accessPhase 4

User Delegation — Deferred Authorization

The Access Server requires user consent before issuing an auth token. It returns 202 Accepted with a pending URL (for polling) and an interaction URL (for the user to visit). Agent polls while user approves in a browser.

§ User Delegation

GET https://api.example/data-auth401

Resource issues 401 + resource token challenge.

The flow starts like Phase 3, but the AS will defer issuance pending user consent.

1 / 9

speed

Step 1: GET /data-auth → 401 + resource token

Request / response

Token Lifecycle

Resource Tokenaa-resource+jwt

Agent Tokenaa-agent+jwt

Auth Tokenaa-auth+jwt

Deferred Authorization Polling

→

GEThttps://api.example/data-auth

Host

api.example

Signature-KeyAAuth?

sig=jwks_uri;id="https://agent.example";kid="agent-key-1"

Signature-InputAAuth?

sig=("@method" "@authority" "@path" "signature-key");created=1700000000;alg="ed2…

SignatureAAuth?

sig=:FBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQ…

HTTP Signaturescheme=jwks_uri

Covered Components

@method

@authority

@path

signature-key

Signature Base

"@method": GET

"@authority": api.example

"@path": /data-auth

"signature-key": sig=jwks_uri;id="https://agent.example";kid="agent-key-1"

"@signature-params": ("@method" "@authority" "@path" "signature-key");created=1700000000;alg="ed25519"

Signature-Key Header

sig=jwks_uri;id="https://agent.example";kid="agent-key-1"

Signature-Input Header

sig=("@method" "@authority" "@path" "signature-key");created=1700000000;alg="ed25519"

Resource Tokenaa-resource+jwt

Header

{"alg":"EdDSA",
"kid":"as-key-1",
"typ"?Token type identifier. aa-agent+jwt = Agent Token, aa-resource+jwt = Resource Token, aa-auth+jwt = Auth Token:"aa-resource+jwt"
}

Payload

{"iss"?Issuer — who created and signed this token:"https://api.example",
"aud"?Audience — which party should accept this token:"https://as.example",
"dwk"?Discovery Well-Known — the metadata document path for key discovery (e.g. aauth-agent.json):"aauth-resource.json",
"jti"?JWT ID — unique identifier for this token (prevents replay):"12a636d0-a852-40a9-9124-2087e0d7f066",
"agent"?Agent identifier in aauth: URI format (e.g. aauth:local@domain):"https://agent.example",
"agent_jkt"?JWK Thumbprint of the agent's signing key — used for key binding:"1FNwxhV09Z2qgypZ7wHKC4lga_g5zEYuQ4l9LBVdszg",
"scope"?Authorized scope/permissions granted by this token:"read write",
"iat"?Issued At — Unix timestamp when the token was created:1776224501,
"exp"?Expiration — Unix timestamp after which the token is invalid:1776225101
}

sig: eLx4tCiLfz1HSXlmxSgPw1578Zbay-91…