advancedPhase 8

Clarification Chat During Consent

During authorization, the Access Server poses a clarification question to the agent before presenting the consent UI to the user. The agent declares clarification support via AAuth-Capabilities: clarification. The AS returns 202 with AAuth-Requirement: requirement=clarification so the agent can answer. Once answered, the AS proceeds to user consent. The user sees the agent’s clarification answer as part of the consent context.

§ Clarification

GET https://api.example/data401

Agent signs with its agent token (sig=jwt) and declares AAuth-Capabilities: clarification.

This signals to the AS that the agent can answer clarification questions.

Resource responds with 401 + resource token for the agent to exchange at the AS.

1 / 6

speed

Step 1: Request resource → 401 + resource token

Request / response

Clarification & Consent Timeline

→

GEThttps://api.example/data

AAuth-CapabilitiesAAuth?

clarification, interaction

Signature-KeyAAuth?

sig=jwt;jwt="eyJhbGciOiJFZERTQSIsImtpZCI6ImFnZW50LWtleS0xIiwidHlwIjoiYWEtYWdlbnQ…

Signature-InputAAuth?

sig=("@method" "@authority" "@path" "signature-key");created=1700000000;alg="ed2…

SignatureAAuth?

sig=:WlpaWQWlpaWQWlpaWQWlpaWQWlpaWQWlpaWQWlpaWQWlpaWQWlpaWQWlpaWQWlpaWQWlpaWQWlp…

HTTP Signaturescheme=jwt

Covered Components

@method

@authority

@path

signature-key

Signature Base

"@method": GET

"@authority": api.example

"@path": /data

"signature-key": sig=jwt;jwt="eyJhbGciOiJFZERTQSIsImtpZCI6ImFnZW50LWtleS0xIiwidHlwIjoiYWEtYWdlbnQrand0In0…"

"@signature-params": sig=("@method" "@authority" "@path" "signature-key");created=1700000000;alg="ed25519"

Signature-Key Header

sig=jwt;jwt="eyJhbGciOiJFZERTQSIsImtpZCI6ImFnZW50LWtleS0xIiwidHlwIjoiYWEtYWdlbnQrand0In0…"

Signature-Input Header

sig=("@method" "@authority" "@path" "signature-key");created=1700000000;alg="ed25519"

Resource Tokenaa-resource+jwt

Header

{"alg":"EdDSA",
"kid":"as-key-1",
"typ"?Token type identifier. aa-agent+jwt = Agent Token, aa-resource+jwt = Resource Token, aa-auth+jwt = Auth Token:"aa-resource+jwt"
}

Payload

{"iss"?Issuer — who created and signed this token:"https://api.example",
"aud"?Audience — which party should accept this token:"https://as.example",
"dwk"?Discovery Well-Known — the metadata document path for key discovery (e.g. aauth-agent.json):"aauth-resource.json",
"jti"?JWT ID — unique identifier for this token (prevents replay):"d07a759e-21ff-4ba5-8dde-7f4917be8741",
"agent"?Agent identifier in aauth: URI format (e.g. aauth:local@domain):"aauth:local@agent.example",
"agent_jkt"?JWK Thumbprint of the agent's signing key — used for key binding:"5j5WMuITu8-cV1RdClUeNgnSg3aLJpCYiFvzcwDgYhI",
"scope"?Authorized scope/permissions granted by this token:"read",
"iat"?Issued At — Unix timestamp when the token was created:1776222894,
"exp"?Expiration — Unix timestamp after which the token is invalid:1776223494
}

sig: ouuGVYcy_PGnxVaY70RR_QM5bT8et2UV…

Agent Tokenaa-agent+jwt

Header

{"alg":"EdDSA",
"kid":"agent-key-1",
"typ"?Token type identifier. aa-agent+jwt = Agent Token, aa-resource+jwt = Resource Token, aa-auth+jwt = Auth Token:"aa-agent+jwt"
}

Payload

{"iss"?Issuer — who created and signed this token:"https://agent.example",
"sub"?Subject — who or what the token is about:"aauth:local@agent.example",
"dwk"?Discovery Well-Known — the metadata document path for key discovery (e.g. aauth-agent.json):"aauth-agent.json",
"jti"?JWT ID — unique identifier for this token (prevents replay):"a6ae301d-1dc7-4b75-8f8b-5612197664a7",
"cnf"?Confirmation — proof-of-possession claim binding this token to a key:{"jwk"?JSON Web Key — the public key bound to this token:
},
"iat"?Issued At — Unix timestamp when the token was created:1776222894,
"exp"?Expiration — Unix timestamp after which the token is invalid:1776226494,
"ps"?Person Server URL — the PS that represents this agent's user:"https://ps.example"
}

sig: 8byvGd-PR3uOLeS_HYOpbW7OD_8whUuD…