[OAUTH-WG] Re: OAuth Digest, Vol 206, Issue 62

2026-01-01 Thread emelia
In the email quoted:

To unsubscribe send an email to [email protected]

this helps.

Emelia

On 1. Jan 2026, at 12:42, leesha ankola wrote:

To unsubscribe send an email to [email protected]
___
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]


[OAUTH-WG] Re: OAuth Digest, Vol 206, Issue 62

2026-01-01 Thread leesha ankola
I want to stop these emails

On Fri, Dec 26, 2025, 3:59 PM  wrote:

> Send OAuth mailing list submissions to
> [email protected]
>
> To subscribe or unsubscribe via email, send a message with subject or
> body 'help' to
> [email protected]
>
> You can reach the person managing the list at
> [email protected]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of OAuth digest..."
>
> Today's Topics:
>
>   1. Re: [New I-D] draft-hemanth-oauth-ai-scopes-00 - OAuth 2.0 Extension
>      for AI Model Access (Warren Parad)
>   2. Re: [New I-D] draft-hemanth-oauth-ai-scopes-00 - OAuth 2.0 Extension
>      for AI Model Access (Hemanth H.M)
>   3. Re: [New I-D] draft-hemanth-oauth-ai-scopes-00 - OAuth 2.0 Extension
>      for AI Model Access (Hemanth H.M)
>
>
> --
>
> Message: 1
> Date: Fri, 26 Dec 2025 06:55:31 +
> From: Warren Parad 
> Subject: [OAUTH-WG] Re: [New I-D] draft-hemanth-oauth-ai-scopes-00 -
> OAuth 2.0 Extension for AI Model Access
> To: "Hemanth H.M" 
> Cc: oauth 
> Message-ID:
>  [email protected]>
> Content-Type: multipart/alternative;
> boundary="a513c00646d56152"
>
> Authorization to specific models doesn't need to live inside the oauth2
> generated JWT. OAuth is not the appropriate place for that.
>
> On Thu, Dec 25, 2025, 21:36 Hemanth H.M  wrote:
>
> > Hey Warren,
> >
> > Good question. Current OAuth doesn't have a standard way to scope access
> > *to specific models* or attach usage limits (spend/rate) directly to the
> > token metadata without heavy custom extensions, right? This ID tries to
> > standardize that delegation layer.
> >
> > Justin, We can leverage RAR type for this?
> >
> >
> > --
> > Thank you,
> > Hemanth.HM 
> >
> >
> >
> > On Thu, Dec 25, 2025 at 1:31 PM Justin Richer  wrote:
> >
> >> It is an extremely terrible idea to create a structure for scopes. I've
> >> done this several times in different ecosystems and it always starts out ok
> >> but falls apart quickly. Do not repeat this mistake.
> >>
> >> If you need structure for access, define a RAR type, that's what it's
> >> there for.
> >>
> >> - Justin
> >> --
> >> *From:* Hemanth H.M 
> >> *Sent:* Wednesday, December 24, 2025 4:41 PM
> >> *To:* [email protected] 
> >> *Subject:* [OAUTH-WG] [New I-D] draft-hemanth-oauth-ai-scopes-00 - OAuth
> >> 2.0 Extension for AI Model Access
> >>
> >> Hi OAuth WG,
> >>
> >> I've submitted a new Internet-Draft for your consideration:
> >>
> >> draft-hemanth-oauth-ai-scopes-00 - OAuth 2.0 Extension for AI Model Access
> >>
> >> Problem: AI model APIs (OpenAI, Anthropic, Google, etc.) require API key
> >> delegation, but current practices involve sharing master keys directly with
> >> third-party applications—no scoping, no revocation, no usage limits.
> >>
> >> Proposal: Extend OAuth 2.0 with:
> >>
> >>
> >>    1. Standard scope syntax: ai:::
> >>    2. Token metadata for spend/rate limits
> >>    3. Token introspection extensions for usage tracking
> >>    4. Security considerations (DPoP/mTLS for high-security deployments)
> >>
> >>
> >> GitHub: https://github.com/hemanth/oauth-ai-scopes
> >>
> >> I'd welcome feedback on the scope syntax, alignment with existing OAuth
> >> extensions (RFC 8707, RFC 9449), and whether this is something the WG would
> >> consider adopting.
> >>
> >> P.S: I also started https://okap.dev as a separate protocol, in case...
> >>
> >> --
> >> Thank you,
> >> Hemanth.HM 
> >>
>
> --
>
> Message: 2
> Date: Fri, 26 Dec 2025 02:28:21 -0800
> From: "Hemanth H.M" 
> Subject: [OAUTH-WG] Re: [New I-D] draft-hemanth-oauth-ai-scopes-00 -
> OAuth 2.0 Extension for AI Model Access
> To: Warren Parad 
> Cc: oauth 
> Message-ID:
>  [email protected]>
> Content-Type: multipart/alternative;
> boundary="f54c820646d85acb"
>
> Maybe off topic, but https://okap.dev sounds ok?
>
> --
> Thank you,
> Hemanth.HM 
>
>
>
> On Thu, Dec 25, 2025 at 10:55 PM Warren Parad  wrote:
>
> > Authorization to specific models doesn't need to live inside the
> > oauth2 generated JWT. OAuth is not the appropriate place for that.
> >
> > On Thu, Dec 25, 2025, 21:36 Hemanth H.M  wrote:
> >
> >> Hey Warren,
> >>
> >> Good question. Current OAuth doesn't have a standard way to scope access
> >> *to specific models* or attach usage limits (spend/rate) directly to the
> >> token metadata