| Internet-Draft | Agentic JWT Protocol | December 2025 |
| Goswami | Expires 4 July 2026 | [Page] |
This document specifies Agentic JSON Web Token (Agentic JWT), as an extension to OAuth 2.0 that addresses authorization challenges unique to autonomous agentic AI systems. This protocol solves the problem of Zero-Trust drift due to non-deterministic Agentic AI clients causing separation between user's (resource owner's) intent and client application's actions.¶
Traditional OAuth 2.0 assumes that client applications faithfully represent user intent when requesting authorization. This assumption breaks down when autonomous AI agents dynamically generate workflows, create sub-agents, and make authorization decisions without continuous human oversight. We term this the "intent-execution separation problem."¶
Agentic JWT introduces three mechanisms to address this problem: (1) cryptographic agent identity through agent checksums (based on agent's system prompts, tools and configurations), (2) workflow-aware token binding that links user intent to agent execution, and (3) a new OAuth 2.0 grant type (agent_checksum) for secure token issuance, (4) a flavor of PoP (Proof-of-Possession) at the level of an agentic identity to prevent token replays by other agents in the same multi-agent process.¶
This specification enables Zero-Trust security principles in multi-agent systems while maintaining backward compatibility with existing OAuth 2.0 infrastructure. The security analysis and experimental validation are described in the companion research paper.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 4 July 2026.¶
Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
OAuth 2.0 is designed for deterministic client applications that execute some workflow on behalf of a resource owner [RFC6749]. The principle is that an authorization server (or Identity Provider, IDP) validates the client application using an authorization grant appoved by the resource owner and issues an access token as the proof of authorization, which is then used by some fixed workflow on the client to invoke an API hosted on the resource server. This mechanism breaks down for client applications using agentic AI with LLM reasoning because the decision to call resource server APIs could be taken by non-deterministic LLM reasoning that creates a separation between user's intent and actual agentic execution.¶
Consider a multi-agent vulnerability patching system where a supervisor agent coordinates planner, classifier, and patcher sub-agents. Traditional OAuth 2.0 cannot detect when a low-privilege classifier agent tricks a high-privilege patcher into modifying critical system files, as the bearer token provides no cryptographic binding between user intent and agent execution. While next-generation protocols like GNAP [I-D.ietf-txauth-gnap] address some OAuth 2.0 limitations through JSON-based grant negotiation, they do not provide the agent-specific identity verification and workflow binding mechanisms required for autonomous AI systems.¶
This document addresses the following critical gaps in existing authorization frameworks for autonomous agents:¶
This specification does NOT address:¶
Agentic AI based applications are rapidly solving more use cases and have already become targets for massive investments in enterprises across industries. Agentic clients would likely proliferate much faster than the currently available Zero-Trust implementations, including OAuth 2.0. The fundamental Zero-Trust principles [NIST-SP-800-207] outlined in the NIST 800.63 publication [NIST-SP-800-63] and [NIST-SP-800-63C] are very much applicable and sound but current implementations need to catch up. This protocol enhancement attempts to achieve permanent protection from the possibility of Zero-Trust drift in API invocations done by agentic client applications. This specification outlines this novel protocol as fully backward compatible with the current OAuth 2.0 primitives while expanding the token issuance and resource server validation processes to recognzie agents as separate identities, their currently running version, the currently executing workflow and entire delegation chain in case of multi-agent applications. It also defines a way to make agentic clients auditable on the authorization server side.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
A comprehensive threat modelling using the STRIDE methodology [SHOSTACK], including experimental evaluation, and performance analysis is described in the research paper, [PAPER-REF]. This document focuses on protocol specification for implementers.¶
The system architecture and mechanisms described in this specification are the subject of U.S. Patent Application 19/315,486 [PATENT-REF].¶
This document uses the following terms in addition to those defined in [RFC6749] and [RFC7519]¶
This specification recognizes three agent types based on autonomy level:¶
The security requirements vary by agent type, with fully autonomous agents requiring the strongest guarantees.¶
This agentic JWT architecture introduces the following novel (but backward compatible) protocol features:¶
All of the above mentioned architectural choices are fully backward compatible with OAuth 2.0.¶
The architecture components that make these features possible can be implemented using general purpose programming languages like python, nodejs, java etc. The exact logical component design is outlined below:¶
The Agentic JWT protocol flow is conceptually similar to that of OAuth 2.0 [RFC6749] at high level. However, the internal structure and mechanism is different and encapsulates agentic aware protocol features.¶
+----------------------+ | | | Client | | | | +----------------+ | +-----------------+ | | | | Agent Registration | | | | +--+--(A)--------------------------->| Resource | | | | | | Owner | | | | | | | | | |<-+--(B)---Authorization-Grant------+ | | | | | (agent_checksum) +-----------------+ | | | | | | | | | | Shim Library | | +-----------------+ | | +--+---(C)-----agent_checksum------->| | | | | | | | | | | | | Authorization | | | | | | Server | | | |<-+--(D)------intent-token----------+ | | | | | (with agent information) +-----------------+ | | | | | | | | +-----------------+ | | +--+--(E)------intent-token--------->| | | | | | | Resource | | | | | | Server | | | |<-+--(F)----Protected-Resource------+ | | +----------------+ | +-----------------+ +----------------------+ Workflow: User → IDP → Intent Token → Agent → Access Token → API
