c/ietf-draft-analyzer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
ietf-draft-analyzer/workspace/act/draft-nennemann-act-00.md
Christian Nennemann 2506b6325a
Some checks failed
CI / test (3.11) (push) Failing after 1m37s
Details
CI / test (3.12) (push) Failing after 57s
Details
feat: add draft data, gap analysis report, and workspace config
2026-04-06 18:47:15 +02:00

49 KiB
Raw Permalink Blame History

Agent Compact Token (ACT)

Independent Submission                                    C. Nennemann
Internet-Draft                                             Independent
Intended status: Standards Track                            March 2026
Expires: September 2026

               Agent Compact Token (ACT)
          draft-nennemann-act-00

Abstract

This document defines the Agent Compact Token (ACT), a self-contained JWT-based format for autonomous AI agents that unifies authorization and execution accountability in a single token lifecycle. An ACT begins as a signed authorization mandate — encoding capabilities, constraints, delegation provenance, and oversight requirements — and transitions into a tamper-evident execution record once the agent completes its task, appending cryptographic hashes of inputs and outputs and linking to predecessor tasks via a directed acyclic graph (DAG). ACT requires no Authorization Server, no workload identity infrastructure, and no transparency service for basic operation. Trust is bootstrapped via pre-shared keys and is upgradeable to PKI or Decentralized Identifiers (DIDs). ACT is designed for cross- organizational agent federation in regulated and unregulated environments alike.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

This Internet-Draft will expire on 29 September 2026.

Copyright Notice

Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info).

Table of Contents

  1. Introduction
    • 1.1. Problem Statement
    • 1.2. Design Goals
    • 1.3. Non-Goals
    • 1.4. Relationship to Related Work
  2. Conventions and Definitions
  3. ACT Lifecycle
    • 3.1. Phase 1: Authorization Mandate
    • 3.2. Phase 2: Execution Record
    • 3.3. Lifecycle State Machine
  4. ACT Token Format
    • 4.1. JOSE Header
    • 4.2. JWT Claims: Authorization Phase
    • 4.3. JWT Claims: Execution Phase
    • 4.4. Complete Examples
  5. Trust Model
    • 5.1. Tier 0: Bootstrap (TOFU)
    • 5.2. Tier 1: Pre-Shared Keys (Mandatory-to-Implement)
    • 5.3. Tier 2: PKI / X.509
    • 5.4. Tier 3: Decentralized Identifiers (DID)
    • 5.5. Cross-Tier Interoperability
  6. Delegation Chain
    • 6.1. Peer-to-Peer Delegation
    • 6.2. Privilege Reduction Requirements
    • 6.3. Delegation Verification
  7. DAG Structure and Causal Ordering
    • 7.1. DAG Validation
    • 7.2. Root Tasks and Fan-in
  8. Verification Procedure
    • 8.1. Authorization Phase Verification
    • 8.2. Execution Phase Verification
  9. Transport
    • 9.1. HTTP Header Transport
    • 9.2. Non-HTTP Transports
  10. Audit Ledger Interface
  11. Security Considerations
    • 11.1. Threat Model
    • 11.2. Self-Assertion Limitation
    • 11.3. Key Compromise
    • 11.4. Replay Attack Prevention
    • 11.5. Equivocation
    • 11.6. Privilege Escalation
    • 11.7. Denial of Service
  12. Privacy Considerations
  13. IANA Considerations
    • 13.1. Media Type Registration
    • 13.2. HTTP Header Field Registration
    • 13.3. JWT Claims Registration
  14. References
    • 14.1. Normative References
    • 14.2. Informative References
  • Appendix A: Complete JSON Schema
  • Appendix B: Test Vectors
  • Appendix C: Deployment Scenarios

1. Introduction

Autonomous AI agents increasingly operate across organizational boundaries, executing multi-step workflows where individual tasks are delegated from one agent to another. These workflows create two distinct, inseparable compliance requirements:

  1. Authorization: was the agent permitted to perform the action, under what constraints, and by whose authority?

  2. Accountability: what did the agent actually do, with what inputs, producing what outputs, in what causal relationship to prior tasks?

Existing specifications address these requirements in isolation. The Agent Authorization Profile (AAP) [I-D.aap-oauth-profile] provides structured authorization via OAuth 2.0 but requires a central Authorization Server. The WIMSE Execution Context Token [I-D.nennemann-wimse-ect] provides execution accountability but requires WIMSE workload identity infrastructure (SPIFFE/SPIRE).

This document defines the Agent Compact Token (ACT), which addresses both requirements in a single, self-contained token that requires no shared infrastructure beyond the ability to verify asymmetric signatures. The word "Compact" in the name signals the core design principle: the smallest possible trust footprint that still provides cryptographically verifiable authorization and accountability.

1.1. Problem Statement

Cross-organizational agent federation today faces a bootstrapping problem: deploying shared OAuth infrastructure or a common SPIFFE trust domain requires organizational agreement before the first message is exchanged. In practice this means either:

(a) agents operate without cryptographic authorization or audit trails, relying on application-layer access control only; or

(b) organizations adopt one party's identity infrastructure, creating a hub-and-spoke dependency that contradicts the decentralized nature of agent networks.

ACT solves this by making pre-shared keys the mandatory-to-implement trust baseline — two agents can begin a secure, auditable interaction with nothing more than an out-of-band key exchange — while providing a clean upgrade path to PKI or DID-based trust without changing the token format.

1.2. Design Goals

  • G1 — Zero infrastructure baseline: ACT MUST be deployable with no shared servers, no common identity provider, and no transparency service.

  • G2 — Single token lifecycle: Authorization and accountability MUST be expressed in the same token format to prevent authorization-accountability gaps.

