]> TaskHawk Systems LLC

Charlottesville VA United States of America j.mcgraw@taskhawktech.com

Web and Internet Transport HTTPAPI HTTP authentication delegated authority authority proof protected processing budget profile RateLimit COSE JOSE ML-DSA SLH-DSA CBOR Delegated software requesters increasingly make HTTP requests that spend, consume, disclose, mutate, invoke, or actuate on behalf of human or organizational principals. Existing HTTP authentication mechanisms indicate whether a requester holds a credential. RateLimit fields communicate server-advertised quota and current service-limit information. HTTP Message Signatures can protect selected components of an HTTP message. None of these mechanisms directly defines a common origin-server challenge for a requester to present verifiable, bounded authority from its principal before the server performs protected processing. This document defines the "Delegation" HTTP authentication scheme, response semantics for delegated-authority challenges using existing HTTP status codes and Problem Details, the Delegation-Proof HTTP field, and a COSE/CBOR proof carriage model for request-bound delegated authority. The initial authority profile is the Budget profile, which uses a CBOR/COSE Budget-Attestation envelope to prove bounded authority to spend, consume metered service units, or commit bounded resources. The mechanism is algorithm-agile; the initial cose-ml-dsa proof profile uses existing JOSE and COSE serializations for ML-DSA, with ML-DSA-65 as the baseline algorithm and ML-DSA-87 available as a high-assurance deployment policy option. A dedicated 4NN Delegated Authority Required status code remains an open design question for HTTP Working Group review; this revision does not depend on that status code and does not define payment semantics. About This Document Status information for this document may be found at . Discussion of this document takes place on the HTTPAPI Working Group mailing list (), which is archived at . Subscribe at .

Introduction Delegated software requesters acting on behalf of human or organizational principals increasingly make HTTP requests that may spend money, consume metered service units, disclose regulated data, mutate production state, invoke downstream services, or actuate external systems. HTTP authentication addresses whether a requester holds a usable credential. RateLimit fields communicate server-defined quota policies and current service-limit information. HTTP Message Signatures can provide integrity and authenticity for selected HTTP message components. OAuth Token Exchange and GNAP define ways to obtain or negotiate authorization artifacts. Delegated authority at the protected origin is a distinct HTTP requirement: before processing a consequential request, an origin server or gateway needs a common way to challenge for, receive, and verify a proof that the requester has bounded authority from its principal for that request. This document defines that challenge and proof-carriage layer. This document defines:

• The "Delegation" HTTP authentication scheme (), used in the WWW-Authenticate response field when delegated authority is required and in the Authorization request field of a subsequent request.
• Delegation challenge response semantics (), using 401 (Unauthorized) when a Delegation credential is absent, invalid, incomplete, or otherwise needs to be obtained, and 403 (Forbidden) when a Delegation credential is understood but is insufficient under local policy.
• The Delegation-Proof HTTP field (), used when delegated authority is additive to another origin-server authentication mechanism already carried in Authorization.
• A proof-profile model for request-bound authority. The initial Budget authority profile defines the Budget-Attestation envelope (), a CBOR-encoded , COSE-signed structure that carries semantic claims about issuer, requester, expiry, request binding, permitted rails, and amount.

The Delegation authentication scheme is algorithm-agile. The initial Budget cose-ml-dsa profile uses ML-DSA algorithm identifiers serialized for JOSE and COSE by , using the ML-DSA algorithm specified in . Implementations of this profile MUST support ML-DSA-65 and MAY support ML-DSA-87. A deployment MAY require ML-DSA-87 or another registered algorithm by local policy. A deployment MAY add an optional rail-keyed signature using SLH-DSA, aligned with the JOSE and COSE SLH-DSA work in and the SLH-DSA algorithm specified in . That optional signature is not a replacement for the primary signature. This document does not define a payment protocol. Settlement rails such as L402 , x402 , card payments, or other systems can use Delegation proofs or the Budget profile as input to their own policy and settlement flows; however, their settlement semantics are outside the scope of this document. In particular, this document does not depend on, redefine, or reserve any semantics for HTTP 402 (Payment Required). Scope and modularization: Sections 3 and 4 define the HTTP response semantics, authentication challenge, credential syntax, and HTTP field semantics for Delegation. Section 5 defines the initial Budget authority profile to demonstrate an interoperable cryptographic binding for one class of delegated authority. During standards progression, the Working Group can move one or more proof profiles into companion documents for review by the COSE, OAuth, or GNAP communities without changing the core HTTP semantics defined by the authentication scheme, Problem Details members, and field carriage.

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Principal:

The human, organization, service, or other authority holder on whose behalf a delegated requester acts.

Issuer:

An entity that issues a Delegation proof on behalf of a principal. In the Budget authority profile, the Issuer is the entity that issues Budget-Attestations.

Delegated Requester:

A client, workload, device, job, agent, or other software component that presents a Delegation proof issued by an Issuer in order to make HTTP requests within delegated bounds.

Agent:

A delegated requester. The term "agent" remains the motivating deployment case and appears in existing implementation field names; it is not a protocol requirement for any specific architecture.

Verifier:

An origin server, gateway, or intermediary that receives a Delegation proof, validates its signatures and claims, and decides whether to perform protected processing for the bearing request.