The protocol flow described in Figure 1 outlines the interactions between the client (via Shim Library), the Resource Owner, the Authorization Server, and the Resource Server. This flow is fully compatible with the original OAuth 2.0 protocol flow. The complexities of verifying registered agents on the Client, capturing runtime identity of an agent for minting intent tokens, tracking runtime workflow and sending these to Authorization Server with the intent token request, are hidden inside the Shim Library. A Client application just needs to include the Shim library as a dependency to make this flow work. The protocol flow steps are described below:¶
This specification defines a new OAuth 2.0 grant type for autonomous AI agents: "agent_checksum". This grant type enables agents to obtain access tokens (called intent tokens in context of this specification) by proving their identity through cryptographic checksum verification rather than traditional client credentials.¶
The grant type is designed specifically for agentic clients that:¶
Grant Type Identifier:¶
urn:ietf:params:oauth:grant-type:agent_checksum
¶
Note: For brevity in examples, this document uses the short form "agent_checksum" instead of the full URN.¶
The client shim library (see Section 2), on behalf of an agent, makes a request to the token endpoint by sending the following parameters using the "application/json" format with a character encoding of UTF-8:¶
Example HTTP request (with line breaks for readability):¶
POST /intent/token HTTP/1.1
Host: idp.example.com
Content-Type: application/json
Authorization: Bearer <admin_token>
{
"grant_type": "agent_checksum",
"agent_id": "vulnerability-patcher-v1",
"computed_checksum": "sha256:a3c7f2e8d9b4f1e2c8a7d6f3e9b2c4f1...",
"workflow_id": "auto-patch-workflow-v1",
"workflow_step": "step_3_patch_application",
"workflow_enabled": true,
"requested_scopes": [
"repo:write",
"vulnerability:read"
],
"audience": "https://api.github.com",
"delegation_context": {
"chain": [
"supervisor-agent",
"planner-agent",
"vulnerability-patcher-v1"
],
"completed_steps": [
"step_1_analyze_manifest",
"step_2_create_patch_plan"
]
}
}
¶
The token endpoint MUST be protected. In the reference implementation, requests require an Authorization header with a bearer token that has the "generate:intent-token" scope and audience "idp.localhost". This token may well be the usual JWT client level access token that uses one of the traditional OAuth 2.0 Authorization Grants [RFC6749].¶
Implementations MAY use different authentication mechanisms (e.g., client credentials, mutual TLS) but MUST ensure that only authorized entities can request tokens on behalf of agents.¶
Upon receiving a token request, the authorization server MUST perform the following validation steps IN ORDER:¶
For the checksum verification procedure please see Section 5.5.2¶
When workflow_enabled is true, the authorization server MUST validate the workflow execution state:¶
Check that all required prerequisite steps have been completed:¶
If the step has requires_approval=true:¶
This validation ensures that agents cannot skip required steps or bypass approval gates in multi-step workflows.¶
If delegation_context is provided, the authorization server SHOULD validate the delegation chain:¶
The delegation_context.chain array represents the delegation hierarchy from the original initiating agent to the current agent. For example: ["supervisor", "planner", "patcher"] indicates that the supervisor delegated to the planner, which delegated to the patcher.¶
If the request is valid and all verification checks pass, the authorization server issues an intent token and returns it in the response:¶
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6...",
"token_type": "Bearer",
"expires_in": 300,
"scope": "repo:write vulnerability:read"
}
¶
Response fields:¶
The intent token is a JWT [RFC7519] with the following claims:¶
Standard JWT Claims:¶
Proof-of-Possession Claim:¶
Intent-Specific Claims (nested under "intent" object):¶
Agent Proof Claims (nested under "agent_proof" object):¶
Example decoded intent token payload:¶
{
"iss": "https://idp.example.com",
"aud": "https://api.github.com",
"sub": "vulnerability-patcher-v1",
"exp": 1735690800,
"iat": 1735690500,
"jti": "token_a3f7e89c",
"scope": "repo:write vulnerability:read",
"cnf": {
"jwk": {
"kty": "RSA",
"use": "sig",
"alg": "RS256",
"n": "xGOr-H7A-PWi...",
"e": "AQAB"
}
},
"intent": {
"workflow_id": "auto-patch-workflow-v1",
"workflow_step": "step_3_patch_application",
"executed_by": "vulnerability-patcher-v1",
"delegation_chain": "f3e8d9c7b2a41a3c",
"step_sequence_hash": "a7c9e2f4b8d61c3f"
},
"agent_proof": {
"agent_checksum": "sha256:a3c7f2e8d9b4f1e2c8a7d6f3e9b2c4f1...",
"registration_id": "reg_vulnerability-patcher-v1_1735680000"
}
}
¶
The delegation_chain and step_sequence_hash provide cryptographic integrity over the workflow execution path:¶
Delegation Chain Hash:¶
# Input: delegation_context.chain + current agent_id
chain = ["supervisor", "planner", "patcher"]
chain_string = "supervisor|planner|patcher"
hash = SHA256(chain_string.encode('utf-8'))
delegation_chain = hash.hexdigest()[:16]
# Result: "f3e8d9c7b2a41a3c"
¶
Step Sequence Hash:¶
# Input: delegation_context.completed_steps + current step
steps = ["step_1_analyze", "step_2_plan", "step_3_patch"]
steps_string = "step_1_analyze|step_2_plan|step_3_patch"
hash = SHA256(steps_string.encode('utf-8'))
step_sequence_hash = hash.hexdigest()[:16]
# Result: "a7c9e2f4b8d61c3f"
¶
If an agent has skipped steps or altered the delegation chain, the IDP side library will be able to detect during intent token request. However, including these hashes in the intent token additionally enables resource servers to detect if an agent has skipped steps or altered the delegation chain.¶
Error responses follow the OAuth 2.0 error response format defined in Section 5.2 of RFC 6749 [RFC6749]:¶
HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
{
"error": "agent_checksum_mismatch",
"error_description": "Agent checksum mismatch - code integrity violation",
"error_uri": "https://idp.example.com/docs/errors#checksum_mismatch"
}
¶
Error Code: unsupported_grant_type¶
HTTP Status: 400 Bad Request¶
Description: The grant_type parameter does not equal "agent_checksum".¶
Example:¶
{
"error": "unsupported_grant_type",
"error_description": "Grant type must be 'agent_checksum'"
}
¶
Error Code: unknown_agent¶
HTTP Status: 401 Unauthorized¶
Description: The agent_id is not registered with the authorization server.¶
Recommended Action: Agent must complete registration (Section 6.1) before requesting tokens.¶
Example:¶
{
"error": "unknown_agent",
"error_description": "Agent ID not found in registry. Register first."
