Skip to the content.

Research notes — AAuth spec family

Engineering notes distilled from the AAuth Internet-Drafts and the companion HTTP Signature Keys draft, written while building this Agent Provider. They are the “why” behind the code and a sufficient reading of the spec to connect agents and resources/MCP to an AP without re-reading every draft. Normative statements carry the spec’s MUST/SHOULD meaning; design decisions specific to this implementation are called out as such.

Note Covers Read it if you’re…
01 — Protocol overview Parties, tokens, the four access modes, every shared primitive (requirements, deferred responses, interaction codes, identifiers, JWKS discovery, revocation), missions & delegation at a glance …new to AAuth, or want one document that maps the whole protocol
02 — The Agent Provider role The AP’s normative obligations, the two-key/single-key key model, identifier strategy, the endpoints this AP defines, multi-instance & security requirements …working on apd itself, or writing another AP
03 — HTTP signatures RFC 9421 signature base, the AAuth profile, every Signature-Key scheme (hwk/jwt/jkt-jwt/jwks_uri), Signature-Error, structured fields, JWK/thumbprint, egress admission …implementing signing or verification
04 — Connecting agents End-to-end agent lifecycle: enroll → refresh → sign → talk to resources → PS flow → sub-agents → events, plus a failure-handling cheat sheet …building an agent that uses this AP
05 — Connecting resources & MCP The resource adoption ladder, verifying agent identity, resource metadata, AAuth-Access, resource/auth tokens, and the MCP integration points …putting AAuth in front of an API or MCP server
06 — AAuth Events The AP-as-inbox model, subscribe/event tokens, the normative /events validation order, and AP→agent delivery patterns …implementing async event delivery

Source drafts (as read, 2026-06)

AAuth is an evolving set of Internet-Drafts; check the upstream repo for newer revisions before treating any detail here as final.