c/ietf-draft-analyzer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e83491cb91623976150ca3b0d3a090993164e421
ietf-draft-analyzer/workspace/act/draft-nennemann-act-00.md
Christian Nennemann 2506b6325a
Some checks failed
CI / test (3.11) (push) Failing after 1m37s
Details
CI / test (3.12) (push) Failing after 57s
Details
feat: add draft data, gap analysis report, and workspace config
2026-04-06 18:47:15 +02:00

1428 lines
49 KiB
Markdown
Raw Blame History

# Agent Compact Token (ACT)
```
Independent Submission C. Nennemann
Internet-Draft Independent
Intended status: Standards Track March 2026
Expires: September 2026
Agent Compact Token (ACT)
draft-nennemann-act-00
```
## Abstract
This document defines the Agent Compact Token (ACT), a self-contained
JWT-based format for autonomous AI agents that unifies authorization
and execution accountability in a single token lifecycle. An ACT
begins as a signed authorization mandate — encoding capabilities,
constraints, delegation provenance, and oversight requirements — and
transitions into a tamper-evident execution record once the agent
completes its task, appending cryptographic hashes of inputs and
outputs and linking to predecessor tasks via a directed acyclic graph
(DAG). ACT requires no Authorization Server, no workload identity
infrastructure, and no transparency service for basic operation. Trust
is bootstrapped via pre-shared keys and is upgradeable to PKI or
Decentralized Identifiers (DIDs). ACT is designed for cross-
organizational agent federation in regulated and unregulated
environments alike.
---
## Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF). Note that other groups may also distribute working
documents as Internet-Drafts. The list of current Internet-Drafts is
at https://datatracker.ietf.org/drafts/current/.
This Internet-Draft will expire on 29 September 2026.
---
## Copyright Notice
Copyright (c) 2026 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info).
---
## Table of Contents
1. Introduction
- 1.1. Problem Statement
- 1.2. Design Goals
- 1.3. Non-Goals
- 1.4. Relationship to Related Work
2. Conventions and Definitions
3. ACT Lifecycle
- 3.1. Phase 1: Authorization Mandate
- 3.2. Phase 2: Execution Record
- 3.3. Lifecycle State Machine
4. ACT Token Format
- 4.1. JOSE Header
- 4.2. JWT Claims: Authorization Phase
- 4.3. JWT Claims: Execution Phase
- 4.4. Complete Examples
5. Trust Model
- 5.1. Tier 0: Bootstrap (TOFU)
- 5.2. Tier 1: Pre-Shared Keys (Mandatory-to-Implement)
- 5.3. Tier 2: PKI / X.509
- 5.4. Tier 3: Decentralized Identifiers (DID)
- 5.5. Cross-Tier Interoperability
6. Delegation Chain
- 6.1. Peer-to-Peer Delegation
- 6.2. Privilege Reduction Requirements
- 6.3. Delegation Verification
7. DAG Structure and Causal Ordering
- 7.1. DAG Validation
- 7.2. Root Tasks and Fan-in
8. Verification Procedure
- 8.1. Authorization Phase Verification
- 8.2. Execution Phase Verification
9. Transport
- 9.1. HTTP Header Transport
- 9.2. Non-HTTP Transports
10. Audit Ledger Interface
11. Security Considerations
- 11.1. Threat Model
- 11.2. Self-Assertion Limitation
- 11.3. Key Compromise
- 11.4. Replay Attack Prevention
- 11.5. Equivocation
- 11.6. Privilege Escalation
- 11.7. Denial of Service
12. Privacy Considerations
13. IANA Considerations
- 13.1. Media Type Registration
- 13.2. HTTP Header Field Registration
- 13.3. JWT Claims Registration
14. References
- 14.1. Normative References
- 14.2. Informative References
- Appendix A: Complete JSON Schema
- Appendix B: Test Vectors
- Appendix C: Deployment Scenarios
---
## 1. Introduction
Autonomous AI agents increasingly operate across organizational
boundaries, executing multi-step workflows where individual tasks are
delegated from one agent to another. These workflows create two
distinct, inseparable compliance requirements:
1. **Authorization**: was the agent permitted to perform the action,
under what constraints, and by whose authority?
2. **Accountability**: what did the agent actually do, with what
inputs, producing what outputs, in what causal relationship to
prior tasks?
Existing specifications address these requirements in isolation.
The Agent Authorization Profile (AAP) [I-D.aap-oauth-profile]
provides structured authorization via OAuth 2.0 but requires a
central Authorization Server. The WIMSE Execution Context Token
[I-D.nennemann-wimse-ect] provides execution accountability but
requires WIMSE workload identity infrastructure (SPIFFE/SPIRE).
This document defines the Agent Compact Token (ACT), which addresses
both requirements in a single, self-contained token that requires no
shared infrastructure beyond the ability to verify asymmetric
signatures. The word "Compact" in the name signals the core design
principle: the smallest possible trust footprint that still provides
cryptographically verifiable authorization and accountability.
### 1.1. Problem Statement
Cross-organizational agent federation today faces a bootstrapping
problem: deploying shared OAuth infrastructure or a common SPIFFE
trust domain requires organizational agreement before the first
message is exchanged. In practice this means either:
(a) agents operate without cryptographic authorization or audit
trails, relying on application-layer access control only; or
(b) organizations adopt one party's identity infrastructure, creating
a hub-and-spoke dependency that contradicts the decentralized
nature of agent networks.
ACT solves this by making pre-shared keys the mandatory-to-implement
trust baseline — two agents can begin a secure, auditable interaction
with nothing more than an out-of-band key exchange — while providing
a clean upgrade path to PKI or DID-based trust without changing the
token format.
### 1.2. Design Goals
- **G1 — Zero infrastructure baseline**: ACT MUST be deployable with
no shared servers, no common identity provider, and no transparency
service.
- **G2 — Single token lifecycle**: Authorization and accountability
MUST be expressed in the same token format to prevent
authorization-accountability gaps.