}
¶
Error Code: agent_checksum_mismatch¶
HTTP Status: 401 Unauthorized¶
Description: The computed_checksum does not match the registered checksum for the agent_id. This indicates that the agent's configuration (prompt, tools, or model parameters) has been modified since registration.¶
Security Implication: This is a critical security error that may indicate:¶
Recommended Action: Agent must re-register with updated checksum before requesting tokens. Authorization server SHOULD log this event for security monitoring.¶
Example:¶
{
"error": "agent_checksum_mismatch",
"error_description": "Agent checksum mismatch - code integrity violation",
"error_uri": "https://idp.example.com/docs/errors#checksum_mismatch"
}
¶
Error Code: invalid_request¶
HTTP Status: 400 Bad Request¶
Description: The request is malformed or missing required parameters. Common causes:¶
Example:¶
{
"error": "invalid_request",
"error_description": "Missing required parameter: computed_checksum"
}
¶
For grant type specific security considerations, see:¶
The authorization server maintains an agent registry mapping agent_id to registration records. Each record contains:¶
Multiple registrations may exist for the same agent_id when the agent's configuration changes. The authorization server uses the LATEST registration for verification.¶
The workflow registry stores workflow definitions including:¶
Each step contains:¶
The checksum verification and workflow validation add overhead to token issuance. Implementations SHOULD:¶
The reference implementation shows ~4.3% overhead compared to standard OAuth 2.0 token issuance, which is acceptable for most production deployments.¶
Agent identity in this specification is based on cryptographic checksums computed over an agent's configuration. Unlike traditional client credentials that can be shared or stolen, the agent checksum provides a unique cryptographic fingerprint of the agent's actual implementation.¶
The agent checksum serves three critical functions:¶
This section defines how agent identity is established, verified, and maintained throughout the agent lifecycle.¶
An agent's identity is derived from its specification, which includes all components that define the agent's behavior:¶
OPTIONAL. Additional configuration parameters including:¶
Example agent specification for a vulnerability patching agent:¶
{
"agent_id": "vulnerability-patcher-v1",
"prompt": "You are a security agent responsible for patching
vulnerabilities in software dependencies. Analyze
manifests, identify vulnerable packages, and generate
patches. Always verify changes before committing.",
"tools": [
{
"name": "read_manifest",
"description": "Read package manifest file",
"parameters": {
"type": "object",
"properties": {
"file_path": {"type": "string"}
},
"required": ["file_path"]
}
},
{
"name": "check_vulnerability",
"description": "Check package for known vulnerabilities",
"parameters": {
"type": "object",
"properties": {
"package": {"type": "string"},
"version": {"type": "string"}
},
"required": ["package", "version"]
}
},
{
"name": "create_patch",
"description": "Create patch for vulnerable package",
"parameters": {
"type": "object",
"properties": {
"package": {"type": "string"},
"current_version": {"type": "string"},
"target_version": {"type": "string"}
},
"required": ["package", "current_version", "target_version"]
}
}
],
"configuration": {
"model_name": "claude-3-5-sonnet-20241022",
"temperature": 0.0,
"max_tokens": 4096
}
}
¶
Tools may be included in the checksum computation at two levels:¶
Implementations MUST support shallow checksums. Deep checksums are OPTIONAL and MAY be indicated through tool metadata.¶
In the reference implementation, tools are marked for deep checksumming using a decorator:¶
@secure_tool(name="critical_operation", checksum_level=ChecksumLevel.deep)
def critical_operation(params):
# Tool implementation included in checksum
pass
¶
When including source code in deep checksums, implementations MUST normalize the source code to ensure formatting changes do not affect checksums while logic changes are always detected.¶
Tool function signatures MUST be normalized to remove framework-specific wrapper parameters that do not affect agent behavior. This ensures that checksums remain stable across different agent frameworks.¶
Wrapper Parameters to Remove:¶
Reference implementation for signature normalization:¶
import inspect
def get_core_signature(func) -> str:
"""
Get function signature with wrapper parameters removed.
"""
# Unwrap decorators to get original function
current = func
try:
current = inspect.unwrap(func)
except (ValueError, AttributeError):
pass
sig = inspect.signature(current)
# Known wrapper parameters to filter out
WRAPPER_PARAMS = {
'config', 'callbacks', 'run_manager', 'tags', 'metadata',
'run_id', 'parent_run_id', 'configurable', 'recursion_limit'
}
# Build cleaned parameter list
cleaned_params = []
for name, param in sig.parameters.items():
# Skip known wrapper params
if name in WRAPPER_PARAMS:
continue
# Skip VAR_KEYWORD (**kwargs) if it looks like wrapper catchall
if param.kind == inspect.Parameter.VAR_KEYWORD:
continue
# Skip VAR_POSITIONAL (*args) used by wrappers
if param.kind == inspect.Parameter.VAR_POSITIONAL and name == 'args':
continue
cleaned_params.append(param)
# Create new signature
new_sig = inspect.Signature(
cleaned_params,
return_annotation=sig.return_annotation
)
return str(new_sig)
¶
This normalization is CRITICAL for cross-framework compatibility. Without it, the same logical tool would have different checksums when used in LangChain [LANGCHAIN] vs CrewAI [CREWAI] vs other frameworks. [LANGGRAPH]¶
For deep checksum tools that include source code, implementations MUST normalize the source code using Abstract Syntax Tree (AST) parsing. This ensures that formatting changes do not affect checksums while any logic changes are always detected.¶
Normalization process:¶
Reference implementation:¶
import ast
import textwrap
import inspect
def remove_docstrings(tree: ast.AST) -> None:
"""
Remove docstring nodes from AST in-place.
Docstrings are captured separately in tool description,
so we remove them from implementation to avoid duplication.
"""
for node in ast.walk(tree):
if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef,
ast.ClassDef, ast.Module)):
if (node.body and
isinstance(node.body[0], ast.Expr) and
isinstance(node.body[0].value, ast.Constant) and
isinstance(node.body[0].value.value, str)):
# This is a docstring - remove it
node.body = node.body[1:] if len(node.body) > 1 else [ast.Pass()]
def normalize_source(source_code: str) -> str:
"""
Normalize Python source code using AST.
This ensures that formatting changes don't affect checksums
while logic changes are always detected.