  • G3 — Peer-to-peer delegation: Delegation chains MUST be verifiable without contacting an Authorization Server, using cryptographic chaining of agent signatures.

  • G4 — DAG-native causal ordering: Workflows with parallel branches and fan-in dependencies MUST be expressible natively, without flattening to a linear chain.

  • G5 — Cross-organizational interoperability: ACTs issued by agents in different trust domains MUST be verifiable by any participant holding the issuing agent's public key.

  • G6 — Regulatory applicability: ACT MUST provide sufficient evidence for audit requirements in DORA [DORA], EU AI Act Article 12 [EUAIA], and IEC 62304 [IEC62304] without requiring additional log formats.

  • G7 — Upgrade path: The trust model MUST support migration from pre-shared keys to PKI or DID without breaking existing ACT chains.

1.3. Non-Goals

The following are explicitly out of scope:

  • Defining internal AI model behavior or decision logic.
  • Replacing organizational security policies or procedures.
  • Defining storage formats for audit ledgers.
  • Specifying token revocation infrastructure (deployments MAY use existing mechanisms such as [RFC7009] for this purpose).
  • Providing non-equivocation guarantees in standalone mode (see Section 11.5 for the equivocation discussion and optional transparency anchoring).

1.4. Relationship to Related Work

AAP [I-D.aap-oauth-profile]: ACT addresses the same authorization problem as AAP but does not require an Authorization Server. ACT delegation is peer-to-peer via cryptographic signature chaining; AAP delegation requires OAuth Token Exchange [RFC8693] against a central AS. ACT is not a profile of AAP; it is an infrastructure- independent alternative for the same problem class.

WIMSE ECT [I-D.nennemann-wimse-ect]: ACT addresses the same execution accountability problem as the WIMSE Execution Context Token but does not require WIMSE workload identity infrastructure. ACT is not a profile of WIMSE; it is deployable in environments without SPIFFE/SPIRE. In environments where WIMSE is deployed, ACT MAY be carried alongside WIMSE tokens to augment accountability with authorization provenance.

SCITT [I-D.ietf-scitt-architecture]: For deployments requiring non-equivocation guarantees (see Section 11.5), ACT execution records MAY be anchored to a SCITT Transparency Service as a Layer 2 mechanism. This is OPTIONAL and not required for basic ACT operation.

2. Conventions and Definitions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

Agent: An autonomous software entity that executes tasks, issues ACTs as mandates for sub-agents, and produces ACTs as execution records of its own actions.

Authorization Mandate: An ACT in Phase 1, encoding what an agent is permitted to do, under what constraints, and by whose authority.

Execution Record: An ACT in Phase 2, encoding what an agent actually did, including cryptographic hashes of inputs and outputs and causal links to predecessor tasks.

Directed Acyclic Graph (DAG): A graph structure representing task dependency ordering where edges are directed and no cycles exist. Used by ACT to model causal relationships between tasks in a workflow.

Delegation Chain: A cryptographically verifiable sequence of ACT issuances from a root authority through one or more agents, each signing a new ACT that reduces privileges relative to the one it received.

Trust Tier: A level of key management infrastructure used to establish the public key of an ACT issuer. Tiers range from pre-shared keys (Tier 1, mandatory) to PKI (Tier 2) and DIDs (Tier 3).

Workflow: A set of related tasks, identified by a shared wid claim, forming a single logical unit of work.

3. ACT Lifecycle

An ACT has a two-phase lifecycle. The same token format is used in both phases; the presence or absence of execution claims determines which phase a token represents.

A token is a Phase 2 Execution Record if and only if the claim exec_act is present. A token that does not contain exec_act is a Phase 1 Authorization Mandate. Verifiers MUST determine the phase before applying verification rules, and MUST reject a token that is presented in the wrong phase for the operation being performed.

3.1. Phase 1: Authorization Mandate

In Phase 1, an ACT is created by a delegating agent (or a human operator) to authorize a target agent to perform a specific task. The token carries:

  • The identity of the issuing agent and the target agent.
  • The capabilities granted, with associated constraints.
  • Human oversight requirements for high-impact actions.
  • The delegation provenance (who authorized the issuer to delegate).
  • A task identifier and declared purpose.

The Phase 1 ACT is signed by the issuing agent using its private key. The target agent receives the ACT and uses it as a bearer mandate — evidence that it is authorized to proceed.

Phase 1 ACTs are short-lived. Implementations SHOULD set expiration (exp) to no more than 15 minutes after issuance (iat) for automated agent-to-agent workflows. Longer lifetimes MAY be used for human-initiated mandates where the agent may not act immediately.

3.2. Phase 2: Execution Record

Upon completing the authorized task, the executing agent MUST transition the ACT to Phase 2 by:

  1. Adding the exec_act claim describing the action performed.
  2. Optionally adding inp_hash and/or out_hash SHA-256 hashes of task inputs and outputs (RECOMMENDED for regulated environments).
  3. Adding the par array referencing parent task identifiers (DAG dependencies).
  4. Adding exec_ts and status claims.
  5. Re-signing the complete token with its own private key.

The re-signing is critical: it produces a new signature over the combined authorization + execution claims, binding the executing agent's cryptographic identity to both the mandate it received and the execution it performed. This creates a single, non-repudiable record that answers both "was this agent authorized?" and "what did it do?"

Note on issuer signature preservation: re-signing replaces the Phase 1 signature produced by the issuing agent (iss). The integrity of the original mandate is preserved through the del.chain mechanism: the chain entry's sig field is the iss agent's signature over the Phase 1 ACT, and this signature remains intact and verifiable in the Phase 2 token. For root mandates where del.chain is empty, the issuer's signature is not independently preserved in Phase 2. Deployments requiring independent verifiability of the original mandate SHOULD retain the Phase 1 ACT separately alongside the Phase 2 record.

