Attenuating Authorization Tokens for Agentic Delegation Chains

1.1. Limitations of Existing OAuth Mechanisms for Agentic Delegation

OAuth 2.0 Token Exchange [RFC8693] enables a principal to obtain a new token with reduced scope by contacting the authorization server. The server enforces the scope reduction. This requires a synchronous round-trip to the authorization server at each delegation hop. In multi-agent chains, this makes the authorization server a participant in every delegation decision, coupling the delegation topology to authorization server (AS) availability. [RFC8693] supports representing prior delegation actors via nested act claims, but those claims are informational for access control decisions rather than a cryptographically self-verifiable attenuation chain. The AS mediates each grant independently, and RFC 8693 does not define a token-local mechanism for proving that downstream delegation intent remains consistent with the original authorization scope.¶

Rich Authorization Requests (RAR) [RFC9396] extend OAuth tokens with structured authorization detail objects, enabling expressive capability descriptions. RAR addresses the expressiveness problem. It does not define how a token holder can produce a narrower token, or how a chain of such derivations can be verified.¶

Proposals to extend the authorization code flow with explicit agent consent, such as introducing a requested_actor parameter at the authorization endpoint, address who the agent is and whether the user approved the delegation. They do not constrain which tools the agent may invoke or with what argument values. AATs are complementary: they scope authority to specific tools and arguments after identity and consent have been established.¶

To the author's knowledge, no existing OAuth standard defines a delegation chain protocol with token-local chain authentication, deterministic attenuation checks, and offline chain verification.¶

1.2. Design Goals

1. Least privilege at the invocation boundary. An agent's authorization token encodes which tools it may call and with what argument constraints, scoped to the task, not to the full authority of the calling principal.¶

2. Offline derivation. A token holder can derive a more restrictive token without contacting the root issuer.¶

3. Independent chain verification. Any enforcement point holding the trust anchor can verify the complete delegation chain without network calls.¶

4. Verifiable attenuation. A derived token cannot grant broader authority than its parent, and this property can be verified from the signed chain.¶

5. JWT/JWS interoperability. The primary encoding specified in this document represents AATs as signed JWTs [RFC7519] using JWS [RFC7515], allowing deployments to verify chains using existing JSON Object Signing and Encryption (JOSE) infrastructure without new cryptographic dependencies.¶

1.3. Relationship to Prior Work

Macaroons [MACAROONS] introduced the concept of attenuating tokens with contextual caveats. Macaroons use HMAC chaining, which provides attenuation but not proof of possession, and express caveats as free-form predicates evaluated at the target service at runtime. This specification adds asymmetric proof of possession, structured tool-level capability claims, and a typed constraint vocabulary. It defines a normative subsumption relation, enabling any party holding the chain to verify monotonicity structurally, without predicate evaluation at a central service.¶

Biscuit [BISCUIT] extends the Macaroons model with public-key signatures and offline attenuation. Biscuit expresses authorization policies in a Datalog variant, requiring a logic engine at verification time. This specification uses structured constraint types decidable by structural analysis and defines an explicit delegation-chain model with holder-bound invocation-time proof of possession, chain-position claims, and attenuation invariants. A detailed comparison appears in Appendix A.¶

Recent OAuth work on transaction tokens [OAUTH-TXN-TOKENS] and identity and authorization chaining [OAUTH-ID-CHAINING] addresses the propagation of identity, actor, transaction, and authorization context across service and trust-domain boundaries. AATs are complementary: they define token-local, holder-derivable attenuation of concrete tool-and-argument authority within a delegation chain, with offline verification by the enforcement point.¶

The capability-based security model underlying AATs draws on [DENNIS66], which introduced capabilities as unforgeable tokens of authority, and [MILLER06], which formalized the principle of least authority (POLA) and the attenuation property in object-capability systems. AATs apply these principles at the protocol layer: each token is a capability scoped to specific tools and arguments, and derivation can only attenuate, never amplify, the authority it carries.¶

[DEEPMIND26] argues that safe multi-agent delegation requires explicit transfer of authority, responsibility, and trust at each delegation step, with bounded operational scope. [CAMEL25] shows that capability-based controls enforced at the tool boundary can provide provable security properties in an agentic framework. These results motivate a protocol-layer mechanism that encodes delegation scope in verifiable credential artifacts enforced independently of model behavior. AATs realize one protocol-layer approach to that goal.¶

3.1. Chain Position and Invocation Semantics

This specification does not define separate token types for delegation and execution. An AAT's role is determined by its position in the presented chain.¶

The root token establishes the authority ceiling. Intermediate tokens record attenuations made by holders along the delegation path. The leaf token is the token whose holder presents a PoP JWT and whose capability claims are evaluated against the requested tool invocation.¶

A holder of any AAT MAY derive a child token when del_depth is strictly less than del_max_depth. The derived token MUST carry authority equal to or narrower than the parent token, as enforced by the capability monotonicity invariant (I4, Section 4.5). A token MUST NOT be accepted for a tool invocation except as the leaf of a successfully verified chain.¶

3.2. Common Claims

The following claims appear in all AATs. All claims listed as REQUIRED MUST be present. Claims listed as OPTIONAL MAY be omitted; their absence carries the semantics described in the table.¶

Implementations MUST support Ed25519 [RFC8032] for token signing and verification. Implementations MAY support additional algorithms.¶

In both root and derived tokens, iss is a URI. For root tokens, iss is a URI identifying the root issuer, consistent with conventional OAuth usage. For derived tokens, iss is a JWK Thumbprint URI [RFC9278] of the form urn:ietf:params:oauth:jwk-thumbprint:sha-256:<thumbprint>, where <thumbprint> is the SHA-256 JWK thumbprint ([RFC7638]) of the signing key. This makes I1 verifiable offline: the enforcement point can confirm that the thumbprint embedded in derived.iss matches parent.cnf.jwk without any external lookup.¶

This specification intentionally omits the sub claim. In conventional OAuth tokens, sub identifies the resource owner or principal on whose behalf the token is issued. In an AAT chain, the holder's identity is fully determined by cnf.jwk: the entity presenting the token proves possession of the private key corresponding to cnf.jwk. Including a sub claim would introduce an additional identity binding that is not cryptographically enforced by this specification and could be set arbitrarily by any delegating party. Implementations that require a human-readable subject identifier MAY convey one in additional JWT claims outside this specification (see Appendix B.6).¶

3.3. Capability Claims via authorization_details

This specification profiles [RFC9396] for tool-level capability claims. An AAT capability entry is an authorization_details entry whose type is set to "attenuating_agent_token". Such an entry MUST include a tools member that maps tool names to argument constraint sets.¶

{
  "authorization_details": [
    {
      "type": "attenuating_agent_token",
      "tools": {
        "read_file": {
          "path": {
            "constraint_type": "one_of",
            "values": ["/data/q3-report.pdf", "/data/q4-report.pdf"]
          }
        },
        "search_index": {
          "query": {
            "constraint_type": "one_of",
            "values": ["public filings", "public releases"]
          },
          "limit": { "constraint_type": "range", "max": 100 }
        }
      }
    }
  ]
}

A tool entry with an empty constraint map {} is valid and indicates that the tool is authorized without argument restrictions.¶

When a tool entry contains one or more argument constraints, the enforcement point operates in closed-world mode for that tool invocation: any argument not named in the constraint map MUST be rejected. A constrained argument that is absent from the invocation MUST also be rejected. The presence of a constraint asserts that the issuer has reasoned about that argument. An invocation that omits it has not been validated against that reasoning. This is a security property, not a configuration option.¶

Issuers who wish to permit an argument to be omitted MUST NOT include a constraint for it in the constraint map. There is no "optional constraint" mechanism; the constraint map is a closed specification of the required invocation shape. To authorize an argument without restricting its value, use a wildcard constraint (see below). Optional constrained arguments are outside the core constraint model; profiles or extension constraint types that require such behavior must define it explicitly.¶

