AuthR — Authorship Representation
A Protocol Sketch for the Agentic Era
Overview
Identity and Access Management has historically answered two questions. AuthN asks who you are. AuthZ asks what you may do. Both were designed for a world where a human sits in front of a terminal, signs in, and directly invokes a system. That world is ending.
Autonomous agents, AI workers, synthetic personas, and verified digital twins now act across time, systems, and teams on behalf of people and organizations. They compose. They re-plan. They chain tools. They run overnight. When something goes wrong — or right — the question that matters is not who signed in, nor what scope did the token carry. The question is: who is ultimately responsible for this action?
This paper proposes AuthR — Authorship Representation — as the third pillar of identity, complementing AuthN and AuthZ. Where OAuth's On-Behalf-Of pattern delegates access, AuthR delegates authorship: it carries grounded responsibility, intent, and lineage across the entire execution graph.
Why AuthR
Naming matters. A new primitive that does not feel native to engineers who already live in AuthN and AuthZ will not be adopted. AuthR was chosen because the ambiguity of R is a feature: authorship, responsibility, and representation are the same idea viewed from three angles. The protocol exists to make all three verifiable.
| Candidate | Expands to | Strength | Weakness |
|---|---|---|---|
| AuthR | Authorship · Responsibility · Representation | Keeps the pattern. R maps cleanly to all three concepts. | Slight ambiguity on which R word is canonical. |
| AuthS | Source | Emphasizes origin. | Softer than authorship. Reads as provenance only. |
| AuthP | Provenance | Aligned with data governance language. | Breaks the authorship framing. |
| AuthA | Attribution | Conceptually clean. | Easily confused with AuthN. |
The six primitives
AuthR defines six primitives. The first four derive directly from the Verified Intelligence pillars (Grounding, Scope, Provenance, Drift) and extend them for identity contexts.
Actor
The entity that actually executes the action.
Usually an agent, AI worker, synthetic agent, orchestrator, or tool. Actors carry model manifests (signed code and model hashes) and runtime attestation (TEE quotes, SPIFFE SVIDs, or platform attestation). Swapping the model under a stable agent identifier is a known attack vector — binding the actor to a measured manifest closes it.
idstringSPIFFE SVID or registry URI for the agent.typeenumagent | orchestrator | tooldisplay_namestringHuman-readable agent name.model_manifest.code_hashstringsha256 of the agent code at execution time.model_manifest.model_hashstringsha256 of the model weights.model_manifest.model_versionstringSemantic version of the model.model_manifest.signer_idstringIdentity of the governance authority that signed the manifest.attestation.typestringtee_tdx | tpm | spiffe | platformattestation.evidence_digeststringDigest of the runtime attestation evidence.Intent
Why this action is being taken, captured at authorship time.
Intent answers why this action is being taken, in the author's own words, at authorship time. It includes a canonical purpose label, a natural-language statement, a risk tier, and whether a human checkpoint is required before irreversible effects. Intent persists across the chain — it is inherited by downstream hops, not reinvented.
purposestringMachine-readable canonical label (e.g. approve_wire_transfer).statementstringNatural-language statement of intent in the author's own words.risk_tierenumlow | medium | high — determines HITL routing.human_in_the_loopbooleanIf true, a live human confirmation is required before irreversible effects.Scope
Explicit limits on what the Actor may do under this authorship.
Scope is the explicit limits on what the Actor may do: actions, resources, monetary caps, time windows, maximum delegation depth. The central invariant: scope attenuates monotonically. A sub-agent can receive a narrower scope. It cannot receive a wider one. The AuthR verifier enforces this, not the application.
permitted_actionsstring[]Exhaustive list of actions the actor may invoke.resourcesstring[]Resource URIs the actor may access.constraints.max_amountnumberMaximum monetary value the actor may authorize.constraints.currencystringISO 4217 currency code.constraints.max_delegation_depthnumberMaximum chain depth from this record.Provenance
The lineage — ordered chain of prior records and data sources.