- **G3 — Peer-to-peer delegation**: Delegation chains MUST be
verifiable without contacting an Authorization Server, using
cryptographic chaining of agent signatures.
- **G4 — DAG-native causal ordering**: Workflows with parallel
branches and fan-in dependencies MUST be expressible natively,
without flattening to a linear chain.
- **G5 — Cross-organizational interoperability**: ACTs issued by
agents in different trust domains MUST be verifiable by any
participant holding the issuing agent's public key.
- **G6 — Regulatory applicability**: ACT MUST provide sufficient
evidence for audit requirements in DORA [DORA], EU AI Act
Article 12 [EUAIA], and IEC 62304 [IEC62304] without requiring
additional log formats.
- **G7 — Upgrade path**: The trust model MUST support migration from
pre-shared keys to PKI or DID without breaking existing ACT chains.
### 1.3. Non-Goals
The following are explicitly out of scope:
- Defining internal AI model behavior or decision logic.
- Replacing organizational security policies or procedures.
- Defining storage formats for audit ledgers.
- Specifying token revocation infrastructure (deployments MAY use
existing mechanisms such as [RFC7009] for this purpose).
- Providing non-equivocation guarantees in standalone mode (see
Section 11.5 for the equivocation discussion and optional
transparency anchoring).
### 1.4. Relationship to Related Work
**AAP [I-D.aap-oauth-profile]**: ACT addresses the same authorization
problem as AAP but does not require an Authorization Server. ACT
delegation is peer-to-peer via cryptographic signature chaining;
AAP delegation requires OAuth Token Exchange [RFC8693] against a
central AS. ACT is not a profile of AAP; it is an infrastructure-
independent alternative for the same problem class.
**WIMSE ECT [I-D.nennemann-wimse-ect]**: ACT addresses the same
execution accountability problem as the WIMSE Execution Context Token
but does not require WIMSE workload identity infrastructure. ACT is
not a profile of WIMSE; it is deployable in environments without
SPIFFE/SPIRE. In environments where WIMSE is deployed, ACT MAY be
carried alongside WIMSE tokens to augment accountability with
authorization provenance.
**SCITT [I-D.ietf-scitt-architecture]**: For deployments requiring
non-equivocation guarantees (see Section 11.5), ACT execution records
MAY be anchored to a SCITT Transparency Service as a Layer 2
mechanism. This is OPTIONAL and not required for basic ACT operation.
---
## 2. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
**Agent**: An autonomous software entity that executes tasks, issues
ACTs as mandates for sub-agents, and produces ACTs as execution
records of its own actions.
**Authorization Mandate**: An ACT in Phase 1, encoding what an agent
is permitted to do, under what constraints, and by whose authority.
**Execution Record**: An ACT in Phase 2, encoding what an agent
actually did, including cryptographic hashes of inputs and outputs
and causal links to predecessor tasks.
**Directed Acyclic Graph (DAG)**: A graph structure representing task
dependency ordering where edges are directed and no cycles exist. Used
by ACT to model causal relationships between tasks in a workflow.
**Delegation Chain**: A cryptographically verifiable sequence of ACT
issuances from a root authority through one or more agents, each
signing a new ACT that reduces privileges relative to the one it
received.
**Trust Tier**: A level of key management infrastructure used to
establish the public key of an ACT issuer. Tiers range from
pre-shared keys (Tier 1, mandatory) to PKI (Tier 2) and DIDs
(Tier 3).
**Workflow**: A set of related tasks, identified by a shared `wid`
claim, forming a single logical unit of work.
---
## 3. ACT Lifecycle
An ACT has a two-phase lifecycle. The same token format is used in
both phases; the presence or absence of execution claims determines
which phase a token represents.
A token is a **Phase 2 Execution Record** if and only if the claim
`exec_act` is present. A token that does not contain `exec_act` is
a **Phase 1 Authorization Mandate**. Verifiers MUST determine the
phase before applying verification rules, and MUST reject a token
that is presented in the wrong phase for the operation being
performed.
### 3.1. Phase 1: Authorization Mandate
In Phase 1, an ACT is created by a delegating agent (or a human
operator) to authorize a target agent to perform a specific task. The
token carries:
- The identity of the issuing agent and the target agent.
- The capabilities granted, with associated constraints.
- Human oversight requirements for high-impact actions.
- The delegation provenance (who authorized the issuer to delegate).
- A task identifier and declared purpose.
The Phase 1 ACT is signed by the issuing agent using its private key.
The target agent receives the ACT and uses it as a bearer mandate —
evidence that it is authorized to proceed.
Phase 1 ACTs are short-lived. Implementations SHOULD set expiration
(`exp`) to no more than 15 minutes after issuance (`iat`) for
automated agent-to-agent workflows. Longer lifetimes MAY be used for
human-initiated mandates where the agent may not act immediately.
### 3.2. Phase 2: Execution Record
Upon completing the authorized task, the executing agent MUST
transition the ACT to Phase 2 by:
1. Adding the `exec_act` claim describing the action performed.
2. Optionally adding `inp_hash` and/or `out_hash` SHA-256 hashes
of task inputs and outputs (RECOMMENDED for regulated environments).
3. Adding the `par` array referencing parent task identifiers (DAG
dependencies).
4. Adding `exec_ts` and `status` claims.
5. Re-signing the complete token with its own private key.
The re-signing is critical: it produces a new signature over the
combined authorization + execution claims, binding the executing
agent's cryptographic identity to both the mandate it received and
the execution it performed. This creates a single, non-repudiable
record that answers both "was this agent authorized?" and "what
did it do?"
Note on issuer signature preservation: re-signing replaces the
Phase 1 signature produced by the issuing agent (`iss`). The
integrity of the original mandate is preserved through the
`del.chain` mechanism: the chain entry's `sig` field is the `iss`
agent's signature over the Phase 1 ACT, and this signature remains
intact and verifiable in the Phase 2 token. For root mandates where
`del.chain` is empty, the issuer's signature is not independently
preserved in Phase 2. Deployments requiring independent
verifiability of the original mandate SHOULD retain the Phase 1
ACT separately alongside the Phase 2 record.