Protected Processing:

Application processing that the Verifier will not perform until the requester has presented a Delegation proof satisfying local policy. Examples include actions that spend, consume, disclose, mutate, invoke, or actuate.

Delegation Proof:

A verifiable object presented by a delegated requester to show bounded authority from a principal for a request or class of requests.

Authority Profile:

A profile that defines the claims, proof format, bounds, and verifier checks for a specific class of delegated authority. Budget is the initial authority profile in this document.

Budget Authority Profile:

The authority profile defined in for spending, consuming metered service units, or committing bounded resources.

Budget-Attestation:

The CBOR-encoded, COSE-signed Delegation proof defined for the Budget authority profile in .

Settlement Rail:

An out-of-band protocol or payment system used to transfer value or record resource consumption. Rail names can appear in field 7 of a Budget-Attestation. This document does not define how any settlement rail operates.

Rail-Keyed Signature:

An optional additional signature over the Budget-Attestation envelope, intended to bind a deployment's rail-specific policy to the same claims that the primary Issuer signature covers.

Applicability Delegation is a general HTTP mechanism for request-bound delegated authority. Autonomous software agents and paid-resource access are motivating deployment cases; however, the mechanism also applies to service workloads, CI/CD jobs, IoT or fleet devices, batch systems, scheduled data processors, delegated administration tools, and other requesters that need to prove bounded authority before protected processing occurs. The core mechanism is intentionally broader than budget. Authority profiles can define bounds for spending, service-unit consumption, compute allocation, data disclosure, infrastructure mutation, downstream invocation, procurement commitment, safety-relevant actuation, or other consequential actions. The Budget authority profile is the initial profile because it provides a concrete interoperable proof format and a clear deployment need. Budget-Claims field 3 carries the delegated requester identifier. Deployments MAY populate it with an agent identifier, service-account identifier, workload identity, device identifier, job identifier, or privacy-preserving alias. This field does not require the requester to be an AI system. Deployment APIs MAY continue using names such as agent_id at their local boundary, but that name is not encoded in the signed CBOR claims map.

Relationship to OAuth, GNAP, and Token Exchange OAuth Token Exchange defines an HTTP- and JSON-based Security Token Service pattern for obtaining security tokens, including delegation and impersonation cases. GNAP defines a grant negotiation and authorization protocol for delegating authorization to software and conveying the resulting artifacts. This document does not replace either protocol. Delegation defines the protected-resource challenge and presentation layer: an origin server or gateway can tell a requester which delegated authority proof is required before protected processing, and the requester can present a request-bound proof for verification. OAuth, GNAP, an STS, an issuer-managed key service, or another deployment-specific system can be used to obtain the proof. The issuance flow is outside the scope of this document. The delegation semantics in this document are closer to delegation than impersonation: the requester remains distinct from the principal, and the proof records that the requester is acting with bounded authority from the principal. The document does not define general identity authentication, user consent, account linking, or grant negotiation.

Relationship to Attribute Certificates X.509 attribute certificates define an older authorization mechanism separate from public-key identity certificates; describes authorization as the conveyance of privilege from one entity to another. Delegation follows the same broad separation between identity and authority, but does not define an X.509 attribute-certificate profile. It defines HTTP challenge semantics and HTTP proof carriage for request-bound delegated authority.

Relationship to RateLimit Fields RateLimit fields describe service limits from the server to the client. They tell the client what quota policy applies and what capacity is currently available under that server-defined policy. They are useful for throttling, backoff, and avoiding 429 responses. Delegation proofs travel in the opposite direction. They are client-presented credentials showing that an Issuer authorized a Delegated Requester to act within stated bounds on behalf of a principal. They are evaluated before the Verifier performs protected processing. This document defines a separate mechanism rather than extending RateLimit because a signed, bearer-presented authority proof has different issuer, freshness, replay, and verification semantics from server-advertised quota metadata. Extending RateLimit-Policy would change the issuer and trust model of RateLimit from server-authored quota advertisement into principal-authorized delegated authority, which is a different protocol semantic rather than a new quota parameter. The mechanisms are complementary:

• A server MAY return RateLimit fields on 200, 401, 403, 429, or other responses when it wants to communicate server-side quota state.
• A server MUST NOT treat RateLimit fields as a substitute for a Delegation proof, because RateLimit fields are not signed authority from the requester's principal.
• A Budget-Attestation MUST NOT be interpreted as a server quota promise. It only states the Delegated Requester's delegated authority under the Budget authority profile.

Property	RateLimit fields	Delegation proof
Direction	Server to client	Client to verifier
Issuer	Resource server or gateway	Issuer acting for the principal
Integrity	HTTP field semantics	COSE/JOSE signature
Purpose	Advertise quota and current service limits	Prove bounded delegated authority
Failure mode	Client might be throttled	Request fails before protected processing

Relationship to HTTP Message Signatures defines signatures over components of individual HTTP messages. A Delegation proof signs a portable authority object whose claims can be evaluated independently of a single HTTP message and, when required, bound to a particular bearing request. The two mechanisms can be composed: a Delegated Requester can send an HTTP-message signature that covers the request as transmitted and a Delegation proof that covers delegated authority for the action.

