accessPhase 4

Federated Access (4-party)

The complete 4-party autonomous flow: Agent → Resource → Person Server → Access Server. The resource issues a resource token with aud=AS URL. The PS federates to the AS on behalf of the agent, and the AS issues the aa-auth+jwt that the agent presents to the resource.

§ Federated Access (Four-Party)

GET https://api.example/data-auth401

Agent signs with sig=jwks_uri (agent identity).

Resource issues 401 + AAuth-Requirement containing aa-resource+jwt.

Resource token has aud=AS — only the AS can honour it.

The agent token's ps claim tells the ecosystem which Person Server represents this agent.

1 / 5

speed

Step 1: Signed GET /data-auth → 401 + resource token

Request / response

Token Lifecycle

Resource Tokenaa-resource+jwt

Auth Tokenaa-auth+jwt

Agent Tokenaa-agent+jwt

GEThttps://api.example/data-auth

Host

api.example

Signature-KeyAAuth?

sig=jwt;jwt="eyJhbGciOiJFZERTQSIsImtpZCI6ImFnZW50LWtleS0xIiwidHlwIjoiYWEtYWdlbnQ…

Signature-InputAAuth?

sig=("@method" "@authority" "@path" "signature-key");created=1700000000;alg="ed2…

SignatureAAuth?

sig=:CgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgo…

HTTP Signaturescheme=jwt

Covered Components

@method

@authority

@path

signature-key

Signature Base

"@method": GET

"@authority": api.example

"@path": /data-auth

"signature-key": sig=jwt;jwt="eyJhbGciOiJFZERTQSIsImtpZCI6ImFnZW50LWtleS0xIiwidHlwIjoiYWEtYWdlbnQrand0In0…"

"@signature-params": ("@method" "@authority" "@path" "signature-key");created=1700000000;alg="ed25519"

Signature-Key Header

sig=jwt;jwt="eyJhbGciOiJFZERTQSIsImtpZCI6ImFnZW50LWtleS0xIiwidHlwIjoiYWEtYWdlbnQrand0In0…"

Signature-Input Header

sig=("@method" "@authority" "@path" "signature-key");created=1700000000;alg="ed25519"

Resource Tokenaa-resource+jwt

Header

{"alg":"EdDSA",
"kid":"resource-key-1",
"typ"?Token type identifier. aa-agent+jwt = Agent Token, aa-resource+jwt = Resource Token, aa-auth+jwt = Auth Token:"aa-resource+jwt"
}

Payload

{"iss"?Issuer — who created and signed this token:"https://api.example",
"aud"?Audience — which party should accept this token:"https://as.example",
"dwk"?Discovery Well-Known — the metadata document path for key discovery (e.g. aauth-agent.json):"aauth-resource.json",
"jti"?JWT ID — unique identifier for this token (prevents replay):"ec12c052-ab17-49e1-88d3-5e2317ba82c4",
"agent"?Agent identifier in aauth: URI format (e.g. aauth:local@domain):"aauth:local@agent.example",
"agent_jkt"?JWK Thumbprint of the agent's signing key — used for key binding:"tcP75aIbpvVmzZ0P-LIZeoLua8SuE8RGM4tO_2OkRpg",
"scope"?Authorized scope/permissions granted by this token:"read",
"iat"?Issued At — Unix timestamp when the token was created:1776222894,
"exp"?Expiration — Unix timestamp after which the token is invalid:1776223494
}

sig: 6QznE3sOp9JX6RY4a0olsuHZSIKAn5t4…