AAuth Explorer
missionsPhase 12

Full Mission Lifecycle (End-to-End)

The complete mission lifecycle in a four-party federated deployment, from PS discovery through resource access. Mission approval requires user interaction — the PS returns 202 with an interaction URL so the user can review the description and tools. Once approved, the s256 mission fingerprint flows unchanged through every token and header: proposal → AAuth-Mission → resource token (aud=AS) → auth token (iss=AS) → final access check.

§ Mission Lifecycle
AgentResourcePerson ServerAccess ServerUser1Discover PS metadata2002POST /mission (sig=jwt) → 2…3User reviews mission at int…4Poll /pending/e2e9f3c7 → 20…5POST /authorize + AAuth-Mis…6POST /token → PS federates …7GET /data + auth token + AA…
GET https://ps.example/.well-known/aauth-person.json200

Agent fetches PS well-known metadata to discover the mission_endpoint.

mission_endpoint is where the agent POSTs mission proposals for approval.

1 / 7
speed

Step 1: Discover PS metadata

Request / response
Token Lifecycle
Resource Tokenaa-resource+jwt
Auth Tokenaa-auth+jwt
Mission Approval Timeline
Approved Mission Blob

Description (Markdown)

# Analyze Q2 Customer Feedback

Read customer feedback records and produce a summary report with sentiment analysis and key themes.

Structured Fields

approverhttps://ps.example
agentaauth:local@agent.example
approved_at2026-04-14T17:14:54Z
s256R9kNpXeErMQ1Jvk_vxYUp3YEdggmvUhksWtjXtcmnh0

Approved Tools

FeedbackReader

Read customer feedback records

ReportWriter

Write the summary report to the shared drive

PS Capabilities

interactionclarification
s256 Chain
Mission ProposalPOST /mission body (pre-approval)

R9kNpXeErMQ1Jvk_vxYUp3YEdggmvUhksWtjXtcmnh0

On approval, PS computes SHA-256(approved_blob_bytes) = s256.

User ApprovalAAuth-Mission header on approved-mission response

R9kNpXeErMQ1Jvk_vxYUp3YEdggmvUhksWtjXtcmnh0

User approves at PS; PS returns the blob + AAuth-Mission header carrying s256.

Resource Token Claimaa-resource+jwt mission.s256 (aud=AS)

R9kNpXeErMQ1Jvk_vxYUp3YEdggmvUhksWtjXtcmnh0

Resource embeds the same s256 in the resource token it issues for proactive authorization.

Auth Token Claimaa-auth+jwt mission.s256 (iss=AS)

R9kNpXeErMQ1Jvk_vxYUp3YEdggmvUhksWtjXtcmnh0

The Access Server preserves mission.s256 in the auth token after federation.

Final Access CheckAAuth-Mission header + aa-auth+jwt

R9kNpXeErMQ1Jvk_vxYUp3YEdggmvUhksWtjXtcmnh0

Resource compares AAuth-Mission s256 with auth token mission.s256 — end-to-end chain verified.

GEThttps://ps.example/.well-known/aauth-person.json
Host

ps.example