Relationship to HTTP 402 HTTP 402 (Payment Required) is reserved by HTTP Semantics . Some deployed payment systems use 402 responses as part of their own settlement flows. This document neither depends on those deployments nor defines their semantics. An implementation MAY use a Delegation proof or the Budget authority profile before invoking a settlement rail. Whether that later settlement interaction uses HTTP 402, a 401 challenge, a signed request body, or another transport is out of scope for this document.

Overview of Operation A protected origin determines that a request requires delegated authority and that no acceptable Delegation credential is present: It returns: The Delegated Requester obtains a Delegation proof from its Issuer by means outside this document and retries using body carriage. In this example the proof uses the Budget authority profile: If the attestation is valid for the request and local policy, the Verifier performs protected processing. If Delegation validation fails, the Verifier returns either a 401 or 403 response as described in and SHOULD include a reason extension member in the Problem Details body.

Delegation Challenge Responses Delegation uses existing HTTP authentication semantics as its baseline response model. A Verifier that requires delegated authority and receives no Delegation credential, an invalid Delegation credential, or a partial Delegation credential SHOULD send a 401 (Unauthorized) response containing a WWW-Authenticate response field with at least one Delegation challenge. This follows the HTTP authentication model in : the response supplies a challenge that the client can answer by obtaining or presenting a Delegation credential. A Verifier that receives a syntactically valid and authenticated Delegation credential that is insufficient for the requested resource, exceeds local policy, names an unacceptable authority profile, or otherwise does not authorize the request SHOULD send a 403 (Forbidden) response. A 403 response MAY include a WWW-Authenticate response field with a Delegation challenge when a different Delegation credential might allow the request to succeed; it MUST NOT include that challenge when local policy forbids the request independent of Delegation credential contents. A Delegation challenge response SHOULD include Cache-Control: no-store as defined by HTTP caching . A Delegation challenge response that contains a nonce, requester-specific policy, or other policy-sensitive material MUST include Cache-Control: no-store. A Delegation challenge response SHOULD include an application/problem+json or application/problem+cbor body using . The Problem Details object SHOULD contain an authority_requirements extension member when the Verifier can describe the delegated authority needed for the protected request. A profile MAY define additional profile-specific members; for example, the Budget authority profile can describe amounts, units, or accepted settlement rails. This document does not redefine HTTP 402 (Payment Required), and a Delegation challenge response MUST NOT be interpreted as a settlement request. A 429 (Too Many Requests) response remains the appropriate signal for server-side quota exhaustion.

Dedicated Status Code Design Question Earlier revisions proposed a dedicated 427 (Budget Required) status code for Budget challenges. The broader design question is whether HTTP needs a dedicated status code for delegated authority challenges. A future revision can request registration of a 4NN Delegated Authority Required status code if the HTTP Working Group concludes that existing 401 and 403 semantics plus WWW-Authenticate: Delegation and Problem Details are insufficient for interoperable clients, intermediaries, and API gateways. This revision therefore uses 401 and 403 as the baseline and does not request an HTTP status-code registration. Implementations that experiment with an unregistered 4xx status code MUST also support the 401/403 behavior defined in for interoperability.

Delegation Error Tokens When a Verifier returns a Delegation challenge response because a presented Delegation credential failed validation or did not satisfy policy, the Problem Details object SHOULD contain a reason extension member. The value of this member is a token identifying the validation failure. This document defines the following initial tokens:

• token_expired: The presented Budget-Attestation expiry value is in the past relative to the Verifier's clock.
• nonce_stale: The nonce in the attestation does not match a valid, unexpired challenge window.
• nonce_replay: The nonce has already been accepted by the Verifier within its replay-tracking window.
• bad_signature: Cryptographic validation of the primary signature or a required rail-keyed signature failed.
• untrusted_issuer: The issuer identifier in Budget-Claims field 2 identifies an issuer for which the Verifier has no explicit trust relationship.
• authority_insufficient: The signed authority bounds do not satisfy the requirement advertised by the resource server.
• budget_insufficient: The signed budget bounds in Budget-Claims fields 4 and 5 do not satisfy the budget requirement advertised by the resource server.
• version_unsupported: The Budget-Claims field 1 value, Delegation-Version field, or version challenge parameter is not supported by the Verifier.
• binding_mismatch: The request target URI, method, origin, or body digest does not match the signed request-binding values.

The "Delegation" Authentication Scheme The Delegation authentication scheme is used in WWW-Authenticate and Authorization fields.

