Conversation
|
@razashariff - I have added this to the week TDC agenda. We should be able to merge it then. |
|
No, x-agent-trust-required is not registered separately yet. Happy to register it as a follow-up PR if the group prefers it as a standalone entry. |
|
@razashariff we talked about some more general auth planning ideas in the TDC (technical developer community) call today, which might impact this so we did not get to deciding on merging it. I might have some additional feedback here between now and next week based on that more general planning, and we should be able to get things merged then. |
|
@razashariff I guess my first question here is why this is a new OpenAPI Object / Operation Object field instead of leveraging the Security Scheme Object and Security Requirement Object. How are you thinking about the relationship between these things? |
|
Thanks Henry, appreciate the update. Happy to align with the broader auth direction -- let me know if any changes are needed and I'll update the PR. Looking forward to next week. |
|
The core issue is that agent authentication introduces a concept that doesn't exist in the current Security Scheme model: graduated trust. Today's securitySchemes answer a binary question -- is this caller authenticated? Agent auth answers a different question -- how much should I trust this caller, and what should I allow based on that trust level? An agent with a valid OAuth2 token is authenticated. But that tells the API nothing about whether the agent has been verified, what its behaviour history looks like, whether it's been sanctioned, or what trust tier it belongs to. Trust levels (L0-L4) gate access per operation based on verified agent identity and reputation -- that's a layer above authentication. The verification model is also distinct. Agent trust tokens use JWKS-based local verification with pre-signed credentials from a trust authority. No redirect flows, no token introspection, no authorization server round-trips. The API caches the issuer's public keys and verifies independently. This maps closer to certificate-based identity than to OAuth2 or OpenID flows. There have been 30+ CVEs filed against MCP implementations in 2026 (CVE-2026-23744, CVE-2026-0756, CVE-2025-6514). The root cause in most cases is that APIs have no way to verify agent identity or enforce trust-based access. The OWASP MCP Security Cheat Sheet documents this gap. I built this as an extension because it addresses a pattern that the current Security Scheme types weren't designed for. If the auth rework creates a path to express this within the core security model, I'd welcome that and will adapt accordingly. |
|
hi @razashariff Can you point out the exact text of the OWASP MCP security guide that you are referring to? I don't see a concern in merging this PR as is unless something significant shows up before the next TDC. If changes need to be made later, that should be fine too. |
|
Could you comment on how you see the comparison between the graduated trust compares with the scopes required aspect of the existing OAuth2 support? I know you're getting a lot of questions here but that's because we're supportive of the change but WITH one eye on the changes we know are coming in OpenAPI 3.3. If there's a way to get this extension registered in a more forwards-compatible way, I would like us to do that even if it takes a little longer to get it right. |
|
Hi @miqui, thanks for the quick response and for the positive signal on merging. The relevant text is from the OWASP MCP Security Cheat Sheet under "Best Practices" sections 6 and 7: Section 6 - Authentication, Authorization & Transport Security:
Section 7 - Message-Level Integrity and Replay Protection:
Full cheat sheet: https://cheatsheetseries.owasp.org/cheatsheets/MCP_Security_Cheat_Sheet.html The `x-agent-auth` extension provides the OpenAPI-level mechanism for advertising these authentication and signing requirements at the specification level, so that client tooling can discover and enforce them without relying on out-of-band documentation. Happy to refine the extension wording in a follow-up PR if anything surfaces at the next TDC. Appreciate your review. Raza |
|
Thanks for the follow-up @lornajane -- and thanks for the TSC's patience on this. This is exactly the distinction I should have made clearer in the original PR. Graduated trust vs OAuth2 scopes -- orthogonal, not overlapping
They compose rather than replace each other. A request to `POST /payments` might require both:
Neither check substitutes for the other. An agent can have the right scope but insufficient trust level (rejected). An agent can be highly trusted but lack the scope (rejected). Only agents satisfying both pass the trust gate. The practical difference matters because OAuth2 binds authorisation to the client, not to individual agent instances running inside that client. Two agent instances running under the same client and the same token can have different trust levels (one has fresh code attestation, the other has not yet passed scanning). Trust levels fill that gap. Forward compatibility with 3.3You raise the critical point. I'd like to structure this so it can graduate cleanly from an extension to a first-class mechanism in 3.3 without breaking existing specs. Two directions I've considered: Direction A -- Extension mirroring the paths:
/payments:
post:
security:
- oauth2: [write:payments]
x-agent-auth:
- agentTrust: [L3]The Direction B -- Treat it as a proposed new security scheme type: components:
securitySchemes:
agentTrust:
type: agentTrust
minLevel: L2
verificationEndpoint: https://trust.example.com/verify
paths:
/payments:
post:
security:
- oauth2: [write:payments]
- agentTrust: [L3]This uses the first-class `security:` field today and adds `agentTrust` as a new type in `securitySchemes`. Strictly, the new type value requires a spec amendment -- which is exactly what 3.3 could land. Until then, the extension acts as a forward-looking reservation of the syntax. I'd lean toward Direction B for forward compatibility. It means the extension today already uses the structure that 3.3 would formalise, and the migration is "promote the type from extension-registered to spec-recognised" rather than rewriting the spec files. Would either direction align with what the TSC is considering for 3.3? Happy to restructure the PR accordingly. I want this to land in a way that survives 3.3 without requiring a second migration from implementers. Raza |
