Don't trust the agent.
Verify every action.
VIAA-1 stops authenticating an agent once and trusting its session. Instead, every consequential action carries a cryptographic proof of who, what, and under whose attenuated authority — and the resource returns a signed receipt of what it did.
1. Which agent instance requested this?
2. Who operates or sponsors that agent?
3. Whose authority is it exercising?
4. What exact action was authorized?
5. What constraints and approvals apply?
6. Was the authority still valid when used?
7. What actually happened?
Natural-language instructions never grant authority
They may be recorded as audit commitments — but only structured, machine-enforceable mandates confer permission. The model that plans an action is treated as an untrusted proposer, never as a source of rights.
A resource can cryptographically establish which agent instance requested an exact action, under whose explicitly attenuated authority, subject to which constraints — and can later prove what it did with that request.
— VIAA-1, the narrow and enforceable guarantee
Five distinctions the protocol keeps separate
Each primitive proves exactly one thing. Conflating them is how confused-deputy and over-trust failures happen.
An authority module the model can't talk its way past
Private keys and bearer credentials live in an Agent Authority Module — a sidecar or trusted runtime — not in the planner. A compromised agent must never be the only barrier: the resource independently repeats every authorization check at the point of execution.
The Agent Authority Module
- Converts model proposals into structured actions
- Checks local constraints before signing
- Obtains necessary human or org approvals
- Signs only actions covered by a valid mandate
- Never exposes reusable user credentials to the model
No global identity authority is required. Each resource defines which issuers and trust domains it accepts. A model name or weight hash is not identity — two deployments of the same model are distinct agents.
Six objects, each independently verifiable
Every object is deterministic CBOR signed with COSE_Sign1. Together the agent-signed action and the resource-signed receipt form two-sided, tamper-evident evidence — without the agent ever having to countersign after the fact.
Agent Registration
Binds a stable agent URI to its sponsor, operator policy, and root key.
- Stable agent URI
- Sponsor + operator
- Root public key
- Manifest digests
- Revocation epoch
Instance Binding
Connects a registration to the key of one running instance.
- Registration digest
- Instance key thumbprint
- Workload identity
- Attestation result
- Expiry
Resource Descriptor
Resources identify themselves so agents can't be tricked by impostors.
- Resource identity + origins
- Service public keys
- Supported operations
- Schema digests
- Endpoints
Mandate
A holder-bound, attenuable capability — useless without key possession.
- Grantor + holder key
- Audiences
- Typed constraints
- Quotas + delegation rules
- Obligations
Action Envelope
Signed for every side-effecting call. Change anything and it breaks.
- Operation + schema digest
- Canonical parameters
- Mandate-chain digests
- Resource challenge
- Idempotency key
Execution Receipt
The resource's signed, linked record of what it actually did.
- Action digest
- Authorization result
- Effect identifier
- Metered quantity
- Previous receipt digest
A child mandate may narrow authority — never widen it
Mandate constraints use a limited, monotonic language so delegation-chain containment stays decidable and deterministic. No negation, no regex, no disjunction beyond explicit sets, no external policy calls.
Valid attenuation
- Allowed operations: A subset
- Allowed values: A smaller set
- Numeric range: A contained range
- URI / string prefix: A longer, narrower prefix
- Resource hierarchy: A descendant resource
- Time interval: A shorter interval
- Usage or budget: A smaller amount
- Delegation depth: A lower number
- Obligations: Additional obligations
R′⊆R · A′⊆A · P′⇒P · T′⊆T · Q′≤Q · D′<D · O′⊇O
No implicit union — an agent can't combine two insufficient mandates into a sufficient one. Every action must be authorized by a single valid delegation chain.
{
  "type": "viaa.mandate",
  "issuer": "https://authority.acme.example",
  "grantor": "https://identity.acme.example/users/42",
  "holder_key": "sha256:INSTANCE_KEY_THUMBPRINT",
  "audience": ["https://orders.vendor.example"],
  "grant": [{
    "operation": "urn:vendor:orders:create:v3",
    "schema": "sha256:OPERATION_SCHEMA_DIGEST",
    "constraints": [
      ["currency", "eq", "USD"],
      ["amount_minor", "range", [0, 50000]],
      ["vendor_id", "one_of", ["V42"]],
      ["shipping_country", "one_of", ["US"]]
    ]
  }],
  "quota": { "uses": 3, "total_amount_minor": 100000 },
  "delegation": { "allowed": true, "remaining_depth": 1 },
  "obligations": ["produce_execution_receipt"]
}
Cut the cap to $200, permit one use, expire in ten minutes, forbid further delegation.
Add vendors, countries, operations, or time. Unknown operators are rejected outright.
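The containment rules above can be checked mechanically. The following is an added example, not code from the VIAA reference implementation: it compares a child mandate against its parent using the JSON shape shown above and covers only the `eq`, `range` and `one_of` operators, quota, audience, delegation depth and obligations. The function names and the sample child mandates are assumptions; time intervals, prefixes, resource hierarchy and signature checks are left out.

```javascript
// Added example: monotonic containment check for the mandate shape shown above.
const OPS = ["eq", "range", "one_of"]; // the operators used in the page's mandate

// True when child constraint c admits only values that parent constraint p admits.
function implies(c, p) {
  const [, cop, cv] = c, [, pop, pv] = p;
  const cset = cop === "eq" ? [cv] : cop === "one_of" ? cv : null; // finite value set
  if (pop === "range") {
    if (cop === "range") return cv[0] >= pv[0] && cv[1] <= pv[1];
    return cset !== null && cset.every(v => Number.isInteger(v) && v >= pv[0] && v <= pv[1]);
  }
  const pset = pop === "eq" ? [pv] : pop === "one_of" ? pv : [];
  return cset !== null && cset.every(v => pset.includes(v));
}

// Returns every way `child` widens `parent`; an empty list means valid attenuation.
function attenuationErrors(parent, child) {
  const errs = [];
  if (!parent.delegation.allowed || parent.delegation.remaining_depth < 1) errs.push("parent forbids delegation");
  if (!(child.delegation.remaining_depth < parent.delegation.remaining_depth)) errs.push("depth not lowered");
  if (!child.audience.every(a => parent.audience.includes(a))) errs.push("audience widened");
  for (const k of Object.keys(parent.quota))
    if (!(child.quota[k] <= parent.quota[k])) errs.push(`quota ${k} widened`);
  if (!parent.obligations.every(o => child.obligations.includes(o))) errs.push("obligation dropped");
  for (const g of child.grant) {
    const pg = parent.grant.find(x => x.operation === g.operation && x.schema === g.schema);
    if (!pg) { errs.push(`operation ${g.operation} not granted`); continue; }
    for (const c of g.constraints) if (!OPS.includes(c[1])) errs.push(`unknown operator ${c[1]}`);
    for (const p of pg.constraints)
      if (!g.constraints.some(c => c[0] === p[0] && implies(c, p))) errs.push(`constraint on ${p[0]} widened`);
  }
  return errs;
}

// Constructed sample data: the page's mandate (abbreviated) and two derived children.
const root = {
  audience: ["https://orders.vendor.example"],
  grant: [{ operation: "urn:vendor:orders:create:v3", schema: "sha256:OPERATION_SCHEMA_DIGEST",
    constraints: [["currency", "eq", "USD"], ["amount_minor", "range", [0, 50000]],
      ["vendor_id", "one_of", ["V42"]], ["shipping_country", "one_of", ["US"]]] }],
  quota: { uses: 3, total_amount_minor: 100000 },
  delegation: { allowed: true, remaining_depth: 1 },
  obligations: ["produce_execution_receipt"],
};
const noDeleg = { delegation: { allowed: false, remaining_depth: 0 } };
const derive = (changed, rest) => ({ ...root, ...rest, grant: [{ ...root.grant[0],
  constraints: root.grant[0].constraints.map(p => changed.find(c => c[0] === p[0]) || p) }] });
const narrowed = derive([["amount_minor", "range", [0, 20000]]], { ...noDeleg, quota: { uses: 1, total_amount_minor: 20000 } });
const widened = derive([["vendor_id", "one_of", ["V42", "V99"]], ["shipping_country", "one_of", ["US", "CA"]]], noDeleg);
```

`attenuationErrors(root, narrowed)` returns an empty list, while `attenuationErrors(root, widened)` reports the widened `vendor_id` and `shipping_country` constraints.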
Five phases, ending at the point of execution
A preflight authorization response is never sufficient. The final, binding check happens at the resource enforcement point — closing the time-of-check / time-of-use gap.
The VIAA Proof Bundle
Presented together, the bundle lets a resource verify identity, authority, freshness, and the exact action — with no shared secret and no callback to the issuer required.
Ten conjuncts. Every one must hold.
A perfectly signed request from an untrusted issuer, or one outside the mandate, is still rejected. A signature failure is not the only denial condition — authorization is a conjunction, evaluated independently and reported per check.
The check is atomic and runs at execution time: the resource consumes the action nonce, reserves quota, executes the canonical action, then commits or releases the reservation.
Budgets and revocation that static tokens can't enforce
Two resources can't both accept the same remaining budget, and a revoked agent can't keep acting on yesterday's credential. VIAA treats both as stateful, freshness-bound problems.
Quota Coordinator
A stateful service issues a short-lived reservation bound to the mandate, action, resource, holder key, and a maximum quantity. The resource commits the actual metered amount — or releases the hold on failure.
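The execution-time sequence (consume nonce, reserve quota, execute, then commit or release) and the coordinator's reservations can be sketched in memory. This is an added example, not the reference implementation: the class, method and field names, the mandate id `m1` and the second resource URL are assumptions, and a real coordinator would also expire reservations and verify signatures.

```javascript
// Added example: in-memory sketch. Class, method and field names are assumptions.
class QuotaCoordinator {
  constructor(limits) { this.limits = limits; this.used = new Map(); this.holds = new Map(); this.seq = 0; }
  remaining(m) { // limit minus committed spend minus open holds
    const held = [...this.holds.values()].filter(h => h.mandate === m).reduce((t, h) => t + h.max, 0);
    return this.limits[m] - (this.used.get(m) || 0) - held;
  }
  reserve(binding) { // binding: { mandate, action, resource, holderKey, max }
    if (!Number.isInteger(binding.max) || binding.max < 0) return null;
    if (!(binding.max <= this.remaining(binding.mandate))) return null; // also rejects unknown mandates (NaN)
    const id = `rsv-${++this.seq}`;
    this.holds.set(id, binding);
    return id;
  }
  commit(id, resource, metered) { // only the reserving resource, never above the hold
    const h = this.holds.get(id);
    if (!h || h.resource !== resource || !Number.isInteger(metered) || metered < 0 || metered > h.max) return false;
    this.holds.delete(id);
    this.used.set(h.mandate, (this.used.get(h.mandate) || 0) + metered);
    return true;
  }
  release(id) { return this.holds.delete(id); }
}

class Resource {
  constructor(id, qc) { this.id = id; this.qc = qc; this.nonces = new Set(); }
  execute(action, effect = a => a.amount) { // effect performs the call, returns the metered quantity
    if (this.nonces.has(action.nonce)) return { status: "rejected", reason: "replay" };
    this.nonces.add(action.nonce); // consume the nonce before touching quota
    const rsv = this.qc.reserve({ mandate: action.mandate, action: action.digest, resource: this.id, holderKey: action.holderKey, max: action.amount });
    if (rsv === null) return { status: "rejected", reason: "quota" };
    try {
      const metered = effect(action);
      if (!this.qc.commit(rsv, this.id, metered)) throw new Error("commit refused");
      return { status: "executed", metered };
    } catch (e) {
      this.qc.release(rsv); // failure path: the hold goes back to the budget
      return { status: "failed", reason: e.message };
    }
  }
}
function demo() { // constructed scenario: two resources share one budget of 100000 minor units
  const qc = new QuotaCoordinator({ m1: 100000 });
  const [a, b] = ["https://orders.vendor.example", "https://billing.vendor.example"].map(u => new Resource(u, qc));
  const act = (nonce, amount) => ({ nonce, amount, mandate: "m1", digest: `sha256:ACTION_${nonce}`, holderKey: "sha256:INSTANCE_KEY_THUMBPRINT" });
  return [a.execute(act("n1", 60000)), a.execute(act("n1", 60000)), b.execute(act("n2", 50000)),
    b.execute(act("n3", 40000), () => { throw new Error("backend down"); }),
    b.execute(act("n4", 40000), () => 25000), qc.remaining("m1")];
}
```

`demo()` returns, in order: an executed action, a replay rejection, a quota rejection at the second resource, a failed call whose hold is released, an executed action metered below its hold, and the remaining budget.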
Revocation & freshness
Bumping an agent's revocation epoch invalidates every older mandate at once; direct status entries revoke individual mandates. Agents staple a short-lived signed status assertion — and policy decides how fresh it must be.
Designed against the attacks that break agent authorization
Each row is a concrete attack and the protocol mechanism that defends it. The reference implementation ships a conformance test for every one.
Assurance is a vector, not a score
VIAA defines no universal 'trusted agent' number. Resources evaluate independent claims and require exactly the level each one needs — and attestation is evaluated separately from authorization. It can inform a trust decision; it never grants access by itself.
A high-risk resource can require
- organization-verified principal
- sponsor-issued agent registration
- hardware-backed instance key
- fresh runtime attestation
- per-action human approval
- live revocation status
A deterministic cryptographic core that rides existing rails
VIAA need not replace your identity stack. It defines the downstream action proof and receipts, and slots in beneath the protocols you already run.
Cryptographic profile
- Deterministic CBOR for all signed data
- COSE_Sign1 signature structures
- SHA-256 object digests + key thumbprints
- Ed25519 suite (P-256 ECDSA profile when required)
- TLS transport · signed store-and-forward envelopes
- Strict schema validation, duplicate-key rejection
- Integer monetary quantities — never floating point
application/viaa+cbor · application/viaa-bundle+cbor · application/viaa-receipt+cbor
Compatible with existing standards
- W3C Verifiable Credentials 2.0: principal, sponsor, certification & registration claims
- GNAP: negotiate and issue root mandates
- DPoP: the holder-binding pattern, generalized to exact actions
- SPIFFE · EAT · RATS: workload identity and runtime attestation
- WebAuthn: fresh human approval / user-presence evidence
- MCP · A2A · HTTP · gRPC: transport adapters beneath the application semantics
A working MVP, not just a paper
The recommended first implementation exists: one trust domain, registration + short-lived instance binding, single-hop attenuated mandates, the monotonic constraint language, signed action envelopes and receipts, a quota coordinator, status epochs — and conformance tests for attenuation, replay, schema substitution, and quota races.
$ node examples/demo.ts
Phase E — Verification & execution at the resource
✓ TrustedIdentityPath
✓ ValidSignatures
✓ HolderProof
✓ NonEscalatingDelegation
✓ FreshStatus — stapled assertions fresh
✓ AtomicStateCommit
✓ ActionMatch
✓ ApprovalsMet — none required
✓ ObligationsMet — produce_execution_receipt
✓ LocalPolicy
Authorization: ALLOW
Receipt: executed | effect: order_V42_25000 | metered: 25000
Attack — over-budget action ($600 > $500 cap)
✗ ActionMatch — amount_minor=60000 violates range [0,50000]
Authorization: DENY | receipt: rejected
Stack
Narrow on purpose
VIAA does not make broad permissions safe, and it proves none of the things people wish identity could prove. It provides something smaller and enforceable instead.
VIAA does not prove…
- that an agent is intelligent
- that it is safe or aligned
- that it is truthful
- that it is legally liable
- that it acts in your best interests
- that an LLM understood your intent