The resulting Phase 2 ACT SHOULD be submitted to an audit ledger
(Section 10) and MAY be sent to the next agent in the workflow as
evidence of completed prerequisites.
### 3.3. Lifecycle State Machine
```
[Issuer creates Phase 1 ACT]
|
| sign(issuer_key)
v
+------------------+
| MANDATE | Phase 1: Authorization Mandate
| (unsigned by | Carried as bearer token by target agent
| target agent) |
+------------------+
|
| Target agent executes task
| adds exec_act, inp_hash, out_hash, par
| re-signs with target_agent_key
v
+------------------+
| RECORD | Phase 2: Execution Record
| (signed by | Submitted to ledger, passed to next agent
| target agent) |
+------------------+
|
| (optional) anchor to SCITT Transparency Service
v
+------------------+
| ANCHORED | Phase 2 + external non-equivocation
+------------------+
```
---
## 4. ACT Token Format
An ACT is a JSON Web Token [RFC7519] signed as a JSON Web Signature
[RFC7515] using JWS Compact Serialization. All ACTs MUST use JWS
Compact Serialization to ensure they can be carried in a single HTTP
header value.
### 4.1. JOSE Header
The ACT JOSE header MUST contain:
```json
{
"alg": "ES256",
"typ": "act+jwt",
"kid": "agent-a-key-2026-03"
}
```
**alg** (REQUIRED): The digital signature algorithm. Implementations
MUST support ES256 [RFC7518]. EdDSA (Ed25519) [RFC8037] is
RECOMMENDED for new deployments due to smaller signatures and
resistance to side-channel attacks. Symmetric algorithms (HS256,
HS384, HS512) MUST NOT be used. The "alg" value MUST NOT be "none".
**typ** (REQUIRED): MUST be "act+jwt" to distinguish ACTs from other
JWT types.
**kid** (REQUIRED): An identifier for the signing key. In Tier 1
deployments (pre-shared keys), this is an opaque string agreed
out-of-band. In Tier 2 deployments (PKI), this is the X.509
certificate thumbprint. In Tier 3 deployments (DID), this is the
DID key fragment (e.g., `did:key:z6Mk...#key-1`).
**x5c** (OPTIONAL): In Tier 2 deployments, the X.509 certificate
chain MAY be included to enable verification without out-of-band
key distribution.
**did** (OPTIONAL): In Tier 3 deployments, the full DID of the
issuing agent MAY be included for resolution.
### 4.2. JWT Claims: Authorization Phase
#### 4.2.1. Standard JWT Claims
**iss** (REQUIRED): The identifier of the agent issuing the mandate.
Format depends on trust tier: an opaque string (Tier 1), an X.509
Subject DN (Tier 2), or a DID (Tier 3).
**sub** (REQUIRED): The identifier of the agent authorized to act.
MUST use the same format convention as `iss`.
**aud** (REQUIRED): The intended recipient(s). MUST include the
identifier of the target agent (`sub`). When an audit ledger is
deployed, MUST also include the ledger's identifier. When multiple
recipients are present, MUST be an array. Verifiers that are audit
ledgers MUST verify that their own identifier appears in `aud`.
**iat** (REQUIRED): Issuance time as a NumericDate [RFC7519].
**exp** (REQUIRED): Expiration time. Implementations SHOULD set to
no more than 15 minutes after `iat` for automated workflows.
**jti** (REQUIRED): A UUID [RFC9562] uniquely identifying this ACT
and, in Phase 2, the task it records. Used as the task identifier
for DAG parent references in `par`.
#### 4.2.2. ACT Authorization Claims
**wid** (OPTIONAL): A UUID identifying the workflow to which this
task belongs. When present, groups related ACTs and scopes `jti`
uniqueness to the workflow.
**task** (REQUIRED): An object describing the authorized task:
```json
{
"task": {
"purpose": "validate_patient_dosage",
"data_sensitivity": "restricted",
"created_by": "operator:clinical-admin-01",
"expires_at": 1772064750
}
}
```
- `purpose` (REQUIRED): A string describing the intended task.
Implementations SHOULD use a controlled vocabulary or reverse-
domain notation (e.g., "com.example.validate_dosage") to enable
semantic consistency checking by the receiving agent.
- `data_sensitivity` (OPTIONAL): One of "public", "internal",
"confidential", "restricted". Receiving agents MUST NOT perform
actions that would expose data above this classification.
- `created_by` (OPTIONAL): An identifier for the human or system
that initiated the workflow. SHOULD be pseudonymous (see
Section 12).
- `expires_at` (OPTIONAL): A NumericDate after which the task
mandate is no longer valid, independent of `exp`.
**cap** (REQUIRED): An array of capability objects, each specifying
an action the agent is authorized to perform and the constraints
under which it may do so:
```json
{
"cap": [
{
"action": "read.patient_record",
"constraints": {
"patient_id_scope": "current_task_only",
"max_records": 1,
"data_classification_max": "restricted"
}
},
{
"action": "write.dosage_recommendation",
"constraints": {
"status": "draft_only"
}
}
]
}
```
Action names MUST conform to the ABNF grammar:
```
action-name = component *( "." component )
component = ALPHA *( ALPHA / DIGIT / "-" / "_" )
```
Receiving agents MUST perform exact string matching on action names.
Wildcard matching is NOT part of this specification.
When multiple capabilities match the same action, OR semantics
apply: if ANY capability grants the action, the request is
authorized subject to that capability's constraints. When multiple
constraints exist within a single capability, AND semantics apply:
ALL constraints MUST be satisfied. When the same constraint key
appears in both a capability-level and a policy-level context, the
more restrictive value applies: lower numeric limits, narrower
allow-lists (intersection), broader block-lists (union), and
narrower time windows.
**oversight** (OPTIONAL): Human oversight requirements:
```json
{
"oversight": {
"requires_approval_for": ["write.publish", "execute.payment"],
"approval_ref": "https://approval.example.com/workflow/w-123"
}
}
```
When `requires_approval_for` lists an action, the receiving agent
MUST NOT execute that action autonomously. The approval mechanism
is out of scope for this specification.
