Software Is Changing

Clients used to be written. Now agents assemble them at runtime.

The protocols underneath weren't built for that.

> Try the Playground Protocol Explorer

What Changed

Software used to know at build time what it would call and what it would need. Now agents decide in the moment, against services they've never seen — the old protocols assumed neither.

> Client IDs Don't Travel

In OAuth and OIDC, a client has no independent identity — a client_id at Google is meaningless at GitHub. Agents have no identity of their own to carry between services.

> Copied Secrets Leak

API keys are a shared secret issued by the service and copied to the client. Any secret copied to a workload will eventually leak somewhere it shouldn’t.

> Decisions Happen Mid-Task

Agents need authorization decisions mid-task. Consent lands on human timelines — and today's protocols treat pending as an error, not a first-class state.

> Tool Chains Assemble Live

Agents pick their tool chain at runtime, one call at a time. The sequence isn't declared in code — they choose the next tool as the task unfolds, and the chain shifts with every task.

> Scopes Don't Capture Intent

A scope is standing permission, not per-call intent. `mail.read` looks the same whether the agent is summarizing or scraping — policy can't tell them apart.

> Calls Cross Trust Domains

A single task can span orgs, clouds, and identity domains. Workload identity (SPIFFE) stops at the trust-domain edge — and authority stops there too.

Why AAuth?

By Dick Hardt, author of OAuth 2.0

After implementing authorization for our MCP server, I concluded OAuth is not a good fit for MCP ↗ and started working with others in the identity community who'd hit the same walls.

AAuth is what came out of that work. It gives every HTTP client its own cryptographic identity and carries identity claims and authorization claims in the same token. It coexists with OAuth 2.0 and OpenID Connect rather than replacing them.

The web gave servers identity. It's time clients got the same.

How AAuth Works

AAuth has four access modes. All replace API keys with cryptographic identity. Capability grows from simplest to most capable — adopt incrementally as your needs expand.

Resource authorizes off the agent identifier alone — no authorization flow, no tokens beyond the agent token.

  1. 1
    Agent Resource
    HTTPSig w/ agent_token
  2. 2
    Resource Agent
    200 OK
  • agent_token establishes the agent's identity
  • resource_token describes the access needed
  • auth_token grants an agent access to a resource
  • jwks_uri Person Server's JWKS endpoint, discovered via well-known metadata

Explore AAuth

Try the protocol, explore the SDKs, and follow the conversation.

The demos and Playground run against the Hellō Beta Person Server — data is reset regularly, so don't store anything you need to keep.

Protocol Explorer

Browse AAuth access modes, tokens, and headers with side-by-side wire examples.

Open Explorer ↗

Image whoami.aauth.dev

A minimal AAuth identity resource — one endpoint that returns who the caller is.

Try in Playground ↗ Source ↗

Image notes.aauth.dev

A notes API using AAuth R3 ↗. Agents declare OpenAPI operations; consent is over actions, not endpoints.

Try in Playground ↗ Source ↗

Specifications

The Internet-Drafts defining the AAuth protocol and signatures.

Image Node.js SDK

Reference SDK for agents and MCP servers with signed-request auth.

Image Python Demo Source

End-to-end A2A multi-agent flow with Keycloak and user consent.

Know Which of Your Agents Wrote What

2026-04-28

Mark Hendrickson Mark Hendrickson — Per-row attribution for agent writes via AAuth identity in Neotoma

AAuth Now Has a Mission Layer

2026-04-15

Karl McGuinness Karl McGuinness — Mission is now a first-class protocol object — is the layer strong enough?

AAuth Full Demo

2026-03-31

Christian Posta Christian Posta — Working demo with Keycloak, Agentgateway, Java/Python/Rust

Open-World OAuth Still Needs Mission Shaping

2026-03-21

Karl McGuinness Karl McGuinness — Open-world OAuth, discovery, and bounded authority across delegation chains

Mission Architecture on AAuth

2026-03-15

Karl McGuinness Karl McGuinness — Whether AAuth is the right protocol foundation for mission-bound authorization

Deep Dive AAuth — Identity and Access Management for AI Agents

2026-02-17

Christian Posta Christian Posta — Comprehensive overview of AAuth architecture and design

Do AI Agents Need Their Own Identity?

2025-06-02

Christian Posta Christian Posta — The case for independent agent identity

Community

Join the discussion on Slack.

Image IETF Slack

IETF #aauth channel for AAuth specification discussion and feedback.

Image AAuth Slack

AAuth community Slack for implementation discussion and questions.

Office Hours

Drop in to ask questions, share what you're building, or listen along. Sign up below or at lu.ma/aauth ↗.