The resulting Phase 2 ACT SHOULD be submitted to an audit ledger (Section 10) and MAY be sent to the next agent in the workflow as evidence of completed prerequisites.

3.3. Lifecycle State Machine

  [Issuer creates Phase 1 ACT]
           |
           | sign(issuer_key)
           v
    +------------------+
    |  MANDATE         |  Phase 1: Authorization Mandate
    |  (unsigned by    |  Carried as bearer token by target agent
    |   target agent)  |
    +------------------+
           |
           | Target agent executes task
           | adds exec_act, inp_hash, out_hash, par
           | re-signs with target_agent_key
           v
    +------------------+
    |  RECORD          |  Phase 2: Execution Record
    |  (signed by      |  Submitted to ledger, passed to next agent
    |   target agent)  |
    +------------------+
           |
           | (optional) anchor to SCITT Transparency Service
           v
    +------------------+
    |  ANCHORED        |  Phase 2 + external non-equivocation
    +------------------+

4. ACT Token Format

An ACT is a JSON Web Token [RFC7519] signed as a JSON Web Signature [RFC7515] using JWS Compact Serialization. All ACTs MUST use JWS Compact Serialization to ensure they can be carried in a single HTTP header value.

4.1. JOSE Header

The ACT JOSE header MUST contain:

{
  "alg": "ES256",
  "typ": "act+jwt",
  "kid": "agent-a-key-2026-03"
}

alg (REQUIRED): The digital signature algorithm. Implementations MUST support ES256 [RFC7518]. EdDSA (Ed25519) [RFC8037] is RECOMMENDED for new deployments due to smaller signatures and resistance to side-channel attacks. Symmetric algorithms (HS256, HS384, HS512) MUST NOT be used. The "alg" value MUST NOT be "none".

typ (REQUIRED): MUST be "act+jwt" to distinguish ACTs from other JWT types.

kid (REQUIRED): An identifier for the signing key. In Tier 1 deployments (pre-shared keys), this is an opaque string agreed out-of-band. In Tier 2 deployments (PKI), this is the X.509 certificate thumbprint. In Tier 3 deployments (DID), this is the DID key fragment (e.g., did:key:z6Mk...#key-1).

x5c (OPTIONAL): In Tier 2 deployments, the X.509 certificate chain MAY be included to enable verification without out-of-band key distribution.

did (OPTIONAL): In Tier 3 deployments, the full DID of the issuing agent MAY be included for resolution.

4.2. JWT Claims: Authorization Phase

4.2.1. Standard JWT Claims

iss (REQUIRED): The identifier of the agent issuing the mandate. Format depends on trust tier: an opaque string (Tier 1), an X.509 Subject DN (Tier 2), or a DID (Tier 3).

sub (REQUIRED): The identifier of the agent authorized to act. MUST use the same format convention as iss.

aud (REQUIRED): The intended recipient(s). MUST include the identifier of the target agent (sub). When an audit ledger is deployed, MUST also include the ledger's identifier. When multiple recipients are present, MUST be an array. Verifiers that are audit ledgers MUST verify that their own identifier appears in aud.

iat (REQUIRED): Issuance time as a NumericDate [RFC7519].

exp (REQUIRED): Expiration time. Implementations SHOULD set to no more than 15 minutes after iat for automated workflows.

jti (REQUIRED): A UUID [RFC9562] uniquely identifying this ACT and, in Phase 2, the task it records. Used as the task identifier for DAG parent references in par.

4.2.2. ACT Authorization Claims

wid (OPTIONAL): A UUID identifying the workflow to which this task belongs. When present, groups related ACTs and scopes jti uniqueness to the workflow.

task (REQUIRED): An object describing the authorized task:

{
  "task": {
    "purpose": "validate_patient_dosage",
    "data_sensitivity": "restricted",
    "created_by": "operator:clinical-admin-01",
    "expires_at": 1772064750
  }
}
  • purpose (REQUIRED): A string describing the intended task. Implementations SHOULD use a controlled vocabulary or reverse- domain notation (e.g., "com.example.validate_dosage") to enable semantic consistency checking by the receiving agent.
  • data_sensitivity (OPTIONAL): One of "public", "internal", "confidential", "restricted". Receiving agents MUST NOT perform actions that would expose data above this classification.
  • created_by (OPTIONAL): An identifier for the human or system that initiated the workflow. SHOULD be pseudonymous (see Section 12).
  • expires_at (OPTIONAL): A NumericDate after which the task mandate is no longer valid, independent of exp.

cap (REQUIRED): An array of capability objects, each specifying an action the agent is authorized to perform and the constraints under which it may do so:

{
  "cap": [
    {
      "action": "read.patient_record",
      "constraints": {
        "patient_id_scope": "current_task_only",
        "max_records": 1,
        "data_classification_max": "restricted"
      }
    },
    {
      "action": "write.dosage_recommendation",
      "constraints": {
        "status": "draft_only"
      }
    }
  ]
}

Action names MUST conform to the ABNF grammar:

action-name = component *( "." component )
component   = ALPHA *( ALPHA / DIGIT / "-" / "_" )

Receiving agents MUST perform exact string matching on action names. Wildcard matching is NOT part of this specification.

