{
  "profile_id": "structured_agent_authorization",
  "version": "1.0.0",
  "published": "2026-06-29",
  "name": "Structured Agent Authorization Profile",
  "description": "A cross-domain validation profile requiring that every AI agent action touching a protected resource be authorized by a structured, request-specific authorization object. If the authorization object is missing, malformed, expired, exceeds the agent's registered ceiling, or cannot be validated by the resource server, the action must be denied.",
  "normative_anchor": {
    "source_id": "openid",
    "standard": "RFC 9396 — OAuth 2.0 Rich Authorization Requests",
    "url": "https://www.rfc-editor.org/rfc/rfc9396"
  },
  "implementation_signals": [
    {
      "source_id": "hashicorp_vault_aar_2026",
      "description": "HashiCorp Vault AI Agent Authorization Pattern — per-request OAuth 2.0 RAR with agent registration, permission ceiling policies, and IaC-governed resource server configuration",
      "normative_force": "best-practice"
    }
  ],
  "core_requirement": "Every protected AI agent action must carry a structured, request-specific authorization object (authorization_details per RFC 9396) that binds the action to a verified agent identity, a declared purpose, a specific resource, applicable constraints, and a short TTL. Resource servers must validate this object and deny the action if any required field is missing, malformed, expired, or exceeds the agent's registered permission ceiling.",
  "required_capabilities": [
    {
      "capability_id": "registered_agent_identity",
      "description": "Every agent must be explicitly registered before receiving privileged access. Registration binds the agent to a verified entity and defines its maximum permission ceilings.",
      "owner_domains": ["identity"],
      "apeiris_controls": [
        "apeiris://identity/controls/II-01",
        "apeiris://identity/controls/II-02",
        "apeiris://identity/controls/NI-01"
      ]
    },
    {
      "capability_id": "request_scoped_authorization_details",
      "description": "Every protected action must carry a structured authorization object with fields: action, resource, purpose, constraints, ttl, agent_id, delegator (if applicable), audience. Missing or malformed authorization_details must fail closed.",
      "owner_domains": ["authority", "agentic"],
      "apeiris_controls": [
        "apeiris://authority/controls/PV-02",
        "apeiris://authority/controls/PA-01",
        "apeiris://agentic/controls/AB-02",
        "apeiris://agentic/controls/AT-02"
      ],
      "authorization_object_required_fields": [
        "type",
        "action",
        "resource",
        "purpose",
        "constraints",
        "ttl",
        "agent_id",
        "audience"
      ],
      "fail_closed_on_missing": true
    },
    {
      "capability_id": "permission_ceiling_enforcement",
      "description": "Even if a request asks for broader access, the agent's registered ceiling policy caps what can be granted. Ceiling enforcement applies at the authorization server before issuing the authorization object and at the resource server before executing the action.",
      "owner_domains": ["authority", "identity"],
      "apeiris_controls": [
        "apeiris://identity/controls/DE-03",
        "apeiris://authority/controls/PV-04",
        "apeiris://authority/controls/PA-03"
      ]
    },
    {
      "capability_id": "short_lived_task_bound_credentials",
      "description": "Authorization tokens and assertions must be minted per task/request with a short TTL (typically ≤15 minutes for assertions, ≤1 hour for access tokens). Long-lived credentials must not directly authorize consequential agent actions.",
      "owner_domains": ["identity", "security"],
      "apeiris_controls": [
        "apeiris://identity/controls/NI-02",
        "apeiris://identity/controls/NI-04",
        "apeiris://security/controls/IA-03",
        "apeiris://agentic/controls/AA-01",
        "apeiris://agentic/controls/AA-02",
        "apeiris://agentic/controls/AA-05"
      ],
      "ttl_guidance": {
        "bearer_assertion_max": "PT15M",
        "access_token_max": "PT1H",
        "long_lived_credential_direct_authorization": "prohibited"
      }
    },
    {
      "capability_id": "resource_server_token_validation",
      "description": "Resource servers must validate: issuer, audience, signing algorithm, JWKS or static key trust, clock skew (±30s), JWT type (typ), and identity claim mapping before executing any agent action.",
      "owner_domains": ["security", "identity"],
      "apeiris_controls": [
        "apeiris://identity/controls/IF-01",
        "apeiris://identity/controls/IF-02",
        "apeiris://security/controls/IA-04"
      ],
      "validation_checklist": {
        "issuer": true,
        "audience": true,
        "signing_algorithm": true,
        "jwks_or_static_key": true,
        "clock_skew_max_seconds": 30,