**del** (OPTIONAL): Delegation provenance, establishing the chain
of authority from the root mandate to this ACT. If `del` is absent,
the ACT MUST be treated as a root mandate with `depth` = 0 and
further delegation is not permitted (i.e., the receiving agent MUST
NOT issue sub-mandates based on this ACT).
```json
{
"del": {
"depth": 1,
"max_depth": 3,
"chain": [
{
"delegator": "did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK",
"jti": "550e8400-e29b-41d4-a716-446655440000",
"sig": "base64url-encoded-signature-of-parent-act-hash"
}
]
}
}
```
- `depth`: The current delegation depth. 0 means this is a root
mandate issued by a human or root authority.
- `max_depth`: The maximum permitted delegation depth. Receiving
agents MUST NOT issue sub-mandates that would exceed this depth.
- `chain`: An array of delegation provenance records ordered from
root to immediate parent (chain[0] is the root authority,
chain[depth-1] is the direct parent of this ACT). Each entry
contains:
- `delegator`: The identifier of the agent that authorized this
delegation step (i.e., the `iss` of the parent ACT at that
depth).
- `jti`: The `jti` of the parent ACT that authorized this
delegation step.
- `sig`: The delegating agent's signature over the SHA-256 hash
of that parent ACT, providing cryptographic linkage without
requiring the full parent ACT to be transmitted.
The `sig` field in each chain entry is the critical departure from
AAP's delegation model: rather than requiring a central AS to
validate the chain, any verifier holding the delegating agent's
public key can independently verify each step by recomputing the
hash and checking the signature.
### 4.3. JWT Claims: Execution Phase
The following claims are added by the executing agent when
transitioning to Phase 2. Their presence distinguishes an Execution
Record from an Authorization Mandate.
**exec_act** (REQUIRED in Phase 2): A string identifying the action
actually performed. MUST conform to the same ABNF grammar as
capability action names. MUST match one of the `action` values in
the `cap` array of the Phase 1 claims.
**par** (REQUIRED in Phase 2): An array of `jti` values of parent
tasks in the DAG. An empty array indicates a root task. Each value
MUST be the `jti` of a previously verified ACT (Phase 2) within
the same workflow (same `wid`) or the global ACT store if `wid` is
absent.
**inp_hash** (OPTIONAL): The base64url encoding (without padding) of
the SHA-256 hash of the task's input data, computed over the raw
octets of the serialized input. Provides cryptographic evidence of
what data the agent processed.
**out_hash** (OPTIONAL): The base64url encoding (without padding) of
the SHA-256 hash of the task's output data, using the same format
as `inp_hash`. Provides cryptographic evidence of what data the
agent produced.
**exec_ts** (REQUIRED in Phase 2): A NumericDate recording the
actual time of task execution. MAY differ from `iat` when the agent
queued the mandate before execution. MUST be greater than or equal
to `iat`. SHOULD be less than or equal to `exp`; execution after
mandate expiry is possible when tasks are long-running and MUST NOT
cause automatic rejection, but implementors SHOULD log a warning.
**status** (REQUIRED in Phase 2): One of "completed", "failed",
"partial". Allows audit systems to distinguish successful execution
from partial or failed attempts, which is essential for regulated
environments where failed attempts must be recorded.
**err** (OPTIONAL, present when `status` is "failed" or "partial"):
An object providing error context:
```json
{
"err": {
"code": "constraint_violation",
"detail": "data_classification_max exceeded"
}
}
```
Error detail SHOULD NOT reveal internal system state beyond what is
necessary for audit purposes.
### 4.4. Complete Examples
#### Phase 1 — Authorization Mandate
```json
{
"alg": "ES256",
"typ": "act+jwt",
"kid": "agent-clinical-key-2026-03"
}
.
{
"iss": "did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK",
"sub": "did:key:z6MknGc3omCyas4b1GmEn4xySHgLuSHxrKrUBnrhJekxZHFz",
"aud": [
"did:key:z6MknGc3omCyas4b1GmEn4xySHgLuSHxrKrUBnrhJekxZHFz",
"https://ledger.hospital.example.com"
],
"iat": 1772064000,
"exp": 1772064900,
"jti": "550e8400-e29b-41d4-a716-446655440001",
"wid": "a0b1c2d3-e4f5-6789-abcd-ef0123456789",
"task": {
"purpose": "validate_treatment_recommendation",
"data_sensitivity": "restricted",
"created_by": "operator:clinical-admin-01"
},
"cap": [
{
"action": "read.patient_record",
"constraints": {
"patient_id_scope": "current_task_only",
"max_records": 1
}
},
{
"action": "write.safety_assessment",
"constraints": {
"status": "draft_only"
}
}
],
"oversight": {
"requires_approval_for": ["write.publish_assessment"]
},
"del": {
"depth": 0,
"max_depth": 2,
"chain": []
}
}
```
#### Phase 2 — Execution Record (same token, re-signed by target agent)
```json
{
"alg": "EdDSA",
"typ": "act+jwt",
"kid": "agent-safety-key-2026-03"
}
.
