Hi,

The concepts sound interesting. Do you have an RFC style spec that describes how the extensions added to existing OAuth specs work? I didn’t find that in the GitHub repository.

Thanks,

George Fletcher 
Practical Identity LLC

On May 26, 2026, at 11:19 PM, Sharath Rajasekar <[email protected]> wrote:

Hello OAuth WG,

I’d like to introduce ZeroID, an open-source implementation focused on OAuth 2.0 / OAuth 2.1 delegation and token exchange patterns in autonomous agent and machine-to-machine systems.

Repository:
https://github.com/highflame-ai/zeroid

ZeroID is built directly on top of established OAuth mechanisms, with a focus on implementing and stress-testing real-world delegation semantics using:

  • OAuth 2.0 authorization flows (RFC 6749),
  • Token Exchange (RFC 8693),
  • constrained and attenuated delegation of authority,
  • impersonation and on-behalf-of patterns,
  • multi-hop delegation chains between non-human actors.

Rather than introducing a new authorization framework, ZeroID implements a concrete model of how OAuth-based delegation behaves in autonomous agent environments where:

  • authority is dynamically delegated across multiple agents,
  • execution chains may extend beyond initial authorization events,
  • tokens are exchanged across multiple hops and contexts,
  • downstream services require verifiable provenance of delegated actions.

The goal of ZeroID is to serve as a reference implementation of OAuth-style delegation in these emerging workloads, and to provide a concrete system for evaluating where current specifications are sufficient and where semantic gaps may exist.

We are particularly interested in feedback from the WG on:

  1. Whether RFC 8693-style token exchange adequately captures multi-hop delegation chains in autonomous systems,
  2. How existing OAuth semantics should be interpreted when both delegating and delegated parties are non-human agents,
  3. Any known limitations or constraints in representing attenuated authority across multiple delegation steps,
  4. Whether there are existing WG efforts or drafts that already address these patterns more directly.

We believe OAuth already provides a strong foundation for this space, and ZeroID is intended to demonstrate a concrete, interoperable implementation of those mechanisms under realistic autonomous-agent workloads.

We would welcome any feedback, critiques, or pointers to related work.

Best regards,
Sharath Rajasekar (www.highflame.com)
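As an added illustration of the RFC 8693 "act" nesting behind the multi-hop delegation chains and attenuated-authority points raised above (example code written for this note, not ZeroID's implementation; token signing and verification are assumed to happen elsewhere, and the issuer, agent names and scopes are constructed sample values):

```python
"""RFC 8693-style delegation chain with per-hop scope attenuation.

Tokens are plain claim dicts (assumption: signing lives in another layer).
The chain is carried in nested "act" claims as RFC 8693 section 4.1 lays out:
the outermost "act" is the current actor, deeper ones are prior actors.
"""
from __future__ import annotations


def exchange(subject_token: dict, actor: str, requested_scope: set[str]) -> dict:
    """One token-exchange hop: `actor` obtains a token to act for the subject.

    Authority may only shrink along the chain, so the exchange rejects any
    requested scope the presented subject_token does not already carry.
    """
    held = set(subject_token["scope"].split())
    if not requested_scope <= held:
        raise PermissionError(
            f"scope escalation by {actor}: {sorted(requested_scope - held)}")
    new_act = {"sub": actor}
    if "act" in subject_token:          # push prior actors one level deeper
        new_act["act"] = subject_token["act"]
    return {
        "iss": subject_token["iss"],
        "sub": subject_token["sub"],    # the original principal never changes
        "scope": " ".join(sorted(requested_scope)),
        "act": new_act,
    }


def delegation_chain(token: dict) -> list[str]:
    """Actors from least recent to current, read off the nested act claims."""
    chain = []
    node = token.get("act")
    while node is not None:
        chain.append(node["sub"])
        node = node.get("act")
    return chain[::-1]


def build_sample_chain() -> dict:
    # Constructed sample: user's token -> orchestrator agent -> tool-runner agent.
    root = {"iss": "https://as.example", "sub": "user@example",
            "scope": "read write delete"}
    hop1 = exchange(root, "agent:orchestrator", {"read", "write"})
    return exchange(hop1, "agent:tool-runner", {"read"})


if __name__ == "__main__":
    tok = build_sample_chain()
    print(delegation_chain(tok), tok["scope"])
```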


_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]