missionsPhase 14

Audit Endpoint

The audit endpoint enables agents to log actions they performed — providing the PS with a record for governance and monitoring that feeds the mission log. The agent POSTs a signed audit entry after performing an action, the PS responds 201 Created, and the audit is fire-and-forget (the agent SHOULD NOT block on the response). The audit endpoint REQUIRES a mission — there is no audit outside a mission context (§1046).

§ Audit Endpoint / § Mission Log

POST https://ps.example/audit201

Agent signs the request with its agent token (Signature-Key: sig=jwt, §1050).

Request body REQUIRES mission + action (§1054–1055).

description, parameters, result are OPTIONAL but recommended for useful audit (§1056–1058).

AAuth-Capabilities is NOT sent on PS endpoints (§1731).

PS returns 201 Created — audit is fire-and-forget (§1094). Agent SHOULD NOT block.

1 / 3

speed

Step 1: POST /audit (FeedbackReader.read) → 201 Created

Request / response

Audit Flow

→

Mission being audited

Description (Markdown)

# Analyze Q2 Customer Feedback

Read customer feedback records and produce a summary report with sentiment analysis and key themes.

Structured Fields

approverhttps://ps.example

agentaauth:local@agent.example

approved_at2026-04-14T17:14:54Z

s256R9kNpXeErMQ1Jvk_vxYUp3YEdggmvUhksWtjXtcmnh0

Approved Tools

FeedbackReader

Read customer feedback records

ReportWriter

Write the summary report to the shared drive

PS Capabilities

interactionclarification

POSThttps://ps.example/audit

Content-Type?

application/json

Signature-KeyAAuth?

sig=jwt;jwt="eyJhbGciOiJFZERTQSIsImtpZCI6ImFnZW50LWtleS0xIiwidHlwIjoiYWEtYWdlbnQ…

Signature-InputAAuth?

sig=("@method" "@authority" "@path" "signature-key");created=1700000000;alg="ed2…

SignatureAAuth?

sig=:AQIDAQIDAQIDAQIDAQIDAQIDAQIDAQIDAQIDAQIDAQIDAQIDAQIDAQIDAQIDAQIDAQIDAQIDAQI…

Body

{
  "mission": {
    "approver": "https://ps.example",
    "s256": "R9kNpXeErMQ1Jvk_vxYUp3YEdggmvUhksWtjXtcmnh0"
  },
  "action": "FeedbackReader.read",
  "description": "Read Q2 customer feedback records from the feedback service.",
  "parameters": {
    "date_range": "2026-04-01..2026-06-30",
    "product": "all"
  },
  "result": {
    "status": "completed",
    "records_read": 1247
  }
}

HTTP Signaturescheme=jwt

Covered Components

@method

@authority

@path

signature-key

Signature Base

"@method": POST

"@authority": ps.example

"@path": /audit

"signature-key": sig=jwt;jwt="eyJhbGciOiJFZERTQSIsImtpZCI6ImFnZW50LWtleS0xIiwidHlwIjoiYWEtYWdlbnQrand0In0…"

"@signature-params": sig=("@method" "@authority" "@path" "signature-key");created=1700000000;alg="ed25519"

Signature-Key Header

sig=jwt;jwt="eyJhbGciOiJFZERTQSIsImtpZCI6ImFnZW50LWtleS0xIiwidHlwIjoiYWEtYWdlbnQrand0In0…"

Signature-Input Header

sig=("@method" "@authority" "@path" "signature-key");created=1700000000;alg="ed25519"

Agent Tokenaa-agent+jwt

Header

{"alg":"EdDSA",
"kid":"agent-key-1",
"typ"?Token type identifier. aa-agent+jwt = Agent Token, aa-resource+jwt = Resource Token, aa-auth+jwt = Auth Token:"aa-agent+jwt"
}

Payload

{"iss"?Issuer — who created and signed this token:"https://agent.example",
"sub"?Subject — who or what the token is about:"aauth:local@agent.example",
"dwk"?Discovery Well-Known — the metadata document path for key discovery (e.g. aauth-agent.json):"aauth-agent.json",
"jti"?JWT ID — unique identifier for this token (prevents replay):"a6ae301d-1dc7-4b75-8f8b-5612197664a7",
"cnf"?Confirmation — proof-of-possession claim binding this token to a key:{"jwk"?JSON Web Key — the public key bound to this token:
},
"iat"?Issued At — Unix timestamp when the token was created:1776222894,
"exp"?Expiration — Unix timestamp after which the token is invalid:1776226494,
"ps"?Person Server URL — the PS that represents this agent's user:"https://ps.example"
}

sig: 8byvGd-PR3uOLeS_HYOpbW7OD_8whUuD…