{
"iss": "did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK",
"sub": "did:key:z6MknGc3omCyas4b1GmEn4xySHgLuSHxrKrUBnrhJekxZHFz",
"aud": [
"did:key:z6MknGc3omCyas4b1GmEn4xySHgLuSHxrKrUBnrhJekxZHFz",
"https://ledger.hospital.example.com"
],
"iat": 1772064000,
"exp": 1772064900,
"jti": "550e8400-e29b-41d4-a716-446655440001",
"wid": "a0b1c2d3-e4f5-6789-abcd-ef0123456789",
"task": {
"purpose": "validate_treatment_recommendation",
"data_sensitivity": "restricted",
"created_by": "operator:clinical-admin-01"
},
"cap": [
{
"action": "read.patient_record",
"constraints": {
"patient_id_scope": "current_task_only",
"max_records": 1
}
},
{
"action": "write.safety_assessment",
"constraints": {
"status": "draft_only"
}
}
],
"oversight": {
"requires_approval_for": ["write.publish_assessment"]
},
"del": {
"depth": 0,
"max_depth": 2,
"chain": []
},
"exec_act": "write.safety_assessment",
"par": ["550e8400-e29b-41d4-a716-446655440000"],
"inp_hash": "n4bQgYhMfWWaL-qgxVrQFaO_TxsrC4Is0V1sFbDwCgg",
"out_hash": "LCa0a2j_xo_5m0U8HTBBNBNCLXBkg7-g-YpeiGJm564",
"exec_ts": 1772064300,
"status": "completed"
}
```
---
## 5. Trust Model
ACT defines four trust tiers. Tier 1 is mandatory-to-implement; all
others are optional upgrades. An ACT verifier MUST be able to process
ACTs from any tier it has configured. The trust tier in use is
determined by the `kid` format and the presence of `x5c` or `did`
header parameters.
### 5.1. Tier 0: Bootstrap (TOFU — Trust On First Use)
Tier 0 is NOT part of the normative trust model and MUST NOT be used
in regulated environments. It is defined here for documentation
purposes only, to describe the common bootstrapping scenario.
In Tier 0, the first ACT received from an agent establishes its
public key. This is equivalent to SSH TOFU behavior: an attacker
who intercepts the first message can substitute their own key. Tier 0
deployments MUST transition to Tier 1 or higher before exchanging
ACTs that carry sensitive capabilities.
### 5.2. Tier 1: Pre-Shared Keys (Mandatory-to-Implement)
In Tier 1, both parties exchange public keys out-of-band prior to
the first ACT exchange. The `kid` is an opaque string agreed during
the key exchange. Implementations MUST support Tier 1.
Key exchange MAY occur via any out-of-band mechanism: manual
configuration, a configuration management system, or a prior
authenticated channel. This specification does not mandate a
specific key exchange protocol.
Tier 1 public keys MUST be Ed25519 [RFC8037] or P-256 (ES256)
[RFC7518] keys. RSA keys SHOULD NOT be used in Tier 1 deployments due to
key size. Key rotation MUST be performed out-of-band using the same
mechanism as the initial exchange.
### 5.3. Tier 2: PKI / X.509
In Tier 2, agent identity is bound to an X.509 certificate issued
by a mutually trusted Certificate Authority (CA). The `kid` is the
certificate thumbprint (SHA-256 of the DER-encoded certificate).
Cross-organizational ACT exchange in Tier 2 requires either:
(a) a mutually trusted root CA, or
(b) cross-certification between the organizations' CAs, or
(c) explicit trust anchoring (one organization's CA is added to
the other's trust store).
The `x5c` JOSE header parameter [RFC7515] MAY carry the full
certificate chain to enable verification without out-of-band trust
store configuration.
### 5.4. Tier 3: Decentralized Identifiers (DID)
In Tier 3, agent identity is expressed as a DID [W3C-DID]. The
`kid` is a DID key fragment. The `did` JOSE header parameter carries
the full DID for resolution.
Implementations SHOULD support at minimum `did:key` [DID-KEY] for
self-contained key distribution without external resolution, and
`did:web` [DID-WEB] for organizations that prefer DNS-anchored
identity.
DID resolution latency introduces a dependency on external
infrastructure. To preserve the zero-infrastructure baseline,
implementations using Tier 3 MAY cache DID Documents and MUST
specify a maximum cache TTL in their configuration.
### 5.5. Cross-Tier Interoperability
A delegation chain MAY include agents operating at different trust
tiers. Each step in the chain is verified using the trust tier of
the signing agent at that step. Verifiers MUST NOT reject a chain
solely because it mixes trust tiers, but MAY apply stricter
policy for chains that include Tier 0 or Tier 1 steps when
exchanging sensitive capabilities.
---
## 6. Delegation Chain
ACT delegation is peer-to-peer: no Authorization Server is involved.
Delegation is expressed as a cryptographically verifiable chain of
ACT issuances, where each step reduces privileges relative to the
previous step.
### 6.1. Peer-to-Peer Delegation
When Agent A authorizes Agent B to perform a sub-task, Agent A:
1. Creates a new ACT with `sub` set to Agent B's identifier.
2. Sets `cap` to a subset of A's own authorized capabilities,
with constraints at least as restrictive as those in A's mandate.
3. Sets `del.depth` to A's own `del.depth + 1`.
4. Sets `del.max_depth` to no more than the `del.max_depth` value
in A's own mandate.
5. Adds a chain entry containing A's identifier as `delegator`,
the `jti` of A's own mandate, and a `sig` value computed as:
```
sig = Sign(A.private_key, SHA-256(canonical_ACT_phase1_bytes))
```
where `canonical_ACT_phase1_bytes` is the UTF-8 encoded bytes
of the JWS Compact Serialization of A's Phase 1 ACT.
6. Signs the new ACT with A's private key.
### 6.2. Privilege Reduction Requirements
When issuing a delegated ACT, the issuing agent MUST reduce
privileges by one or more of:
- Removing capabilities (sub-set of parent capabilities only).
- Adding stricter constraints (lower rate limits, narrower domains,
shorter time windows, lower data classification ceiling).
- Reducing token lifetime (`exp` closer to `iat`).
- Reducing `del.max_depth`.
The issuing agent MUST NOT grant capabilities not present in its
own mandate. Capability escalation via delegation is prohibited and
MUST be detected and rejected by verifiers.
For well-known numeric constraints (e.g., `max_records`,
`max_requests_per_hour`), "more restrictive" means a numerically
lower or equal value. For well-known enumerated constraints
(e.g., `data_sensitivity`), "more restrictive" means a value that
is equal or higher in the defined ordering
("public" < "internal" < "confidential" < "restricted").
For unknown or domain-specific constraint keys, verifiers MUST
treat the constraint as non-comparable and MUST reject the
delegation unless the delegated constraint value is byte-for-byte
identical to the parent constraint value.
