
        leading agent ID and sub-agent 1 ID; access token 2 may include the
        leading agent ID and sub-agent 2 ID; access token 3 may include the
        leading agent ID and sub-agent 3 ID. The applier may then send access
        token 1 to sub-agent 1, access token 2 to sub-agent 2, and access
        token 3 to sub-agent 3.</t>

        <t>The sub-agent(s) validate the proof of the received access token*
        and check whether the applier ID refers to a trustworthy leading
        agent. For example, each AI agent is preconfigured with a list of
        trusted AI agents, and any one of the trusted AI agents that acts as a
        leading agent will pass the validation.</t>

        <t>If the validation fails, the client(s) may send a response message
        to the applier with a failure indication of "unknown_applier".</t>
      </section>

      <section title="Access Token Verify">
        <t>This section refers to step (F) and (G).</t>

        <t>The sub-agent(s) execute the task according to message received in
        step (E). When resources are needed, the sub-agent(s) request the
        protected resource from the resource server and present the access
        token*, as defined in <xref target="RFC6749"/>. The resource server
        validates the access token*, as defined in <xref target="RFC6749"/>.
        If the access token* includes multiple *sbj*-*aud* pairs, the resource
        server may verify that its own ID and the sub-agent's ID are in the
        same pair. In the previous example of the access token, "sub-agent 1
        ID" and "resource server 1 ID" are in the same pair.</t>

        <t>If the validation succeeds, the resource server may provide the
        resource to the client(s).</t>
      </section>
    </section>

    <section title="Procedure of Dynamic Task Group Authorization">
      <t>This protocol flow is modeled after <xref target="RFC6749"/> and
      extends it with task credentials bound with the access token.</t>

      <t><figure anchor="fig-dynamic"
          title="Dynamic Task Group Authorization Flow">
          <artwork><![CDATA[
  +-------+                              +-------------+
  |       |  (A) Authorization Request   |             |
  |       |----------------------------->|  Resource   |
  |       |  (B) Authorization Grant     |    Owner    |
  |       |<-----------------------------|             |
  |Leading|                              +-------------+
  | Agent |   (C) Authorization Grant    +-------------+
  |       |--------(task, key)---------->|             |
  |       |                              |Authorization|
  |       |      (D) Access Token        |   Server    |
  |       |<-------(task, key)-----------|             |
  +-------+                              +-------------+
      |
  (E) Access Token* & Task Credential
      |
  +---v---+                              +-------------+
  |       |      (F) Access Token*       |             |
  | Sub-  |----------------------------->|  Resource   |
  | Agent |     (G) Protected Resource   |   Server    |
  |       |<-----------------------------|             |
  +-------+                              +-------------+]]></artwork>
        </figure></t>

      <section title="Extension for Client Registration">
        <t>Before initiating the protocol, the leading agent registers with
        the authorization server.</t>
      </section>

      <section title="Authorization Request &amp; Response">
        <t>This section refers to step (A) and (B).</t>

        <t>The leading agent receives a requirement from the user, resolves it
        and determines the task(s) and client(s) needed to fulfill the
        requirement. The leading agent requests authorization from the
        resource owner. Detailed procedures are similar to Section 3.2.</t>
      </section>

      <section title="Access Token Request &amp; Response">
        <t>This section refers to step (C) and (D).</t>

        <t>The leading agent requests an access token by authenticating with
        the authorization server and presenting the authorization grant, as
        defined in <xref target="RFC6749"/>. The message may also include the
        following parameter:</t>

        <t><list style="hanging">
            <t hangText="task">OPTIONAL. The identifier or description of the
            task which is resolved from intent.</t>

            <t hangText="key">OPTIONAL. The index that point to the public key
            of the leading agent that is used to issue task credentials.</t>
          </list>The authorization server authenticates the leading agent and
        validates that the leading agent is capable of executing specific
        task. What's more, the authorization server validates that the leading
        agent holds the private key related to the *key* received in the
        request message.</t>