When multiple capabilities match the same action, OR semantics apply: if ANY capability grants the action, the request is authorized subject to that capability's constraints. When multiple constraints exist within a single capability, AND semantics apply: ALL constraints MUST be satisfied. When the same constraint key appears in both a capability-level and a policy-level context, the more restrictive value applies: lower numeric limits, narrower allow-lists (intersection), broader block-lists (union), and narrower time windows.

oversight (OPTIONAL): Human oversight requirements:

{
  "oversight": {
    "requires_approval_for": ["write.publish", "execute.payment"],
    "approval_ref": "https://approval.example.com/workflow/w-123"
  }
}

When requires_approval_for lists an action, the receiving agent MUST NOT execute that action autonomously. The approval mechanism is out of scope for this specification.

del (OPTIONAL): Delegation provenance, establishing the chain of authority from the root mandate to this ACT. If del is absent, the ACT MUST be treated as a root mandate with depth = 0 and further delegation is not permitted (i.e., the receiving agent MUST NOT issue sub-mandates based on this ACT).

{
  "del": {
    "depth": 1,
    "max_depth": 3,
    "chain": [
      {
        "delegator": "did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK",
        "jti": "550e8400-e29b-41d4-a716-446655440000",
        "sig": "base64url-encoded-signature-of-parent-act-hash"
      }
    ]
  }
}
  • depth: The current delegation depth. 0 means this is a root mandate issued by a human or root authority.
  • max_depth: The maximum permitted delegation depth. Receiving agents MUST NOT issue sub-mandates that would exceed this depth.
  • chain: An array of delegation provenance records ordered from root to immediate parent (chain[0] is the root authority, chain[depth-1] is the direct parent of this ACT). Each entry contains:
    • delegator: The identifier of the agent that authorized this delegation step (i.e., the iss of the parent ACT at that depth).
    • jti: The jti of the parent ACT that authorized this delegation step.
    • sig: The delegating agent's signature over the SHA-256 hash of that parent ACT, providing cryptographic linkage without requiring the full parent ACT to be transmitted.

The sig field in each chain entry is the critical departure from AAP's delegation model: rather than requiring a central AS to validate the chain, any verifier holding the delegating agent's public key can independently verify each step by recomputing the hash and checking the signature.

4.3. JWT Claims: Execution Phase

The following claims are added by the executing agent when transitioning to Phase 2. Their presence distinguishes an Execution Record from an Authorization Mandate.

exec_act (REQUIRED in Phase 2): A string identifying the action actually performed. MUST conform to the same ABNF grammar as capability action names. MUST match one of the action values in the cap array of the Phase 1 claims.

par (REQUIRED in Phase 2): An array of jti values of parent tasks in the DAG. An empty array indicates a root task. Each value MUST be the jti of a previously verified ACT (Phase 2) within the same workflow (same wid) or the global ACT store if wid is absent.

inp_hash (OPTIONAL): The base64url encoding (without padding) of the SHA-256 hash of the task's input data, computed over the raw octets of the serialized input. Provides cryptographic evidence of what data the agent processed.

out_hash (OPTIONAL): The base64url encoding (without padding) of the SHA-256 hash of the task's output data, using the same format as inp_hash. Provides cryptographic evidence of what data the agent produced.

exec_ts (REQUIRED in Phase 2): A NumericDate recording the actual time of task execution. MAY differ from iat when the agent queued the mandate before execution. MUST be greater than or equal to iat. SHOULD be less than or equal to exp; execution after mandate expiry is possible when tasks are long-running and MUST NOT cause automatic rejection, but implementors SHOULD log a warning.

status (REQUIRED in Phase 2): One of "completed", "failed", "partial". Allows audit systems to distinguish successful execution from partial or failed attempts, which is essential for regulated environments where failed attempts must be recorded.

err (OPTIONAL, present when status is "failed" or "partial"): An object providing error context:

{
  "err": {
    "code": "constraint_violation",
    "detail": "data_classification_max exceeded"
  }
}

Error detail SHOULD NOT reveal internal system state beyond what is necessary for audit purposes.

4.4. Complete Examples

Phase 1 — Authorization Mandate

{
  "alg": "ES256",
  "typ": "act+jwt",
  "kid": "agent-clinical-key-2026-03"
}
.
{
  "iss": "did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK",
  "sub": "did:key:z6MknGc3omCyas4b1GmEn4xySHgLuSHxrKrUBnrhJekxZHFz",
  "aud": [
    "did:key:z6MknGc3omCyas4b1GmEn4xySHgLuSHxrKrUBnrhJekxZHFz",
    "https://ledger.hospital.example.com"
  ],
  "iat": 1772064000,
  "exp": 1772064900,
  "jti": "550e8400-e29b-41d4-a716-446655440001",

  "wid": "a0b1c2d3-e4f5-6789-abcd-ef0123456789",

  "task": {
    "purpose": "validate_treatment_recommendation",
    "data_sensitivity": "restricted",
    "created_by": "operator:clinical-admin-01"
  },

  "cap": [
    {
      "action": "read.patient_record",
      "constraints": {
        "patient_id_scope": "current_task_only",
        "max_records": 1
      }
    },
    {
      "action": "write.safety_assessment",
      "constraints": {
        "status": "draft_only"
      }
    }
  ],

  "oversight": {
    "requires_approval_for": ["write.publish_assessment"]
  },

  "del": {
    "depth": 0,
    "max_depth": 2,
    "chain": []
  }
}

Phase 2 — Execution Record (same token, re-signed by target agent)

{
  "alg": "EdDSA",
  "typ": "act+jwt",
  "kid": "agent-safety-key-2026-03"
}
.
{
  "iss": "did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK",
  "sub": "did:key:z6MknGc3omCyas4b1GmEn4xySHgLuSHxrKrUBnrhJekxZHFz",
  "aud": [
    "did:key:z6MknGc3omCyas4b1GmEn4xySHgLuSHxrKrUBnrhJekxZHFz",
    "https://ledger.hospital.example.com"
  ],
  "iat": 1772064000,
  "exp": 1772064900,
  "jti": "550e8400-e29b-41d4-a716-446655440001",