Strips:
- Comments (not part of execution logic)
- Formatting differences (whitespace, indentation)
- Docstrings (captured separately in checksum)
Preserves:
- All execution logic
- Variable names (semantically significant)
- Control flow structures
- Function calls and their arguments
"""
# Remove leading indentation
source = textwrap.dedent(source_code)
try:
# Parse to AST
tree = ast.parse(source)
# Remove docstrings
remove_docstrings(tree)
# Unparse to canonical form
normalized = ast.unparse(tree)
return normalized
except SyntaxError:
# If code has syntax errors, return as-is
# This will cause checksum mismatch (correct behavior)
return source
def get_tool_source_code(func: callable) -> str | None:
"""
Get normalized source code for a tool function.
Returns None if source cannot be retrieved.
"""
try:
source = inspect.getsource(func)
normalized = normalize_source(source)
return normalized
except (OSError, TypeError):
return None
¶
This normalization means:¶
Example demonstrating normalization:¶
# These produce IDENTICAL checksums after normalization:
def example1(x):
# This is a comment
return x + 1
def example1(x): return x+1 # inline
def example1(x):
"""Docstring here"""
return x + 1
# This produces DIFFERENT checksum:
def example1(x):
return x + 2 # Logic changed
¶
The agent checksum MUST be computed as follows:¶
Construct Agent Components Object: Create a JSON object containing the agent's configuration:¶
{
"agent_id": "string",
"prompt_template": "string",
"tools": [
{
"name": "string",
"description": "string",
"parameters": { /* JSON schema */ }
}
],
"configuration": {
"model_name": "string",
"temperature": number,
"max_tokens": number
}
}
¶
Canonicalize JSON: Serialize the object using RFC 8785 [RFC8785] JSON Canonicalization Scheme (JCS). This ensures deterministic ordering of keys and consistent formatting.¶
Canonical serialization is REQUIRED because:¶
Format Checksum: Encode the hash as lowercase hexadecimal (64 characters):¶
checksum = hex(hash_bytes).lowercase()
# Result: "a3c7f2e8d9b4f1e2c8a7d6f3e9b2c4f1a8e7d3c2b5f4e9..."
¶
Note: The reference implementation uses bare hex encoding. Implementations MAY prefix with "sha256:" for explicit algorithm identification.¶
Implementations MUST ensure checksum computation is deterministic across different platforms, languages, and runtime environments.¶
Reference Implementation (Python):¶
import hashlib
import json
def normalize_prompt(prompt: str) -> str:
"""
Normalize prompt string for consistent checksum computation.
Apply this in BOTH client and server-side computation.
"""
if not prompt:
return ""
# 1. Strip leading/trailing whitespace
normalized = prompt.strip()
# 2. Normalize line endings (Windows \r\n vs Unix \n)
normalized = normalized.replace('\r\n', '\n')
# 3. Collapse multiple consecutive newlines into single newline
import re
normalized = re.sub(r'\n\s*\n', '\n', normalized)
# 4. Strip whitespace from each line
lines = [line.strip() for line in normalized.split('\n')]
normalized = '\n'.join(lines)
# 5. Remove empty lines
lines = [line for line in lines if line]
normalized = '\n'.join(lines)
return normalized
def compute_agent_checksum(agent_components) -> str:
"""
Compute deterministic SHA-256 checksum for agent configuration.
Args:
agent_components: Object with fields:
- agent_id: str
- prompt_template: str
- tools: list of Tool objects
- configuration: dict
Returns:
64-character lowercase hex string (SHA-256 hash)
"""
# Construct canonical components object
components = {
"id": agent_components.agent_id,
"prompt": normalize_prompt(agent_components.prompt_template),
"tools": sorted([
{
"name": tool.name,
"signature": tool.signature,
"description": tool.description
# "source_code" included only for deep checksum tools
}
for tool in agent_components.tools
], key=lambda x: x["name"]), # Sort tools by name
"config": agent_components.configuration
}
# Serialize with sorted keys for determinism
content = json.dumps(components, sort_keys=True)
# Compute SHA-256 hash
return hashlib.sha256(content.encode('utf-8')).hexdigest()
¶
Critical Requirements:¶
json.dumps() with sort_keys=True for
deterministic JSON serialization¶
get_core_signature() to remove
wrapper parameters (see Section 4.2.4)¶
Common Implementation Pitfalls:¶
Before an agent can request tokens, it MUST register its checksum with the authorization server. Registration creates a binding between the agent_id and its cryptographic identity.¶
The registration process:¶
The authorization server MUST perform the following steps:¶
Generate Registration ID: Create unique registration identifier:¶
registration_id = "reg_" + agent_id + "_" + timestamp
¶
Store Registration: Persist mapping:¶
{
"agent_id": "vulnerability-patcher-v1",
"registration_id": "reg_vulnerability-patcher-v1_1735680000",
"checksum": "a3c7f2e8d9b4f1e2c8a7d6f3e9b2c4f1a8e7d3c2b5f4e9a7c3d8f2b6e1a9c4f7",
"prompt": "You are a security agent...",
"tools": [ /* tool definitions */ ],
"public_key": "-----BEGIN PUBLIC KEY-----...",
"registered_at": 1735680000000,
"app_id": "vulnerability-patcher-app",
"version": 1
}
¶
Success response:¶
HTTP/1.1 200 OK
Content-Type: application/json
{
"agent_id": "vulnerability-patcher-v1",
"registration_id": "reg_vulnerability-patcher-v1_1735680000",
"checksum": "a3c7f2e8d9b4f1e2c8a7d6f3e9b2c4f1a8e7d3c2b5f4e9a7c3d8f2b6e1a9c4f7"
}
¶
Error response (duplicate checksum):¶
HTTP/1.1 400 Bad Request
Content-Type: application/json
{
"error": "duplicate_agent",
"error_description": "Agent with identical checksum already exists",
"existing_agent_id": "other-agent-v1"
}
¶
When an agent's configuration changes (e.g., tool updates, prompt modifications), a new checksum is computed and the agent MUST re-register.¶
NOTE: This registration process can be automated by introdcuing additional steps into CI / CD or by Model Context Protocol (MCP, [MCP]) integration to the IDP server, or by any other agent resource management process. Regardless of the methodology used the underlying conceptual process remains the same.¶
Update procedure:¶
Example: Agent version progression¶
// Version 1 (original)
{
"agent_id": "patcher-v1",
"checksum": "aaa1234567890abcdef1234567890abcdef1234567890abcdef1234567890abc",
"version": 1,
"registered_at": 1735680000000
}
// Version 2 (tool updated)
{
"agent_id": "patcher-v1",
"checksum": "bbb9876543210fedcba9876543210fedcba9876543210fedcba9876543210fed",
"version": 2,
"registered_at": 1735690000000
}
¶
The IDP MUST use the latest version (highest registered_at) for checksum verification during token requests.¶
Before requesting a token, the agent MUST compute its current checksum and include it in the token request. This proves that the requesting agent's configuration matches the registered identity.¶
Client-side process:¶
# 1. Detect current agent context
agent_spec = get_current_agent_spec()
# 2. Compute checksum from current configuration
current_checksum = compute_agent_checksum(agent_spec)
# 3. Include in token request
token_request = {
"grant_type": "agent_checksum",
"agent_id": agent_spec.agent_id,
"computed_checksum": current_checksum,
...