A token issuer that wishes to allow unconstrained arguments alongside constrained ones MUST explicitly include a wildcard constraint for each argument that should be unrestricted. A wildcard constraint satisfies closed-world mode while permitting any value for that argument (see Section 3.4). Enforcement points MUST enforce closed-world mode and MUST NOT permit unconstrained arguments when any constraint is present for the tool (see Section 7, step 6b).¶

The authorization_details array MAY contain entries of other types alongside attenuating_agent_token entries, consistent with the extensibility model of [RFC9396]. Enforcement points implementing this specification process only entries with type set to attenuating_agent_token and MUST ignore entries of other types. An authorization_details array containing multiple entries with type: "attenuating_agent_token" is invalid; the tools map in a single entry provides sufficient structure for all tool-level capability claims.¶

Root tokens and leaf tokens MUST contain exactly one entry with type: "attenuating_agent_token". Non-leaf derived tokens MAY contain zero entries of this type, in which case they represent the empty capability set and can only derive further empty-capability tokens. Such a non-leaf derived token MAY carry an empty authorization_details array.¶

3.4. Argument Constraints

Each argument constraint is an object with a constraint_type member and type-specific members. The following constraint types are defined normatively. The check predicate and subsumes relation for each type are normative: two independent implementations MUST produce identical results when evaluating either predicate against the same inputs.¶

The core constraint set is intentionally limited to constraint types with simple, deterministic, format-independent check and subsumes rules. Domain-specific matchers and policy-language constraints, such as resource-identifier matchers, URI or path normalization rules, or authorization policy expressions, are not core constraint types. To be used interoperably in AAT authorization_details, they MUST be defined as registered extension constraint types (Section 3.5). The registration process confirms that the extension defines an unambiguous runtime check predicate and a decidable, sound, and deterministic subsumes procedure. Deployments requiring richer policy expressiveness SHOULD use a registered extension constraint type (see Appendix C).¶

Enforcement points MUST reject invocations where any argument violates its associated constraint. Enforcement points MUST deny authorization if they encounter a constraint_type they do not recognize (fail-closed behavior). This fail-closed rule applies only to constraint types within authorization_details. Enforcement points MUST ignore unrecognized top-level JWT claims; a token MUST NOT be rejected solely because it contains claims outside those defined in this specification.¶

Composite constraint types (all, any) are recursive. MAX_CONSTRAINT_DEPTH is an implementation-defined finite integer specifying the maximum nesting depth of a constraint tree. Implementations MUST enforce a finite MAX_CONSTRAINT_DEPTH to prevent resource exhaustion from pathologically deep constraint trees. A value of 32 is RECOMMENDED. Enforcement points MUST reject any constraint tree whose nesting depth exceeds MAX_CONSTRAINT_DEPTH.¶

3.5. Extension Constraint Registry

Implementations MAY define extension constraint types beyond those listed in Section 3.4. Extension constraint types MUST be registered in the IANA AAT Constraint Type Registry defined in Section 10.3. The registry exists to preserve security and interoperability in the presence of domain-specific constraints; it is not a requirement that all implementations support arbitrary extensions. An enforcement point that does not recognize a registered extension type MUST deny authorization (Section 3.5.2), but it is not required to implement that type.¶

3.6. Examples

{
  "jti": "01957a3f-4e23-7b01-a9d1-0050569c2e4f",
  "iss": "https://auth.example.com",
  "iat": 1741600000,
  "exp": 1741603600,
  "del_depth": 0,
  "del_max_depth": 3,
  "cnf": {
    "jwk": {
      "kty": "OKP",
      "crv": "Ed25519",
      "x": "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo"
    }
  },
  "authorization_details": [
    {
      "type": "attenuating_agent_token",
      "tools": {
        "read_file": {
          "path": {
            "constraint_type": "one_of",
            "values": ["/data/q3-report.pdf", "/data/q4-report.pdf"]
          }
        },
        "search_index": {}
      }
    }
  ]
}

{
  "jti": "01957a41-0081-7c20-bf3a-00a0c91e1234",
  "iss": "urn:ietf:params:oauth:jwk-thumbprint:sha-256:KAKn...",
  "iat": 1741600120,
  "exp": 1741601920,
  "del_depth": 1,
  "del_max_depth": 3,
  "par_hash": "sha256_base64url_of_parent_token_signing_input",
  "cnf": {
    "jwk": {
      "kty": "OKP",
      "crv": "Ed25519",
      "x": "rAl9xvTDAeUADPnIWlGpFHtGg4Y8OqcQE5N4XYNdLPs"
    }
  },
  "authorization_details": [
    {
      "type": "attenuating_agent_token",
      "tools": {
        "read_file": {
          "path": {
            "constraint_type": "exact",
            "value": "/data/q3-report.pdf"
          }
        }
      }
    }
  ]
}

3.7. Root Issuer Support and Root Token Issuance

The token endpoint is used only for root AAT issuance. Derived tokens are created locally by token holders as described in Section 6 and do not require token endpoint interaction. Enforcement points verify presented chains offline as described in Section 7.¶

POST /token HTTP/1.1
Host: as.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
&authorization_details=%5B%7B%22type%22%3A%22attenuating_agent_
  token%22%2C...%7D%5D
&req_cnf=%7B%22jwk%22%3A%7B%22kty%22%3A%22OKP%22%2C...%7D%7D

{
  "access_token": "<compact-serialized AAT JWT>",
  "token_type": "aat",
  "expires_in": <seconds until exp>
}

4.1. Capability Lattice Model (Non-Normative)

The attenuation invariants in this section are instances of a single abstract structure: a capability lattice. This subsection states that structure informally to give readers a mental model for interpreting the normative rules that follow.¶

For a token T, define its capability set C(T) as the set of (tool, args) pairs that T authorizes (that is, the pairs for which T would permit invocation). The core security property of this protocol is:¶

C(child) ⊆ C(parent)

Every delegation step moves down or stays at the same position in this partial order. A derived token can only authorize a subset of what its parent authorized. It cannot add tools, loosen argument constraints, or extend the chain's authority in any dimension.¶

The ⊆ relation is not defined by enumerating (tool, args) pairs (argument spaces are typically infinite) but by the structural subsumption rules in Section 4.5. At the tool level, the derived token's tool set must be a subset of the parent's. At the argument level, when the parent's constraint map is non-empty, the derived token must preserve the parent's key set exactly (Section 4.5 explains why closed-world semantics require this).¶

When the parent's map is empty, the derived token may introduce keys, transitioning from open-world to closed-world. No per-key parent constraint exists in this case; the derived closed-world invocation set is a subset of the parent's unrestricted invocation set. When a parent constraint exists, a derived constraint c_child subsumes a parent constraint c_parent (written c_child ⊑ c_parent) if every argument value that satisfies c_child also satisfies c_parent.¶

Two boundary cases complete the structure. The empty capability set ∅ is the bottom element: a token with no tools authorized is a valid token that cannot authorize tool invocations. If it is not the leaf, it can only derive further empty-capability tokens. The root token's capability set is the ceiling for the entire chain: no derived token at any depth can exceed what the root authorized.¶

Token lifetime (I3) is a mandatory attenuation dimension orthogonal to the capability lattice. A derived token with C(child) == C(parent) is still strictly more constrained if its exp is earlier than its parent's. Time-to-live (TTL) bounds are enforced independently of capability monotonicity. Both must hold for a chain to be valid.¶

Invariants I1 through I6 are the normative enforcement mechanism for this property. I4 (Section 4.5) directly enforces C(child) ⊆ C(parent). The remaining invariants enforce the conditions under which that comparison is meaningful: that the chain is cryptographically linked (I1, I5), that depth and time bounds are respected (I2, I3), and that the presenter holds the key (I6).¶