Challenge Syntax The Delegation authentication scheme challenge uses the auth-param syntax defined by , Section 11.2: The realm and nonce parameters are REQUIRED. The profile parameter identifies an acceptable authority profile, such as budget. The proof-format parameter identifies an acceptable proof serialization, such as cose-ml-dsa. The alg parameter identifies one acceptable primary signature algorithm for the indicated proof format. A Verifier that accepts multiple algorithms SHOULD send separate Delegation challenges rather than overloading a single alg parameter with a list syntax. A challenge MUST NOT contain more than one alg parameter. Authority profiles MAY define additional challenge parameters; for example, a Budget profile can define accepted settlement rails while leaving rail semantics out of scope for this document. The nonce parameter MUST contain at least 128 bits of unpredictable entropy and MUST be generated by the Verifier for the protection space identified by realm. A Verifier MUST accept a nonce at most once. Replay of a nonce, absence of nonce state, or loss of the replay cache MUST cause the Verifier to reject the request. To reduce outstanding-challenge state, Verifiers SHOULD support self-authenticating nonce constructions. A self-authenticating nonce contains unpredictable bytes and integrity-protected metadata such as protection space, issuance time, key identifier, and policy binding. The nonce is authenticated with a server-held secret, for example using an HMAC or AEAD construction, and MUST NOT reveal that secret to clients. This construction allows a Verifier to validate the origin and age of a returned nonce without storing every issued challenge. It does not remove the requirement to enforce at-most-once acceptance; Verifiers still need accepted-nonce replay tracking or an equivalent replay-detection mechanism until the challenge can no longer be accepted. The max-age parameter, when present, is the validity window in seconds for the challenge parameters and nonce. It does not extend the Delegation proof lifetime. A Verifier MUST reject a Delegation proof whose nonce is older than max-age for the corresponding challenge. If max-age is omitted, Verifiers SHOULD apply a local default and that default SHOULD NOT exceed 900 seconds.

Credentials Syntax The credential token carries a base64url-encoded Delegation proof. If the encoded proof would exceed practical HTTP field size limits, the requester MUST send the proof in a request body with media type application/delegation-proof+cose or a profile-defined media type. The Budget cose-ml-dsa profile MUST support request-body carriage. Requesters using that profile SHOULD use body carriage by default because ML-DSA-backed COSE envelopes are large before base64url expansion and can exceed field-size limits enforced by intermediaries. A deployment profile MAY permit field carriage with Authorization: Delegation only when it defines accepted field-size limits and failure behavior. A Verifier MAY reject oversized field-carried credentials before CBOR or COSE decoding. A deployment MAY bind the body-carried proof to the request using Budget-Claims field 12 or a profile-defined request-binding structure. When the protected operation also requires an application request body, body-carried proof creates a packaging question: the HTTP request has only one content stream. A deployment profile that needs both a large Delegation proof and an application representation in the same protected operation MUST define one of the following before claiming interoperability:

• a field-carried proof path with explicit field-size limits and failure behavior;
• a media type that packages the proof and the application representation together, for example a multipart/related or profile-specific envelope; or
• a preflight or two-request flow in which the proof authorizes a subsequent request bound by nonce, target, and representation digest.

In all cases, the Budget profile's request-binding rules in apply to the protected operation. A proof body by itself MUST NOT cause the Verifier to process an unrelated application body unless the packaging profile defines how the two are cryptographically bound.

Multi-Scheme Composition and the Delegation-Proof Field The Delegation-Proof field carries a Delegation proof when the request already uses Authorization for another origin-server credential or when a deployment wants delegated authority to be visibly additive to another authentication scheme. The field value is a Structured Field Item whose bare item is a Byte Sequence containing a COSE/CBOR Delegation proof. If both Authorization: Delegation and Delegation-Proof are present, the Verifier MUST reject the request unless a deployment profile explicitly defines how the two credentials compose. This avoids ambiguity about which signed authority object is authoritative. The Authorization field MUST NOT be used to concatenate a non-Delegation credential and a Delegation credential into a single field value unless a future HTTP authentication scheme explicitly defines such composition. When identity authentication uses Authorization, delegated authority SHOULD be carried in the request body for the cose-ml-dsa profile or, for bounded low-footprint deployments, in the Delegation-Proof field. When a request carries both an identity credential and a Delegation proof, the Verifier MUST evaluate the identity authentication layer and the delegated authority layer independently. Failure of the identity authentication layer is handled according to that authentication scheme, typically with 401 or 403. Failure of the delegated authority layer is handled with the 401/403 response semantics defined in . The Delegation-Proof field is not the general-purpose carriage path for multi-kilobyte post-quantum attestations. Implementations of the cose-ml-dsa profile MUST support body carriage with media type application/delegation-proof+cose or a profile-defined media type. A deployment profile MAY permit Delegation-Proof field carriage only when it defines accepted field-size limits and failure behavior. If the target request also needs an unrelated representation body, that packaging profile MUST define how the Delegation proof and application representation are bound to each other.