I think the question here is how this text relates to your specific effort. This seems to be setting forth some general guidelines rather than endorsing a specific approach such as your IETF drafts. Which is fine if you're putting forth a possible solution, but it kind-of sounds like you're saying that these MCP documents endorse your own approach, specifically? You don't need to prove that your proposal will be adopted to get an extension registered (extensions are for experimentation, after all), we're just trying to understand how your proposals relate to these documents since you have referenced them repeatedly. |
The issue with mirroring the security field syntax is that it is one of several features that require unusual handling in terms of resolving component names. That's going to be a heavier lift for tools — some of them might have their code organized well enough to re-use the infrastructure, but this sort of resolution is generally a thorny area to work with. Part of the extension review process is making sure that the extensions are reasonably easy to implement in major tools. You're correct that we can't add a new This is similar to @lornajane 's questions about scopes- looking at what we currently have that might be close to what you need as a way to make the extension easier to support. |
|
@handrews -- happy to clarify the relationship. The OWASP MCP Security Cheat Sheet was developed in discussion with OWASP maintainers who agreed that signed agentic flows materially reduce the attack surface in MCP-based systems. Section 7 (Message-Level Integrity and Replay Protection) is based on the IETF draft I submitted (draft-sharif-mcps-secure-mcp), which specifies per-message ECDSA P-256 signing, nonce-and-timestamp replay protection, and signer-identity binding for JSON-RPC payloads in the MCP context. That IETF draft is one proposed solution to the threat model the cheat sheet documents. Other implementations of the same guidance are possible and equally valid. Bringing this back to the OpenAPI spec: The OWASP guidance describes what needs to happen (authenticated, signed, replay-protected agentic requests). The IETF draft describes how one vendor-neutral mechanism can achieve it. The gap both leave open is at the advertisement layer -- how does an API declare to consuming agents that it expects these properties, in a format that standard tooling can parse and enforce? That's what `x-agent-auth` is proposing. It doesn't mandate ECDSA P-256, doesn't mandate the IETF draft, doesn't mandate any specific wire format. It gives an OpenAPI-level declaration point where an API vendor can say "requests to this operation require agent authentication at minimum level L3" and let the consumer resolve the actual mechanism via configuration or discovery. Concrete example. A payments API using mutual TLS plus the IETF draft's message signing could advertise: paths:
/payments:
post:
security:
- oauth2: [write:payments]
- agentTrust: [L3]A different API using a completely different agent-auth stack could use the same `agentTrust` declaration with the mechanism resolved by their security scheme configuration. The extension is a contract surface, not a protocol implementation. On the point about not needing adoption-proof for an experimental extension: agreed, and that's the lane I'm asking for. Experimental extension registration, not endorsement of the underlying IETF work. If the TSC is comfortable with that, I'm happy to restructure in whichever direction (A or B from my previous comment) lines up best with 3.3 planning. Hope this helps. Raza |
|
Thanks Henry -- sounds good. Tool compatibility was a key driver for this proposal so aligned with that fully. Reusing type: apiKey makes sense. Agent authentication on the wire is really just a header carrying a signature plus a bit of metadata, so a generic apiKey-shaped representation fits naturally without needing anything exotic in the spec or in tool code paths. Whatever shape lands well with you and the TSC I'm happy to work with -- the extension itself is deliberately thin and the heavy lifting happens at the verification layer, not in OpenAPI. Thanks again, Raza |
|
@razashariff I seem to be having a bit of trouble finding the HTTP header in question- apologies if I am missing something obvious. Of your three proposed RFC the one that is not MCP or OIDC-specific doesn't seem to define any headers? What is the name and format? Given that I can try to pull together bits from both @lornajane 's questions and mine to offer a suggestion of how this might work within the current security schemes. |
|
Hi @handrews — you're right. The umbrella framework draft ( Header: Format (one line, structured fields style per RFC 8941): Where:
Optional companion header for passport / delegation context: That's what the live demo at If it's useful, I can also extract this into a short standalone section in the framework draft so there's a single citable reference rather than asking reviewers to pull it from the MCP draft. Thanks both — this is the shaping that cleans it up for a clean landing. Raza |
|
Hi Henry — as per your suggestion, I've updated the demo spec so the Raza |
|
@razashariff thanks! For your I-Ds, you'll need an "IANA Considerations" section with a "Field Name Registration" section. RFC9110 has an example of this, although you can probably find other RFCs that have this section for headers using the structured field syntax. But including that will help folks used to reading IETF drafts understand what you're doing. Particularly as your live demo just shows inputs and outputs and not the HTTP messages going back and forth. With this in mind, I think you could do something like: components:
securitySchems:
AgentTrust:
type: apiKey
description: Uses agent trust information in lieu of a traditional API Key.
