| Internet-Draft | AuthZ Sharing for Agents | February 2026 |
| Diaconu, et al. | Expires 10 August 2026 | [Page] |
Distributed Multi-Agent Systems consist of Agents and MCP Servers operating across multiple administrative domains, each with its own Identity Providers (IdPs) and Authorization Servers (AS).¶
This document discusses the challenges and solution approaches for sharing authorization information securely and flexibly across domains, including the use of dynamic identity, interoperable claims, and verifiable credentials.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 10 August 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Distributed Multi-Agent Systems, consisting of Agents and Model Context Protocol (MCP) Servers, are increasingly deployed across multiple administrative domains. Each domain typically operates its own Identity Providers (IdPs) and Authorization Servers (AS), creating a fundamental challenge: how can an agent from Organization A securely prove its identity and authorization to resources in Organization B?¶
While OAuth 2.0 and related specifications provide robust authorization frameworks for human users and pre-registered clients, the emergence of autonomous agent systems operating across organizational boundaries presents new challenges that existing mechanisms do not fully address.¶
This challenge is distinct from traditional cross-domain identity federation for human users. Humans rarely delegate authority through multiple organizational boundaries. Agents routinely do so--an orchestrator agent in Domain X may invoke a tool agent in Domain Y, which accesses an MCP server in Domain Z. Existing authorization mechanisms such as OAuth 2.0 Dynamic Client Registration [RFC7591] and Token Exchange [RFC8693] assume single-domain operation or pre-established relationships, and do not address the dynamic, multi-hop delegation patterns that characterize modern agentic systems.¶
This document analyzes the cross-domain agent authorization problem and evaluates solution approaches. The proposed solution extends OAuth 2.0 Client-ID Metadata [I-D.ietf-oauth-client-id-metadata-document] with W3C Verifiable Credentials [W3C.VCDM2.0] to enable dynamic identity establishment without pre-registration across domains, cryptographically verifiable authorization claims that travel with the agent, multi-hop delegation with monotonic scope narrowing and accountability chains, and selective disclosure of sensitive authorization attributes.¶
The document is structured as follows: Section 3 defines key terminology. Section 4 presents use cases demonstrating cross-domain scenarios. Section 8.1.1 identifies threats specific to cross-domain authorization sharing. Section 5 establishes requirements and evaluates solution approaches. Section 8.1 covers security considerations.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119] and [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The following use cases demonstrate scenarios where cross-domain agent authorization presents challenges not addressed by existing single-domain mechanisms.¶
A coding assistant agent operated by Developer Tools Inc. needs to invoke a code review tool provided by Code Analysis Corp. The tool is exposed as an MCP Server protected by Code Analysis Corp's Authorization Server.¶
Company A partners with Company B to provide integrated customer support services. Company A deploys a support agent that needs to access Company B's customer ticketing system and knowledge base to resolve customer issues.¶
A security operations workflow involves agents from multiple vendors: an orchestrator agent from Security Vendor X coordinates a threat intelligence agent from Vendor Y and a remediation agent from Vendor Z. The orchestrator must delegate appropriate permissions to each specialized agent.¶
A manufacturer's inventory management agent needs to query suppliers' availability systems. Multiple suppliers operate their own authorization infrastructure. The agent must access each supplier's MCP servers with appropriate credentials.¶
A financial services agent operating in the EU needs to access data from a partner institution in the US. Both jurisdictions have different regulatory requirements.¶
A system for cross-domain sharing of authorization information of agents needs to meet the following set of requirements:¶
Description: Dynamic Client Registration as outlined in [RFC7591] allows clients to register with an AS dynamically, facilitating the management of client credentials and metadata.¶
Discussion:¶
| Requirement | Met or Partially Met | Not Met |
|---|---|---|
| Dynamic Identity for Agents and MCP Servers | Met | |
| Interoperability Across Domains | Partially Met (Granted by the Dynamic Registration, however no common ground between AS) | |
| Flexible Definition of Claims | Not Met (OAuth2 claims only) | |
| Dynamic Management of Authorization Information | Not Met (Delete or Update not supported) | |
| Security and Privacy | Not Met (Claims are shared but no common schema) | |