### 6.3. Delegation Verification
A verifier receiving a delegated ACT MUST:
1. Verify the ACT's own signature (Section 8.1).
2. For each entry in `del.chain`, in order from index 0 to
`del.depth - 1`:
a. Retrieve the public key for `entry.delegator`.
b. Verify that `entry.sig` is a valid signature over the SHA-256
hash of the referenced parent ACT (identified by `entry.jti`).
c. Verify that the capabilities in the current ACT are a subset
of the capabilities in the parent ACT, per the constraint
comparison rules in Section 6.2.
3. Verify that `del.depth` does not exceed `del.max_depth`.
4. Verify that `del.chain` length equals `del.depth`.
If any step fails, the ACT MUST be rejected.
---
## 7. DAG Structure and Causal Ordering
ACTs in Phase 2 form a DAG over the `par` (parent) claim. The DAG
encodes causal dependencies: a task MAY NOT begin before all its
parent tasks are completed.
### 7.1. DAG Validation
When processing a Phase 2 ACT, implementations MUST:
1. **Uniqueness**: Verify the `jti` is unique within the workflow
(`wid`) or globally if `wid` is absent.
2. **Parent Existence**: Verify every `jti` in `par` corresponds to
a Phase 2 ACT available in the ACT store or audit ledger.
3. **Temporal Ordering**: Verify that for each parent:
`parent.exec_ts < child.exec_ts + clock_skew_tolerance`
(RECOMMENDED tolerance: 30 seconds). Causal ordering is
primarily enforced by DAG structure, not timestamps.
4. **Acyclicity**: Following parent references MUST NOT lead back
to the current ACT's `jti`. Implementations MUST enforce a
maximum ancestor traversal limit (RECOMMENDED: 10,000 nodes).
5. **Capability Consistency**: Verify that `exec_act` matches one
of the `action` values in the `cap` array from Phase 1.
### 7.2. Root Tasks and Fan-in
A root task has `par = []`. A workflow MAY have multiple root tasks
representing parallel branches with no shared predecessor.
Fan-in — a task with multiple parents — is expressed naturally:
```json
{
"par": [
"550e8400-e29b-41d4-a716-446655440001",
"550e8400-e29b-41d4-a716-446655440002"
]
}
```
This indicates the current task depends on the completion of both
referenced parent tasks, which MAY have been executed in parallel
by different agents.
---
## 8. Verification Procedure
### 8.1. Authorization Phase Verification
A receiving agent MUST verify a Phase 1 ACT as follows:
1. Parse JWS Compact Serialization per [RFC7515].
2. Verify `typ` is "act+jwt".
3. Verify `alg` is in the verifier's algorithm allowlist. The
allowlist MUST NOT include "none" or any symmetric algorithm.
4. Retrieve the public key for `kid` per the applicable trust tier
(Section 5).
5. Verify the JWS signature.
6. Verify `exp` has not passed (with clock skew tolerance:
RECOMMENDED maximum 5 minutes).
7. Verify `iat` is not unreasonably in the future (RECOMMENDED:
no more than 30 seconds ahead).
8. Verify `aud` contains the verifier's own identifier.
9. Verify `iss` is a trusted agent identity per local policy.
10. Verify `sub` matches the verifier's own identifier (the agent
is the intended recipient of this mandate).
11. Verify all required claims are present and well-formed.
12. Verify delegation chain (Section 6.3) if `del.chain` is
non-empty.
13. Verify capabilities are within policy limits.
### 8.2. Execution Phase Verification
In addition to all Phase 1 verification steps, a verifier processing
a Phase 2 ACT MUST:
1. Verify `exec_act` is present and matches an `action` in `cap`.
2. Verify `par` is present and perform DAG validation (Section 7.1).
3. Verify `exec_ts` is present and is greater than or equal to
`iat`. If `exec_ts` is after `exp`, implementations SHOULD log
a warning but MUST NOT reject the record solely on this basis.
4. Verify `status` is present and has a valid value.
5. Verify the re-signature was produced by the `sub` agent (the
executing agent), not the `iss` agent (the mandating agent).
This is verified by checking that the `kid` in the Phase 2 JOSE
header corresponds to the `sub` agent's public key.
6. If `inp_hash` or `out_hash` are present, verify them against
locally available input/output data when possible.
---
## 9. Transport
### 9.1. HTTP Header Transport
This specification defines two HTTP header fields for ACT transport:
**ACT-Mandate**: Carries a Phase 1 ACT issued by an upstream agent
or operator. Value is the JWS Compact Serialization of the ACT.
```
GET /api/safety-check HTTP/1.1
Host: safety-agent.example.com
ACT-Mandate: eyJhbGci...Phase1ACT...
```
**ACT-Record**: Carries a Phase 2 ACT from a predecessor agent,
serving as evidence of completed prerequisites.
```
POST /api/downstream HTTP/1.1
Host: downstream-agent.example.com
ACT-Mandate: eyJhbGci...Phase1ACT...
ACT-Record: eyJhbGci...Phase2ACT...
```
Multiple `ACT-Record` header lines MAY be included when a task has
multiple completed predecessors (DAG fan-in). If any single ACT-Record
fails verification, the receiver MUST reject the entire request.
### 9.2. Non-HTTP Transports
For non-HTTP transports (MCP stdio, A2A message queues, AMQP, etc.),
ACTs SHOULD be carried as a dedicated field in the transport's
metadata envelope. The field name SHOULD be `act_mandate` for Phase 1
ACTs and `act_record` for Phase 2 ACTs. Implementations MUST use the
JWS Compact Serialization form in all transports.
---
## 10. Audit Ledger Interface
Phase 2 ACTs SHOULD be submitted to an immutable audit ledger.
A ledger is RECOMMENDED for regulated environments but is not
required for basic ACT operation. This specification does not
mandate a specific storage technology.
When an audit ledger is deployed, the implementation MUST provide:
1. **Append-only semantics**: Once an ACT is recorded, it MUST NOT
be modified or deleted.