4.2. I1: Delegation Authority

derived.iss == jwk_thumbprint_uri(parent.cnf.jwk)

where jwk_thumbprint_uri constructs the [RFC9278] URI from the key's SHA-256 thumbprint. The entity that signed the derived token MUST be the holder of the parent token. Authority flows from parent holder to derived token issuer. This invariant establishes a cryptographic holder-key trail: each link in the chain was signed by the party that held the preceding token. Attributing that key to a human, service, organization, or control plane is a deployment responsibility.¶

4.3. I2: Depth Monotonicity

derived.del_depth == parent.del_depth + 1
derived.del_depth <= parent.del_max_depth
derived.del_depth <= derived.del_max_depth
derived.del_depth <= MAX_DELEGATION_DEPTH
derived.del_max_depth <= parent.del_max_depth

Delegation depth increments exactly by one at each link. A presented chain is a single linear path: it cannot skip depths or contain the same token instance more than once. Broader delegation activity may form a graph across multiple derived tokens and chains, but each invocation is verified against one ordered root-to-leaf path. del_max_depth is an absolute ceiling, not a remaining count. A token is terminal (its holder cannot derive further tokens) when del_depth == del_max_depth. A root token with del_max_depth: 0 is therefore immediately terminal and cannot produce any derived tokens.¶

The del_max_depth claim is an issuer-imposed bound on chain growth. It limits resource exhaustion and bounds the number of offline trust extensions that can occur under one root grant. Issuers use this value to express the maximum delegation depth they are willing to authorize for the grant. Intermediate token holders can only lower del_max_depth, never raise it (I2), so the root issuer's depth bound is enforced by chain verification across the entire chain.¶

Issuers SHOULD set del_max_depth to accommodate the expected delegation topology, including subprocess delegation, operational handoffs, and holder-key handoff. A value that is too low can prevent downstream holders from expressing legitimate attenuation, increasing pressure to reuse broader tokens directly. Once a chain reaches del_max_depth, no descendant can extend it further; this specification defines no in-chain mechanism for increasing that ceiling.¶

MAX_DELEGATION_DEPTH is an implementation-defined finite integer specifying the maximum permitted delegation chain depth. Implementations MUST enforce a finite maximum delegation depth to prevent resource exhaustion from pathologically deep chains. The appropriate value depends on the deployment topology; swarm architectures with deep fan-out may require significantly larger values than linear delegation chains. See Appendix B.4 for guidance.¶

The del_max_depth claim in any token in the chain MUST NOT exceed the implementation's MAX_DELEGATION_DEPTH.¶

4.4. I3: TTL Monotonicity

derived.exp  <= parent.exp
derived.exp  >  now
derived.exp  >  derived.iat
derived.iat  >= parent.iat
derived.iat  <= now + MAX_IAT_SKEW
derived.exp  <= derived.iat + MAX_TOKEN_LIFETIME

MAX_IAT_SKEW is an implementation-defined finite integer specifying the maximum number of seconds a token's iat may be in the future relative to the enforcement point's clock. Implementations MUST enforce a finite MAX_IAT_SKEW. A value of 30 seconds is RECOMMENDED.¶

MAX_TOKEN_LIFETIME is an implementation-defined finite integer specifying the maximum permitted duration in seconds between a token's iat and exp. Implementations MUST enforce a finite MAX_TOKEN_LIFETIME. A value of 90 days is RECOMMENDED as an upper bound; deployments SHOULD use significantly shorter lifetimes in practice (see Appendix B.7).¶

A derived token cannot outlive its parent. Authority cannot extend beyond the lifetime of the token that granted it. A derived token's issuance time MUST NOT precede its parent's issuance time. A token with an earlier iat indicates clock manipulation or chain forgery. Tokens with iat more than MAX_IAT_SKEW in the future relative to the enforcement point's clock MUST be rejected. A token's lifetime MUST NOT exceed MAX_TOKEN_LIFETIME.¶

4.5. I4: Capability Monotonicity

tools(derived) ⊆ tools(parent)
∀ tool ∈ tools(derived):
  constraints(derived, tool) ⊑ constraints(parent, tool)

A derived token MUST NOT authorize tools that the parent did not authorize. For each tool that appears in both parent and derived token:¶

• If the parent's constraint map for that tool is non-empty, the derived token's constraint map MUST contain exactly the same set of argument keys. Under closed-world semantics (Section 3.3), the constraint map keys define the required invocation shape: any argument not named is forbidden, and any named argument must be present. Adding a key would produce invocations that the parent's closed-world check rejects (the extra argument is unknown). Dropping a key would produce invocations that omit a parent-required argument. In both cases the derived invocation set is disjoint from the parent's, not a subset.¶

• If the parent's constraint map is empty (open-world), the derived token MAY introduce constraint keys, transitioning to closed-world. Any closed-world constraint set is a subset of the unrestricted open-world set.¶

For each argument constraint key present in both parent and derived token, the derived constraint MUST be at least as restrictive as the parent's constraint.¶

Constraint subsumption is defined per constraint type. The normative rules are:¶

• exact: A derived exact constraint subsumes a parent constraint of the same or different type as follows: it subsumes a parent exact if the values are identical; it subsumes a parent range if the exact value is a number that falls within the parent range; it subsumes a parent one_of if the exact value is a member of the parent set; it subsumes a parent wildcard unconditionally. All other parent types are invalid cross-type targets for a derived exact constraint.¶

• range: A derived range constraint is valid only if its bounds are at least as restrictive as the parent's (derived min >= parent min, derived max <= parent max). A missing bound on the parent is treated as unbounded; a missing bound on the derived constraint is only valid if the parent bound is also missing. A derived bound's inclusivity may only become more restrictive: a derived min_inclusive: false is valid when the parent has min_inclusive: true at the same min value (exclusive is strictly tighter), but the reverse is not. The same applies to max_inclusive.¶

• one_of: A derived one_of constraint is valid only if its value set is a subset of the parent's value set. Cross-type pairs involving a derived not_one_of against a parent one_of are invalid: a not_one_of constraint accepts values outside the parent's permitted set and cannot be verified as subsuming a one_of without domain knowledge. Enforcement points MUST reject this cross-type pair.¶

• not_one_of: A derived not_one_of constraint is valid only if its excluded set is a superset of the parent's excluded set (can only add exclusions, never remove them).¶

• wildcard: A derived wildcard is valid only if the parent is also wildcard. Any other constraint type subsumes a parent wildcard.¶

• all: A derived all constraint is valid attenuation of a parent all if the derived constraint contains all clauses present in the parent (none may be dropped) and each corresponding clause satisfies the subsumption relation. The derived constraint MAY add additional clauses at any position, which only further restrict the accepted value set. Dropping any parent clause from the derived all would expand authority and MUST be rejected.¶

  Clause matching for all is subsumption-based: for each clause C_p in the parent array, the enforcement point MUST find at least one clause C_d in the derived array such that C_d subsumes C_p per this section. Each parent clause MUST be matched to a distinct derived clause (one-to-one assignment); a single derived clause MUST NOT be used to satisfy more than one parent clause. If any parent clause cannot be matched, the check MUST fail. Unmatched additional clauses in the derived array are permitted.¶

  The following pseudocode describes the matching algorithm. Because a greedy match can lead to a dead end, the algorithm backtracks until it finds a one-to-one assignment or exhausts the search space.¶

  function check_all_subsumption(parent_clauses, derived_clauses):
    used = set()
    return match(parent_clauses, 0, derived_clauses, used)
  
  function match(parents, idx, derived, used):
    if idx == len(parents):
      return PASS
    C_p = parents[idx]
    for i, C_d in enumerate(derived):
      if i not in used and subsumes(C_d, C_p):
        used.add(i)
        if match(parents, idx + 1, derived, used) == PASS:
          return PASS
        used.remove(i)    // backtrack
    return FAIL
  