  "wid": "a0b1c2d3-e4f5-6789-abcd-ef0123456789",

  "task": {
    "purpose": "validate_treatment_recommendation",
    "data_sensitivity": "restricted",
    "created_by": "operator:clinical-admin-01"
  },

  "cap": [
    {
      "action": "read.patient_record",
      "constraints": {
        "patient_id_scope": "current_task_only",
        "max_records": 1
      }
    },
    {
      "action": "write.safety_assessment",
      "constraints": {
        "status": "draft_only"
      }
    }
  ],

  "oversight": {
    "requires_approval_for": ["write.publish_assessment"]
  },

  "del": {
    "depth": 0,
    "max_depth": 2,
    "chain": []
  },

  "exec_act": "write.safety_assessment",
  "par": ["550e8400-e29b-41d4-a716-446655440000"],
  "inp_hash": "n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg",
  "out_hash": "LCa0a2j_xo_5m0U8HTBBNBNCLXBkg7-g-YpeiGJm564",
  "exec_ts": 1772064300,
  "status": "completed"
}

5. Trust Model

ACT defines four trust tiers. Tier 1 is mandatory-to-implement; all others are optional upgrades. An ACT verifier MUST be able to process ACTs from any tier it has configured. The trust tier in use is determined by the kid format and the presence of x5c or did header parameters.

5.1. Tier 0: Bootstrap (TOFU — Trust On First Use)

Tier 0 is NOT part of the normative trust model and MUST NOT be used in regulated environments. It is defined here for documentation purposes only, to describe the common bootstrapping scenario.

In Tier 0, the first ACT received from an agent establishes its public key. This is equivalent to SSH TOFU behavior: an attacker who intercepts the first message can substitute their own key. Tier 0 deployments MUST transition to Tier 1 or higher before exchanging ACTs that carry sensitive capabilities.

5.2. Tier 1: Pre-Shared Keys (Mandatory-to-Implement)

In Tier 1, both parties exchange public keys out-of-band prior to the first ACT exchange. The kid is an opaque string agreed during the key exchange. Implementations MUST support Tier 1.

Key exchange MAY occur via any out-of-band mechanism: manual configuration, a configuration management system, or a prior authenticated channel. This specification does not mandate a specific key exchange protocol.

Tier 1 public keys MUST be Ed25519 [RFC8037] or P-256 (ES256) [RFC7518] keys. RSA keys SHOULD NOT be used in Tier 1 deployments due to key size. Key rotation MUST be performed out-of-band using the same mechanism as the initial exchange.

5.3. Tier 2: PKI / X.509

In Tier 2, agent identity is bound to an X.509 certificate issued by a mutually trusted Certificate Authority (CA). The kid is the certificate thumbprint (SHA-256 of the DER-encoded certificate).

Cross-organizational ACT exchange in Tier 2 requires either:

(a) a mutually trusted root CA, or (b) cross-certification between the organizations' CAs, or (c) explicit trust anchoring (one organization's CA is added to the other's trust store).

The x5c JOSE header parameter [RFC7515] MAY carry the full certificate chain to enable verification without out-of-band trust store configuration.

5.4. Tier 3: Decentralized Identifiers (DID)

In Tier 3, agent identity is expressed as a DID [W3C-DID]. The kid is a DID key fragment. The did JOSE header parameter carries the full DID for resolution.

Implementations SHOULD support at minimum did:key [DID-KEY] for self-contained key distribution without external resolution, and did:web [DID-WEB] for organizations that prefer DNS-anchored identity.

DID resolution latency introduces a dependency on external infrastructure. To preserve the zero-infrastructure baseline, implementations using Tier 3 MAY cache DID Documents and MUST specify a maximum cache TTL in their configuration.

5.5. Cross-Tier Interoperability

A delegation chain MAY include agents operating at different trust tiers. Each step in the chain is verified using the trust tier of the signing agent at that step. Verifiers MUST NOT reject a chain solely because it mixes trust tiers, but MAY apply stricter policy for chains that include Tier 0 or Tier 1 steps when exchanging sensitive capabilities.

6. Delegation Chain

ACT delegation is peer-to-peer: no Authorization Server is involved. Delegation is expressed as a cryptographically verifiable chain of ACT issuances, where each step reduces privileges relative to the previous step.

6.1. Peer-to-Peer Delegation

When Agent A authorizes Agent B to perform a sub-task, Agent A:

  1. Creates a new ACT with sub set to Agent B's identifier.

  2. Sets cap to a subset of A's own authorized capabilities, with constraints at least as restrictive as those in A's mandate.

  3. Sets del.depth to A's own del.depth + 1.

  4. Sets del.max_depth to no more than the del.max_depth value in A's own mandate.

  5. Adds a chain entry containing A's identifier as delegator, the jti of A's own mandate, and a sig value computed as:

    sig = Sign(A.private_key, SHA-256(canonical_ACT_phase1_bytes))

    where canonical_ACT_phase1_bytes is the UTF-8 encoded bytes of the JWS Compact Serialization of A's Phase 1 ACT.

  6. Signs the new ACT with A's private key.

6.2. Privilege Reduction Requirements

When issuing a delegated ACT, the issuing agent MUST reduce privileges by one or more of:

  • Removing capabilities (sub-set of parent capabilities only).
  • Adding stricter constraints (lower rate limits, narrower domains, shorter time windows, lower data classification ceiling).
  • Reducing token lifetime (exp closer to iat).
  • Reducing del.max_depth.

The issuing agent MUST NOT grant capabilities not present in its own mandate. Capability escalation via delegation is prohibited and MUST be detected and rejected by verifiers.