}
¶
Upon receiving a token request, the authorization server MUST verify the agent checksum:¶
# From intent.py implementation
# 1. Retrieve registered checksum
registered_checksums = registry.get_agent(agent_id)
stored_checksum = registered_checksums[-1].checksum # Latest version
# 2. Compare with submitted checksum (constant-time)
if computed_checksum != stored_checksum:
raise AgentChecksumMismatch(
"Agent checksum mismatch - code integrity violation"
)
¶
The comparison MUST use constant-time string comparison to prevent timing attacks that could reveal checksum information.¶
NOTE: The authorization server retrieves the LATEST registration for the agent_id, as agents may re-register with updated checksums when their configuration changes.¶
Agent identity progresses through several stages:¶
Valid state transitions:¶
UNREGISTERED --[register]--> REGISTERED
|
v
REGISTERED --[token request + checksum match]--> VERIFIED
|
v
VERIFIED --[config change]--> UPDATED --[re-register]--> REGISTERED
|
v
ANY STATE --[admin action]--> REVOKED
¶
Agent identity security considerations:¶
This section describes the detailed protocol flows for agent registration, token issuance, and authorization. Each flow includes step-by-step procedures, HTTP request/response examples, and validation requirements.¶
The flows in this section build upon the abstract protocol flow described in Section 3.2, providing complete implementation guidance for:¶
Before an agent can request tokens, it MUST register its identity with the authorization server. This flow establishes the cryptographic binding between the agent_id and its configuration checksum.¶
Agent registration sequence:¶
┌─────────┐ ┌─────────────┐ ┌──────────────┐
│ Agent │ │ Application │ │ IDP │
│ Runtime │ │ (Client) │ │ │
└────┬────┘ └──────┬──────┘ └──────┬───────┘
│ │ │
│ 1. Compute checksum │ │
│<─────────────────────────│ │
│ compute_agent_checksum()│ │
│ │ │
│ 2. Return checksum │ │
│──────────────────────────>│ │
│ │ │
│ │ 3. POST /register/agent│
│ │──────────────────────>│
│ │ (agent_components, │
│ │ public_key) │
│ │ │
│ │ │ 4. Recompute
│ │ │ checksum
│ │ │<───────────
│ │ │
│ │ │ 5. Check for
│ │ │ duplicates
│ │ │<───────────
│ │ │
│ │ │ 6. Store
│ │ │ registration
│ │ │<───────────
│ │ │
│ │ 7. Registration response│
│ │<──────────────────────│
│ │ (registration_id, │
│ │ checksum) │
│ │ │
¶
Agent Checksum Computation (Client-Side): The agent runtime computes its configuration checksum using the algorithm defined in Section 5.3. This includes the agent's prompt, tools, and configuration parameters.¶
Public Key Generation (Optional): If proof-of-possession [RFC7800] is required, the agent generates an RSA key pair and prepares the public key in PEM format.¶
Registration Request: The application sends a registration request to the IDP's agent registration endpoint, including the complete agent configuration and optional public key.¶
Server-Side Checksum Verification: The IDP recomputes the agent checksum from the submitted configuration and verifies it matches the claimed checksum.¶
Duplicate Detection: The IDP checks if the computed checksum already exists in the registry. If found, the request is rejected with error "duplicate_agent" to prevent agent impersonation.¶
Registration Storage: The IDP creates a unique registration_id, stores the mapping (agent_id → checksum → registration_id), and persists the registration record.¶
Response: The IDP returns the registration_id and computed checksum to the client for verification.¶
Workflows define the sequence of steps that agents execute and the authorization requirements for each step. Workflow registration establishes the workflow definition with the IDP before execution.¶
┌─────────────┐ ┌──────────────┐
│ Application │ │ IDP │
└──────┬──────┘ └──────┬───────┘
│ │
│ 1. POST /register/workflow │
│────────────────────────────────────────>│
│ (workflow_id, steps[]) │
│ │
│ │ 2. Validate
│ │ structure
│ │<───────────
│ │
│ │ 3. Check for
│ │ duplicates
│ │<───────────
│ │
│ │ 4. Store
│ │ workflow
│ │<───────────
│ │
│ 5. Registration confirmation │
│<────────────────────────────────────────│
│ (workflow_id, status) │
│ │
¶
Workflow registration request:¶
POST /intent/register/workflow HTTP/1.1
Host: idp.example.com
Content-Type: application/json
Authorization: Bearer <admin_token>
{
"workflow_id": "auto-patch-workflow-v1",
"steps": {
"step_1_analyze_manifest": {
"required": true,
"requires_approval": false,
"agent_id": "vulnerability-analyzer"
},
"step_2_create_patch_plan": {
"required": true,
"requires_approval": false,
"agent_id": "patch-planner"
},
"step_3_approval_gate": {
"required": true,
"requires_approval": false,
"approval_gate": true
},
"step_4_apply_patch": {
"required": true,
"requires_approval": true,
"agent_id": "vulnerability-patcher-v1"
},
"step_5_verify_patch": {
"required": true,
"requires_approval": false,
"agent_id": "patch-verifier"
}
}
}
¶
Success response:¶
HTTP/1.1 200 OK
Content-Type: application/json
{
"status": "registered",
"workflow_id": "auto-patch-workflow-v1"
}
¶
This flow describes how an agent requests an intent token using the agent_checksum grant type. The flow includes agent identity verification, workflow step authorization, and token issuance.¶
┌──────┐ ┌────────┐ ┌─────┐ ┌──────────┐ ┌──────────┐
│Agent │ │Client │ │User │ │IDP │ │Registry │
└──┬───┘ └───┬────┘ └──┬──┘ └────┬─────┘ └────┬─────┘
│ │ │ │ │
│1. Trigger │ │ │ │
│────────────>│ │ │ │
│ │ │ │ │
│ │2. Compute │ │ │
│ │ checksum │ │ │
│<────────────│ │ │ │
│ │ │ │ │
│3. Checksum │ │ │ │
│────────────>│ │ │ │
│ │ │ │ │
│ │4. POST /token│ │ │
│ │──────────────┼─────────────>│ │
│ │ (agent_id, │ │ │
│ │ checksum, │ │ │