        <t>If the validation is successful, the authorization server may
        verify grants as defined in <xref target="RFC6749"/>. Then the
        authorization server generates access token and send access token
        response message to the applier. The access token is similar to
        OAuth2.0 and OAuth2.0 DPoP, reuse the *subject* parameter to describe
        the access token is issued to agents that can execute specific task,
        and add a new parameter to point to the task credential (e.g. the
        public key used to issue task credentials).</t>

        <t><list style="hanging">
            <t hangText="key">OPTIONAL. The indication of public key of the
            leading agent that is used to issue task credentials. Any agent
            that holds the credential issued by this public key is authorized
            to request resources defined in the access token.</t>
          </list></t>

        <t>Below is an example:</t>

        <t><list style="empty">
            <t>{</t>

            <t><list style="empty">
                <t>"iss": authorization server ID,</t>

                <t>"sbj": task ID,</t>

                <t>"aud": resource server 1 ID,</t>

                <t>"key": public key for specific task</t>

                <t>...</t>
              </list>}</t>
          </list>If the validation fails, the access token response message
        may include the reason for failure. In this case, the authorization
        server may use a new error message "unrecognized_pk" to indicate that
        the validation of *key* sent by the leading agent is wrong.</t>
      </section>

      <section title="Access Token Transmit">
        <t>This section refers to step (E).</t>

        <t>After the leading agent selects sub-agent to execute task, it
        generates task credential and sends the credential with access token*
        to the sub-agent(s). The task credential is used to prove that the
        subject of the credential is selected by the leading agent to execute
        specific task. Optionally it includes the information of the related
        access token. The credential is signed by the leading agent using the
        private key related to the public key indicated by the *key* parameter
        in the access token. This credential can have multiple formats. Below
        is an example:</t>

        <t><list style="empty">
            <t>{</t>

            <t><list style="empty">
                <t>"issuer": leading agent ID,</t>

                <t>"subject": sub-agent ID,</t>

                <t>"claim": task ID</t>

                <t>"related token": hash of the access token</t>

                <t>...</t>

                <t>"proof": signature of leading agent</t>
              </list>}</t>
          </list></t>

        <t>The leading agent may resolve a list of multiple tasks based on one
        intent from the user. In this case, the *sbj* in the access token may
        involve several tasks. Based on local policies and regulations, the
        leading agent may use privacy protection mechanisms to process the
        access token. For example, the leading agent uses a selective
        disclosure algorithm to generate access token 1, access token 2, and
        access token 3 from the access token received in step (D). Access
        token 1 may include task ID 1; access token 2 may include task ID 2;
        access token 3 may include task ID 3. The leading agent may then send
        access token 1 to sub-agent 1, access token 2 to sub-agent 2, and
        access token 3 to sub-agent 3.</t>

        <t>The sub-agent(s) validate the received access token* and task
        credential, and validate the relationship of them. For example, to
        validate the task credential, the sub-agent(s) check whether the
        *subject* indicates a trusted leading agent, and whether the *proof*
        value is right; to validate the relationship, the sub-agent(s) check
        whether the task ID in the access token* is the same as the task
        credential, whether the key indicated by the access token* can be used
        to validate the proof of the task credential, and whether the token
        hash in the task credential is same as the hash of the access
        token*.</t>

        <t>If the task credential validation fails, the sub-agent(s) may send
        a response message to the applier with a failure indication of
        "invalid_credential". If the relationship validation fails, the
        sub-agent(s) may send a response message to the applier with a failure
        indication of "unknown_credential".</t>
      </section>

      <section title="Access Token Verify">
        <t>This section refers to step (F) and (G).</t>

        <t>The sub-agent(s) execute the task according to message received in
        step (E). When resources are needed, the sub-agent(s) request the
        protected resource from the resource server and present the access
        token*, as defined in <xref target="RFC6749"/>. Meanwhile, the
        sub-agent(s) send the task credential to the resource server. The
        resource server validates the access token*, as defined in <xref
        target="RFC6749"/>, and validates the task credential and the
        relationship between the access token* and the task credential.</t>

        <t>If the validation succeeds, the resource server may provide the
        resource to the client(s).</t>
      </section>
    </section>

