The Third Pillar of Identity Just Shipped
An open protocol for verifying responsibility in the era of autonomous agents.
For twenty years, enterprise identity has been a two-question system. Who are you? What can you do? AuthN and AuthZ — designed for the world where a human sits at a terminal, signs in, and clicks. That world is ending.
When an AI agent acts, the questions that mattered for humans are no longer sufficient. A token can prove which credential made the call. It cannot prove who is responsible for the action that followed. In a fleet of autonomous agents that chain tools, re-plan, and execute overnight on behalf of people and organizations, the gap between authenticated and accountable is the place where consequence lives.
Today I’m publishing AuthR v0.1 — Authorship Representation — as an open protocol for closing that gap.
GitHub: github.com/identient/authr
Interactive playground: playground.identient.com
The working paper, the v0.1 specification, the JSON Schema, and a runnable Python reference implementation are all live. The playground lets you mint a root authorship record, extend it to a sub-agent, watch the scope narrow, and watch the verifier reject a scope-widening attempt — sixty seconds, no install.
The problem, concretely
A CFO authorizes a $250K supplier payment. Her verified digital twin passes the work to a treasury orchestrator agent. The orchestrator delegates validation to a narrower sub-agent. The sub-agent is prompt-injected and tries to escalate to wire.cancel. The wire service is about to execute.
Under OAuth’s On-Behalf-Of pattern alone, the wire service has no structural way to know the original authorization didn’t include cancel. The token validates. The access claim is intact. The damage is reconstructed at the audit-log level, three weeks later.
Under AuthR, the verifier rejects the attempt before the request reaches the wire service. Scope attenuation is monotonic and structural — a child’s scope MUST be a strict subset of its parent’s, enforced at every hop, in every conformant implementation. Authorship is preserved across the chain. Intent travels with the work. Provenance is signed end to end.
This is not a feature added to OAuth. It is a third pillar sitting alongside it:
AuthN asks who are you.
AuthZ asks what can you do.
AuthR asks who is responsible for what was done.
What’s in v0.1

Six primitives — Author, Actor, Intent, Scope, Provenance, Drift. Three operations — issue, extend, verify. Six invariants every chain must satisfy. A three-plane architecture (Control, Execution, Enforcement) that separates issuance from execution from enforcement, so a compromised agent cannot widen its own authority no matter how its prompt evolves at runtime.
The reference implementation is in Python with Ed25519 signatures and canonical JSON. The protocol is designed to sit above existing identity standards — OAuth tokens, SAML assertions, SPIFFE workload IDs, W3C Verifiable Credentials — not replace any of them. The work to do is integration, not migration.
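As an added illustration (not code from the AuthR repository), the following is a minimal issue/verify sketch in Go, one of the ports the post asks for. It assumes a simplified record layout, a CFO / orchestrator / validator chain with constructed scope names mirroring the scenario above, and json.Marshal of a struct in place of the specification's canonical JSON rules; it shows the verifier rejecting a link that is correctly signed but widens its parent's scope.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Record is one link of an authorship chain. Field names are this example's own simplification,
// not the AuthR v0.1 schema; Sig is the issuer's Ed25519 signature and is excluded from canon().
type Record struct {
	Author   string            `json:"author"`           // responsible principal; must not change down the chain
	Actor    string            `json:"actor"`            // agent holding this link
	ActorKey ed25519.PublicKey `json:"actor_key"`        // key this actor must use to issue the next link
	Scope    []string          `json:"scope"`
	Parent   []byte            `json:"parent,omitempty"` // signature of the parent link
	Sig      []byte            `json:"-"`
}

// canon relies on json.Marshal of a struct being deterministic; it stands in for the spec's canonical JSON.
func canon(r Record) []byte { b, _ := json.Marshal(r); return b }
func held(scope []string) map[string]bool { m := map[string]bool{}; for _, s := range scope { m[s] = true }; return m }
// narrower is the attenuation rule: child must be a strict subset of parent (scopes assumed duplicate-free).
func narrower(child, parent []string) bool { h := held(parent); for _, s := range child { if !h[s] { return false } }; return len(child) < len(parent) }
// Issue signs a link: the author signs the root, the delegating actor signs each child below it.
func Issue(issuer ed25519.PrivateKey, r Record) Record { r.Sig = ed25519.Sign(issuer, canon(r)); return r }
// Verify walks the chain from the trusted author key: each link must be signed by the previous link's
// actor, point at its parent, keep the author and narrow the scope; action must sit in the final scope.
func Verify(authorKey ed25519.PublicKey, chain []Record, action string) error {
	key := authorKey
	for i, l := range chain {
		ok := len(key) == ed25519.PublicKeySize && ed25519.Verify(key, canon(l), l.Sig)
		if i > 0 { p := chain[i-1]; ok = ok && string(l.Parent) == string(p.Sig) && l.Author == p.Author && narrower(l.Scope, p.Scope) }
		if !ok { return fmt.Errorf("link %d: bad signature, broken provenance or widened scope", i) }
		key = l.ActorKey
	}
	if len(chain) == 0 || !held(chain[len(chain)-1].Scope)[action] { return fmt.Errorf("%q is outside the final scope", action) }
	return nil
}

// The post's scenario with constructed values: CFO -> orchestrator -> validator, then a wire.cancel escalation.
func main() {
	cfoPub, cfoKey, _ := ed25519.GenerateKey(rand.Reader)
	orchPub, orchKey, _ := ed25519.GenerateKey(rand.Reader)
	subPub, subKey, _ := ed25519.GenerateKey(rand.Reader)
	root := Issue(cfoKey, Record{Author: "cfo", Actor: "treasury-orchestrator", ActorKey: orchPub, Scope: []string{"wire.submit", "wire.validate", "wire.status"}})
	sub := Issue(orchKey, Record{Author: "cfo", Actor: "validator", ActorKey: subPub, Scope: []string{"wire.validate"}, Parent: root.Sig})
	forged := Issue(subKey, Record{Author: "cfo", Actor: "validator", ActorKey: subPub, Scope: []string{"wire.validate", "wire.cancel"}, Parent: sub.Sig}) // injected self-extension
	fmt.Println(Verify(cfoPub, []Record{root, sub}, "wire.validate"))       // <nil>
	fmt.Println(Verify(cfoPub, []Record{root, sub, forged}, "wire.cancel")) // link 2: ... widened scope
}
```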
What v0.1 is, and isn’t
v0.1 is deliberately a draft. The point of publishing this early is to put a concrete enough artifact in front of practitioners, security architects, and standards-body veterans that they will argue with it. The fastest way to help AuthR is to argue with it. The next fastest is to break it.
Specific contributions wanted: ports to C#/.NET, TypeScript, Go, and Rust; adversarial reviews of the threat model; use case proposals from teams building agentic systems in production; feedback from CoSAI, OpenID Foundation, W3C, and CNCF veterans on the standards-track path.
Acknowledgments
Two people sharpened this version of the work in ways that show in the protocol itself.
Paul Chapman (VP Business Strategy, Cisco; former CIO, Box) for the executive-level conversation that clarified what auditability has to look like when employees are no longer the only actors in the system — and what happens to enterprise operating models when one human is supervising a hundred agents instead of a hundred employees.
Eve Maler (co-inventor of SAML; longtime steward of identity standards, and founder of Venn Factory) for the engaging conversations and constructive feedback across both AuthR and the broader Verified Intelligence work it sits inside. Eve has been a tireless champion for open standards her entire career; her early conviction that AuthR mattered specifically for agent governance gave me the confidence to push this version of the work into public form.
I’ve been writing toward this protocol for months. The Death of Identity as We Know It in CIO was the framing of the problem. From AI to Verified Intelligence on identient.com was the framing of the operating model that runs on top of it. AuthR is the protocol that makes both possible.
If you’re building in this space, or evaluating where to place a bet, the repository is the artifact. Read it, run it, file an issue with what’s wrong.
Trust is expensive. So is its absence.
— Steve
Connect with me on: LinkedIn · identient.com · stevetout.com
👉 As a bonus, my latest piece for CIO Online, The Death of Identity as We Know It, is available here.