  ¶

  The search space is bounded by the number of parent and derived clauses. Implementations MAY employ Hopcroft-Karp or similar maximum matching algorithms for the general case.¶

• any: A derived any constraint subsumes a parent any constraint if every clause in the derived constraint is subsumed by at least one clause in the parent constraint, using the per-type subsumption rules defined in this section. Formally: for each clause_d in derived.any.constraints, there MUST exist a clause_p in parent.any.constraints such that clause_d ⊑ clause_p. Removing clauses is valid (it narrows the accepted set). Adding clauses is invalid (it widens it). The derived any MUST contain at least one clause. Cross-type subsumption between clauses is permitted: for example, a derived clause of exact("pdf") is subsumed by a parent clause of one_of(["pdf", "csv"]) under the cross-type rules in this section.¶

  Example: a parent token carries any([exact("pdf"), exact("csv"), exact("xlsx")]). A derived token MAY carry any([exact("pdf"), exact("csv")]) because each derived clause is subsumed by a parent clause. A derived token MUST NOT carry any([exact("pdf"), exact("docx")]) because exact("docx") is not subsumed by any parent clause.¶

• contains: A derived contains constraint is valid attenuation of a parent contains if the derived required set is a superset of the parent's required set. Requiring additional elements is a restriction; removing required elements would expand the set of accepted argument arrays and MUST be rejected.¶

• subset: A derived subset constraint is valid attenuation of a parent subset if the derived allowed set is a subset of the parent's allowed set. Shrinking the allowed set is a restriction; adding allowed elements would expand the set of accepted argument arrays and MUST be rejected.¶

Any (parent constraint type, derived constraint type) pair not explicitly permitted by the above rules, or by a registered extension constraint's cross-type subsumption declaration (Section 3.5.1), MUST be rejected.¶

4.6. I5: Cryptographic Linkage

derived.par_hash ==
  base64url-nopad(SHA-256(parent token signing input))

Token signatures and par_hash serve distinct security roles. Signature verification authenticates each token under the verification key selected for that token: a trust anchor for a root token, or the parent token's cnf.jwk for a derived token. Delegation authority (I1) then checks that the child issuer corresponds to the parent holder key. However, these checks do not by themselves bind the child to a unique parent token instance when the same holder key has multiple compatible parent tokens. The par_hash claim provides that token-instance binding by committing the child to exactly one parent token's signing input.¶

Each derived token is cryptographically bound to its parent by including the SHA-256 digest of the parent token's signing input in the par_hash claim. For JWT/JWS AATs, the parent token signing input is the JWS Signing Input: the ASCII string BASE64URL(JWS Protected Header) || '.' || BASE64URL(JWS Payload) as defined in [RFC7515] Section 5.1.¶

This binding prevents grant-context substitution: a child token signed by a key that holds multiple compatible parent tokens cannot be re-associated with a different parent task grant. The capability set may still be attenuated, but the task/session lineage, revocation ancestry, approval context, or policy snapshot would change.¶

4.7. I6: Proof of Possession

pop_signature verifies under leaf.cnf.jwk

The presenter of a token chain MUST demonstrate control of the private key corresponding to the leaf token's cnf.jwk. Proof of Possession is defined in Section 5.¶

5.1. Rationale

A token without proof of possession can be replayed by any party that obtains a copy of the token. In agent systems, tokens flow through model context, tool invocation results, and inter-agent message channels, all of which are observable by other components. PoP binds a specific invocation to the private key of the leaf token's holder.¶

5.2. PoP Token Structure

The holder of the leaf token produces a PoP JWT for each tool invocation. The PoP JWT is a compact serialization signed with the holder's private key. It MUST contain the required claims listed below.¶

The PoP JWT payload MUST be serialized as JCS-canonical JSON ([RFC8785]) before JWS signing. This is a whole-payload requirement, not specific to the hta member. The JWS signing input is therefore BASE64URL(JWS Protected Header) || '.' || BASE64URL(JCS(PoP claims)). Whole-payload JCS canonicalization ensures a deterministic byte representation; in particular, it gives hta stable equality semantics so that argument map comparison is unambiguous across implementations and languages regardless of JSON serialization choices.¶

The PoP JWT MUST be signed using the private key corresponding to the leaf token's cnf.jwk. The enforcement point verifies the PoP JWT signature against the leaf token's cnf.jwk.¶

{
  "jti": "c980f2a1-4a37-4e88-bb3c-9defd37c1a45",
  "iat": 1741600300,
  "aat_id": "01957a41-0081-7c20-bf3a-00a0c91e1234",
  "aat_tool": "read_file",
  "aat_aud": "https://tools.example.com",
  "hta": { "path": "/data/q3-report.pdf" }
}

5.3. Verification

PoP verification is only meaningful against a leaf token whose chain has been fully verified per Section 7. An enforcement point MUST complete chain verification (Section 7, steps 1-6) before evaluating the PoP JWT. A valid PoP JWT against an unverified or invalid chain MUST NOT result in authorization.¶

The enforcement point MUST reject a PoP JWT that:¶

1. Has a signature that does not verify under the leaf token's cnf.jwk.¶

2. References an aat_id that does not match the jti of the presented leaf token.¶

3. When deployment policy requires PoP audience binding, omits aat_aud or contains an aat_aud claim that does not identify the enforcement point or resource accepting the invocation.¶

4. Names a tool in aat_tool that is not authorized by the leaf token.¶

5. Presents arguments in hta that violate constraints in the leaf token, per the verification algorithm in Section 7 (step 6b).¶

6. Has iat that is outside the enforcement point's accepted clock tolerance window (RECOMMENDED: ±30 seconds).¶

The PoP JWT iat timestamp and clock tolerance window bound the replay surface to a short interval. Implementations that wish to avoid shared state MAY use fixed-width time buckets (for example, accepting PoP JWTs whose iat falls within the current or immediately preceding 30-second bucket) to simplify enforcement point implementation.¶

Note: The time bucket approach is stateless but probabilistic: a PoP JWT captured early in a bucket remains usable until the end of the following bucket. This approach MUST NOT be used for tool invocations that have side effects or are not idempotent. For any tool invocation where duplicate execution causes unintended side effects, stateful jti tracking MUST be used.¶

Full replay prevention, which guarantees that a given PoP JWT is accepted at most once, requires stateful tracking of presented jti values across all enforcement points in a deployment. The mechanism for that state (shared cache, database, token-binding infrastructure) is deployment-specific and outside the scope of this specification. Deployments with strong replay prevention requirements SHOULD consult the security considerations in Section 8.5.¶

8.1. Threat Model

This section characterizes the threats that AATs mitigate and the threats that are outside the scope of this mechanism. Implementations SHOULD use this characterization to identify required complementary controls for their threat environment.¶

8.2. Attenuation as the Security Invariant

The capability-containment guarantee of this specification rests on the enforcement of the capability monotonicity invariant (I4). An enforcement point that fails to check I4, or that checks it incorrectly, provides no blast radius containment. The broader chain security properties also depend on the remaining invariants: delegation authority (I1), depth bounds (I2), lifetime bounds (I3), parent-token linkage (I5), and proof of possession (I6). Implementers MUST test I4 enforcement against the full constraint attenuation matrix in Section 4.5, including all (parent type, child type) pairs, and MUST reject all pairs not explicitly permitted.¶

Those other invariants rely on well-established cryptographic primitives and validation patterns with substantial prior art in deployed systems. I4 is novel. Formal verification of the I4 subsumption rules is in progress, using bounded model checking ([ALLOY]) for set-theoretic constraint types and SMT solving ([Z3]) for numeric and structural constraint types. Implementers are encouraged to publish independent analyses of both the core subsumption rules and any extension constraint types they deploy.¶