│ │ workflow) │ │ │
│ │ │ │ │
│ │ │ │5. Get agent │
│ │ │ │ registration │
│ │ │ │───────────────>│
│ │ │ │ │
│ │ │ │6. Registration │
│ │ │ │<───────────────│
│ │ │ │ │
│ │ │ │7. Verify │
│ │ │ │ checksum │
│ │ │ │<─────────── │
│ │ │ │ │
│ │ │ │8. Validate │
│ │ │ │ workflow step│
│ │ │ │<─────────── │
│ │ │ │ │
│ │ │ │9. Create token │
│ │ │ │<─────────── │
│ │ │ │ │
│ │10. Token │ │ │
│ │<─────────────┼─────────────│ │
│ │ response │ │ │
│ │ │ │ │
¶
Workflow Step Validation: If workflow_enabled=true, IDP validates:¶
If validation fails, return error "workflow_step_unauthorized".¶
Token Creation: IDP creates intent token with:¶
Multi-agent workflows involve delegation chains where a supervisor agent delegates tasks to subordinate agents. Each agent in the chain requests its own token, building upon the delegation context from parent agents.¶
This flow illustrates a three-agent delegation chain for automated vulnerability patching:¶
┌────────────┐ ┌─────────┐ ┌─────────┐ ┌─────┐ ┌─────────────┐
│Supervisor │ │Planner │ │Patcher │ │User │ │IDP │
└─────┬──────┘ └────┬────┘ └────┬────┘ └──┬──┘ └──────┬──────┘
│ │ │ │ │
│1. Request │ │ │ │
│ token │ │ │ │
│──────────────┼─────────────┼──────────┼───────────>│
│ (step_1, │ │ │ │
│ chain=[]) │ │ │ │
│ │ │ │ │
│2. Token │ │ │ │
│<─────────────┼─────────────┼──────────┼────────────│
│ │ │ │ │
│3. Delegate │ │ │ │
│ to Planner │ │ │ │
│─────────────>│ │ │ │
│ │ │ │ │
│ │4. Request │ │ │
│ │ token │ │ │
│ │─────────────┼──────────┼───────────>│
│ │ (step_2, │ │ │
│ │ chain=[S]) │ │ │
│ │ │ │ │
│ │5. Token │ │ │
│ │<────────────┼──────────┼────────────│
│ │ │ │ │
│ │6. Delegate │ │ │
│ │ to Patcher│ │ │
│ │────────────>│ │ │
│ │ │ │ │
│ │ │7. Request│ │
│ │ │ token │ │
│ │ │──────────┼───────────>│
│ │ │(step_4, │ │
│ │ │chain=[S,P]) │
│ │ │ │ │
│ │ │ │8. Approval │
│ │ │ │ required │
│ │ │ │<───────────│
│ │ │ │ │
│ │ │ │9. Approve │
│ │ │ │───────────>│
│ │ │ │ │
│ │ │10. Token │ │
│ │ │<─────────┼────────────│
│ │ │ │ │
│ │ │11. Execute │
│ │ │<───────── │
│ │ │ │
¶
Legend: S = Supervisor, P = Planner¶
Supervisor Token Request: Supervisor agent requests token for step_1 with empty delegation chain.¶
{
"agent_id": "supervisor-agent",
"workflow_step": "step_1_analyze_manifest",
"delegation_context": {
"chain": [],
"completed_steps": []
}
}
¶
Supervisor Executes Step 1: Supervisor analyzes the manifest and determines patching is needed.¶
Delegation to Planner: Supervisor delegates to Planner agent, passing delegation context.¶
Planner Token Request: Planner requests token for step_2, including Supervisor in chain.¶
{
"agent_id": "patch-planner",
"workflow_step": "step_2_create_patch_plan",
"delegation_context": {
"chain": ["supervisor-agent"],
"completed_steps": ["step_1_analyze_manifest"]
}
}
¶
Planner Executes Step 2: Planner creates patch strategy and identifies target packages.¶
Delegation to Patcher: Planner delegates to Patcher agent, passing updated delegation context.¶
Patcher Token Request: Patcher requests token for step_4, including full delegation chain.¶
{
"agent_id": "vulnerability-patcher-v1",
"workflow_step": "step_4_apply_patch",
"delegation_context": {
"chain": ["supervisor-agent", "patch-planner"],
"completed_steps": [
"step_1_analyze_manifest",
"step_2_create_patch_plan",
"step_3_approval_gate"
]
}
}
¶
Approval Check: IDP detects step_4 requires approval (step_3 is approval gate). Step_3 must be in completed_steps or request is rejected.¶
User Approval: User has already approved at step_3 approval gate.¶
Token Issuance: IDP issues token to Patcher with:¶
Patcher Execution: Patcher applies the security patch using the intent token.¶
At each delegation step, the IDP validates:¶
Resource servers MAY additionally validate:¶
Future versions or extensions of this specification may align with the Grant Negotiation and Authorization Protocol (GNAP) [I-D.ietf-txauth-gnap], which provides a JSON-based foundation for dynamic authorization scenarios. A GNAP binding for Agentic JWT would enable the agent-specific security mechanisms defined in this specification to work within the GNAP framework.¶
Additional areas for future development include:¶
This specification requires IANA to register a new OAuth 2.0 authorization grant type, JWT claims, OAuth parameters, and error codes in the appropriate registries.¶
This section registers the following grant type value in the IANA "OAuth URI" registry [IANA.OAuth.URI] established by "An IETF URN Sub-Namespace for Auth" [RFC6755]:¶
| Grant Type | URN | Common Name | Change Controller | Reference |
|---|---|---|---|---|
| agent_checksum | urn:ietf:params:oauth:grant-type:agent_checksum | Agent Checksum Grant type for OAuth 2.0 | IETF | [this document], Section 4 |
This section registers the following claims in the IANA "JSON Web Token Claims" registry [IANA.JWT.Claims] established by [RFC7519]:¶
| Claim Name | Claim Description | Change Controller | Specification Document |
|---|---|---|---|
| workflow_id | Identifier of the workflow being executed | IETF | [this document], Section 4.4.2 |
| workflow_step | Identifier of the current workflow step | IETF | [this document], Section 4.4.2 |
| executed_by | Agent identifier executing the workflow step | IETF | [this document], Section 4.4.2 |
| delegation_chain | SHA-256 hash of agent delegation sequence | IETF | [this document], Section 4.4.2 |
| step_sequence_hash | SHA-256 hash of completed workflow steps | IETF | [this document], Section 4.4.2 |
| agent_checksum | SHA-256 checksum of agent configuration | IETF | [this document], Section 4.4.2 |
| registration_id | Unique agent registration instance identifier | IETF | [this document], Section 4.4.2 |