| Compliance and Auditability | Partially Met (Claims are shared, APIs are auditable, but no regulatory standards are defined for the schema) |
[I-D.abbey-scim-agent-extension] proposes extending the SCIM (System for Cross-Domain Identity Management) protocol to standardize the provisioning, management, and governance of AI agents and other digital workers.¶
[I-D.wahl-scim-agent-schema] is a companion document to the draft-abbey-scim-agent-extension. Its purpose is to define the specific SCIM schema and attributes required to represent AI agents (digital workers) and agentic applications within the SCIM framework.¶
Description: Provision Agents / MCP Servers through a SCIM extension.¶
Discussion:¶
| Requirement | Met or Partially Met | Not Met |
|---|---|---|
| Dynamic Identity for Agents and MCP Servers | Partially Met (SCIM support is limited and with constraints, example for Azure: “Subsequent syncs are triggered every 20-40 minutes”.) | |
| Interoperability Across Domains | Partially Met (SCIM is supported and schema is well defined) | |
| Flexible Definition of Claims | Met (Defined by the schema) | |
| Dynamic Management of Authorization Information | Partially Met (SCIM support is limited and with constraints, example for Azure: “Subsequent syncs are triggered every 20-40 minutes”.) | |
| Security and Privacy | Partially Met (A schema is defined but Selective Disclosure not supported) | |
| Compliance and Auditability | Partially Met (Claims are shared, APIs are auditable, but no regulatory standards are defined for the schema) |
Description: Client ID Metadata [I-D.ietf-oauth-client-id-metadata-document] is a method for OAuth clients to identify themselves using a URL, which points to a JSON file containing their OAuth metadata. Instead of requiring pre-registration, an authorization server can fetch this JSON document at the client's provided URL to provision the identity.¶
Discussion:¶
| Requirement | Met or Partially Met | Not Met |
|---|---|---|
| Dynamic Identity for Agents and MCP Servers | Met | |
| Interoperability Across Domains | Met | |
| Flexible Definition of Claims | Not Met* (client_id is common, all the rest is limited to OAuth2 claims) | |
| Dynamic Management of Authorization Information | Met | |
| Security and Privacy | Partially Met** (A schema is defined but Selective Disclosure not supported) | |
| Compliance and Auditability | Partially Met** (Claims are shared, APIs are auditable, but no regulatory standards are defined for the schema) |
*Flexible Definition of Claims: The OAuth claims in the draft follow the claims exposed and defined by IANA OAuth Parameters. Hence, the metadata fields are limited to a fixed set of claims. This makes it difficult to convey richer features about the client, including provenance details, compliance attestations, or contextual trust scores without introducing vendor-specific extensions, thereby reducing portability and interoperability.¶
**Security and Privacy, Compliance and Auditability: All metadata is published to a publicly accessible endpoint. There is no native ability to keep certain attributes private, apply selective disclosure, or restrict visibility based on trust relationships. Sensitive operational data or compliance-related data must be handled outside the metadata framework, leading to fragmented trust models. There is no mechanism for revocation and expiration.¶
Agent (Client) AuthZ Server (AS) Metadata Endpoint
| | |
| 1. Authorization Request | |
| (client_id = URL) | |
|--------------------------->| |
| | |
| | 2. HTTP GET (URL) |
| |--------------------->|
| | |
| | 3. Returns Metadata |
| | (JWKS + "vc+jwt") |
| |<---------------------|
| | |
| | 4. Validate Metadata |
| | & Verify VC Signature (JWKS)
| | |
Description: The proposed solution is based on Solution 3, but enhances the supported claims with a new claim, "vc+jwt", based on the Verifiable Credentials Data Model 2.0 from W3C.¶
Discussion:¶
| Requirement | Met or Partially Met | Not Met |
|---|---|---|
| Dynamic Identity for Agents and MCP Servers | Met | |
| Interoperability Across Domains | Met (1) | |
| Flexible Definition of Claims | Met (2) | |
| Dynamic Management of Authorization Information | Met | |
| Security and Privacy | Met (3) | |
| Compliance and Auditability | Met (4) |
Detailed explanations:¶
The W3C Verifiable Credentials Data Model 2.0 addresses the shortcomings of the previous Solution 3, by introducing a cryptographically verifiable and standards-based way to assert identities, capabilities, and compliance attestations. It supports selective disclosure to protect sensitive information, enables time-bound and revocable authorizations, and ensures provenance tracking for audit and regulatory compliance. They are part of a broader decentralized identity (DID) specification.¶
Using the W3C Verifiable Credentials Data Model 2.0 for Agents, MCP Clients, and MCP Servers provides a standardized, cryptographically secure way to establish trust, delegate authority, and ensure interoperability across different systems.¶