The Tenuo reference implementation includes a test suite covering monotonicity of the attenuation invariants under arbitrary sequences, normalization idempotence across encode/decode round-trips, and enforcement agreement between in-memory and deserialized constraint evaluation. See Appendix E for implementation status.¶

8.3. Root Key Compromise

A compromised trust anchor key allows an attacker to issue arbitrary root tokens. This breaks the security guarantees of all chains anchored to that key.¶

In the base chain verification algorithm, configured trust anchors are used to verify root tokens. Establishing, rotating, or revoking those trust anchors is outside the scope of this specification. Remote attestation mechanisms, such as the RATS architecture [RFC9334], can complement AAT deployments by providing evidence about root issuer or enforcement point environments.¶

Deployments SHOULD implement key rotation procedures and revocation mechanisms appropriate to their risk model. The specific mechanism for root key revocation, including revocation list formats, distribution protocols, and enforcement point update procedures, is outside the scope of this specification.¶

8.4. Holder Key Compromise

A compromised holder key allows an attacker to present existing tokens issued to that holder. The attacker cannot derive tokens with broader scope than the compromised token grants. Mitigation is revocation of tokens bound to the compromised key, or expiry-based recovery for short-lived tokens.¶

8.5. Replay Attacks

The PoP JWT binds a specific invocation to a fresh PoP jti, a timestamp, the target tool, the presented arguments, and, when required by deployment policy, the enforcement point or resource audience. The timestamp window limits the interval during which a captured PoP JWT remains usable to approximately twice the clock tolerance (RECOMMENDED: ±30 seconds, giving a window of roughly 60 seconds). This provides probabilistic replay resistance and is appropriate only for idempotent, read-only tool invocations where duplicate execution is harmless.¶

For tool invocations that are irreversible or have significant side effects, including financial transactions, data deletion, writes to external systems, and any operation that cannot be undone: enforcement points MUST implement stateful jti tracking for PoP JWTs and MUST NOT rely solely on the timestamp window for replay protection.¶

PoP JWTs are scoped to the invocation data they contain. Deployments with multiple enforcement points, resource servers, tenants, or resource contexts that could accept the same AAT chain SHOULD require the aat_aud claim and reject PoP JWTs whose audience does not identify the accepting enforcement point or resource. Without audience binding, a PoP JWT captured at one enforcement point may be replayable at another enforcement point that accepts the same chain, tool name, and argument map within the timestamp window, unless stateful jti tracking is shared across those contexts.¶

This specification requires stateful jti tracking for irreversible operations but does not define the storage backend, consistency model, or distribution protocol for that state. The required consistency properties depend on the deployment topology and the risk tolerance of the application. Deployments SHOULD treat the time-windowed PoP as a probabilistic control and layer additional idempotency mechanisms at the application level for high-value operations.¶

8.6. Constraint Evaluation

The core constraint types are intended to have predictable evaluation cost. Extension constraint types can introduce parser complexity, algorithmic cost, normalization requirements, or external policy-engine dependencies. Extension constraint types defined in Section 3.5 and registered in the IANA AAT Constraint Type Registry (Section 10.3) MUST document their computational complexity and any resource limits implementations SHOULD enforce. Enforcement points SHOULD impose evaluation timeouts on any extension constraint type whose check predicate is not O(n) in the length of the argument value.¶

8.7. Depth Limit

Enforcement points MUST enforce a finite MAX_DELEGATION_DEPTH to prevent resource exhaustion from artificially deep chains. The appropriate value is deployment-specific: linear orchestration chains require far fewer hops than swarm architectures with deep fan-out delegation. Implementations SHOULD choose a value that reflects the maximum chain depth their deployment topology requires, without imposing an artificial ceiling on legitimate use cases. See Appendix B.4 for guidance on selecting an appropriate value.¶

The security rationale for depth limiting goes beyond resource exhaustion. Each delegation hop introduces an additional agent into the trust chain: the enforcement point necessarily trusts not only that the leaf token holder is honest, but that every intermediate holder made sound attenuation decisions. A compromised or misdirected intermediate agent can narrow constraints in ways that serve an attacker's goals while remaining within the invariants. The depth limit bounds the number of such trust extensions that a single root grant can produce.¶

The del_max_depth claim in the root token is the root issuer's explicit policy on chain topology. An implementation that ignores del_max_depth or enforces only a global implementation limit without checking per-token values violates this policy. Enforcement points MUST check the per-token depth ceilings (child.del_depth <= parent.del_max_depth in step 4e, child.del_max_depth <= parent.del_max_depth in step 4g, and child.del_depth <= child.del_max_depth in step 4m of Section 7) and the global MAX_DELEGATION_DEPTH limit (step 4f of Section 7). Neither the per-token policy checks nor the global implementation limit is sufficient alone.¶

8.8. Unknown Constraint Types

Enforcement points MUST deny authorization when they encounter an unknown constraint type. Permitting invocation in the presence of an unrecognized constraint would silently remove a restriction the issuer intended to enforce.¶

8.9. Token Revocation

Revocation of individual AATs, including derived tokens, is outside the scope of this specification. The offline delegation model trades per-token revocation granularity for verifiability without authorization server availability. This tradeoff is inherent in the verification model.¶

Deployments SHOULD use short token lifetimes to bound exposure after key compromise, token theft, or scope misconfiguration. A short-lived leaf token provides a bounded damage window even when no revocation mechanism is deployed. Root tokens SHOULD be issued with the shortest lifetime compatible with the intended delegation chain depth.¶

Root trust anchor rotation (replacing the trust anchor signing key and re-issuing root tokens) is the appropriate response to a root key compromise. Enforcement points SHOULD support configurable trust anchor sets to enable rotation without downtime.¶

A companion document may define lineage-scoped cascading revocation. In such a model, revocation is enforced by the enforcement point that accepts the affected chain, not by requiring the root AS to track derived tokens. Revoking a token invalidates that token and its descendants in the same lineage, but does not invalidate unrelated tokens or independent delegations held by the same agent, subject, or holder key. Revocation transport, storage, distribution, consistency, token-status, and introspection mechanisms are deployment and control-plane concerns outside the scope of this document.¶

8.10. Approval Gates

Deployments may require signed approvals before accepting particular tool invocations. Such approvals are outside the base chain verification algorithm unless defined by a profile or extension. A profile that defines approval gates should specify how approval requirements are encoded, how they are preserved or attenuated during derivation, what request data an approval signs, how approval freshness is checked, and which approval identities or keys are trusted, including any threshold or quorum requirements.¶

8.11. Clock Skew

This specification uses clock-based checks in two distinct contexts with different semantics. MAX_IAT_SKEW (Section 4.4, RECOMMENDED: 30 seconds) is a one-sided future-dating tolerance applied to token iat values: it prevents a token issued slightly in the future from being rejected due to minor clock drift between issuer and enforcement point. The PoP JWT timestamp window (Section 5.3, RECOMMENDED: ±30 seconds) is a bilateral replay window applied to PoP JWT iat values: it bounds how long a captured PoP JWT remains usable. These are independent parameters enforced at different points in the verification algorithm and SHOULD be configured separately.¶

PoP JWT timestamp verification requires synchronized clocks. The RECOMMENDED tolerance window is ±30 seconds, which accommodates typical Network Time Protocol (NTP) synchronized deployments with generous margin. Deployments running on cloud infrastructure with guaranteed NTP synchronization SHOULD target ±5 to ±10 seconds. Deployments with stricter security requirements MAY reduce this window further.¶