Budget Authority Profile: Budget-Attestation Envelope The Budget authority profile defines a Budget-Attestation envelope as a COSE object carrying a CBOR claims set. The claims set is encoded using deterministic CBOR . The notation below uses CDDL . Encoders MUST follow the core deterministic encoding requirements of , Section 4.2.1. Verifiers MUST reject non-deterministic encodings and MUST verify signatures over the exact received deterministic encoding, not over a locally reserialized variant. This document defines the cose-ml-dsa Budget profile using integer-labeled CBOR claims to avoid a drift-prone translation between text claim names and signed bytes. The text names in comments below are descriptive only and are not encoded. uint, ; version 2 => tstr, ; issuer identifier 3 => tstr, ; delegated requester identifier 4 => tstr, ; authorized budget total or limit 5 => tstr, ; remaining budget 6 => tstr, ; currency or metered-unit identifier 7 => [+ tstr], ; permitted rails/actions/classes 8 => uint, ; issued-at ms since Unix epoch 9 => uint, ; expires-at ms since Unix epoch 10 => bstr .size (16..64), ; nonce from the Delegation challenge 11 => bstr, ; authorization chain or caveat proof 12 => bstr .size 32, ; representation/envelope/body digest 13 => tstr ; verifier or merchant binding } Request-Binding = { "method" => tstr, "uri-h" => bstr .size 32, "origin" => tstr, ? "body-h" => bstr .size 32 } Channel-Binding = { "type" => tstr, "value" => bstr } ]]> Fields 4 and 5 carry decimal string values rather than binary floating-point numbers. A Verifier MUST interpret them according to the authority profile's currency or metered-unit policy and MUST reject values it cannot parse unambiguously. A Delegation challenge response using the Budget profile can advertise a minimum budget, unit requirement, or action requirement in its Problem Details body; that response member is an input to client policy and does not become authoritative unless it is reflected in the signed claims. Field 11 is a profile-defined authorization chain or caveat proof. Deployments MUST specify the syntax and verification rules for this field before using it for interoperability. Field 12 is a SHA-256 digest slot used by deployments to bind an application representation, envelope, or body-digest object. A Verifier MUST NOT infer that field 12 protects an application body unless the deployment profile specifies exactly what bytes were hashed. The Request-Binding and Channel-Binding structures above are logical structures for profile extensions. They are not part of the integer-labeled Budget-Claims map unless a future revision assigns claim labels for them. They are included here to define the semantics that field 12 or a companion profile can bind to without changing the core Delegation challenge model.

Request-Binding Canonicalization When a Budget-Attestation is bound to a bearing HTTP request, the Issuer and Verifier MUST use the same canonical request components:

• method is the HTTP method token as received by the origin server. HTTP method tokens are case-sensitive; Verifiers MUST NOT case-normalize this value before comparison.
• origin is scheme "://" authority for the effective request URI as reconstructed by the Verifier after applying only trusted reverse-proxy configuration. The scheme and host are serialized in lowercase. A default port for the scheme is omitted; a non-default port is included.
• uri-h is SHA-256 over the UTF-8 serialization of the origin-form target: the path-abempty component followed by "?" and the query component when a query is present. Verifiers MUST NOT reorder query parameters, percent-decode and re-encode octets, remove dot segments, or otherwise transform the target before hashing.
• body-h, when used, is SHA-256 over the HTTP request content bytes after transfer-coding removal and before application parsing or content-coding transformation. If a request has no content, body-h SHOULD be omitted; if it is present, it MUST be the SHA-256 digest of the empty octet string.

If the Verifier cannot reconstruct these components deterministically, it MUST reject the Delegation proof rather than process the request under an ambiguous binding. A future profile extension can bind an attestation to an external channel-binding value such as a TLS exporter using a structure with the semantics of Channel-Binding above. This document defines the channel-binding semantics but does not assign a Budget-Claims label or define mandatory channel-binding types. A Verifier that implements such an extension MUST reject a channel-binding value whose type it does not understand or whose value does not match the locally computed channel-binding value for that type.

Primary Signature Every Budget-Attestation MUST contain exactly one primary Issuer signature. The primary signature MUST use an ML-DSA algorithm identifier registered for JOSE or COSE by . The Delegation authentication scheme is algorithm-agile. The Budget cose-ml-dsa profile defined by this document has the following interoperability requirements:

• Implementations of this profile MUST support ML-DSA-65.
• Implementations MAY support ML-DSA-87.
• Deployments MAY require ML-DSA-87 or another registered algorithm by local policy.
• Verifiers MUST validate that the signed protected-header algorithm matches local policy and MUST reject algorithm downgrades.

Future documents can define additional authority profiles or proof formats using other COSE or JOSE algorithm identifiers without changing the semantics of the Delegation authentication scheme.

Issuer Key Discovery and Trust A Verifier MUST establish trust in an Issuer public key before accepting a Budget-Attestation signed by that key. Trust can be established through local configuration, an authenticated out-of-band agreement, or an issuer-controlled HTTPS key-set endpoint. A Verifier MUST NOT treat an untrusted issuer identifier in Budget-Claims field 2 or arbitrary key URL in an attestation as sufficient authority to trust a key. One interoperable deployment profile is an issuer-controlled HTTPS key-set URI, for example https://example.com/.well-known/budget-issuer-keys, returning a COSE_KeySet with media type application/cose-key-set. A Verifier using this profile MUST authenticate the HTTPS origin, MUST require each accepted key to carry a key identifier usable as kid, MUST bind each key to the expected issuer and algorithm policy, and MUST reject the request if the key set is unavailable or omits the referenced key. Cached key material MUST NOT be used beyond its authenticated freshness lifetime. Key rotation SHOULD provide overlap between old and new keys for already-issued attestations. Implementation-specific JSON key-set formats MAY be used by deployments during migration, but such formats are not the interoperable key-discovery profile defined by this document unless a future revision specifies their media type, schema, and security processing rules. Deployments that publish JSON transition metadata SHOULD include enough information to map each public key to the corresponding RFC 9964 JOSE or COSE algorithm identifier and MUST NOT publish private AKP priv seed material.

