The third pillar of identity for the agentic era.
AuthN proves who you are. AuthZ decides what you can do. AuthR proves whose judgment drove the decision — and carries that proof, cryptographically, across every hop of an agentic execution graph.
Autonomous agents, AI workers, and verified digital twins now act across time, systems, and teams on behalf of people and organizations. They compose. They re-plan. They chain tools. They run overnight. When something goes wrong — or right — OAuth's On-Behalf-Of can tell you which token was used. It cannot tell you whose judgment was behind it.
An OBO token propagates access. If the orchestrator re-plans and issues a wire with different rationale — same API call, different judgment — the token still passes. The CFO's original intent disappears with no structural trace.
Multi-agent executions span hours, services, and model versions. Current standards answer which token was used and what scope it carried. They cannot answer whose judgment was executed across an async, multi-hop agent graph.
A compromised sub-agent can attempt to widen its permissions. With OBO, the only thing standing between that attempt and a wider token is the authorization server's exchange policy; the token itself carries no record of what the original author granted, so a downstream verifier has nothing to check attenuation against. Rejection depends on application-layer policy that assumes agents are well-behaved, and happens too late, if at all.
Where OAuth's On-Behalf-Of delegates access, AuthR delegates authorship: it carries grounded responsibility, intent, and lineage across the entire execution graph. AuthR sits above existing identity infrastructure without displacing it.
These are not metadata. They are structural primitives — cryptographically bound, inherited across hops, and enforced at the verification boundary. Together they make authorship provable, not just claimed.
AuthR defines three core operations. Everything in the protocol flows through these three verbs — from the moment the CFO authorizes a wire to the moment the resource service decides whether to proceed.
The Issuing Authority mints a signed root AuthR record. Author, actor, intent, scope, and provenance are cryptographically bound at authorship time — not at execution time.
The root record anchors the entire chain. Everything downstream inherits from and traces back to this record.
Each delegation hop creates a child record linked to its parent. Scope attenuates monotonically — the child can only narrow, never widen. The original author is preserved across every hop.
The orchestrator knows exactly what the CFO authorized. The sub-agent knows what the orchestrator delegated. No hop can invent new permissions.
The enforcement point — an API gateway, MCP server, or resource service — verifies all six invariants structurally before any action reaches the resource.
A compromised sub-agent that claims wire.cancel when the root only authorized wire.submit is rejected before the request lands. Structural, not aspirational.
```python
from authr import IssuingAuthority, Verifier, Author, Actor, Intent, Scope

ia = IssuingAuthority(key_id="treasury-twin-key-1")

# The CFO authorizes a $180K wire via her verified digital twin
root = ia.issue_root(
    author=Author(
        id="did:web:acme.com:people:jane-doe",
        type="verified_digital_twin",
        role="CFO",
    ),
    actor=Actor(
        id="spiffe://acme.com/agents/treasury-orchestrator",
        type="agent",
    ),
    intent=Intent(
        purpose="approve_wire_transfer",
        risk_tier="high",
        human_in_the_loop=True,
    ),
    scope=Scope(
        actions=["wire.prepare", "wire.validate",
                 "wire.approve", "wire.submit"]
    ),
)

# The orchestrator delegates a narrower scope to the validator
hop = ia.extend_chain(
    parent=root,
    actor=Actor(id="spiffe://acme.com/agents/wire-validator"),
    scope=Scope(actions=["wire.prepare", "wire.validate"]),
    # wire.approve and wire.submit removed — monotonic attenuation
)

# Wire service verifies before any action reaches the resource
Verifier(
    trust_store={"treasury-twin-key-1": ia.public_key}
).verify_chain([root, hop])
# Returns True — all six invariants pass
# A hop claiming wire.cancel would raise AuthRError here
```

Verification is structural, not operational. A sub-agent cannot widen its scope at the application layer — the verifier rejects it before the request reaches any resource. One failed invariant invalidates the entire chain.
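A toy end-to-end run of the three operations (issue a root, extend the chain with an attenuated scope, verify at the enforcement point), added here as an illustration of how the structural checks reject a widened, forged or tampered hop. It is not the authr package and not the protocol's reference code. HMAC-SHA256 under a shared secret stands in for the issuer's signature, the checks in the verifier (trusted key id, valid signature, parent hash link, author and intent preserved, scope never widened, requested action inside the leaf scope) are this example's own selection rather than the protocol's six invariants, and the secret, identifiers and action names are constructed for the demo.

```python
import hashlib
import hmac
import json


class AuthRError(Exception):
    """Raised when any structural check on a chain fails."""


def canonical(body: dict) -> bytes:
    # Deterministic encoding so the verifier recomputes exactly the signed bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def record_id(record: dict) -> str:
    return hashlib.sha256(canonical(record["body"])).hexdigest()


class ToyIssuingAuthority:
    """Toy issuer. HMAC-SHA256 under a shared secret stands in for the
    asymmetric signature a real issuer would use (assumption of this example)."""

    def __init__(self, key_id: str, secret: bytes):
        self.key_id = key_id
        self._secret = secret

    def _sign(self, body: dict) -> dict:
        tag = hmac.new(self._secret, canonical(body), hashlib.sha256).hexdigest()
        return {"body": body, "sig": tag}

    def issue_root(self, author: str, actor: str, intent: str, actions: list) -> dict:
        # Author, actor, intent and scope are bound together when the root is minted.
        body = {"kid": self.key_id, "parent": None, "author": author, "actor": actor,
                "intent": intent, "scope": sorted(set(actions))}
        return self._sign(body)

    def extend_chain(self, parent: dict, actor: str, actions: list) -> dict:
        # A hop links to its parent by hash and copies author and intent verbatim;
        # only the actor and the (narrower) scope change.
        p = parent["body"]
        body = {"kid": self.key_id, "parent": record_id(parent), "author": p["author"],
                "actor": actor, "intent": p["intent"], "scope": sorted(set(actions))}
        return self._sign(body)


class ToyVerifier:
    """Enforcement-point check: every record must pass every check or the whole
    chain is rejected. The set of checks below is this example's choice."""

    def __init__(self, trust_store: dict):
        self.trust_store = trust_store

    def _check_signature(self, record: dict) -> None:
        key = self.trust_store.get(record["body"]["kid"])
        if key is None:
            raise AuthRError("record signed by a key not in the trust store")
        expected = hmac.new(key, canonical(record["body"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, record["sig"]):
            raise AuthRError("signature does not match record body")

    def verify_chain(self, chain: list, action: str) -> tuple:
        if not chain or chain[0]["body"]["parent"] is not None:
            raise AuthRError("chain must start with a root record")
        prev = None
        for record in chain:
            self._check_signature(record)
            body = record["body"]
            if prev is not None:
                if body["parent"] != record_id(prev):
                    raise AuthRError("parent link does not match preceding record")
                if body["author"] != prev["body"]["author"]:
                    raise AuthRError("author changed across a hop")
                if body["intent"] != prev["body"]["intent"]:
                    raise AuthRError("intent changed across a hop")
                extra = set(body["scope"]) - set(prev["body"]["scope"])
                if extra:  # monotonic attenuation: child scope must be a subset
                    raise AuthRError("scope widened: " + ", ".join(sorted(extra)))
            prev = record
        leaf = prev["body"]
        if action not in leaf["scope"]:
            raise AuthRError(f"{action} is outside the leaf scope")
        return leaf["author"], leaf["actor"]  # whose judgment, and which actor


def check(verifier: ToyVerifier, chain: list, action: str) -> str:
    """Return 'ok' or the reason the enforcement point refused."""
    try:
        verifier.verify_chain(chain, action)
        return "ok"
    except AuthRError as exc:
        return f"rejected: {exc}"


def demo() -> dict:
    secret = b"constructed-demo-secret"  # constructed for the demo, not a real key
    ia = ToyIssuingAuthority("treasury-twin-key-1", secret)
    root = ia.issue_root(author="did:web:acme.com:people:jane-doe",
                         actor="spiffe://acme.com/agents/treasury-orchestrator",
                         intent="approve_wire_transfer",
                         actions=["wire.prepare", "wire.validate", "wire.approve", "wire.submit"])
    validator = "spiffe://acme.com/agents/wire-validator"
    hop = ia.extend_chain(root, validator, ["wire.prepare", "wire.validate"])
    verifier = ToyVerifier({"treasury-twin-key-1": secret})
    # Validly signed hop that adds wire.cancel: signature passes, attenuation does not.
    widened = ia.extend_chain(hop, validator, ["wire.validate", "wire.cancel"])
    # Compromised sub-agent mints its own hop under a key nobody trusts.
    rogue = ToyIssuingAuthority("rogue-key", b"rogue").extend_chain(hop, validator, ["wire.cancel"])
    # Sub-agent edits an honest hop's scope after it was signed.
    tampered = {"body": dict(hop["body"], scope=["wire.submit"]), "sig": hop["sig"]}
    return {
        "honest": check(verifier, [root, hop], "wire.validate"),
        "beyond_leaf": check(verifier, [root, hop], "wire.submit"),
        "widened": check(verifier, [root, hop, widened], "wire.cancel"),
        "rogue": check(verifier, [root, hop, rogue], "wire.cancel"),
        "tampered": check(verifier, [root, tampered], "wire.submit"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:12s} {result}")
```

The widened case is the one worth staring at: the hop carries a perfectly valid issuer signature, and it is still refused, because the subset check runs against the parent record rather than against any policy the sub-agent could talk its way around. The rogue and tampered cases fail earlier, at the trust store and the signature respectively, and every failure aborts the whole chain rather than just the offending record.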
AuthR operates across a control plane, an execution plane, and an enforcement plane. Each has distinct responsibilities — and distinct failure modes the protocol explicitly accounts for.
AuthR is not a competitor to existing standards. It is an additional assertion layer that slots above them. OAuth handles access delegation. AuthR handles authorship delegation. Both are necessary; neither is sufficient alone.
v0.1 is deliberately narrow. The v0.2 backlog includes cross-domain federation, multi-author records, formal revocation propagation, and threshold signing. Veterans of the IETF, W3C and OpenID Foundation, and security researchers generally, are especially welcome.