2. **Ordering**: A monotonically increasing sequence number per
recorded ACT.
3. **Lookup**: Efficient retrieval by `jti` value.
4. **Integrity**: A cryptographic commitment scheme over recorded
ACTs (e.g., hash-chaining, Merkle tree anchoring, or SCITT
registration per [I-D.ietf-scitt-architecture]).
---
## 11. Security Considerations
### 11.1. Threat Model
ACT assumes an adversarial environment where:
- Individual agents may be compromised.
- Network paths may be intercepted (mitigated by transport security).
- Attackers may attempt to replay valid ACTs from prior interactions.
- Colluding agents may attempt to fabricate execution records.
- Agents may attempt privilege escalation via manipulated delegation
chains.
ACT does NOT assume:
- A trusted central authority (by design).
- Synchronized clocks beyond the stated skew tolerance.
- Availability of external network services during verification.
### 11.2. Self-Assertion Limitation
Phase 2 ACTs are self-asserted: an executing agent signs its own
execution record. A compromised agent with an intact private key can
produce Phase 2 ACTs claiming arbitrary inputs, outputs, and action
types, as long as the claimed `exec_act` matches an authorized
capability.
This is a fundamental limitation of self-sovereign attestation. It
is the same limitation affecting WIMSE ECT
[I-D.nennemann-wimse-ect] Section 8.2.
Mitigations:
- **Cross-agent corroboration**: A receiving agent that processes
an ACT-Record as a prerequisite independently verifies that the
claimed `out_hash` matches the data it actually received.
- **Ledger sequencing**: An append-only ledger with monotonic
sequence numbers prevents retroactive insertion of fabricated
records.
- **SCITT anchoring**: For high-assurance deployments, Phase 2 ACTs
SHOULD be anchored to a SCITT Transparency Service, providing
external witness that the record was submitted at a claimed time.
### 11.3. Key Compromise
If an agent's private key is compromised, an attacker can issue
arbitrary Phase 1 mandates (impersonating the agent as an issuer)
and fabricate Phase 2 records (impersonating the agent as an
executor).
Key compromise response:
1. The compromised agent's identifier MUST be added to all
verifiers' deny lists.
2. In Tier 2 (PKI) deployments, the certificate MUST be revoked
via CRL or OCSP.
3. In Tier 3 (DID) deployments, the DID Document MUST be updated
to revoke the compromised key.
4. In Tier 1 (pre-shared key) deployments, both parties MUST
perform an out-of-band key rotation.
ACT chains that include records signed by a compromised key MUST
be treated as potentially tainted from the point of compromise.
Audit systems MUST flag all ACTs signed after the estimated
compromise time.
### 11.4. Replay Attack Prevention
`jti` uniqueness within the applicable scope (workflow or global)
provides replay detection. Verifiers MUST reject ACTs whose `jti`
has already been seen and processed.
`exp` provides a time-bounded replay window. Verifiers MUST reject
expired ACTs. The combination of `jti` and `exp` means that replay
detection state only needs to be maintained for the duration of token
lifetimes.
### 11.5. Equivocation
In standalone deployment (no audit ledger, no SCITT anchoring), ACT
does NOT provide non-equivocation guarantees. A compromised agent
can maintain two valid ACT chains — presenting Phase 2 records with
different `out_hash` values to different verifiers — and both will
pass independent verification.
**Deployments claiming DORA [DORA] Article 10/11 compliance or EU AI
Act [EUAIA] Article 12 compliance MUST use one of:**
(a) A shared append-only audit ledger visible to all relevant parties,
with cryptographic integrity (hash chaining or Merkle trees).
(b) SCITT anchoring [I-D.ietf-scitt-architecture] providing external
Transparency Service receipts.
Standalone ACT provides tamper detection (a verifier can detect
modification of a record it has seen) but not split-view prevention
(a verifier cannot detect a different record shown to another
verifier).
### 11.6. Privilege Escalation
Verifiers MUST check that each step in `del.chain` reduces or
maintains (never increases) the capabilities relative to the
preceding step. Implementations MUST reject ACTs where:
- `del.depth` exceeds `del.max_depth`.
- `cap` contains actions not present in any referenced parent ACT.
- Constraints in `cap` are less restrictive than those in the parent.
### 11.7. Denial of Service
ACT verification is more computationally expensive than standard JWT
validation due to delegation chain verification and DAG traversal.
Mitigations:
- Reject ACTs larger than 64KB before parsing.
- Enforce maximum `del.chain` length (RECOMMENDED: 10 entries).
- Enforce maximum DAG ancestor traversal depth (RECOMMENDED: 10,000
nodes, Section 7.1).
- Cache verification results for recently seen `jti` values within
the token lifetime window.
---
## 12. Privacy Considerations
ACT tokens and audit ledger records may contain information that
identifies agents, organizations, or individuals. Implementations
SHOULD apply data minimization principles:
- `task.created_by` SHOULD use a pseudonymous identifier rather
than a personal email address or real name.
- `task.purpose` SHOULD use a controlled vocabulary code rather
than free-text descriptions that may contain personal data.
- `del.chain` entries reveal organizational structure. Cross-
organizational delegation chains SHOULD use Tier 3 (DID)
identifiers that do not reveal organizational affiliation.
- `inp_hash` and `out_hash` are hashes of data, not the data
itself, and do not constitute personal data under GDPR
Article 4(1) provided the underlying data is not trivially
reversible (e.g., hashes of very short strings).
For GDPR Article 17 (right to erasure) compliance, audit ledgers
SHOULD store only ACT tokens (which contain hashes, not raw data)
and SHOULD implement crypto-shredding for any associated encrypted
payloads.
---
## 13. IANA Considerations
### 13.1. Media Type Registration
This document requests registration of the following media type:
- Type name: application
- Subtype name: act+jwt
- Required parameters: none
- Encoding considerations: binary (base64url-encoded JWT)
- Security considerations: See Section 11.
- Interoperability considerations: See Section 8.
- Specification: This document.
