Conditional Operations

An agent holds an auth token where list_calendar_events is fully granted but create_calendar_event is conditional. When it attempts to create an event, the resource challenges with the actual call parameters. The agent sends the conditional resource token to its Person Server (PS), which federates with the AS. The AS evaluates the concrete request — not just intent — before issuing a narrow per-call auth token.

R3 §6 — Resource Enforcement

POST https://calendar.example.com/mcp/tools/call401

Agent presents the auth token. Resource checks: 'create_calendar_event' is in r3_conditional, not r3_granted.

Resource issues a 401 challenge with a NEW resource token that embeds the actual call parameters (title, attendees, time).

KEY: The AS will now evaluate the CONCRETE call — not just that the agent wants to create events, but WHO is being invited to WHICH meeting.

This lets the AS enforce fine-grained policy: e.g., 'allow meeting creation but require approval when inviting executives'.

1 / 5

speed

Step 1: POST /mcp/tools/call (create_event) → 401 AAuth-Requirement (conditional)

Request / response

Token Lifecycle

Existing Auth Tokenauth+jwt

Conditional Resource Tokenresource+jwt

Per-Call Auth Tokenauth+jwt

POSThttps://calendar.example.com/mcp/tools/call

Host

calendar.example.com

Content-Type?

application/json

Authorization?

DPoP eyJhbGciOiJFUzI1NiIsImtpZCI6ImFzLWtleS0xIiwidHlwIjoiYXV0aCtqd3QifQ…

Signature-InputAAuth?

sig=("@method" "@authority" "@path" "authorization");created=1741824100;alg="ed2…

SignatureAAuth?

sig=:Q29uZGl0aW9uYWxPcENhbGxTaWduYXR1cmVCYXNlNjQ=:

Body

{
  "name": "create_calendar_event",
  "arguments": {
    "title": "Budget Review",
    "start": "2026-05-15T09:00:00Z",
    "end": "2026-05-15T10:00:00Z",
    "attendees": [
      "alice@example.com",
      "cfo@example.com",
      "ceo@example.com"
    ]
  }
}

Existing Auth Token (r3_conditional)aa-auth+jwt

Header

{"alg":"ES256",
"kid":"as-key-1",
"typ"?Token type identifier. aa-agent+jwt = Agent Token, aa-resource+jwt = Resource Token, aa-auth+jwt = Auth Token:"aa-auth+jwt"
}

Payload

{"iss"?Issuer — who created and signed this token:"https://as.example.com",
"dwk"?Discovery Well-Known — the metadata document path for key discovery (e.g. aauth-agent.json):"aauth-access.json",
"aud"?Audience — which party should accept this token:"https://calendar.example.com",
"jti"?JWT ID — unique identifier for this token (prevents replay):"at-6b1c3d",
"agent"?Agent identifier in aauth: URI format (e.g. aauth:local@domain):"aauth:local@agent.example",
"sub"?Subject — who or what the token is about:"user:alice@example.com",
"r3_uri"?URI of the R3 document defining the authorized operations for this token:"https://calendar.example.com/r3/a1b2c3d4e5f67890",
"r3_s256"?SHA-256 hash of the R3 document (base64url). Content-addressed — enables immutable audit trail and infinite AS caching.:"ZzKlMnOpQrStUvWxYz0123456789AbCdEfGhIjKlMn",
"r3_granted"?Operations fully authorized by the AS. Resource serves these immediately without calling back to the AS.:{"vocabulary":"urn:aauth:vocabulary:mcp",
"operations":
},
"r3_conditional"?Operations authorized in principle but requiring per-call approval. Resource challenges with the actual call parameters before serving.:{"vocabulary":"urn:aauth:vocabulary:mcp",
"operations":
},
"iat"?Issued At — Unix timestamp when the token was created:1741824000,
"exp"?Expiration — Unix timestamp after which the token is invalid:1741824900
}

sig: MEYCIQDexisting_auth_token_with_…

Conditional Resource Tokenaa-resource+jwt

Header

{"alg":"ES256",
"kid":"resource-key-2",
"typ"?Token type identifier. aa-agent+jwt = Agent Token, aa-resource+jwt = Resource Token, aa-auth+jwt = Auth Token:"aa-resource+jwt"
}

Payload

{"iss"?Issuer — who created and signed this token:"https://calendar.example.com",
"dwk"?Discovery Well-Known — the metadata document path for key discovery (e.g. aauth-agent.json):"aauth-resource.json",
"aud"?Audience — which party should accept this token:"https://as.example.com",
"jti"?JWT ID — unique identifier for this token (prevents replay):"rt-cond-9a3b",
"agent"?Agent identifier in aauth: URI format (e.g. aauth:local@domain):"aauth:local@agent.example",
"agent_jkt"?JWK Thumbprint of the agent's signing key — used for key binding:"NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs",
"r3_uri"?URI of the R3 document defining the authorized operations for this token:"https://calendar.example.com/r3/a1b2c3d4e5f67890",
"r3_s256"?SHA-256 hash of the R3 document (base64url). Content-addressed — enables immutable audit trail and infinite AS caching.:"ZzKlMnOpQrStUvWxYz0123456789AbCdEfGhIjKlMn",
"call_params":{"name":"create_calendar_event",
"arguments":
},
"iat"?Issued At — Unix timestamp when the token was created:1741824100,
"exp"?Expiration — Unix timestamp after which the token is invalid:1741824200
}

sig: MEYCIQDconditional_resource_toke…