It enables Agents, MCP Clients, and MCP Servers to prove, among other things, their identities, identity issuers and provenance, supported skills and permitted actions through verifiable proofs, including support for fine-grained and time-bound access control, while maintaining transparency enabling audit trails for compliance.¶
Additionally, it enhances privacy through selective disclosure and privacy-preserving proofs (e.g., allowing Agents to prove skills and authorized actions without exposing unnecessary details).¶
The Verifiable Credentials Data Model 2.0 is a W3C standard that fits the needs expressed above:¶
(1) Enhanced Interoperability: VCDM 2.0 provides a standardized, extensible way to express identities, capabilities, and compliance data across different systems. Its use of DIDs and schema-governed claims ensures that Agents, MCP Clients, and MCP Servers can verify and exchange trust information, enabling consistent interoperability across domains and platforms.¶
(2) Flexible Definition of Claims: VCDM 2.0 allows arbitrary, schema-governed claims that can represent complex concepts such as provenance, software supply-chain attestations (e.g., SLSA), security posture, audit certifications (SOC2, ISO-27001), or dynamic trust signals. These claims can be extended without breaking interoperability, thanks to widely adopted JSON-LD and schema registries.¶
(3) Security and Privacy: Credentials are signed using verifiable cryptographic proofs (e.g., JSON Web Signatures, Data Integrity proofs). This ensures that Agents, MCP clients, and MCP servers can verify the authenticity of claims without relying solely on HTTPS endpoints or centralized registries. Through techniques like BBS+ signatures, holders can disclose only the subset of claims required for a given authorization flow. This is essential for scenarios where Agents must prove capabilities (e.g., "I'm allowed to execute this skill") without revealing unnecessary or sensitive identity attributes.¶
(4) Compliance and Auditability: VCDM 2.0 enables cryptographically verifiable audit trails by binding each credential to an issuer, timestamp, and revocation status. Compliance attestations can be embedded directly in credentials, and real-time revocation checks ensure they remain valid. This provides trustworthy provenance, regulatory-grade accountability, and reliable lifecycle tracking across distributed systems.¶
Multi-agent systems frequently involve chains of delegation where Agent A invokes Agent B, which may invoke Agent C—potentially spanning multiple administrative domains. This section defines authorization semantics for such delegation chains, addressing the novel challenges of cross-domain delegation.¶
Humans rarely delegate authority through multiple levels across organizational boundaries. Agents routinely do so. Existing delegation mechanisms ([RFC8693] Token Exchange 'act' claims) assume single-domain operation and do not address cross-domain VC-based delegation with verifiable accountability chains.¶
This specification supports two delegation models:¶
Domain X | Domain Y
|
+-----------+ +---------+ | +---------+ +--------------+
| Principal | | Agent A | | | Agent B | | MCP Server M |
| P | | | | | | | |
+-----------+ +---------+ | +---------+ +--------------+
| | | | |
| 1. Task | | | |
|------------->| | | |
| | | | |
| | 2. Delegate + VC(A)| |
| |------------|------>| |
| | | | |
| | | | 3. Request |
| | | | + VC(B) |
| | | | + Deleg(A) |
| | | |-------------->|
| | | | |
| | | | 4. Verify chain
| | | | 5. Apply local policy
| | | | 6. Authorize
When Agent A delegates to Agent B (potentially across domains), B's effective scope MUST be computed as the intersection of:¶
Effective_Scope(B) = A.delegatable_scope
INTERSECT B.intrinsic_scope
INTERSECT Delegation.granted_scope
INTERSECT Receiving_Domain_Policy
This ensures:¶
Implementations MUST enforce monotonic scope narrowing: at each delegation step, effective scope can only decrease or remain the same, never increase.¶
This intersection semantics aligns with capability-based security principles (see: Mark Miller's Principle of Least Authority, Google Macaroons, Biscuit authorization tokens) and extends [RFC8693] Token Exchange delegation semantics to cross-domain VC-based scenarios.¶
Each delegation step MUST produce a verifiable record enabling cross-domain forensic reconstruction.To support revocation and scope-change handling, delegation records SHOULD enable downstream verifiers to identify and validate upstream delegation elements so that authorization decisions do not depend on revoked or superseded delegation claims. The delegation record MUST include:¶
| Field | Description | Cross-Domain Relevance |
|---|---|---|
| delegator_id | Agent A's id from its VC | Enables tracing to originating domain |
| delegator_domain | Domain that issued A's VC | Identifies trust relationship to verify |
