advancedPhase 7

Call Chaining (R1 acts as Agent to R2)

Resource 1 needs data from Resource 2 to fulfil the agent’s request. R1 acts as an agent to call R2 — sending the R2 resource token plus the upstream auth token to the PS. The resulting auth token has nested act claims recording the full delegation chain: R2 sees R1 as the current actor, acting on behalf of the original agent.

§ Call Chaining

GET https://api.example/data200

Agent accesses R1 using its AS1-issued auth token (sig=jwt — auth token is the signing credential).

R1 processes the request but needs data from R2 to fulfil it.

R1 returns 200 immediately (processing); it will call R2 while the agent waits.

1 / 5

speed

Step 1: Agent → R1 with AS1 auth token → R1 needs R2

Request / response

GEThttps://api.example/data

Host

api.example

Signature-KeyAAuth?

sig=jwt;jwt="eyJhbGciOiJFZERTQSIsImtpZCI6ImFzMS1rZXktMSIsInR5cCI6ImFhLWF1dGgrand…

Signature-InputAAuth?

sig=("@method" "@authority" "@path" "signature-key");created=1700000000;alg="ed2…

SignatureAAuth?

sig=:UFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB…

HTTP Signaturescheme=jwt

Covered Components

@method

@authority

@path

signature-key

Signature Base

"@method": GET

"@authority": api.example

"@path": /data

"signature-key": sig=jwt;jwt="eyJhbGciOiJFZERTQSIsImtpZCI6ImFzMS1rZXktMSIsInR5cCI6ImFhLWF1dGgrand0In0…"

"@signature-params": sig=("@method" "@authority" "@path" "signature-key");created=1700000000;alg="ed25519"

Signature-Key Header

sig=jwt;jwt="eyJhbGciOiJFZERTQSIsImtpZCI6ImFzMS1rZXktMSIsInR5cCI6ImFhLWF1dGgrand0In0…"

Signature-Input Header

sig=("@method" "@authority" "@path" "signature-key");created=1700000000;alg="ed25519"

Auth Token (Agent→R1)aa-auth+jwt

Header

{"alg":"EdDSA",
"kid":"as1-key-1",
"typ"?Token type identifier. aa-agent+jwt = Agent Token, aa-resource+jwt = Resource Token, aa-auth+jwt = Auth Token:"aa-auth+jwt"
}

Payload

{"iss"?Issuer — who created and signed this token:"https://as.example",
"aud"?Audience — which party should accept this token:"https://api.example",
"dwk"?Discovery Well-Known — the metadata document path for key discovery (e.g. aauth-agent.json):"aauth-access.json",
"jti"?JWT ID — unique identifier for this token (prevents replay):"5aba3c5f-0509-4483-a99e-394c0a2b1313",
"cnf"?Confirmation — proof-of-possession claim binding this token to a key:{"jwk"?JSON Web Key — the public key bound to this token:
},
"iat"?Issued At — Unix timestamp when the token was created:1776222894,
"exp"?Expiration — Unix timestamp after which the token is invalid:1776226494,
"agent"?Agent identifier in aauth: URI format (e.g. aauth:local@domain):"aauth:local@agent.example",
"act"?Authorized actor chain — records delegation/call-chaining path:{"sub"?Subject — who or what the token is about:"aauth:local@agent.example"
},
"scope"?Authorized scope/permissions granted by this token:"read"
}

sig: wuhpIWVGWe2kNxVtCXDsYgp0ngxD7Hth…