Provenance records the ordered chain of prior AuthR records (each referenced by id and depth), a correlation id that ties the whole execution graph together, and the data sources (datasets, policies, prior rulings, retrieved documents) that shaped the decision. Without provenance, authorship collapses into a claim with nothing behind it.
chainChainLink[]Ordered list of parent record references with depth and issuer.chain[n].authr_idstringURN of the parent record at depth n.chain[n].depthnumberHop depth from root (root = 0).correlation_idstringStable identifier tying the entire execution graph together.data_sourcesDataSource[]Policies, datasets, and documents consulted at authorship time.Drift
First-class awareness of uncertainty and staleness.
Drift is first-class awareness of uncertainty and staleness: confidence at decision time, a stale_after timestamp, and observed deviation signals indicating the original intent may no longer match reality. An AuthR record that is not drift-aware is not really governed — it is hopeful.
confidencenumber0.0–1.0 confidence at decision time. Below 0.80 triggers re-anchoring.stale_afterstringISO timestamp after which the record must be re-anchored.deviation_signalsstring[]Observed signals indicating intent drift (empty = clean).The three operations
Issue (root)
A root AuthR record is minted when a human author (directly or via a verified digital twin) authorizes an agent to act. The record carries the author, the actor, intent, scope, and relevant data sources. It is signed by an Issuing Authority — a control plane component comparable in role to an OAuth authorization server, but for authorship rather than access.
# Python reference
from authr import IssuingAuthority, Author, Actor, Intent, Scope
ia = IssuingAuthority(kid="treasury-twin-key-2026-05")
root = ia.issue_root(
author=Author(id="did:web:acme.com:people:jane-doe", role="CFO"),
actor=Actor(id="spiffe://acme.com/agents/treasury-orchestrator"),
intent=Intent(
purpose="approve_wire_transfer",
statement="Release Q2 supplier payment. Halt if variance >5%.",
risk_tier="high",
human_in_the_loop=True,
),
scope=Scope(
permitted_actions=["wire.prepare","wire.validate","wire.approve","wire.submit"],
constraints={"max_amount": 250000, "currency": "USD"},
),
)Extend (hop)
When an orchestrator delegates a sub-task to a sub-agent, it calls extend on the parent record. The Issuing Authority produces a new record with the same author (authorship does not change hands), a new actor (the sub-agent), an attenuated scope (subset of the parent's), an inherited intent, and a link to the parent in provenance.
# Python reference
hop = ia.extend(
parent=root,
actor=Actor(id="spiffe://acme.com/agents/wire-validator"),
attenuated_scope=Scope(
permitted_actions=["wire.prepare","wire.validate"], # narrowed
constraints={"max_amount": 250000, "currency": "USD"},
),
)
# Attempting to add wire.cancel here raises:
# ScopeExpansionError: actions {'wire.cancel'} not in parent scopeVerify
A relying party verifies a record or full chain against a trust store. All six invariants must pass. Any failure blocks the request before it reaches the resource. The verifier is the last-mile enforcement point — not the application layer.
# Python reference
verifier = Verifier(trust_store=trust_store)
result = verifier.verify_chain([root, hop])
# result.passed → True
# result.invariants[3].passed → True (scope monotonically narrows)
# Attempting with a widened scope:
bad_hop = ia.extend(parent=root, actor=validator,
attenuated_scope=Scope(permitted_actions=["wire.cancel"]))
# Raises: ScopeExpansionError before record is even issuedVerification invariants
A relying party verifies a chain by checking all six invariants in order. Any failure blocks the request before it reaches the resource. Invariants are checked structurally — not by policy, not by the application.
§5.3.3 inv.1The record signature must be valid and the key identifier (kid) must be present in the trust store of the relying party.