Optional Rail-Keyed Signature A Budget-Attestation MAY contain an additional rail-keyed signature. A rail-keyed signature MUST NOT replace the primary Issuer signature and MUST NOT be accepted when the primary signature fails. When a deployment uses SLH-DSA for rail-keyed signatures, it SHOULD use the JOSE or COSE serializations defined by once those registrations are available. Until then, private-use algorithm identifiers MUST be treated as deployment-specific and MUST NOT be advertised as interoperable. Because SLH-DSA signatures can be tens of kilobytes, an attestation that contains a rail-keyed SLH-DSA signature MUST be carried in a request body using application/delegation-proof+cose or a profile-defined media type rather than in an HTTP field.

Verification A Verifier processing a Budget-Attestation MUST:

1. Decode the CBOR envelope and reject non-deterministic or malformed encodings.
2. Verify that Budget-Claims field 1 is supported.
3. Verify the primary signature against an Issuer key authorized for the issuer and kid.
4. Verify Budget-Claims fields 8 and 9, clock skew, and maximum lifetime. Verifiers MUST reject attestations where field 9 minus field 8 exceeds 900 seconds and SHOULD apply no more than 60 seconds of clock-skew tolerance unless local policy is stricter. Issuers and Verifiers SHOULD synchronize clocks using an authenticated time source suitable for the deployment.
5. Verify that Budget-Claims field 10 matches a live challenge and has not been used before.
6. Verify request binding against the bearing request, including method, origin, target URI hash, and body hash when present.
7. Verify rail, action, or resource-class policy when Budget-Claims field 7 is present.
8. Verify any rail-keyed signature required by local policy.

Failure at any step MUST cause the Verifier to reject the request.

Versioning This document defines version 1 of the Delegation authentication scheme and the initial Budget authority profile. A Delegation challenge response MUST include a Delegation-Version response field containing a Structured Field Integer . A Delegation challenge SHOULD also include a version auth-param when the Verifier supports more than one version or expects clients to use a specific version. A client that receives an unknown Delegation-Version value or version challenge parameter MUST NOT guess at wire compatibility. It MAY retry using a version it supports only when the server advertises that version through local policy or a future version-negotiation mechanism. A server that receives a Delegation credential or Delegation-Version request value for an unsupported version MUST reject the request using and a version_unsupported reason code, unless a future revision defines a different upgrade response.

IANA Considerations This section follows the guidance in and . The requested registrations use the existing HTTP and media-type registries.

HTTP Status Code This revision does not request a new HTTP status-code registration. The dedicated 4NN Delegated Authority Required design question is tracked in .

HTTP Authentication Scheme IANA is asked to register the following entry in the "Hypertext Transfer Protocol (HTTP) Authentication Scheme Registry" defined by :

Authentication Scheme Name	Reference	Notes
Delegation	This document,	Origin-server authentication using WWW-Authenticate and Authorization; not defined for proxy authentication

HTTP Field Name IANA is asked to register the following entry in the "Hypertext Transfer Protocol (HTTP) Field Name Registry":

Field Name	Status	Structured Type	Reference	Comments
Delegation-Version	permanent	Integer	This document,	Version of the Delegation authentication scheme and authority-proof profile
Delegation-Proof	permanent	Byte Sequence	This document,	Additive carriage of a Delegation proof when Authorization is used by another origin-server scheme

Delegation Error Token Registry IANA is asked to create a "Delegation Error Tokens" registry for tokens used in the Problem Details reason extension member defined by . The registration policy is Specification Required . Initial registrations are:

Token	Description	Reference
token_expired	The proof expired.
nonce_stale	The nonce is outside the accepted challenge window.
nonce_replay	The nonce was already accepted in the replay-tracking window.
bad_signature	A required signature failed validation.
untrusted_issuer	The issuer is not trusted by the Verifier.
authority_insufficient	The signed authority bounds do not satisfy the resource requirement.
budget_insufficient	The signed budget bounds do not satisfy the Budget profile requirement.
version_unsupported	The protocol or proof version is unsupported.
binding_mismatch	The signed request binding does not match the bearing request.

Media Type IANA is asked to register the following media type in the "Media Types" registry using the template from :

Type name:

application

Subtype name:

delegation-proof+cose

Required parameters:

N/A

Optional parameters:

cose-type, with the same semantics as the cose-type parameter for application/cose in .

Encoding considerations:

binary

Security considerations:

See .

Interoperability considerations:

Implementations need to support COSE processing, deterministic CBOR, and the algorithm identifiers profiled by this document.

Published specification:

This document.

Applications that use this media type:

HTTP clients, gateways, and origin servers that exchange Delegation proofs, including Budget-Attestation envelopes under the Budget authority profile.

Fragment identifier considerations:

This media type does not support fragment identifiers.

Additional information:

Deprecated alias names for this type: N/A; Magic number(s): N/A; File extension(s): N/A; Macintosh file type code(s): N/A.

Person & email address to contact for further information:

John McGraw, j.mcgraw@taskhawktech.com

Intended usage:

COMMON

Restrictions on usage:

N/A

Author:

John McGraw

Change controller:

IESG

Provisional registration?

