signingPhase 6

Agent Tokens (sig=jwt)

An agent provider issues an aa-agent+jwt whose cnf.jwk is the agent's own public key — binding the token to the agent's signing key. The agent then signs requests using sig=jwt, embedding the agent token in Signature-Key. The resource verifies that the key used to sign matches cnf.jwk in the token, establishing the agent's identity.

§ Agent Tokens / sig=jwt

POST https://agent.example/agent/token200

Agent requests an agent token from the Agent Provider.

Agent Provider issues aa-agent+jwt with cnf.jwk = agent's public key.

sub = aauth:agent-1@agent.example (agent identifier).

The agent now has a token that asserts its identity and binds its signing key.

1 / 2

speed

Step 1: Request agent token (agent's key in cnf)

Request / response

POSThttps://agent.example/agent/token

Content-Type?

application/json

Body

{
  "agent_jwk": {
    "kty": "OKP",
    "crv": "Ed25519",
    "x": "OK41bXI2IfSWc_sfpUA1FrIBbZLtb_GOj1S3inS1Fcg",
    "kid": "agent-key-1"
  }
}

Agent Tokenaa-agent+jwt

Header

{"alg":"EdDSA",
"kid":"agent-provider-key-1",
"typ"?Token type identifier. aa-agent+jwt = Agent Token, aa-resource+jwt = Resource Token, aa-auth+jwt = Auth Token:"aa-agent+jwt"
}

Payload

{"iss"?Issuer — who created and signed this token:"https://agent.example",
"sub"?Subject — who or what the token is about:"aauth:agent-1@agent.example",
"dwk"?Discovery Well-Known — the metadata document path for key discovery (e.g. aauth-agent.json):"aauth-agent.json",
"jti"?JWT ID — unique identifier for this token (prevents replay):"7afefded-cac6-4ca1-9856-d665a1903333",
"cnf"?Confirmation — proof-of-possession claim binding this token to a key:{"jwk"?JSON Web Key — the public key bound to this token:
},
"iat"?Issued At — Unix timestamp when the token was created:1776222894,
"exp"?Expiration — Unix timestamp after which the token is invalid:1776226494
}

sig: D8vHslQBE8Aj67fay9Hrad3zKCInlg4k…