AAP, Agent Authorization Protocol

Why it exists

Trust tells you who an agent is. AAP governs what it may do, and it starts from an uncomfortable truth: an agent is non-deterministic and persuadable. The same agent, with the same permissions, behaves differently depending on its inputs. So any secret in its context is a secret one prompt injection away from being leaked.

AAP's answer is simple: never let the credential into the agent at all. The agent emits an abstract grant:// reference; a local, operator-controlled broker resolves the real, scoped access behind a trust boundary, performs the operation, and returns only the result.

The whole idea, in one picture

A grant reference goes in; a result comes out. The credential itself is bounced at the boundary, it never crosses into anything a language model can read.

What crosses the boundary, and what never does

Agent contextmodel-visiblesees a name, gets a result

boundary

grant://orders-db

Brokeroperator-controlledverify · policy · exchange · act

✓grant:// reference → passes in✗credential → bounced at boundary✓result → passes back out

The grant reference

What the agent holds is deliberately uninformative. A grant reference is an opaque logical name, it encodes no backend, no credential, and no hint of how it will be resolved.

AAP-BROKER-PROFILE, grant referencetext

grant-reference = "grant://" grant-name      ; e.g. grant://orders-db

# A grant name carries NO structure a model could learn from:
#   ✗ no backend host or address
#   ✗ no credential or token
#   ✗ no resolution mode (Retrieve / Assume / Exchange)
# It names what the agent is trusted to do, in the abstract, nothing more.

Caution

Trust is not authorization

A valid, highly-trusted ATX is a statement of identity and posture, never, by itself, permission to touch a resource. The broker default-denies: absent a local policy clause that maps this grant + trust class to a concrete resource, every resolution fails. “Easy to establish trust” must never become “any federated agent can read your database.”

Inside the broker

The broker is AAP's enforcement point: a local process the operator controls. It verifies the ATX, applies policy, mints a short-lived assertion from the ATX's claims, exchanges it for a scoped downstream credential, runs the operation in an ephemeral, isolated worker, and returns only the result. The scoped credential exists only inside that worker, briefly, and never re-enters the agent process.

Agent context · model-visible

✓ grant://orders-db
✓ returned rows (result only)
✗ no secret value
✗ no token, host, or backend name
✗ no hint of which mode resolved it

Anything here can reach the LLM, and an attacker who hijacks the agent. So nothing sensitive is ever here.

⇄Trust boundary

Broker · operator-controlled

1Verify , ATX signature + expiry + cached CRL
2Evaluate , default-deny policy: grant + trust class → scope
3Mint , short-lived broker assertion from ATX claims
4Exchange , RFC 8693 token exchange → scoped token
5Act , ephemeral worker runs the query
6Return , only the result crosses back

Ephemeral worker (isolated)

scoped_token = "eyJ…" ← exists only here, briefly

Never enters the agent process or its memory.

Trust is not authorization. A valid, highly-trusted ATX is a statement of identity and posture, never, by itself, permission to touch a resource. The broker default-denies until a local policy explicitly grants.

Three ways to resolve a grant

Retrieve: The broker proxies the operation or injects a value into the ephemeral worker. Simplest, but holds standing secrets.
Assume: The broker mints an assertion and obtains short-lived, role-scoped credentials (like STS AssumeRole). No standing secret.
Exchange: The broker performs an RFC 8693 token exchange for a scoped downstream token. The v1 reference target. No standing secret.

Because the resolution mode never leaks to the agent, operators can change how a grant resolves without touching agent code.

AAP vs. OAuth

AAP is OAuth's authorization model with one rule OAuth never needed, because OAuth clients aren't language models that can be talked into leaking a token.

OAuth 2.0 / OIDC

AAP

ID token (identity assertion)

→

ATX credentialthe subject claim

Authorization server + client

→

Brokeroperator-controlled

scope claim

→

Trust class + policydb:read → concrete resource

Token exchange (RFC 8693)

→

Exchange modea profile of RFC 8693

Client holds the access token

→

Broker holds it, agent never doesthe defining difference

Same flow, but the token stops at the trust boundary.

What it defends against

By construction, no credential value enters the agent context, which removes the substrate whole classes of attack depend on (mapped here to the AI Agent Threat Matrix):

Environment-variable exposure, there is no secret env var for a compromised tool to read.
Tool-response credential capture, the broker returns results, never credentials.
Context-window credential leak, a secret that never entered the window cannot leak from it.
Exfiltration, even a fully hijacked agent can leak only grant names and results, nothing reusable.

Conformance & status

Level 1, Context Hygiene: Grant syntax, the no-credential-in-context invariant, default-deny, ATX verification, ephemeral-worker confinement, opaque denials, signed audit. One resolution mode.
Level 2, Agile + Negotiated: Adds version negotiation, cryptographic agility (hybrid default suite), safe-ignore claims, and a discovery document.
Level 3, Federated: Adds federation-aware policy (issuer chain, trust level, scan summary), cross-broker verification, and jurisdiction enforcement.

Note

Status

AAP is 0.2.0-draft, intended for IETF Internet-Draft submission (Standards Track). The v1 reference implementation targets Level 1 with the Exchange mode. It consumes ATP/ATX as its subject claim, it does not redefine identity, trust, or revocation; it reuses them.