    <section title="Scope-Bounded Task Group Authorization">
      <t>This section describes an optional enhancement to the static and
      dynamic task group authorization in Section 3 and Section 4. It is not a
      third task group formation policy; rather, it strengthens either policy
      by bounding the authority delegated to the task group as a whole and to
      each member. The authorization server issues a group authorization token
      that caps the authority of the whole group, and a member authorization
      token for each sub-agent whose authority is no broader than, and in
      aggregate does not exceed, the group's authority. This realizes least
      privilege at both the group and the member level and limits the impact
      if a single sub-agent is compromised.</t>

      <t><figure anchor="fig-scoped"
          title="Scope-Bounded Task Group Authorization Flow">
          <artwork><![CDATA[
  +--------+                               +----------------+
  |        |--(A) Authorization Request--->|    Resource    |
  |        |<-(B) Authorization Grant------|      Owner     |
  |        |                               +----------------+
  |        |
  |Leading |  (C) Token Request            +----------------+
  | Agent  |--(group req + member req(s))-->|                |
  |        |                               | Authorization  |
  |        |  (D) Group Token +            |    Server      |
  |        |<----Member Token(s)-----------|                |
  |        |                               |                |
  |        |  (H) Revocation Request       |                |
  |        |--(group / member token)------>|                |
  +--------+                               +----------------+
      |
  (E) Member Token (+ group token info)
      |
      v
  +--------+                               +----------------+
  |  Sub-  |--(F) Member Token------------>|    Resource    |
  | Agent  |<-(G) Protected Resource-------|     Server     |
  +--------+                               +----------------+]]></artwork>
        </figure></t>

      <t>Step (H) is performed when a sub-task or the whole task is completed,
      or when policy requires token revocation; it is not part of the initial
      token issuance.</t>

      <section title="Token Request and Issuance">
        <t>This section refers to steps (A) through (E).</t>

        <t>Before requesting tokens, the leading agent registers with the
        authorization server as in Section 3.1. The leading agent's profile
        may indicate whether it is authorized to manage a task group (e.g. a
        "capability" value "manage task group"). The leading agent resolves
        the user's requirement into one or more sub-tasks and selects the
        sub-agent(s) for them. The selection of sub-agents for sub-tasks is
        out of scope of this document; the leading agent may determine the
        sub-agents locally or use an external discovery or management
        function. The leading agent then obtains an authorization grant from
        the resource owner as in Section 3.2.</t>

        <t>When scope-bounded task group authorization is used, the token
        request to the authorization server includes the following
        parameters:</t>

        <t><list style="hanging">
            <t hangText="group_req">Information used to request the group
            authorization token. It includes the task information, and may
            include the group information and the leading agent
            information.</t>

            <t hangText="member_req">One or more entries, each used to request
            a member authorization token. Each entry includes the sub-agent
            information, and may include the group information.</t>
          </list></t>

        <t>The authorization server authenticates the leading agent and
        validates that it is capable of requesting tokens on behalf of a task
        group, as in Section 3.3. If validation succeeds, the authorization
        server generates a group authorization token based on the task
        information, and a member authorization token for each sub-agent based
        on the sub-agent information and the group permission scope.</t>

        <t>The authorization server ensures that each member permission scope
        is within the group permission scope: the member resource set,
        service-type set, and operation set are each no broader than the
        corresponding group set. For quantitative limits, such as access count
        or quota, the sum of the limits assigned to all member tokens does not
        exceed the corresponding limit of the group token.</t>

        <t>The group permission scope and member permission scope are each
        expressed in terms of one or more of: the set of resources, the set of
        service types, the set of permitted operations (e.g. read, query,
        update, subscribe), and a maximum access count. A minimal example, in
        which the member token is bounded by the group token, is:</t>

        <t><list style="empty">
            <t>group token:&nbsp; "grp":"G1",</t>

            <t>&nbsp;&nbsp;"scope": { "resources":["r1","r2"],</t>

            <t>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"operations":["read","update"],</t>

            <t>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"max_calls":100
            }</t>

            <t>member token: "grp":"G1", "sbj":"A1",</t>

            <t>&nbsp;&nbsp;"scope": { "resources":["r1"],</t>

            <t>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"operations":["read"],</t>

            <t>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"max_calls":20
            }</t>
          </list></t>