This section registers the following parameters in the IANA "OAuth Parameters" registry [IANA.OAuth.Parameters] established by [RFC6749]:¶
| Parameter Name | Parameter Usage Location | Change Controller | Specification Document |
|---|---|---|---|
| agent_id | token request | IETF | [this document], Section 4.2.1 |
| computed_checksum | token request | IETF | [this document], Section 4.2.1 |
| workflow_id | token request | IETF | [this document], Section 4.2.1 |
| workflow_step | token request | IETF | [this document], Section 4.2.1 |
| workflow_enabled | token request | IETF | [this document], Section 4.2.1 |
| delegation_context | token request | IETF | [this document], Section 4.2.1 |
| requested_scopes | token request | IETF | [this document], Section 4.2.1 |
This section registers the following error codes in the "OAuth Extensions Error Registry" [IANA.Extensions.Error] established by [RFC6749]:¶
| Error Name | Error Usage Location | Related Protocol Extension | Change Controller | Specification |
|---|---|---|---|---|
| unknown_agent | token error response | Agent Checksum Grant | IETF | [this document], Section 4.5.3 |
| agent_checksum_mismatch | token error response | Agent Checksum Grant | IETF | [this document], Section 4.5.4 |
| workflow_step_unauthorized | token error response | Agent Checksum Grant | IETF | [this document], Section 4.5.5 |
This specification does not define any new media types. Agent identity verification and token issuance use existing media types:¶
Summary of IANA registrations required by this specification:¶
| Registry | Number of Registrations |
|---|---|
| OAuth URI | 1 |
| JSON Web Token Claims | 7 |
| OAuth Parameters | 7 |
| OAuth Extensions Error Registry | 3 |
| TOTAL | 18 |
This section describes Threat Model and Security Considerations similar to OAuth 2.0 [RFC6819].¶
The agent checksum is the primary security mechanism in this grant type. Implementations MUST:¶
SHA-256 provides 256-bit security against collision and preimage attacks. This is sufficient for agent identity purposes given:¶
Future versions of this specification MAY support alternative hash algorithms (e.g., SHA-3) through algorithm prefix versioning.¶
Agent registration endpoints MUST be protected with authentication and authorization to prevent:¶
The reference implementation requires admin-level OAuth tokens with "register:intent" scope for registration endpoints.¶
The agent registry contains sensitive identity information and MUST be protected:¶
Intent tokens SHOULD have short lifetimes (5-10 minutes) because:¶
The reference implementation uses 5 minutes (300 seconds). But this value should be fully configurable.¶
The cnf (confirmation) claim with JWK binding provides proof-of-possession, preventing token theft. Resource servers SHOULD:¶
Authorization servers MUST implement access controls on workflow definition endpoints. Only authenticated administrators with appropriate privileges SHOULD be able to create or modify workflow definitions.¶
Implementations SHOULD validate workflow definitions for security properties such as: (1) no cycles in agent transitions, (2) appropriate scope restrictions at each step, (3) required approval gates for high-privilege operations.¶
Workflow step validation is critical for preventing privilege escalation. But is applicable only if enabled. Authorization servers MUST:¶
The delegation_chain hash provides integrity over the agent delegation path. However, implementations SHOULD additionally:¶
Implementations MUST use cryptographically secure hash functions for agent checksum computation. SHA-256 or stronger algorithms are REQUIRED. Weaker algorithms such as MD5 or SHA-1 MUST NOT be used.¶
For proof-of-possession key binding, implementations MUST support EdDSA with Ed25519 curves [ED25519] or ECDSA with P-256 curves. RSA keys with minimum 2048-bit length MAY be supported for backward compatibility.¶
Intent hash computation MUST use SHA-256 or stronger. The hash MUST be computed over the canonical JSON representation of the intent token to ensure consistent results across implementations.¶
Authorization servers and resource servers MUST implement appropriate data retention and deletion policies to minimize privacy risks.¶
Token logging and audit trails SHOULD exclude sensitive user data when possible. If user data must be logged, implementations SHOULD use tokenization or anonymization techniques to protect privacy.¶
Cross-border data transfers of tokens containing personal information MUST comply with applicable data protection regulations such as GDPR, CCPA, and similar frameworks.¶
The additional cryptographic operations required by this protocol (checksum computation, signature verification, hash computation) introduce potential denial of service attack vectors. Implementations SHOULD implement rate limiting on token endpoints.¶
Authorization servers SHOULD monitor for patterns indicating DoS attacks, such as: (1) excessive token requests from single clients, (2) repeated failed checksum validations, (3) malformed token requests designed to trigger expensive validation operations.¶
Resource servers MAY implement caching of validation results (with appropriate cache invalidation) to reduce computational overhead for repeated token validations.¶
The following 12 distinct security threats across six STRIDE categories [SHOSTACK] enumerated with their categorization and mitigation status in Table 6, have been used to demonstrate the need for this Agentic JWT protocol.¶
| ID | Threat Name | STRIDE | OWASP | Mitigation |
|---|---|---|---|---|
| T1 | Agent Identity Spoofing | Spoofing | A01:2021 | A1, A2 |
| T2 | Token Replay Attacks | Spoofing | A02:2021 | A6 |