For well-known numeric constraints (e.g., max_records, max_requests_per_hour), "more restrictive" means a numerically lower or equal value. For well-known enumerated constraints (e.g., data_sensitivity), "more restrictive" means a value that is equal or higher in the defined ordering ("public" < "internal" < "confidential" < "restricted"). For unknown or domain-specific constraint keys, verifiers MUST treat the constraint as non-comparable and MUST reject the delegation unless the delegated constraint value is byte-for-byte identical to the parent constraint value.

6.3. Delegation Verification

A verifier receiving a delegated ACT MUST:

  1. Verify the ACT's own signature (Section 8.1).
  2. For each entry in del.chain, in order from index 0 to del.depth - 1: a. Retrieve the public key for entry.delegator. b. Verify that entry.sig is a valid signature over the SHA-256 hash of the referenced parent ACT (identified by entry.jti). c. Verify that the capabilities in the current ACT are a subset of the capabilities in the parent ACT, per the constraint comparison rules in Section 6.2.
  3. Verify that del.depth does not exceed del.max_depth.
  4. Verify that del.chain length equals del.depth.

If any step fails, the ACT MUST be rejected.

7. DAG Structure and Causal Ordering

ACTs in Phase 2 form a DAG over the par (parent) claim. The DAG encodes causal dependencies: a task MAY NOT begin before all its parent tasks are completed.

7.1. DAG Validation

When processing a Phase 2 ACT, implementations MUST:

  1. Uniqueness: Verify the jti is unique within the workflow (wid) or globally if wid is absent.

  2. Parent Existence: Verify every jti in par corresponds to a Phase 2 ACT available in the ACT store or audit ledger.

  3. Temporal Ordering: Verify that for each parent: parent.exec_ts < child.exec_ts + clock_skew_tolerance (RECOMMENDED tolerance: 30 seconds). Causal ordering is primarily enforced by DAG structure, not timestamps.

  4. Acyclicity: Following parent references MUST NOT lead back to the current ACT's jti. Implementations MUST enforce a maximum ancestor traversal limit (RECOMMENDED: 10,000 nodes).

  5. Capability Consistency: Verify that exec_act matches one of the action values in the cap array from Phase 1.

7.2. Root Tasks and Fan-in

A root task has par = []. A workflow MAY have multiple root tasks representing parallel branches with no shared predecessor.

Fan-in — a task with multiple parents — is expressed naturally:

{
  "par": [
    "550e8400-e29b-41d4-a716-446655440001",
    "550e8400-e29b-41d4-a716-446655440002"
  ]
}

This indicates the current task depends on the completion of both referenced parent tasks, which MAY have been executed in parallel by different agents.

8. Verification Procedure

8.1. Authorization Phase Verification

A receiving agent MUST verify a Phase 1 ACT as follows:

  1. Parse JWS Compact Serialization per [RFC7515].
  2. Verify typ is "act+jwt".
  3. Verify alg is in the verifier's algorithm allowlist. The allowlist MUST NOT include "none" or any symmetric algorithm.
  4. Retrieve the public key for kid per the applicable trust tier (Section 5).
  5. Verify the JWS signature.
  6. Verify exp has not passed (with clock skew tolerance: RECOMMENDED maximum 5 minutes).
  7. Verify iat is not unreasonably in the future (RECOMMENDED: no more than 30 seconds ahead).
  8. Verify aud contains the verifier's own identifier.
  9. Verify iss is a trusted agent identity per local policy.
  10. Verify sub matches the verifier's own identifier (the agent is the intended recipient of this mandate).
  11. Verify all required claims are present and well-formed.
  12. Verify delegation chain (Section 6.3) if del.chain is non-empty.
  13. Verify capabilities are within policy limits.

8.2. Execution Phase Verification

In addition to all Phase 1 verification steps, a verifier processing a Phase 2 ACT MUST:

  1. Verify exec_act is present and matches an action in cap.
  2. Verify par is present and perform DAG validation (Section 7.1).
  3. Verify exec_ts is present and is greater than or equal to iat. If exec_ts is after exp, implementations SHOULD log a warning but MUST NOT reject the record solely on this basis.
  4. Verify status is present and has a valid value.
  5. Verify the re-signature was produced by the sub agent (the executing agent), not the iss agent (the mandating agent). This is verified by checking that the kid in the Phase 2 JOSE header corresponds to the sub agent's public key.
  6. If inp_hash or out_hash are present, verify them against locally available input/output data when possible.

9. Transport

9.1. HTTP Header Transport

This specification defines two HTTP header fields for ACT transport:

ACT-Mandate: Carries a Phase 1 ACT issued by an upstream agent or operator. Value is the JWS Compact Serialization of the ACT.

GET /api/safety-check HTTP/1.1
Host: safety-agent.example.com
ACT-Mandate: eyJhbGci...Phase1ACT...

ACT-Record: Carries a Phase 2 ACT from a predecessor agent, serving as evidence of completed prerequisites.

POST /api/downstream HTTP/1.1
Host: downstream-agent.example.com
ACT-Mandate: eyJhbGci...Phase1ACT...
ACT-Record: eyJhbGci...Phase2ACT...

Multiple ACT-Record header lines MAY be included when a task has multiple completed predecessors (DAG fan-in). If any single ACT-Record fails verification, the receiver MUST reject the entire request.

9.2. Non-HTTP Transports

For non-HTTP transports (MCP stdio, A2A message queues, AMQP, etc.), ACTs SHOULD be carried as a dedicated field in the transport's metadata envelope. The field name SHOULD be act_mandate for Phase 1 ACTs and act_record for Phase 2 ACTs. Implementations MUST use the JWS Compact Serialization form in all transports.

10. Audit Ledger Interface

Phase 2 ACTs SHOULD be submitted to an immutable audit ledger. A ledger is RECOMMENDED for regulated environments but is not required for basic ACT operation. This specification does not mandate a specific storage technology.