§5.3.3 inv.2The current timestamp must be before expires_at. Records with stale_after in the past require re-anchoring before irreversible effects.
§5.3.3 inv.3The author.id field must be identical across every record in the chain. Authorship does not change hands across delegation hops.
§5.3.3 inv.4For every consecutive pair of records in the chain, the child's permitted_actions must be a subset of the parent's. No new actions may be introduced at any hop.
§5.3.3 inv.5Each non-root record's last provenance.chain entry must reference the immediate parent by authr_id.
§5.3.3 inv.6The provenance.correlation_id must be identical across all records in the chain, tying the full execution graph together for audit reconstruction.
Record structure — v0.1
An AuthR Record is a JSON object signed with EdDSA (Ed25519). The signature covers the canonicalized record minus the signature field itself.
{
"authr_id": "urn:authr:01HZXQ6K8Y4F9D3W2P7N5V0A1B",
"version": "0.1",
"issued_at": "2026-04-20T14:02:11Z",
"expires_at": "2026-04-20T14:32:11Z",
"author": {
"id": "did:web:acme.com:people:jane-doe",
"type": "verified_digital_twin",
"role": "CFO",
"display_name": "Jane Doe (CFO)",
"grounding": {
"referent_type": "verified_human",
"verified_at": "2026-04-20T14:02:10Z",
"verifier": "acme-hrms",
"evidence_digest": "sha256:a3f2..."
}
},
"actor": {
"id": "spiffe://acme.com/agents/treasury-orchestrator/instance-42",
"type": "agent",
"model_manifest": {
"code_hash": "sha256:c81e...",
"model_hash": "sha256:9f0a...",
"model_version": "2026.04",
"signer_id": "acme-ai-governance"
},
"attestation": {
"type": "tee_tdx",
"evidence_digest": "sha256:...",
"verified_at": "2026-04-20T14:02:11Z"
}
},
"intent": {
"purpose": "approve_wire_transfer",
"statement": "Release Q2 supplier payment per approved schedule.",
"risk_tier": "high",
"human_in_the_loop": true
},
"scope": {
"permitted_actions": ["wire.prepare","wire.validate","wire.approve","wire.submit"],
"resources": ["account:acme-opex-7788","counterparty:acme-supplies"],
"constraints": {
"max_amount": 250000.00,
"currency": "USD",
"max_delegation_depth": 2
}
},
"provenance": {
"chain": [],
"correlation_id": "corr-7e21...",
"data_sources": [
{ "source_id": "policy:treasury-payments-v7", "source_type": "policy" }
]
},
"drift": {
"confidence": 0.97,
"stale_after": "2026-04-20T14:32:11Z",
"deviation_signals": []
},
"signature": {
"alg": "EdDSA",
"kid": "treasury-twin-key-1",
"value": "..."
}
}Relationship to existing standards
AuthR does not replace OAuth, SAML, OIDC, or UMA. It sits above them.
| Standard | Role | How AuthR relates |
|---|---|---|
| OAuth 2.0 / OIDC | Authentication and access token issuance | Used unchanged. The actor presents OAuth tokens for API access; the AuthR record travels alongside as an additional assertion. |
| RFC 8693 Token Exchange | Cross-domain delegation of access | AuthR extension is the authorship analogue. Both can be used together: OBO for the token, AuthR for the decision. |
| RFC 9396 Rich Authorization | Structured fine-grained permissions | AuthR scope.constraints can reference or embed RAR authorization_details. |
| UMA 2.0 | User-managed access for resource sharing | UMA grants access; AuthR declares who is responsible for the action taken under that access. |
| W3C Verifiable Credentials | Portable identity assertions | Natural fit for author.id and grounding.evidence_digest. |
| SPIFFE / SPIRE | Workload identity | Natural fit for actor.id and attestation evidence. |
| CoSAI Agentic IAM | Agents as first-class identities | AuthR is the authorship layer above the agent identity layer CoSAI defines. |