Implementations MUST enforce a finite maximum tolerance window. Values beyond ±60 seconds provide negligible additional clock skew tolerance while meaningfully expanding the PoP replay window and are NOT RECOMMENDED. A value of ±30 seconds is the conservative baseline; the ±60 second ceiling is intended only for heterogeneous environments such as embedded systems or degraded connectivity scenarios.¶

8.12. Role-Based Key Separation

Deployments that distinguish planning agents from tool-invoking agents SHOULD use distinct holder keys for those runtime roles and SHOULD derive across that boundary with a fresh cnf.jwk. This limits the blast radius of a compromised planning component and preserves operational accountability between components that decide what work should be done and components that invoke tools.¶

Role-based key separation is deployment guidance, not a base protocol invariant. Enforcement points implementing this specification verify the holder-key chain, attenuation invariants, parent-token linkage, and leaf PoP proof; they do not infer agent runtime roles from token claims unless a deployment-specific profile defines such claims and verification rules.¶

8.13. Algorithm Confusion

JWT/JWS AATs are signed JWTs. Implementations are subject to the full class of JWT algorithm confusion attacks, including alg: "none" acceptance, symmetric/asymmetric key confusion (RS256/HS256 key reuse), and algorithm substitution across tokens in the same chain.¶

Enforcement points MUST maintain an explicit allowlist of permitted signature algorithms and MUST reject any token whose alg header value is not on that list. Implementations MUST reject tokens with alg: "none" unconditionally and MUST NOT treat the absence of an alg header as equivalent to any permitted algorithm.¶

Implementations MUST apply the algorithm allowlist independently to each AAT in the chain and to the PoP JWT. Accepting a weaker algorithm on an intermediate token because the leaf token used a strong algorithm is a verification failure.¶

The RECOMMENDED algorithm set is the same as for DPoP [RFC9449]: ES256, ES384, ES512, RS256, RS384, RS512, PS256, PS384, PS512, EdDSA. Symmetric algorithms (HS256, HS384, HS512) MUST NOT be used for AAT signatures; symmetric keys cannot provide the per-holder key binding that PoP requires.¶

10.1. JWT Claims Registry

This document requests registration of the following claims in the IANA JSON Web Token Claims Registry [RFC7519].¶

AAT claims:¶

The tools map is not a top-level JWT claim; it is a member nested inside the authorization_details array entry with type: "attenuating_agent_token", as defined in Section 3.3. Its structure and semantics are governed by the AAT Constraint Type Registry (Section 10.3) and the RAR profile defined in this document, not by the JWT Claims Registry.¶

PoP JWT claims:¶

10.2. OAuth Authorization Details Types Registry

This document requests registration of the following type in the IANA OAuth Authorization Details Types Registry established by [RFC9396].¶

10.3. AAT Constraint Type Registry

This document requests IANA create the "Attenuating Authorization Token Constraint Types" registry. The registration policy for this registry is Specification Required [RFC8126].¶

Type name:
  (A lowercase string. Example: "path_containment")

Additional members:
  (List each JSON member name, its JSON type, whether it is required
  or optional, its default value if optional, and its semantics.
  Example: "root (string, required): An absolute path root.")

check predicate:
  (A complete, unambiguous specification of the boolean predicate
  evaluated against an argument value at invocation time. Must
  cover all edge cases including null, empty, and out-of-range
  inputs.)

subsumes verification procedure:
  (A complete formal definition of what it means for one instance
  of this constraint type to be at least as restrictive as another.
  Must state whether the procedure is conservative and, if so, which
  semantically subsuming pairs it rejects. Must include a soundness
  argument: if the procedure returns true for (C_parent, C_child),
  then for all values v: C_child.check(v) implies C_parent.check(v).)

cross-type subsumption rules:
  (An explicit enumeration of every (parent type, child type) pair
  involving this type that is a valid attenuation, and the conditions
  under which it is valid. List both directions: this type as parent
  and this type as child. All unlisted pairs are implicitly invalid.
  Example:
    - (exact, this_type): valid if the exact value satisfies this
      type's check predicate.
    - (this_type, exact): invalid.
    - (this_type, this_type): valid if [condition].)

security considerations:
  (Any security properties, limitations, or attack surfaces specific
  to this constraint type, including known cases where the check
  predicate or subsumption procedure can be bypassed or confused.)

reference:
  (A stable, publicly accessible document defining all of the above.)

10.4. OAuth Authorization Server Metadata Registry

This document requests registration of the following parameter in the IANA OAuth Authorization Server Metadata registry established by [RFC8414].¶

aat_issuer is a boolean value. When present and true, it indicates that the root issuer supports issuance of AAT root tokens as described in Section 3.7. When absent, the AS is assumed not to support AAT issuance.¶

10.5. OAuth Token Type Registration

This document requests registration of the following token type in the OAuth Token Type Registry ([RFC6749] Section 11.1):¶

• Type name: aat¶

• Additional Token Endpoint Response Parameters: (none)¶

• HTTP Authentication Scheme(s): (none; not a bearer token)¶

• Change controller: IETF¶

• Specification document(s): This document¶

10.6. OAuth Parameters Registry

This document makes no request to the OAuth Parameters Registry. Root token issuance uses the existing req_cnf token request parameter.¶

12.1. Normative References

[RFC3986]

Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, DOI 10.17487/RFC3986, January 2005, <https://www.rfc-editor.org/info/rfc3986>.

[RFC7515]

Jones, M., Bradley, J., and N. Sakimura, "JSON Web Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May 2015, <https://www.rfc-editor.org/info/rfc7515>.

[RFC7517]

Jones, M., "JSON Web Key (JWK)", RFC 7517, DOI 10.17487/RFC7517, May 2015, <https://www.rfc-editor.org/info/rfc7517>.

[RFC7519]

Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015, <https://www.rfc-editor.org/info/rfc7519>.

[RFC7638]

Jones, M. and N. Sakimura, "JSON Web Key (JWK) Thumbprint", RFC 7638, DOI 10.17487/RFC7638, September 2015, <https://www.rfc-editor.org/info/rfc7638>.

[RFC7800]

Jones, M., Bradley, J., and H. Tschofenig, "Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)", RFC 7800, DOI 10.17487/RFC7800, April 2016, <https://www.rfc-editor.org/info/rfc7800>.

[RFC8032]

Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital Signature Algorithm (EdDSA)", RFC 8032, DOI 10.17487/RFC8032, January 2017, <https://www.rfc-editor.org/info/rfc8032>.

[RFC8785]

Rundgren, A., Jordan, B., and S. Erdtman, "JSON Canonicalization Scheme (JCS)", RFC 8785, DOI 10.17487/RFC8785, June 2020, <https://www.rfc-editor.org/info/rfc8785>.

[RFC9278]

Jones, M. and K. Yasuda, "JWK Thumbprint URI", RFC 9278, DOI 10.17487/RFC9278, August 2022, <https://www.rfc-editor.org/info/rfc9278>.

[RFC9396]

Lodderstedt, T., Richer, J., and B. Campbell, "OAuth 2.0 Rich Authorization Requests", RFC 9396, DOI 10.17487/RFC9396, May 2023, <https://www.rfc-editor.org/info/rfc9396>.

[RFC9562]

Davis, K., Peabody, B., and P. Leach, "Universally Unique IDentifiers (UUIDs)", RFC 9562, DOI 10.17487/RFC9562, May 2024, <https://www.rfc-editor.org/info/rfc9562>.

[RFC6749]

Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", RFC 6749, DOI 10.17487/RFC6749, October 2012, <https://www.rfc-editor.org/info/rfc6749>.

[RFC9201]

Seitz, L., "Additional OAuth Parameters for Authentication and Authorization for Constrained Environments (ACE)", RFC 9201, DOI 10.17487/RFC9201, August 2022, <https://www.rfc-editor.org/info/rfc9201>.