| T3 | Shim Library Impersonation | Spoofing | A08:2021 | A1, A2 |
| T4 | Runtime Code Modification | Tampering | A03:2021 | A1, A12 |
| T5 | Prompt Injection Attacks | Tampering | LLM01:2025 | A12 |
| T6 | Workflow Definition Tampering | Tampering | A04:2021 | A8, A11 |
| T7 | Cross-Agent Privilege Escalation | Priv. Elev. | A01:2021 | A3, A7, A8 |
| T8 | Workflow Step Bypass | Priv. Elev. | A01:2021 | A8, A10 |
| T9 | Scope Inflation | Priv. Elev. | LLM06:2025 | A7, A8 |
| T10 | Intent Origin Forgery | Repudiation | A09:2021 | A9, A10 |
| T11 | Delegation Chain Manipulation | Repudiation | A02:2021 | A6, A9 |
| T12 | Agent Configuration Exposure | Info. Disc. | A01:2021 | A1, A2 |
OWASP categories referenced [OWASP-TOP10-2021] A01:2021 (Broken Access Control), A02:2021 (Cryptographic Failures), A03:2021 (Injection), A04:2021 (Insecure Design), A08:2021 (Software and Data Integrity Failures), A09:2021 (Security Logging and Monitoring Failures), LLM01:2025 (Prompt Injection) [OWASP-LLM01], LLM06:2025 (Excessive Agency) [OWASP-LLM06].¶
Mitigation anchors (detailed in Table 8): A1 (Agent Checksum Verification), A2 (Shim Library Integrity), A3 (Scope Binding), A6 (PoP Key Binding), A7 (Delegation Context), A8 (Workflow State Tracking), A9 (Intent Hash Binding), A10 (Step Authorization), A11 (IDP Access Control), A12 (Input Validation).¶
This section provides detailed descriptions of each identified threat, including attack vectors and real-world precedents. Table 7 presents this information in tabular form.¶
| ID | Description | Attack Vector |
|---|---|---|
| T1 | A malicious agent impersonates a legitimate agent by replicating its identifier, source code structure, prompts, and tool configurations to create a malicious agent with identical checksum signatures. [OWASP-LLM07] | Attacker gains access to agent source code (e.g., through repository compromise) and creates a malicious agent with identical checksum signatures. |
| T2 | Intercepted intent tokens are replayed by unauthorized agents to gain access to protected resources. | Network interception or memory dumps expose valid intent tokens that are replayed before expiration. |
| T3 | Malicious replacement of legitimate shim library with compromised version that bypasses security controls. | Supply chain compromise or local privilege escalation to replace shim library files. |
| T4 | Agent prompts, tools, or configurations are modified at runtime after successful checksum registration. | Memory injection, debugger attachment, or reflection-based modification of agent properties. |
| T5 | Malicious inputs cause LLM agents to generate unintended instructions that bypass security policies. [OWASP-LLM01], [PEREZ-PROMPT-INJECTION]. | Crafted user inputs or external data sources containing prompt injection payloads that manipulate agent reasoning. |
| T6 | Unauthorized modification of workflow definitions in the authorization server to permit unauthorized agent transitions. | Compromised administrative credentials or authorization server vulnerabilities allowing workflow redefinition. |
| T7 | Lower-privilege agent manipulates higher-privilege agent to perform unauthorized operations beyond the original user intent. | Agent A with read-only permissions crafts requests that cause Agent B to execute destructive operations. |
| T8 | Agents skip required approval steps or execute workflow steps out of sequence to gain unauthorized access. | Direct API calls bypassing workflow engine or manipulation of workflow state tracking. |
| T9 | Agents request or utilize broader scopes than originally intended for the specific workflow step. [OWASP-LLM06] | Token minting requests with inflated scopes or misuse of broad scopes for unintended operations. |
| T10 | Unable to cryptographically prove which user intent led to specific agent actions, enabling plausible deniability. | Lack of cryptographic binding between user intent and downstream agent actions. |
| T11 | Modification or forgery of delegation chains to hide true origin of agent actions. | Manipulation of delegation assertion claims or replay of valid delegation chains in unauthorized contexts. |
| T12 | Unauthorized access to agent prompts, tools, and configurations leading to system knowledge disclosure. | API endpoints exposing agent metadata or memory dumps revealing agent configurations. |
The Agentic JWT protocol employs twelve security anchors that collectively address all identified threats. Table 8 describes each mitigation mechanism and the threats it addresses.¶
| Anchor | Mechanism | Threats |
|---|---|---|
| A1 | Agent Checksum Verification: Runtime checksum computation and verification against registered values | T1, T3, T4, T12 |
| A2 | Shim Library Integrity: Cryptographic validation of shim library authenticity | T1, T3, T12 |
| A3 | Scope Binding: Cryptographic binding of authorized scopes to specific workflow steps | T7, T9 |
| A6 | Proof-of-Possession Key Binding: Per-agent cryptographic keys bound to tokens | T2, T11 |
| A7 | Delegation Context Validation: Verification of delegation chain authenticity | T7, T9 |
| A8 | Workflow State Tracking: Authorization server maintains workflow execution state | T6, T7, T8 |
| A9 | Intent Hash Binding: Cryptographic binding of user intent to token lifecycle | T10, T11 |
| A10 | Step Authorization: Per-step authorization checks at resource servers | T8, T10 |
| A11 | Authorization Server Access Control: Protection of workflow definitions | T6 |
| A12 | Input Validation and Sanitization: Validation of agent inputs and LLM outputs | T4, T5 |
This work builds upon the foundational contributions of the OAuth working group and the broader internet security community.¶