No

Security Considerations Delegation proofs are bearer credentials until verified. HTTP exchanges carrying them MUST use TLS. Servers SHOULD scrub Authorization field values, Delegation-Proof field values, and body-carried Delegation credential values from logs. Verifiers MUST validate every check in before processing the protected request. Missing keys, unavailable verification dependencies, malformed CBOR, non-deterministic CBOR, expired proofs, signature failures, nonce replay, unsupported versions, and loss of nonce state all require request rejection. The COSE or JOSE algorithm identifier is part of the signed protected metadata. Verifiers MUST compare it against configured policy and MUST NOT let a challenge parameter or client preference downgrade the algorithm. Rail-keyed signatures are additive. They do not create authority without a valid primary Issuer signature. Key lifecycle is security-critical. Issuers SHOULD rotate signing keys on a predictable schedule, publish revocation information through the same trust channel used for key distribution, and avoid issuing attestations whose lifetime extends beyond the authenticated lifetime of the signing key. Verifiers MUST reject attestations signed by revoked, expired, or unexpected keys. Large post-quantum signatures can create denial-of-service pressure on HTTP parsers, HTTP field-section processing, and COSE libraries. ML-DSA-backed COSE envelopes are commonly too large to assume safe carriage through general-purpose HTTP fields after base64url expansion. Implementations MUST apply size limits before decoding, MUST bound CBOR nesting depth and map sizes, and SHOULD reject duplicate or unknown critical protected parameters before expensive signature verification. Verifier nonce state can itself become a resource-exhaustion target. Verifiers MUST bound the number of outstanding nonces per issuer, protection space, and client identity signal available to the deployment, and MUST expire unused nonces no later than their challenge max-age. When nonce state reaches a configured limit, the Verifier MUST reject requests that depend on an untracked nonce or shed unauthenticated challenge issuance rather than accept a request with an untracked nonce. At high scale, deployments SHOULD use self-authenticating nonces as described in so challenge issuance does not require allocating distributed state for every unauthenticated request. Such constructions reduce outstanding-challenge state but do not remove the need for bounded accepted-nonce replay tracking when at-most-once acceptance is required. The Budget authority profile describes channel-binding extension semantics for deployments that need binding to a particular TLS session or exporter value. Specific channel-binding types are not mandatory-to-implement in this revision and need profiling before they can be assumed interoperable. In the absence of channel binding, short lifetimes, single-use nonces, request binding, and replay-cache enforcement are mandatory replay controls.

Privacy Considerations These considerations are informed by the privacy guidance in . Delegation proofs can reveal delegated requester identifiers, principal or issuer identifiers, requested actions, authority bounds, rail preferences, and amount limits. Implementations SHOULD use short lifetimes, random nonces, data minimization in requester identifiers, and body carriage when field logging by intermediaries would create avoidable privacy risk.

References

References Normative References Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA). To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry. This is the third edition of this document; it obsoletes RFC 5226. This document defines procedures for the specification and registration of media types for use in HTTP, MIME, and other Internet protocols. This memo documents an Internet Best Current Practice. This document proposes a notational convention to express Concise Binary Object Representation (CBOR) data structures (RFC 7049). Its main goal is to provide an easy and unambiguous way to express structures for protocol messages and data formats that use CBOR or JSON. The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack. This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049. It does not create a new version of the format. Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines the CBOR Object Signing and Encryption (COSE) protocol. This specification describes how to create and process signatures, message authentication codes, and encryption using CBOR for serialization. This specification additionally describes how to represent cryptographic keys using CBOR. This document, along with RFC 9053, obsoletes RFC 8152. The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document describes the overall architecture of HTTP, establishes common terminology, and defines aspects of the protocol that are shared by all versions. In this definition are core protocol elements, extensibility mechanisms, and the "http" and "https" Uniform Resource Identifier (URI) schemes. This document updates RFC 3864 and obsoletes RFCs 2818, 7231, 7232, 7233, 7235, 7538, 7615, 7694, and portions of 7230. The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document defines HTTP caches and the associated header fields that control cache behavior or indicate cacheable response messages. This document obsoletes RFC 7234. Applications often use HTTP as a substrate to create HTTP-based APIs. This document specifies best practices for writing specifications that use HTTP to define new application protocols. It is written primarily to guide IETF efforts to define application protocols using HTTP for deployment on the Internet but might be applicable in other situations. This document obsoletes RFC 3205. This document defines a "problem detail" to carry machine-readable details of errors in HTTP response content to avoid the need to define new error response formats for HTTP APIs. This document obsoletes RFC 7807. This document describes a set of data types and associated algorithms that are intended to make it easier and safer to define and handle HTTP header and trailer fields, known as "Structured Fields", "Structured Headers", or "Structured Trailers". It is intended for use by specifications of new HTTP fields. This document obsoletes RFC 8941. This document specifies JSON Object Signing and Encryption (JOSE) and CBOR Object Signing and Encryption (COSE) serializations for the Module-Lattice-Based Digital Signature Standard (ML-DSA), a Post-Quantum Cryptography (PQC) digital signature scheme defined in US NIST FIPS 204. National Institute of Standards and Technology (NIST) In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References This document offers guidance for developing privacy considerations for inclusion in protocol specifications. It aims to make designers, implementers, and users of Internet protocols aware of privacy-related design choices. It suggests that whether any individual RFC warrants a specific privacy considerations section will depend on the document's content. This document describes a simple process that allows authors of Internet-Drafts to record the status of known implementations by including an Implementation Status section. This will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature. This process is not mandatory. Authors of Internet-Drafts are encouraged to consider using the process for their documents, and working groups are invited to think about applying the process to all of their protocol specifications. This document obsoletes RFC 6982, advancing it to a Best Current Practice. This specification defines a profile for the use of X.509 Attribute Certificates in Internet Protocols. Attribute certificates may be used in a wide range of applications and environments covering a broad spectrum of interoperability goals and a broader spectrum of operational and assurance requirements. The goal of this document is to establish a common baseline for generic applications requiring broad interoperability as well as limited special purpose requirements. The profile places emphasis on attribute certificate support for Internet electronic mail, IPsec, and WWW security applications. This document obsoletes RFC 3281. [STANDARDS-TRACK] This specification defines a protocol for an HTTP- and JSON-based Security Token Service (STS) by defining how to request and obtain security tokens from OAuth 2.0 authorization servers, including security tokens employing impersonation and delegation. This document describes a mechanism for creating, encoding, and verifying digital signatures or message authentication codes over components of an HTTP message. This mechanism supports use cases where the full HTTP message may not be known to the signer and where the message may be transformed (e.g., by intermediaries) before reaching the verifier. This document also describes a means for requesting that a signature be applied to a subsequent HTTP message in an ongoing HTTP exchange. The Grant Negotiation and Authorization Protocol (GNAP) defines a mechanism for delegating authorization to a piece of software and conveying the results and artifacts of that delegation to the software. This delegation can include access to a set of APIs as well as subject information passed directly to the software. Team Digitale, Italian Government Red Hat Microsoft This document defines the RateLimit-Policy and RateLimit HTTP header fields for servers to advertise their quota policies and the current service limits, thereby allowing clients to avoid being throttled. mesur.io Tradeverifyd University of the Bundeswehr Munich This document specifies JSON Object Signing and Encryption (JOSE) and CBOR Object Signing and Encryption (COSE) serializations for Stateless Hash-Based Digital Signature Standard (SLH-DSA), a Post- Quantum Cryptography (PQC) digital signature scheme defined in US NIST FIPS 205. National Institute of Standards and Technology (NIST) Coinbase, Inc. Lightning Labs