[RFC8414]

Jones, M., Sakimura, N., and J. Bradley, "OAuth 2.0 Authorization Server Metadata", RFC 8414, DOI 10.17487/RFC8414, June 2018, <https://www.rfc-editor.org/info/rfc8414>.

[RFC8126]

Cotton, M., Leiba, B., and T. Narten, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 8126, DOI 10.17487/RFC8126, June 2017, <https://www.rfc-editor.org/info/rfc8126>.

[RFC2119]

Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>.

[RFC8174]

Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>.

12.2. Informative References

[RFC7942]

Sheffer, Y. and A. Farrel, "Improving Awareness of Running Code: The Implementation Status Section", BCP 205, RFC 7942, DOI 10.17487/RFC7942, July 2016, <https://www.rfc-editor.org/info/rfc7942>.

[RFC8949]

Bormann, C. and P. Hoffman, "Concise Binary Object Representation (CBOR)", STD 94, RFC 8949, DOI 10.17487/RFC8949, December 2020, <https://www.rfc-editor.org/info/rfc8949>.

[RFC8392]

Jones, M., Wahlstroem, E., Erdtman, S., and H. Tschofenig, "CBOR Web Token (CWT)", RFC 8392, DOI 10.17487/RFC8392, May 2018, <https://www.rfc-editor.org/info/rfc8392>.

[RFC8693]

Jones, M., Nadalin, A., Campbell, B., Ed., Bradley, J., and C. Mortimore, "OAuth 2.0 Token Exchange", RFC 8693, DOI 10.17487/RFC8693, January 2020, <https://www.rfc-editor.org/info/rfc8693>.

[RFC9052]

Schaad, J., "CBOR Object Signing and Encryption (COSE): Structures and Process", STD 96, RFC 9052, DOI 10.17487/RFC9052, August 2022, <https://www.rfc-editor.org/info/rfc9052>.

[RFC9334]

Birkholz, H., Thaler, D., Richardson, M., Smith, N., and W. Pan, "Remote ATtestation procedureS (RATS) Architecture", RFC 9334, DOI 10.17487/RFC9334, January 2023, <https://www.rfc-editor.org/info/rfc9334>.

[RFC9449]

Fett, D., Campbell, B., Bradley, J., Lodderstedt, T., Jones, M., and D. Waite, "OAuth 2.0 Demonstrating Proof of Possession (DPoP)", RFC 9449, DOI 10.17487/RFC9449, September 2023, <https://www.rfc-editor.org/info/rfc9449>.

[OAUTH-TXN-TOKENS]

Tulshibagwale, A., Fletcher, G., and P. Kasselman, "Transaction Tokens", March 2026, <https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/>.

[OAUTH-ID-CHAINING]

Schwenkschuster, A., Kasselman, P., Burgin, D., Jenkins, M., Campbell, B., and A. Parecki, "OAuth Identity and Authorization Chaining Across Domains", May 2026, <https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-chaining/>.

[BISCUIT]

Eclipse Foundation, "Biscuit: Distributed Authorization Tokens", n.d., <https://doc.biscuitsec.org/reference/specifications.html>.

[CEDAR]

Cedar Policy, "Cedar Policy Language Reference Guide", n.d., <https://docs.cedarpolicy.com/>.

[MACAROONS]

Birgisson, A., Politz, J. G., Erlingsson, U., Taly, A., Vrable, M., and M. Lentczner, "Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud", NDSS 2014, 2014, <https://research.google/pubs/pub41892/>.

[SALTZER75]

Saltzer, J. H. and M. D. Schroeder, "The Protection of Information in Computer Systems", Proceedings of the IEEE Vol. 63, No. 9, 1975, <https://doi.org/10.1109/PROC.1975.9939>.

[HARDY88]

Hardy, N., "The Confused Deputy (or why capabilities might have been invented)", ACM SIGOPS Operating Systems Review Vol. 22, No. 4, 1988, <https://dl.acm.org/doi/10.1145/54289.871709>.

[CAMEL25]

Debenedetti, E., Shumailov, I., Fan, T., Hayes, J., Carlini, N., Fabian, D., Kern, C., Shi, C., Terzis, A., and F. Tramèr, "Defeating Prompt Injections by Design", 2025, <https://arxiv.org/abs/2503.18813>.

[DEEPMIND26]

Tomašev, N., Franklin, M., and S. Osindero, "Intelligent AI Delegation", 2026, <https://arxiv.org/abs/2602.11865>.

[WIMSE-ARCH]

Salowey, J., Rosomakho, Y., and H. Tschofenig, "Workload Identity in a Multi System Environment (WIMSE) Architecture", March 2026, <https://datatracker.ietf.org/doc/draft-ietf-wimse-arch/>.

[WIMSE-S2S]

Campbell, B., Salowey, J. A., Schwenkschuster, A., and Y. Sheffer, "WIMSE Workload-to-Workload Authentication", October 2025, <https://datatracker.ietf.org/doc/draft-ietf-wimse-s2s-protocol/>.

[DENNIS66]

Dennis, J. B. and E. C. Van Horn, "Programming Semantics for Multiprogrammed Computations", Communications of the ACM Vol. 9, No. 3, 1966, <https://doi.org/10.1145/365230.365252>.

[MILLER06]

Miller, M. S., "Robust Composition: Towards a Unified Approach to Access Control and Concurrency Control", PhD Dissertation Johns Hopkins University, 2006, <http://www.erights.org/talks/thesis/>.

[ALLOY]

Jackson, D., "Alloy: A Lightweight Object Modelling Notation", ACM Transactions on Software Engineering and Methodology Vol. 11, No. 2, 2002, <https://doi.org/10.1145/505145.505149>.

[Z3]

de Moura, L. and N. Bjørner, "Z3: An Efficient SMT Solver", TACAS 2008, LNCS 4963, 2008, <https://github.com/Z3Prover/z3>.

A.1. Token Exchange (RFC 8693)

RFC 8693 allows a client to exchange one token for another, potentially with reduced scope, by contacting the authorization server. The server enforces scope reduction. This requires network connectivity to the authorization server at each delegation hop and cannot be performed offline.¶

This specification allows a token holder to derive a new token locally, without contacting the authorization server. The attenuation invariant is enforced by the chain verification algorithm, not by a server-side policy check.¶

A.2. Rich Authorization Requests (RFC 9396)

RFC 9396 defines a structured format for expressing fine-grained authorization details in OAuth tokens. This specification uses the authorization_details claim format from RFC 9396 and extends it with: (1) a delegation chain model that links tokens via cryptographic hashes, (2) monotonic attenuation invariants that constrain what derived tokens may express, and (3) proof-of-possession binding that ties invocations to specific key holders.¶

A.3. DPoP (RFC 9449)

DPoP ([RFC9449]) is a token theft prevention mechanism that binds an existing OAuth access token to a holder key, ensuring that a stolen token cannot be presented without the corresponding private key. DPoP does not change what the access token authorizes; the token's authorization claims are unchanged. The resource server grants whatever the access token permits; DPoP adds a cryptographic proof that the presenter holds the bound key.¶

AATs encode the authorization itself. The token specifies which tools may be invoked, with what argument constraints, and by which key holder. Holders can derive tokens with authority equal to or narrower than their own, without contacting the authorization server. The PoP JWT in Section 5 serves a similar cryptographic role to a DPoP proof, binding a specific invocation to the leaf token's holder key, but operates in a different context. Everything else in this specification (the chain model, the attenuation invariants, the constraint type registry, the subsumption matrix) addresses questions outside DPoP's scope.¶

Structurally, DPoP is a two-party protocol between a client and a resource server. There is no delegation model, no parent-child chain, and no attenuation invariant. The chain model of this specification (del_depth, par_hash, del_max_depth, and the six attenuation invariants) is not defined by DPoP.¶