### 13.2. HTTP Header Field Registration
This document requests registration of the following HTTP header
fields in the "Hypertext Transfer Protocol (HTTP) Field Name
Registry":
- Header field name: ACT-Mandate
- Applicable protocol: HTTP
- Status: permanent
- Specification: This document, Section 9.1.
- Header field name: ACT-Record
- Applicable protocol: HTTP
- Status: permanent
- Specification: This document, Section 9.1.
### 13.3. JWT Claims Registration
This document requests registration of the following claims in the
IANA "JSON Web Token Claims" registry:
| Claim Name | Description | Reference |
|------------|------------------------------------|-----------------|
| wid | Workflow identifier | This document |
| task | Task authorization context | This document |
| cap | Capabilities with constraints | This document |
| oversight | Human oversight requirements | This document |
| del | Delegation provenance chain | This document |
| exec_act | Executed action identifier | This document |
| par | Parent task identifiers (DAG) | This document |
| inp_hash | SHA-256 hash of task input | This document |
| out_hash | SHA-256 hash of task output | This document |
| exec_ts | Actual execution timestamp | This document |
| status | Execution status | This document |
| err | Execution error context | This document |
---
## 14. References
### 14.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC7515] Jones, M., Bradley, J., and N. Sakimura, "JSON Web
Signature (JWS)", RFC 7515, May 2015.
[RFC7517] Jones, M., "JSON Web Key (JWK)", RFC 7517, May 2015.
[RFC7518] Jones, M., "JSON Web Algorithms (JWA)", RFC 7518,
May 2015.
[RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web
Token (JWT)", RFC 7519, May 2015.
[RFC8037] Liusvaara, I., "CFRG Elliptic Curves for JOSE",
RFC 8037, January 2017.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, May 2017.
[RFC9110] Fielding, R., et al., "HTTP Semantics", RFC 9110,
June 2022.
[RFC9562] Davis, K., et al., "Universally Unique IDentifiers
(UUIDs)", RFC 9562, May 2024.
### 14.2. Informative References
[DORA] European Parliament, "Digital Operational Resilience
Act (DORA)", Regulation (EU) 2022/2554, 2022.
[EUAIA] European Parliament, "EU Artificial Intelligence Act",
Regulation (EU) 2024/1689, 2024.
[IEC62304] IEC, "Medical device software — Software life cycle
processes", IEC 62304:2006+AMD1:2015.
[I-D.aap-oauth-profile]
Cruz, A., "Agent Authorization Profile (AAP) for
OAuth 2.0", draft-aap-oauth-profile-01, February 2026.
[I-D.nennemann-wimse-ect]
Nennemann, C., "Execution Context Tokens for
Distributed Agentic Workflows",
draft-nennemann-wimse-ect-00, February 2026.
[I-D.ietf-scitt-architecture]
Birkholz, H., et al., "An Architecture for Trustworthy
and Transparent Digital Supply Chains",
draft-ietf-scitt-architecture-22, October 2025.
[RFC8693] Jones, M., et al., "OAuth 2.0 Token Exchange",
RFC 8693, January 2020.
[W3C-DID] Sporny, M., et al., "Decentralized Identifiers (DIDs)
v1.0", W3C Recommendation, July 2022.
[DID-KEY] Longley, D., et al., "The did:key Method v0.7", 2021.
[DID-WEB] Steele, O., et al., "did:web Method Specification",
2022.
---
## Appendix A: Complete JSON Schema
The normative JSON Schema for ACT Phase 1 and Phase 2 tokens is
available at [TODO: reference implementation repository].
---
## Appendix B: Test Vectors
### B.1. Valid Phase 1 ACT — Root Mandate (Tier 1, Pre-Shared Key)
```
[TODO: include encoded test vector with signing key, payload,
and expected JWS Compact Serialization]
```
### B.2. Valid Phase 2 ACT — Completed Execution
```
[TODO: include encoded test vector demonstrating Phase 1 → Phase 2
transition with re-signature by target agent]
```
### B.3. Valid Phase 2 ACT — Fan-in (Multiple Parents)
```
[TODO: demonstrate par with two parent jti values from parallel
workflow branches]
```
### B.4. Invalid ACT — Delegation Depth Exceeded
```
[TODO: demonstrate del.depth > del.max_depth rejection]
```
### B.5. Invalid ACT — Capability Escalation
```
[TODO: demonstrate rejection when delegated cap contains action
not present in parent ACT]
```
### B.6. Invalid ACT — exec_act Mismatch
```
[TODO: demonstrate rejection when exec_act does not match any
cap.action in the Phase 1 claims]
```
---
## Appendix C: Deployment Scenarios
### C.1. Minimal Deployment (Zero Infrastructure)
Two organizations exchange pre-shared public keys via secure email.
Each agent signs Phase 1 mandates and Phase 2 records with its
Ed25519 key. No ledger, no external services. Suitable for
development and low-risk workflows.
Limitation: No non-equivocation (Section 11.5).
### C.2. Regulated Deployment with Hash-Chained Ledger
Phase 2 ACTs are submitted to a shared append-only ledger with
hash-chaining. Each recorded ACT extends a cryptographic chain,
providing tamper evidence for each ACT and the chain as a whole.
The ledger is shared between all regulated parties participating
in the workflow. Suitable for DORA compliance.
### C.3. High-Assurance Cross-Organizational Deployment
Phase 2 ACTs are anchored to a SCITT Transparency Service. SCITT
receipts are attached to the audit record as non-equivocation proofs.
DID-based agent identities (Tier 3) enable self-sovereign key
management without shared CA infrastructure.
### C.4. WIMSE Environment Integration
In environments where WIMSE is already deployed, ACT-Mandate and
ACT-Record headers are carried alongside the WIMSE Workload-Identity
header. The ECT and ACT serve different purposes: the ECT records
workload-level execution in WIMSE terms; the ACT records the
authorization provenance and capability constraints that governed
the action.
---
## Author's Address
Christian Nennemann
Independent
Email: [TODO]
Reference in New Issue View Git Blame Copy Permalink