Implementation Status This appendix follows and is to be removed before publication as an RFC.

Kevros TaskHawk Systems operates a Kevros implementation that publishes public Delegation discovery and health metadata for a draft-02 compatibility surface, records reason-coded audit events, and reports proof-verification and rail-observation counters separately. Earlier Kevros releases experimentally emitted 427 Budget challenges; that behavior is implementation experience for the Budget authority profile only. It is not a request for status-code registration and is not required for interoperability with the 401/403 response semantics defined by this document. The Kevros compatibility surface exposes a 401/403 Delegation response mode, Delegation-Version metadata, Authorization: Delegation, Delegation-Proof, JSON delegation_proof, and application/delegation-proof+cose carriage for the same Budget profile proof bytes. It also advertises RFC 9964 ML-DSA algorithm identifiers in public metadata while keeping private key material out of issuer-key discovery. Private no-spend proof workflows exist for Budget-Attestation verification, but each run is evidence only for the specific commit and deployment state under test. Public challenge/discovery metadata, Delegation proof verification, Budget-Attestation verification, rail observation, settlement, and revenue are separate evidence lanes and are not equivalent. This document makes no live verified-use, settlement, or revenue claim. This implementation is provided as implementation experience only.

Changes Since -01

• Refactored the core mechanism from Budget-specific language to the Delegation HTTP authentication scheme for request-bound delegated authority.
• Made Budget the initial authority profile rather than the protocol boundary.
• Replaced core Budget challenge examples with WWW-Authenticate: Delegation, Delegation-Version, Delegation-Proof, and authority_requirements.
• Made 401 and 403 with WWW-Authenticate: Delegation and Problem Details the baseline response model for delegated-authority challenges.
• Moved the dedicated status-code question to 4NN Delegated Authority Required instead of requesting status-code registration in this revision.
• Tightened the alg challenge parameter to one algorithm per challenge.
• Kept the COSE/CBOR Budget-Attestation profile separable from the core HTTP authentication and Problem Details semantics.
• Replaced explanatory text-claim CDDL with the integer-labeled Budget claims map used by the initial cose-ml-dsa Budget profile.
• Added request-binding canonicalization rules and called out the packaging question for large proof bodies plus application request bodies.
• Clarified that JSON issuer-key discovery formats are transition metadata, not the interoperable COSE_KeySet profile.

Changes Since -00

• Removed language implying HTTP 402 semantics are controlled by deployed payment protocols.
• Added and .
• Updated ML-DSA serialization references to and changed the initial cose-ml-dsa interoperability baseline to ML-DSA-65, with ML-DSA-87 available as a high-assurance deployment policy option.
• Kept rail-keyed SLH-DSA optional and body-carried.
• Made body carriage mandatory to implement for the cose-ml-dsa profile and recommended by default for post-quantum Budget-Attestation envelopes.
• Kept Authorization: Delegation and Delegation-Proof as explicitly bounded field-carriage options for deployment profiles that define accepted field sizes and failure behavior.
• Added nonce replay, key-distribution, IANA, deterministic-CBOR, and expanded security text based on review feedback.
• Aligned the attestation lifetime rule with implementation behavior: exp - iat greater than 900 seconds is a verifier rejection condition.
• Tightened Implementation Status to separate challenge emission, Budget-Attestation verification, rail observation, settlement, and revenue.