At the proof level, DPoP binds to an HTTP method (htm) and URI (htu). AAT PoP JWTs bind to a tool name (aat_tool) and a structured argument map (hta). Tool invocations are function calls, not HTTP requests, and a URI alone carries insufficient information for argument-level constraint evaluation. This is why aat_tool and hta differ structurally from htm and htu: (1) hta carries the full argument map required for constraint evaluation at the enforcement point; (2) aat_id binds the proof to a specific leaf token jti and chain position, which DPoP does not define.¶

The cryptographic mechanism is the same: an asymmetric key in cnf.jwk, compact JWT serialization, verified against the leaf token's bound key. DPoP could in principle be layered alongside AATs as a transport-level binding for chain delivery, but that combination is outside the scope of this specification.¶

A.4. Biscuit

Biscuit [BISCUIT] and AATs both support offline attenuation and decentralized verification. Biscuit is a compact authorization token with Datalog-based policy checks and is commonly used as a bearer credential. AAT is an OAuth-shaped, holder-bound delegation-chain protocol with tool-and-argument constraints, cryptographic chain invariants, and invocation-time proof of possession.¶

Biscuit is a general-purpose authorization token format. It does not natively encode OAuth-oriented delegation-chain claims such as depth limits, parent-token linkage, or explicit chain position declarations. This specification defines those properties in the token model itself, making the chain independently verifiable as a delegation protocol rather than as a sequence of policy blocks.¶

B.1. Algorithm Recommendations

• Signing algorithm: Ed25519 [RFC8032]. The normative requirement is in Section 3.2. EdDSA provides compact 64-byte signatures suitable for constrained agent environments. The JWS alg header value for Ed25519 is "EdDSA".¶

• Key representation: JWK [RFC7517] with "kty": "OKP" and "crv": "Ed25519".¶

• Token identifier: UUIDv7 is recommended for jti values, providing time-ordered identifiers without central coordination.¶

The algorithm allowlist requirement is normatively defined in Section 7 (steps 3a, 4a, and 7a) and discussed in Section 8.13.¶

The cnf.jwk key type is not hardcoded to Ed25519. Implementations should be designed to support algorithm migration without requiring changes to token structure.¶

B.2. Recognizing Derived Token iss Values in Middleware

In both root and derived AATs, iss is a URI. For root tokens it is a conventional issuer URI. For derived tokens it is a JWK Thumbprint URI ([RFC9278]) with the urn:ietf:params:oauth:jwk-thumbprint:sha-256: prefix. Middleware that routes or policy-evaluates based on iss should recognize the JWK Thumbprint URI scheme and apply chain-aware processing rather than attempting to resolve the URI as an issuer endpoint. The verification key for derived tokens is parent.cnf.jwk, resolved from the preceding chain link.¶

B.3. Relationship to WIMSE

The WIMSE architecture [WIMSE-ARCH] and service-to-service protocol [WIMSE-S2S] address workload identity and authentication for entities that hold and present AATs. A WIMSE workload credential identifies an agent; the iss claim in a root AAT issued to that agent may reference the agent's WIMSE workload identifier. The two specifications are complementary: WIMSE establishes workload identity and authentication; this specification defines a holder-derivable, invocation-scoped delegation and attenuation mechanism that WIMSE does not standardize.¶

B.4. Delegation Depth Guidance

The normative requirement is only that implementations enforce a finite MAX_DELEGATION_DEPTH. This appendix provides non-normative guidance for selecting an appropriate value.¶

The appropriate MAX_DELEGATION_DEPTH depends on the deployment topology. Linear orchestration chains (root issuer, one or two planning layers, leaf executor) require few hops. Swarm architectures with dynamic fan-out, sub-task delegation, or hierarchical agent groups may require significantly deeper chains. The implementation ceiling should reflect the maximum depth the deployment actually needs, not an arbitrary conservative default.¶

Regardless of the implementation ceiling, issuers should set del_max_depth to the depth required by the expected workflow, with margin for subprocess delegation, operational handoffs, and holder-key handoff. Lower values reduce the number of offline delegation steps under a grant, but overly tight values can suppress attenuation and encourage broader token reuse. The security value comes from deliberate per-chain policy, not from an arbitrarily low ceiling.¶

B.5. Implementation Size Limits

The normative requirement is only that implementations enforce finite limits on token size, chain size, constraint nesting depth, and tool count to prevent resource exhaustion. This appendix provides non-normative recommended defaults for implementations with no specific deployment constraints:¶

Deployments should document their enforced limits. Interoperating parties should verify that their respective limits are compatible before deployment.¶

Implementations should prefer core structural constraints where the policy permits, as these types produce compact tokens and simple subsumption checks.¶

Implementations concerned about parser exposure on unverified payloads in step 2c of the chain verification algorithm (Section 7) may extract jti using a length-limited byte scan rather than a full JSON parser, provided the extraction correctly handles JSON whitespace and string escaping.¶

A single AAT is typically 1-4 KB when base64url-encoded. Chains of two or more tokens will commonly exceed the 4-8 KB header size limits enforced by common reverse proxies and load balancers, resulting in 431 errors. Deployments should transmit AAT chains in a request body field rather than an HTTP header. For size-constrained environments, Appendix D notes considerations for a future CBOR/CWT profile.¶

B.6. Signed Passthrough Metadata

Implementations may include additional JWT claims in AATs beyond those defined in Section 3, using collision-resistant names for passthrough metadata such as request trace identifiers or tenant context. Such claims are integrity-protected within each token, but the base chain verification algorithm does not preserve or interpret them across derivation steps. Deployments that require chain-wide preservation of passthrough metadata must define their own derivation and verification rules, either through deployment-specific policy or a companion profile.¶

B.7. TTL Guidance

The normative requirement is only that derived tokens cannot outlive their parents and that token lifetime does not exceed MAX_TOKEN_LIFETIME (Section 4.4). This appendix provides non-normative guidance for selecting appropriate TTL values.¶

Expiration is the base specification's built-in limit on token lifetime. A token that has expired cannot be used regardless of whether a revocation mechanism is deployed. Short lifetimes reduce the window of exposure from key compromise, token theft, or scope misconfiguration. The operational cost of short TTLs is re-issuance frequency; this cost is low when the root issuer is available and derivation is offline.¶

The appropriate TTL depends on the token's position in the chain and the deployment context. Root tokens should be long enough to cover the full orchestration and execution window for the task, but no longer. Leaf tokens should be scoped to the expected duration of a single tool invocation. Deployments with intermittent connectivity (edge, embedded, or air-gapped) may need longer lifetimes, with the awareness that longer lifetimes expand the compromise window.¶

Deployments should treat TTL as a policy expression rather than a convenience parameter. A root token with a 24-hour TTL effectively grants the holder 24 hours of authority regardless of how narrowly the capability scope is defined.¶

E.1. Reference Implementation

Tenuo provides a reference implementation of this protocol. The chain verification algorithm (Section 7) and token derivation procedure (Section 6) are both implemented. Tenuo also includes an implementation-specific CBOR/COSE wire representation, with Ed25519 signatures carried in COSE_Sign1 structures. That implementation experience supports the format independence of the core protocol model, but does not define a fully interoperable CWT profile; the CWT profile is deferred as described in Appendix D.¶

RFC Editor Note: This section will be updated or removed before publication.¶

E.2. Formal Verification

Formal verification of the attenuation algebra is in progress, using three complementary techniques: bounded model checking ([ALLOY]) for set-theoretic constraint types, SMT solving ([Z3]) for numeric and structural constraint types, and property-based testing against the Rust implementation for implemented constraint types. Bounded model checking has found no counterexamples for scopes up to 8 constraints and 8 values. The combination is intended to provide evidence toward monotonicity of the I4 invariant across the full constraint attenuation matrix.¶

RFC Editor Note: This section will be updated or removed before publication.¶