When an audit ledger is deployed, the implementation MUST provide:

  1. Append-only semantics: Once an ACT is recorded, it MUST NOT be modified or deleted.

  2. Ordering: A monotonically increasing sequence number per recorded ACT.

  3. Lookup: Efficient retrieval by jti value.

  4. Integrity: A cryptographic commitment scheme over recorded ACTs (e.g., hash-chaining, Merkle tree anchoring, or SCITT registration per [I-D.ietf-scitt-architecture]).

11. Security Considerations

11.1. Threat Model

ACT assumes an adversarial environment where:

  • Individual agents may be compromised.
  • Network paths may be intercepted (mitigated by transport security).
  • Attackers may attempt to replay valid ACTs from prior interactions.
  • Colluding agents may attempt to fabricate execution records.
  • Agents may attempt privilege escalation via manipulated delegation chains.

ACT does NOT assume:

  • A trusted central authority (by design).
  • Synchronized clocks beyond the stated skew tolerance.
  • Availability of external network services during verification.

11.2. Self-Assertion Limitation

Phase 2 ACTs are self-asserted: an executing agent signs its own execution record. A compromised agent with an intact private key can produce Phase 2 ACTs claiming arbitrary inputs, outputs, and action types, as long as the claimed exec_act matches an authorized capability.

This is a fundamental limitation of self-sovereign attestation. It is the same limitation affecting WIMSE ECT [I-D.nennemann-wimse-ect] Section 8.2.

Mitigations:

  • Cross-agent corroboration: A receiving agent that processes an ACT-Record as a prerequisite independently verifies that the claimed out_hash matches the data it actually received.
  • Ledger sequencing: An append-only ledger with monotonic sequence numbers prevents retroactive insertion of fabricated records.
  • SCITT anchoring: For high-assurance deployments, Phase 2 ACTs SHOULD be anchored to a SCITT Transparency Service, providing external witness that the record was submitted at a claimed time.

11.3. Key Compromise

If an agent's private key is compromised, an attacker can issue arbitrary Phase 1 mandates (impersonating the agent as an issuer) and fabricate Phase 2 records (impersonating the agent as an executor).

Key compromise response:

  1. The compromised agent's identifier MUST be added to all verifiers' deny lists.
  2. In Tier 2 (PKI) deployments, the certificate MUST be revoked via CRL or OCSP.
  3. In Tier 3 (DID) deployments, the DID Document MUST be updated to revoke the compromised key.
  4. In Tier 1 (pre-shared key) deployments, both parties MUST perform an out-of-band key rotation.

ACT chains that include records signed by a compromised key MUST be treated as potentially tainted from the point of compromise. Audit systems MUST flag all ACTs signed after the estimated compromise time.

11.4. Replay Attack Prevention

jti uniqueness within the applicable scope (workflow or global) provides replay detection. Verifiers MUST reject ACTs whose jti has already been seen and processed.

exp provides a time-bounded replay window. Verifiers MUST reject expired ACTs. The combination of jti and exp means that replay detection state only needs to be maintained for the duration of token lifetimes.

11.5. Equivocation

In standalone deployment (no audit ledger, no SCITT anchoring), ACT does NOT provide non-equivocation guarantees. A compromised agent can maintain two valid ACT chains — presenting Phase 2 records with different out_hash values to different verifiers — and both will pass independent verification.

Deployments claiming DORA [DORA] Article 10/11 compliance or EU AI Act [EUAIA] Article 12 compliance MUST use one of:

(a) A shared append-only audit ledger visible to all relevant parties, with cryptographic integrity (hash chaining or Merkle trees).

(b) SCITT anchoring [I-D.ietf-scitt-architecture] providing external Transparency Service receipts.

Standalone ACT provides tamper detection (a verifier can detect modification of a record it has seen) but not split-view prevention (a verifier cannot detect a different record shown to another verifier).

11.6. Privilege Escalation

Verifiers MUST check that each step in del.chain reduces or maintains (never increases) the capabilities relative to the preceding step. Implementations MUST reject ACTs where:

  • del.depth exceeds del.max_depth.
  • cap contains actions not present in any referenced parent ACT.
  • Constraints in cap are less restrictive than those in the parent.

11.7. Denial of Service

ACT verification is more computationally expensive than standard JWT validation due to delegation chain verification and DAG traversal.

Mitigations:

  • Reject ACTs larger than 64KB before parsing.
  • Enforce maximum del.chain length (RECOMMENDED: 10 entries).
  • Enforce maximum DAG ancestor traversal depth (RECOMMENDED: 10,000 nodes, Section 7.1).
  • Cache verification results for recently seen jti values within the token lifetime window.

12. Privacy Considerations

ACT tokens and audit ledger records may contain information that identifies agents, organizations, or individuals. Implementations SHOULD apply data minimization principles:

  • task.created_by SHOULD use a pseudonymous identifier rather than a personal email address or real name.
  • task.purpose SHOULD use a controlled vocabulary code rather than free-text descriptions that may contain personal data.
  • del.chain entries reveal organizational structure. Cross- organizational delegation chains SHOULD use Tier 3 (DID) identifiers that do not reveal organizational affiliation.
  • inp_hash and out_hash are hashes of data, not the data itself, and do not constitute personal data under GDPR Article 4(1) provided the underlying data is not trivially reversible (e.g., hashes of very short strings).

For GDPR Article 17 (right to erasure) compliance, audit ledgers SHOULD store only ACT tokens (which contain hashes, not raw data) and SHOULD implement crypto-shredding for any associated encrypted payloads.

13. IANA Considerations

13.1. Media Type Registration

This document requests registration of the following media type:

  • Type name: application
  • Subtype name: act+jwt
  • Required parameters: none
  • Encoding considerations: binary (base64url-encoded JWT)
  • Security considerations: See Section 11.
  • Interoperability considerations: See Section 8.
  • Specification: This document.