| delegatee_id | Agent B's id from its VC | Identifies receiving agent |
| delegatee_domain | Domain that issued B's VC | Identifies receiving domain |
| timestamp | Time of delegation | Temporal ordering for forensics |
| granted_scope | Scopes delegated | Audit of intended authorization |
| expiration | Delegation validity period | MUST NOT exceed delegator's VC expiration |
| chain_hash | Cryptographic binding to prior chain | Ensures chain integrity across domains |
The complete accountability chain enables:¶
Implementations SHOULD enforce maximum delegation depth. Cross-domain delegations SHOULD count toward depth limits regardless of whether they're same-domain or cross-domain.¶
Receiving domains MAY impose stricter depth limits than the originating domain. When a delegation would exceed the receiving domain's depth limit, the AS MUST reject the request with an error indicating the depth violation.¶
To express delegation authority in VCs, the following claims are defined for credentialSubject:¶
{
"credentialSubject": {
"id": "https://example.com/agents/agent-a",
"delegation": {
"permitted": true,
"maxDepth": 2,
"crossDomainDelegation": {
"permitted": true,
"allowedDomains": ["partner.example.org"],
"deniedDomains": ["competitor.example.com"]
},
"allowedDelegateeTypes": ["tool-agent", "workflow-agent"],
"scopeRestrictions": {
"nonDelegatable": ["admin:*", "pii:write"],
"crossDomainNonDelegatable": ["internal:*"]
}
}
}
}
This section defines a Verifiable Credential profile that enables interoperable cross-domain agent authorization. The profile specifies claims that Authorization Servers in different domains can reliably interpret.¶
W3C VCDM 2.0 is intentionally flexible. For cross-domain interoperability, domains must agree on claim semantics. This profile provides that common language.¶
The Agent Authorization VC Profile (AAVC) enables:¶
The credentialSubject MUST include these claims for a VC to be recognized across domains:¶
Classification of the agent. Receiving domains use this to apply type-specific policies. Implementations MUST support:¶
Maximum data sensitivity level this agent may access. Standard values:¶
Organizations MAY extend the profile with additional claims by:¶
Implementations receiving VCs with unrecognized claims SHOULD:¶
For cross-domain interoperability, implementations:¶
MUST:¶
SHOULD:¶
MAY:¶
This section provides illustrative examples of how Client-ID Metadata can be extended with Verifiable Credentials for agent identity. These examples demonstrate the recommended Approach 4 and show how the concepts apply to scenarios similar to the travel booking use case described earlier. These examples are non-normative and intended to demonstrate the concepts discussed in this document.¶
The following example shows OAuth client metadata that includes a Verifiable Credential in the "vc+jwt" field:¶
{
"client_id": "https://agents.example.com/agent-001/metadata.json",
"client_name": "Customer Service Agent 001",
"jwks_uri": "https://agents.example.com/agent-001/jwks.json",
"token_endpoint_auth_method": "private_key_jwt",
"grant_types": ["client_credentials"],
"scope": "read:orders write:tickets",
"vc+jwt": "eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9.eyJAY29udGV4dCI6W..."
}
¶
The "vc+jwt" field contains a JWT-encoded Verifiable Credential. The actual JWT would be significantly longer and contain the complete credential structure shown in the next subsection.¶
The following example shows the decoded structure of a Verifiable Credential for an agent (before JWT encoding):¶
{
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://example.org/agent-credentials/v1"
],
"type": ["VerifiableCredential", "AgentIdentityCredential"],
"issuer": "did:web:issuer.example.com",
"issuanceDate": "2025-01-15T10:30:00Z",
"expirationDate": "2026-01-15T10:30:00Z",
"credentialSubject": {
"id": "https://agents.example.com/agent-001/metadata.json",
"agentName": "Customer Service Agent 001",
"agentVersion": "2.1.0",
"agentType": "customer-service",
"owner": "did:web:example.com",
"authorizedCapabilities": [
"order-lookup",
"ticket-creation",
"customer-notification"
],
"delegatedCredentials":[
{
"id": "https://agents.partner.com/agent-111/metadata.json",
"agentName":"Sec Agent 111",
"delegatedBy":"https://agents.example.com/agent-001/metadata.json",
"delegationChain": [
"urn:uuid:*****",
"urn:uuid:***"
],
"scope": "read:sec-remediate:isolations",
"authorizedCapabilities": [
"enrichment",
"isolation-request"
],
"constraints": {
"dpopNonceRequired": true
}
}
],
"complianceFrameworks": ["SOC2-TypeII", "ISO-27001"],
"delegationLevel": 1,
"maxDelegationDepth": 2
},
"credentialStatus": {
"id": "https://issuer.example.com/status/2024/12345",
"type": "StatusList2021Entry",
"statusPurpose": "revocation",
"statusListIndex": "12345",
"statusListCredential": "https://issuer.example.com/status/2024"
}
}
¶
Note: The actual credential would include a "proof" section with cryptographic signatures. The proof section is omitted here for clarity, as it would add significant length to the example. The proof structure varies depending on the signature suite used (e.g., Ed25519Signature2020, JsonWebSignature2020).¶
