access

Identity-Based Access

The simplest resource access mode. The agent signs the request with its agent token (sig=jwt), the resource verifies the signature by resolving the agent provider's JWKS via the token's iss and dwk claims, and makes an access decision based on agent identity alone — no token exchange, no PS, no AS.

§ Identity-Based Access

GET https://api.example/data200

Agent presents its agent token in the Signature-Key header using sig=jwt.

Resource resolves the token: fetches agent.example/.well-known/aauth-agent.json, verifies JWT signature, extracts cnf.jwk.

Resource confirms the HTTP signature was made with the key in cnf.jwk.

Resource checks its internal policy — this agent identifier is in the allowed list.

Access granted. No PS, no AS, no token exchange — pure cryptographic identity.

1 / 1

speed

Step 1: Signed GET /data (sig=jwt) → resource verifies agent token → 200

Request / response

GEThttps://api.example/data

Host

api.example

Signature-KeyAAuth?

sig=jwt;jwt="eyJhbGciOiJFZERTQSIsImtpZCI6ImFnZW50LWtleS0xIiwidHlwIjoiYWEtYWdlbnQ…

Signature-InputAAuth?

sig=("@method" "@authority" "@path" "signature-key");created=1700000000;alg="ed2…

SignatureAAuth?

sig=:BQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU…

HTTP Signaturescheme=jwt

Covered Components

@method

@authority

@path

signature-key

Signature Base

"@method": GET

"@authority": api.example

"@path": /data

"signature-key": sig=jwt;jwt="eyJhbGciOiJFZERTQSIsImtpZCI6ImFnZW50LWtleS0xIiwidHlwIjoiYWEtYWdlbnQrand0In0…"

"@signature-params": ("@method" "@authority" "@path" "signature-key");created=1700000000;alg="ed25519"

Signature-Key Header

sig=jwt;jwt="eyJhbGciOiJFZERTQSIsImtpZCI6ImFnZW50LWtleS0xIiwidHlwIjoiYWEtYWdlbnQrand0In0…"

Signature-Input Header

sig=("@method" "@authority" "@path" "signature-key");created=1700000000;alg="ed25519"

Agent Tokenaa-agent+jwt

Header

{"alg":"EdDSA",
"kid":"agent-key-1",
"typ"?Token type identifier. aa-agent+jwt = Agent Token, aa-resource+jwt = Resource Token, aa-auth+jwt = Auth Token:"aa-agent+jwt"
}

Payload

{"iss"?Issuer — who created and signed this token:"https://agent.example",
"sub"?Subject — who or what the token is about:"aauth:local@agent.example",
"dwk"?Discovery Well-Known — the metadata document path for key discovery (e.g. aauth-agent.json):"aauth-agent.json",
"jti"?JWT ID — unique identifier for this token (prevents replay):"a6ae301d-1dc7-4b75-8f8b-5612197664a7",
"cnf"?Confirmation — proof-of-possession claim binding this token to a key:{"jwk"?JSON Web Key — the public key bound to this token:
},
"iat"?Issued At — Unix timestamp when the token was created:1776222894,
"exp"?Expiration — Unix timestamp after which the token is invalid:1776226494
}

sig: 8byvGd-PR3uOLeS_HYOpbW7OD_8whUuD…