        <t>The authorization server returns the group authorization token and
        the member authorization token(s) to the leading agent. If a requested
        member permission scope cannot be bounded by the group permission
        scope, the authorization server may return a new error
        "scope_exceeds_group". The leading agent then delivers each member
        authorization token to the corresponding sub-agent, together with the
        sub-task identifier. The leading agent may also provide a reference to
        the group token when the sub-agent needs to verify that the member
        token is associated with a valid task group.</t>
      </section>

      <section title="Member Token Use">
        <t>This section refers to steps (F) and (G).</t>

        <t>The sub-agent executes its sub-task. When resources are needed, the
        sub-agent requests the protected resource from the resource server and
        presents its member authorization token, as defined in <xref
        target="RFC6749"/>. The resource server validates the member
        authorization token and verifies that the requested resource, service
        type, and operation are within the member permission scope, and that
        the member's access count has not been exceeded. The resource server
        may additionally verify, from the "grp" claim, that the member belongs
        to the expected task group. If the requested access is outside the
        member permission scope, the resource server denies the request.</t>
      </section>

      <section title="Token Revocation">
        <t>This section refers to step (H).</t>

        <t>When the whole task is completed, the leading agent sends a
        revocation request to the authorization server to revoke the group
        authorization token, optionally together with the member authorization
        token(s). When a sub-task is completed, the leading agent sends a
        revocation request to revoke the member authorization token of the
        sub-agent that executed the sub-task.</t>

        <t>Upon receiving a revocation request, the authorization server
        verifies that the leading agent has the permission to manage the task
        group (see Section 5.1) before revoking the token(s). After revoking a
        member authorization token, the authorization server may release the
        corresponding sub-agent instance. The group authorization token and
        member authorization token may be configured with a validity period,
        based on which the authorization server maintains token state. The
        leading agent may also send sub-task execution information that the
        authorization server uses to maintain the member authorization
        token(s).</t>
      </section>
    </section>

    <section title="Security Considerations">
      <t>This section discusses security considerations specific to
      multi-agent task group authorization.</t>

      <section title="Least Privilege and Permission Attenuation">
        <t>The two-tier token model in Section 5 enforces least privilege at
        two levels. The group authorization token bounds the total authority
        delegated to a task group, and each member authorization token is no
        broader than the group permission scope. Because the authorization
        server ensures that the member scopes are within the group scope and
        that quantitative limits sum to no more than the group's, a leading
        agent cannot, by partitioning work across many sub-agents, cause the
        group to collectively exercise more authority than was granted to the
        group as a whole.</t>
      </section>

      <section title="Containment of Compromised Sub-Agents">
        <t>A compromised sub-agent can only act within its member permission
        scope, which is typically much narrower than the group permission
        scope. This limits the impact of a single compromised member.
        Per-sub-task member token revocation (Section 5.3) further reduces
        exposure by removing a member's authority as soon as its sub-task
        completes, rather than waiting for the whole task to finish.</t>
      </section>
    </section>
  </middle>

  <back>
    <references title="Normative References">
      <reference anchor="RFC2119">
        <front>
          <title>Key words for use in RFCs to Indicate Requirement
          Levels</title>

          <author fullname="S. Bradner" initials="S." surname="Bradner"/>

          <date month="March" year="1997"/>
        </front>

        <seriesInfo name="BCP" value="14"/>

        <seriesInfo name="RFC" value="2119"/>

        <seriesInfo name="DOI" value="10.17487/RFC2119"/>
      </reference>

      <reference anchor="RFC6749">
        <front>
          <title>The OAuth 2.0 Authorization Framework</title>

          <author fullname="D. Hardt, Ed." initials="D." surname="Hardt"/>

          <date month="October" year="2012"/>
        </front>

        <seriesInfo name="RFC" value="6749"/>

        <seriesInfo name="DOI" value="10.17487/RFC6749"/>
      </reference>
    </references>

    <references title="Informative References">
      <reference anchor="multi-agent-research-system">
        <front>
          <title>How we built our multi-agent research system</title>

          <author fullname="">
            <organization>Anthropic</organization>
          </author>

          <date day="13" month="June" year="2025"/>
        </front>
      </reference>
    </references>
  </back>
</rfc>