This section addresses security considerations specific to cross-domain authorization information sharing. Implementations MUST also follow security guidance in [RFC6819], [W3C.VCDM2.0], and [I-D.ietf-oauth-client-id-metadata-document].¶
This section defines threats specific to sharing authorization information across administrative domain boundaries. General OAuth and VC security threats are addressed in [RFC6819] and [W3C.VCDM2.0]; this section focuses on threats that emerge or are amplified when credentials cross domain boundaries.¶
Beyond standard authorization assets, cross-domain sharing introduces additional assets requiring protection:¶
An attacker gains control of the URL hosting an agent's client-id metadata document and substitutes malicious metadata or VCs. Because the metadata URL is the trust anchor for cross-domain identity, compromise enables complete identity takeover across all trusting domains.¶
Cross-domain amplification: In single-domain scenarios, the AS typically has out-of-band trust with clients. In cross-domain scenarios, the metadata endpoint IS the sole trust anchor—there's no fallback.¶
Injection of false claims into legitimate metadata documents through supply chain attacks, DNS hijacking, or exploitation of hosting infrastructure.¶
Cross-domain amplification: Poisoned metadata propagates trust violations to all domains that fetch and cache the metadata.¶
Using legitimate cross-domain authorization to pivot from a compromised position in Domain A to resources in Domain B that would not otherwise be accessible. An attacker compromises a low-privilege agent in Domain A. That agent has cross-domain authorization to Domain B. The attacker uses the agent's credentials to establish a foothold in Domain B, then escalates within Domain B.¶
Linking agent activities across domains using stable identifiers in VCs to build profiles of organizational operations, potentially revealing sensitive business processes or security postures.¶
Cross-domain amplification: In single-domain scenarios, the domain controls what's logged. In cross-domain scenarios, each domain receiving the VC can correlate independently, and the agent's home domain cannot prevent this.¶
Before accepting VCs from another domain, an Authorization Server MUST verify that the issuing domain is in an explicitly configured trust list. Implementations MUST NOT implicitly trust domains based solely on successful cryptographic verification of the VC.¶
Trust list entries SHOULD include:¶
Implementations MUST NOT assume semantic equivalence of claims across domains. Before accepting a VC from another domain, the AS SHOULD verify:¶
Cross-domain trust relationships MUST have defined lifecycles:¶
Because the client-id metadata endpoint is the sole trust anchor for cross-domain agent identity, it requires enhanced protection beyond typical endpoint security.¶
Metadata documents SHOULD be signed independently of the transport layer, allowing verification even if TLS is compromised or if the document is cached by intermediaries.¶
Authorization Servers SHOULD:¶
When metadata endpoints are unavailable, cross-domain authorization fails. Implementations SHOULD:¶
When a delegation chain crosses a domain boundary, the receiving domain's AS MUST:¶
Receiving domains SHOULD consider the status of delegated credentials and, where status information is available, avoid making authorization decisions that rely on revoked,suspended, or suspended delegation chain elements, according to local policy.¶
Deployments concerned with stale delgations MAY apply bounded caching and periodic revalidation of delegation status appropriate to the sensitivity of protected resources.¶
Implementations MUST enforce that effective scope can only decrease (or remain the same) at each delegation step, including when crossing domain boundaries. The receiving domain MUST apply its local policy as an additional constraint on effective scope.¶
Delegation chains spanning domains MUST maintain cryptographically verifiable accountability. Each domain SHOULD:¶
Agents presenting VCs across domain boundaries SHOULD use selective disclosure mechanisms (SD-JWT VC, BBS+ signatures) to reveal only claims necessary for the specific cross-domain authorization request.¶
Organizations SHOULD assess cross-domain correlation risks before establishing trust relationships, including whether agent identifiers enable activity tracking by foreign domains.¶
This document introduces a new OAuth client metadata parameter "vc+jwt" as described in the Solution Analysis section (Approach 4). If this approach is standardized, the following registration would be required:¶
This informational document does not make a formal request for IANA registration at this time. Registration would be appropriate if this approach is adopted and progresses to a standards track specification.¶