        "jwt_type_claim": true,
        "identity_claim_mapping": true
      }
    },
    {
      "capability_id": "fail_closed_missing_authorization",
      "description": "Any protected resource that receives an agent action request without a valid authorization object must deny the request immediately. No fallback to implicit trust, network-level allowlists, or ambient authorization.",
      "owner_domains": ["agentic", "security", "authority"],
      "apeiris_controls": [
        "apeiris://agentic/controls/AB-02",
        "apeiris://agentic/controls/AT-05",
        "apeiris://security/controls/EC-04"
      ]
    },
    {
      "capability_id": "policy_as_code_registration",
      "description": "Agent registrations, resource server configurations, authorization policies, and ceiling policies must be declarative and reviewable (IaC). Evidence includes: policy-as-code config, review history, deployment state, and drift detection results.",
      "owner_domains": ["security", "authority"],
      "apeiris_controls": [
        "apeiris://security/controls/GV-03",
        "apeiris://authority/controls/PG-02"
      ],
      "evidence_artifacts": [
        "iac_config_files (Terraform, Pulumi, Helm, or equivalent)",
        "policy_review_history (PR/MR records with approvals)",
        "drift_detection_report",
        "deployment_state_snapshot"
      ]
    },
    {
      "capability_id": "authorization_event_logging",
      "description": "Every authorization grant, denial, and ceiling enforcement event must be logged with: agent_id, action, resource, authorization_object_hash, verdict (granted/denied/ceiling-exceeded), timestamp, and enforcing component.",
      "owner_domains": ["agentic", "security"],
      "apeiris_controls": [
        "apeiris://agentic/controls/AT-07",
        "apeiris://agentic/controls/AM-01",
        "apeiris://security/controls/RT-03"
      ]
    }
  ],
  "validation_evidence_schema": {
    "description": "Fields required on controls that authorize agent actions to satisfy this profile",
    "fields": {
      "authorization_details_required": {
        "type": "boolean",
        "description": "Whether this control requires RFC 9396 authorization_details at runtime enforcement"
      },
      "authorization_scope_fields": {
        "type": "array",
        "description": "Required fields in the authorization_details object for this control",
        "enum_values": ["type", "action", "resource", "purpose", "constraints", "ttl", "agent_id", "delegator", "audience"]
      },
      "fail_closed_on_missing_authorization_details": {
        "type": "boolean",
        "description": "Whether missing authorization_details causes an immediate deny"
      },
      "permission_ceiling_policy_required": {
        "type": "boolean",
        "description": "Whether this control requires a registered ceiling policy that caps what can be granted"
      },
      "agent_registration_required": {
        "type": "boolean",
        "description": "Whether the acting agent must be pre-registered before access is permitted"
      },
      "jwt_validation_required": {
        "type": "object",
        "description": "Token validation fields the resource server must check",
        "properties": {
          "issuer": "boolean",
          "audience": "boolean",
          "jwks_or_static_key": "boolean",
          "signing_algorithm": "boolean",
          "clock_skew": "boolean",
          "identity_claim": "boolean"
        }
      }
    }
  },
  "cross_domain_evidence_dag": {
    "description": "Authorization for a single agent action requires evidence from four domains in this dependency order",
    "stages": [
      {
        "stage": 1,
        "domain": "identity",
        "produces": "IdentityAttestation (IC-08)",
        "requirement": "Agent is registered, bound to a verified entity, and has a current non-revoked credential"
      },
      {
        "stage": 2,
        "domain": "authority",
        "produces": "PolicyAttestation (PE-08)",
        "requirement": "The requested action is within the agent's ceiling policy for this resource and purpose",
        "depends_on_stage": 1
      },
      {
        "stage": 3,
        "domain": "agentic",
        "produces": "BehavioralAttestation (AG-08)",
        "requirement": "The tool call carries a valid authorization_details object and the action is within the agent's behavioral scope",
        "depends_on_stage": 2
      },
      {
        "stage": 4,
        "domain": "security",
        "produces": "SecurityPostureAttestation (AS-08)",
        "requirement": "The resource server validated the token (issuer, audience, signature, expiry, ceiling) before executing",
        "depends_on_stage": 3
      }
    ]
  },
  "meta": {
    "authored_on": "2026-06-29",
    "schema_version": "1.0.0",
    "endpoint": "https://apeiris.ai/integration/profiles/structured_agent_authorization.json"
  }
}