13.2. HTTP Header Field Registration

This document requests registration of the following HTTP header fields in the "Hypertext Transfer Protocol (HTTP) Field Name Registry":

  • Header field name: ACT-Mandate

  • Applicable protocol: HTTP

  • Status: permanent

  • Specification: This document, Section 9.1.

  • Header field name: ACT-Record

  • Applicable protocol: HTTP

  • Status: permanent

  • Specification: This document, Section 9.1.

13.3. JWT Claims Registration

This document requests registration of the following claims in the IANA "JSON Web Token Claims" registry:

Claim Name Description Reference
wid Workflow identifier This document
task Task authorization context This document
cap Capabilities with constraints This document
oversight Human oversight requirements This document
del Delegation provenance chain This document
exec_act Executed action identifier This document
par Parent task identifiers (DAG) This document
inp_hash SHA-256 hash of task input This document
out_hash SHA-256 hash of task output This document
exec_ts Actual execution timestamp This document
status Execution status This document
err Execution error context This document

14. References

14.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC7515] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Signature (JWS)", RFC 7515, May 2015.

[RFC7517] Jones, M., "JSON Web Key (JWK)", RFC 7517, May 2015.

[RFC7518] Jones, M., "JSON Web Algorithms (JWA)", RFC 7518, May 2015.

[RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token (JWT)", RFC 7519, May 2015.

[RFC8037] Liusvaara, I., "CFRG Elliptic Curves for JOSE", RFC 8037, January 2017.

[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, May 2017.

[RFC9110] Fielding, R., et al., "HTTP Semantics", RFC 9110, June 2022.

[RFC9562] Davis, K., et al., "Universally Unique IDentifiers (UUIDs)", RFC 9562, May 2024.

14.2. Informative References

[DORA] European Parliament, "Digital Operational Resilience Act (DORA)", Regulation (EU) 2022/2554, 2022.

[EUAIA] European Parliament, "EU Artificial Intelligence Act", Regulation (EU) 2024/1689, 2024.

[IEC62304] IEC, "Medical device software — Software life cycle processes", IEC 62304:2006+AMD1:2015.

[I-D.aap-oauth-profile] Cruz, A., "Agent Authorization Profile (AAP) for OAuth 2.0", draft-aap-oauth-profile-01, February 2026.

[I-D.nennemann-wimse-ect] Nennemann, C., "Execution Context Tokens for Distributed Agentic Workflows", draft-nennemann-wimse-ect-00, February 2026.

[I-D.ietf-scitt-architecture] Birkholz, H., et al., "An Architecture for Trustworthy and Transparent Digital Supply Chains", draft-ietf-scitt-architecture-22, October 2025.

[RFC8693] Jones, M., et al., "OAuth 2.0 Token Exchange", RFC 8693, January 2020.

[W3C-DID] Sporny, M., et al., "Decentralized Identifiers (DIDs) v1.0", W3C Recommendation, July 2022.

[DID-KEY] Longley, D., et al., "The did:key Method v0.7", 2021.

[DID-WEB] Steele, O., et al., "did:web Method Specification", 2022.

Appendix A: Complete JSON Schema

The normative JSON Schema for ACT Phase 1 and Phase 2 tokens is available at [TODO: reference implementation repository].

Appendix B: Test Vectors

B.1. Valid Phase 1 ACT — Root Mandate (Tier 1, Pre-Shared Key)

[TODO: include encoded test vector with signing key, payload,
and expected JWS Compact Serialization]

B.2. Valid Phase 2 ACT — Completed Execution

[TODO: include encoded test vector demonstrating Phase 1 → Phase 2
transition with re-signature by target agent]

B.3. Valid Phase 2 ACT — Fan-in (Multiple Parents)

[TODO: demonstrate par with two parent jti values from parallel
workflow branches]

B.4. Invalid ACT — Delegation Depth Exceeded

[TODO: demonstrate del.depth > del.max_depth rejection]

B.5. Invalid ACT — Capability Escalation

[TODO: demonstrate rejection when delegated cap contains action
not present in parent ACT]

B.6. Invalid ACT — exec_act Mismatch

[TODO: demonstrate rejection when exec_act does not match any
cap.action in the Phase 1 claims]

Appendix C: Deployment Scenarios

C.1. Minimal Deployment (Zero Infrastructure)

Two organizations exchange pre-shared public keys via secure email. Each agent signs Phase 1 mandates and Phase 2 records with its Ed25519 key. No ledger, no external services. Suitable for development and low-risk workflows.

Limitation: No non-equivocation (Section 11.5).

C.2. Regulated Deployment with Hash-Chained Ledger

Phase 2 ACTs are submitted to a shared append-only ledger with hash-chaining. Each recorded ACT extends a cryptographic chain, providing tamper evidence for each ACT and the chain as a whole. The ledger is shared between all regulated parties participating in the workflow. Suitable for DORA compliance.

C.3. High-Assurance Cross-Organizational Deployment

Phase 2 ACTs are anchored to a SCITT Transparency Service. SCITT receipts are attached to the audit record as non-equivocation proofs. DID-based agent identities (Tier 3) enable self-sovereign key management without shared CA infrastructure.

C.4. WIMSE Environment Integration

In environments where WIMSE is already deployed, ACT-Mandate and ACT-Record headers are carried alongside the WIMSE Workload-Identity header. The ECT and ACT serve different purposes: the ECT records workload-level execution in WIMSE terms; the ACT records the authorization provenance and capability constraints that governed the action.

Author's Address

Christian Nennemann Independent Email: [TODO]

Reference in New Issue View Git Blame Copy Permalink