advancedPhase 9

Interaction Chaining (202 Bubbles Back)

R1 calls R2, but R2’s AS requires user consent. Instead of blocking, R1 returns its own 202 to the original agent, with an interaction URL that redirects through R1 to AS2. The agent polls R1; R1 polls AS2 in parallel. Once the user consents at AS2, R1 gets the auth token, completes the R2 call, and the agent’s next poll returns the combined result.

§ Interaction Chaining

GET https://api.example/data202

Agent accesses R1 using its AS1-issued auth token (sig=jwt).

R1 needs data from R2, but R2’s AS requires user consent.

R1 bubbles the 202 back: returns its own pending URL + interaction URL to the agent.

The agent’s interaction URL points to R1 (/interact), which will redirect to AS2.

1 / 7

speed

Step 1: Agent → R1 with auth token → R1 bubbles 202

Request / response

Interaction Chain Timeline

→

GEThttps://api.example/data

Signature-KeyAAuth?

sig=jwt;jwt="eyJhbGciOiJFZERTQSIsImtpZCI6ImFzMS1rZXktMSIsInR5cCI6ImFhLWF1dGgrand…

Signature-InputAAuth?

sig=("@method" "@authority" "@path" "signature-key");created=1700000000;alg="ed2…

SignatureAAuth?

sig=:ZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGR…

HTTP Signaturescheme=jwt

Covered Components

@method

@authority

@path

signature-key

Signature Base

"@method": GET

"@authority": api.example

"@path": /data

"signature-key": sig=jwt;jwt="eyJhbGciOiJFZERTQSIsImtpZCI6ImFzMS1rZXktMSIsInR5cCI6ImFhLWF1dGgrand0In0…"

"@signature-params": sig=("@method" "@authority" "@path" "signature-key");created=1700000000;alg="ed25519"

Signature-Key Header

sig=jwt;jwt="eyJhbGciOiJFZERTQSIsImtpZCI6ImFzMS1rZXktMSIsInR5cCI6ImFhLWF1dGgrand0In0…"

Signature-Input Header

sig=("@method" "@authority" "@path" "signature-key");created=1700000000;alg="ed25519"

Auth Token (Agent→R1)aa-auth+jwt

Header

{"alg":"EdDSA",
"kid":"as1-key-1",
"typ"?Token type identifier. aa-agent+jwt = Agent Token, aa-resource+jwt = Resource Token, aa-auth+jwt = Auth Token:"aa-auth+jwt"
}

Payload

{"iss"?Issuer — who created and signed this token:"https://as.example",
"aud"?Audience — which party should accept this token:"https://api.example",
"dwk"?Discovery Well-Known — the metadata document path for key discovery (e.g. aauth-agent.json):"aauth-access.json",
"jti"?JWT ID — unique identifier for this token (prevents replay):"34449e73-d2d2-4e45-80d2-01b4b198e025",
"cnf"?Confirmation — proof-of-possession claim binding this token to a key:{"jwk"?JSON Web Key — the public key bound to this token:
},
"iat"?Issued At — Unix timestamp when the token was created:1776222894,
"exp"?Expiration — Unix timestamp after which the token is invalid:1776226494,
"agent"?Agent identifier in aauth: URI format (e.g. aauth:local@domain):"aauth:local@agent.example",
"act"?Authorized actor chain — records delegation/call-chaining path:{"sub"?Subject — who or what the token is about:"aauth:local@agent.example"
},
"scope"?Authorized scope/permissions granted by this token:"read"
}

sig: jgOiLDIGo4TiSjiL9tEIvkFIR4qX6r7G…