in: header
name: Agent-Signature
x-agent-trust:
algorithm: ES256
trustLevels: [L0, L1, L2, L3, L4]
issuerKeysUrl: /.well-known/agent-trust-keys
security:
- AgentTrust: [L3]I'm reading this as setting a minimum trust level of L3 for the API. So with this approach, you'd have to get tooling providers to notice This is just off the top of my head, I'll be interested to see what @lornajane , @miqui , @mikekistler and others think. It may not be the best approach! But it is getting it into the current framework, which means at minimum current documentation tools are likely to display it to human readers, even if runtime tools don't do anything with it. |
|
Thanks Henry — that's really clear and makes perfect sense. Wrapping it under On your two points: 1. IANA Considerations / Field Name Registration — agreed, that's missing from the framework draft. Adding a proper "IANA Considerations" section with a "Field Name Registration" subsection following the RFC 9110 pattern (name, status, structured type, reference) so there's a single citable definition for the header. 2. HTTP message visibility in the live demo — fair point, the current playground only shows token in/out. Updating it so each signed request displays the actual CC'ing @mikekistler and @lornajane — happy to adjust the shape based on anything you'd prefer differently, especially on the Raza |
|
Hi Henry — quick update on your two points: Demo: the live page now has a "Real HTTP with the Agent-Signature header" section that renders the full HTTP request on the wire (signed IANA Considerations / Field Name Registration: drafted the section against the framework I-D (RFC 9110 pattern, structured-field Dictionary per RFC 8941, both No rush on either side — just wanted to flag both are ready. Hope this helps. Raza |
|
I think what you are suggesting here: components:
securitySchemes:
AgentTrust:
type: apiKey
description: Uses agent trust information in lieu of a traditional API Key.
in: header
name: Agent-Signature
x-agent-trust:
algorithm: ES256
trustLevels: [L0, L1, L2, L3, L4]
issuerKeysUrl: /.well-known/agent-trust-keys
security:
- AgentTrust: [L3]
It is a good approach. Would we still need to register the |
|
@miqui yes, it would still be registered, @razashariff would just change the
Well, the security scheme type is still You probably also want to say something to discourage using |
|
Thanks both. Update is straightforward — Raza |
razashariff
changed the title
|
Pushed the rename and updated wording per your guidance:
@lornajane @mikekistler -- happy to adjust further if anything reads off, easy to tweak in another commit on the same branch. Raza |
|
Hi @lornajane, hope all is well. Is there any further clarification that would help your framing for PR #67? I noticed there's a TDC today and wanted to check in — Henry made a few suggestions which I've pushed in the latest commit, so just wanted to see if you or the team need anything else from my side. Thanks again, |
|
Thanks @mikekistler — appreciate the approval and thanks @handrews and @miqui for the guidance that got us here. Cheers for now, |
|
@razashariff OK, it's merged! Just to be clear, having it in the registry doesn't necessarily mean tools will support it. You'll need to do your own evangelism for that- good luck! |
|
Thanks Henry -- really appreciate the guidance throughout. Understood on evangelism, that's the next phase. Will keep you and the rest of the OpenAPI team updated as traction builds. Cheers, |
5 participants
Registers the
x-agent-authextension for agent trust verification, as suggested by @handrews in Discussion #5267.The extension declares agent authentication requirements for API endpoints. AI agents present signed trust tokens (JWT-structured, ECDSA P-256) verified locally using cached issuer public keys (JWKS pattern). Trust levels gate access per endpoint.
Follows the existing format from
x-twitter.md.