Exploring AAuth for Agent IAM

Note: AAuth spec as of March 31, 2026. AAuth continues to update. The flows and demos in this repo are aligned with the latest AAuth spec as of the time of writing (March 31, 2026).

Agent Auth (AAuth – pronounced "AY-awth") is an IETF draft paper for agent identity and access management from Dick Hardt, who authored OAuth 2.0 and co-authored OAuth 2.1.

Intro: Digging into AAuth Flows

This set of resources is intended to help you understand the AAuth protocol in concrete detail. It is not a specification (see Agent Auth). It is specifically a more detailed review of the spec with examples (as a result of my implementing it).

This section walks through various flows with detailed Header/Payload examples so the sequence diagrams from the AAuth exploratory draft are illustrated concretely.

The source code for this section can be found on GitHub: https://github.com/christian-posta/aauth-implementation

  1. Header Web Key (HWK) for Pseudonymous Access
  2. JSON Web Keys (JWKS) for Identified Access / Agent Identity
  3. Identified Agent Authorization
  4. User Consent with Identified Access with Authorization
  5. Authorization Token Exchange
  6. Delegated Agent Identity
  7. Clarification Chat During Authorization

🎉 Full Working Demo with Keycloak and Agentgateway

This set of resources walks you through the setup and evaluation of a realistic AAuth implementation with an Identity Provider (Keycloak), Agentgateway, and libraries that support AAuth in multiple languages (Java, Python, Rust).

The source code for this section can be found on GitHub: https://github.com/christian-posta/aauth-full-demo

  1. AAuth with Keycloak and Agentgateway
  2. Agent Identity with JWKS
  3. Agent authorization (autonomous flow)
  4. Agent authorization (user consent)
  5. Token Exchange for Auth propagation (OBO)
  6. Apply policy with AgentGateway
  7. Clarification Chat on Authorization

AAuth Implementation Resources

  1. Java Library
  2. Python Library
  3. Rust Library
  4. Keycloak AAuth SPI
  5. Agentgateway AAuth Impl
  6. Agentgateway AAuth Release