An AI agent's decision to act fires unchecked.
OAuth issues the agent a token. SPIFFE issues it an ID. OPA evaluates a policy at dispatch. None of them sits between the model deciding to call fetch() and the call leaving the host. There is no protocol-level pause, no signed approval, no audit artifact tied to this exact action on this exact resource at this exact moment.
Replit dropped a SaaStr production database during an explicit code freeze (July 2025). Cursor + Claude Opus 4.6 wiped PocketOS production and its only volume backup in nine seconds (April 2026). EchoLeak — CVE-2025-32711, CVSS 9.3 — exfiltrated Microsoft 365 Copilot mailboxes from a single email, zero clicks. Nearly 80% of organizations deploying autonomous AI cannot say in real time what those systems are doing or who is responsible for them (Strata 2026). 88% of enterprises had an AI-agent security incident in the past 12 months (VentureBeat 2026).
Where the standards stop
The IETF's draft-klrc-aiagent-auth-00 explicitly puts policy format and action authorization semantics out of scope. MCP's Elicitation extension pauses on the client side — a buggy or hostile client just doesn't pause, and the server has no way to demand a signed decision. Google A2A's auth-required TaskState says "credentials needed" and stops there; what happens next is "implementation-specific". Today every agent framework solves this with a private hook, a custom Slack DM, or nothing at all. LangGraph interrupts, Temporal signal events, n8n's Wait node, homegrown approval bots — none speak the same wire format and none produce a signed receipt the auditor can verify next year.
We call that missing checkpoint the Action Authorization Boundary. Machine Authority Protocol is the wire-format binding for it. Four v1.0 specifications: a byte-deterministic JSON schema for the proposed action (CAR), a signed policy verdict carrying the five AARM R4 decision states plus a MAP-defined REVOKE (Decision Envelope), a four-message protocol for routing the action to a human approver (Elicitation Loop), and an Ed25519-signed receipt any auditor can replay offline (CAC).
Standards landscape
We surveyed every active draft, RFC, and shipping protocol that touches agent authorization (12 most relevant shown; full 27-standard matrix on GitHub). The pattern: identity layers don't speak action, policy engines don't speak DEFER, OAuth extensions stop at grant time, and the one abstract spec that does name the requirements (AARM v1) leaves the wire format undefined. That undefined wire format is what MAP specifies.
| Standard | Action eval at runtime | Async DEFER state | Signed per-action receipt | Wire format defined |
|---|---|---|---|---|
| Machine Authority Protocol v1.0 | ✓ CAR + Decision Envelope | ✓ Elicitation Loop | ✓ CAC, Ed25519 over JCS-canonical CAR | ✓ JSON Schema |
| AARM v1 (CSA, 2025) | ✓ required (R3) | ✓ required (R4) | ✓ required (R5) | ✗ abstract requirements only |
| OPA / Rego | ✓ synchronous PDP | ✗ no pending state | ✗ decision logs unsigned | ~ Rego language; no input/output schema |
| OpenFGA / Authzed (Zanzibar) | ✓ Check | ✗ | ✗ ZedTokens are consistency, not receipts | ~ tuple model |
| Cedar (AWS / Verified Permissions) | ✓ binary Allow/Deny | ✗ | ✗ | ~ (principal, action, resource, context) |
| SPIFFE / SPIRE | N/A — identity layer | N/A | N/A | ✓ SPIFFE ID + SVID |
| MCP Elicitation 2025-11-25 | ✗ UI-prompt RPC only | ~ client-controlled, server cannot enforce | ✗ unsigned {action, content} | ~ JSON-RPC method only |
| Google A2A | ✗ | ~ AUTH_REQUIRED TaskState; workflow "implementation-specific" | ✗ | ✗ no auth-required workflow |
| RFC 9396 RAR (OAuth) | ✗ request-time at AS only | ✗ | ~ echoed in token; replayable for token lifetime | ~ authorization_details array; per-type schema implementation-defined |
| CIBA | ✗ authentication, not authorization | ✓ for user auth (authorization_pending) | ✗ produces OAuth tokens | ✓ backchannel endpoint + grant type |
| DSSE + in-toto Statement v1 | N/A — build/release attestation | N/A | ✓ on artifacts, not actions | ✓ DSSE envelope + in-toto Statement |
| draft-klrc-aiagent-auth-01 (IETF) | ✗ "policy model and document format are out of scope" | ✗ not defined | ✗ not defined | ✗ synthesis doc |
OPA, OpenFGA, Cedar, and Authzed all evaluate runtime actions correctly as synchronous PDPs. None define a pending state. CIBA defines an async authentication pattern but produces an access token, not a per-action receipt. DSSE + in-toto produces signed attestations — on build artifacts. AARM v1 requires the runtime evaluation, the DEFER state, and the signed receipt as conformance items but does not define how they go on the wire. MAP defines the wire format. CAC encodes the receipt as a JWS-EdDSA detached signature (MAP-CAC-JWS-1, required) and offers a DSSE+in-toto profile (MAP-CAC-DSSE-1, optional) that drops into Sigstore-aware tooling.
Specifications — v1.0 stable
Four specifications. Wire formats, JSON Schemas, and the conformance vector suite are locked. Breaking changes from this point require a 12-month deprecation window per Governance.
CAR: Byte-deterministic JSON schema for a tool call that has been decided but not executed. Tool name (regex-bounded), typed arguments, actor identity (SPIFFE SVID / W3C DID / HTTPS Agent Identity Document), delegation chain, accumulated context (env / time / geo / risk_tier / organizational / accumulated / extensions), timestamp. Canonicalized with RFC 8785 + Unicode NFC + empty-key rejection. Hashed to car_hash for downstream binding. Identity bound by mTLS or RFC 9421 HTTP Message Signatures.
Decision Envelope: JWS-EdDSA-signed (RFC 7797 detached) statement from the AAB carrying one of the five AARM v1 §R4 decisions (ALLOW, DENY, DEFER, MODIFY, STEP_UP) or the MAP-defined REVOKE extension that aborts an in-flight ALLOW. Each decision pins the payload that makes it actionable — DEFER carries a resume_token plus the dispatcher's RFC 7638 JWK thumbprint for DPoP binding, MODIFY carries replacement arguments, STEP_UP carries the required ACR. aab_signature is REQUIRED.
Elicitation Loop: Push-by-default four-message protocol that pauses execution for asynchronous human review: DeferredActionRequest → ApprovalDecision (signed JWS-EdDSA, typ: MAP-APPROVAL-DECISION-1) → ExecutionReceipt. Resume tokens are bound to the dispatcher's key per RFC 9449 (DPoP); approval decisions are signed; CAC is embedded inside the ApprovalDecision when the verdict is APPROVE.
CAC: The signed receipt for an authorized action: action hash, approver identity, declared intent, Ed25519 signature, timestamp, policy version. Encoded as a JWS-EdDSA detached signature (MAP-CAC-JWS-1, REQUIRED); a DSSE + in-toto Statement v1 profile (MAP-CAC-DSSE-1, OPTIONAL) is also defined for Sigstore-aware verifiers. Carries intent_alignment so auditors can detect mismatches between what the agent declared and what the approver saw. A stolen CAC authorizes nothing — it is an audit artifact, not an access token.
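The canonicalize, hash and sign path outlined for the CAR and the CAC, as an added example that is not MAP's reference implementation or schema. It assumes the sample field names, SHA-256 for car_hash, NFC applied to both keys and values, and a minimal RFC 7797 header without MAP's own header fields.

```javascript
// Added example, not MAP reference code. Sample field names and SHA-256 for
// car_hash are assumptions; the page does not state either.
const crypto = require("node:crypto");

// RFC 8785-style canonical JSON, with NFC on every string and empty keys rejected.
function canonicalize(v) {
  if (v === null || typeof v === "boolean") return JSON.stringify(v);
  if (typeof v === "number") {
    if (!Number.isFinite(v)) throw new Error("non-finite number");
    return JSON.stringify(v); // ECMAScript number form, as RFC 8785 requires
  }
  if (typeof v === "string") return JSON.stringify(v.normalize("NFC"));
  if (Array.isArray(v)) return "[" + v.map(canonicalize).join(",") + "]";
  if (typeof v !== "object") throw new Error("unsupported type: " + typeof v);
  const members = new Map();
  for (const [k, val] of Object.entries(v)) {
    const key = k.normalize("NFC");
    if (key === "") throw new Error("empty key rejected");
    if (members.has(key)) throw new Error("keys collide after NFC: " + key);
    members.set(key, canonicalize(val));
  }
  // Default sort compares UTF-16 code units, the order RFC 8785 specifies.
  const sorted = [...members.keys()].sort();
  return "{" + sorted.map((k) => JSON.stringify(k) + ":" + members.get(k)).join(",") + "}";
}

function carHash(car) {
  return crypto.createHash("sha256").update(canonicalize(car), "utf8").digest("hex");
}

// Detached JWS with unencoded payload (RFC 7797): sign header || "." || payload.
const HEADER = Buffer.from('{"alg":"EdDSA","b64":false,"crit":["b64"]}').toString("base64url");

function signDetached(car, privateKey) {
  const input = Buffer.from(HEADER + "." + canonicalize(car), "utf8");
  return HEADER + ".." + crypto.sign(null, input, privateKey).toString("base64url");
}

function verifyDetached(jws, car, publicKey) {
  const [header, payload, sig, extra] = jws.split(".");
  if (header !== HEADER || payload !== "" || !sig || extra !== undefined) return false;
  const input = Buffer.from(HEADER + "." + canonicalize(car), "utf8");
  return crypto.verify(null, input, publicKey, Buffer.from(sig, "base64url"));
}

// Constructed sample: one action, keys reordered and "é" decomposed in the second copy.
const carA = { tool: "db.query", args: { table: "caf\u00e9", limit: 10 } };
const carB = { args: { limit: 10, table: "cafe\u0301" }, tool: "db.query" };
```

A receipt signed over carA verifies against carB because both canonicalize to the same bytes, while any change to an argument value breaks verification.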
All four specifications are the wire-format binding for AARM v1 conformance requirements R1–R6 (Cloud Security Alliance, 2025). The traceability matrix in CONFORMANCE.md maps every R1–R6 row to the exact spec section, schema field, and test vector that satisfies it.
Verify it yourself
One command clones the reference implementation, walks a complete elicitation loop (CAR → DEFER → APPROVE → CAC → receipt), and verifies every Ed25519 signature against published JWKS. No npm install — the verifier uses Node's stdlib crypto.
curl -sL https://machineauthority.org/examples/v1/dispatch.sh | sh
Exit 0 only if every step verifies: DEFER envelope (MAP-DECISION-ENVELOPE-1), CAC over canonical CAR (MAP-CAC-JWS-1 RFC 7797 detached), the same CAC re-encoded as DSSE+in-toto (MAP-CAC-DSSE-1), and the full loop with DPoP-bound resume_token. Source: /examples/v1/dispatch.sh.
Contribute
Read the specs. Find a hole. File the issue. We respond on every one. GOVERNANCE.md caps any single organization — including Plaw — below a majority of maintainer seats. The spec is MIT-licensed. The v1.0 conformance vector suite is locked under /test-vectors/; bun run reference/cli/run-conformance.js walks every vector and exits 0 on conformance. Implementations passing all required vectors for a tier MAY self-certify per CONFORMANCE.md (OpenID Connect Conformance model).
Machine Authority Protocol was initiated by Plaw, Inc. in the course of building Veto, a commercial action-authorization platform. Veto is a reference implementation, not the standard. Plaw holds no special governance rights; all normative changes pass through the public maintainer council. If Plaw shuts down tomorrow, the spec keeps shipping. See Governance.