This is the standing reference for the Mission-Bound Authorization handbook. It is written to be linked, quoted, and shared. The parts carry the argument. This page carries the definition, the litmus test, the landscape, and the vocabulary. The top of the page is the citation kit: the definition, the terminology, the one-sentence Mission, the five laws with their violations, the numbers, the layer vocabulary, the protocol MVP formula, the honest deployment claim, the what-not-to-claim list, the revocation statement and its matrix, the vendor test, and the canonical picture, each written to be copied whole, with Mission-Bound Authorization on the Wire as the companion exhibits. The litmus test and everything deeper follow. This page tracks the draft family’s editor’s copies as of July 11, 2026.
| Use this page to | Start at |
|---|---|
| Get the mental model first | What the Corporate Card Already Solved, then the bridge into the architecture |
| Define the category | The bottom line and the litmus test |
| Evaluate a vendor or deployment claim | The vendor test, then the implementation checklist and what not to claim |
| Implement the protocol MVP | The formula and the wire exhibits |
| Define the primitive, its roles, and its name | The object model, trust boundaries and roles, and why “Mission” |
| See what changes and what never does | The object model’s aggregate and mutability rules |
| Price revocation by path | The statement and the matrix |
| Place the record in the estate | Where the Mission record lives and the division of labor |
| Check the record’s own privacy | The Mission record is itself sensitive |
| Compare to scopes, sessions, PDPs, IGA, PAM | The landscape and the objections |
| Cite the draft family | The catalog and how to cite |
Mission-based authorization in brief
Mission-based authorization governs the approved task, not just the credential, session, or individual request.
It is a category, not one product. Mission-Bound Authorization, the draft family this handbook explains, is one concrete instance of it, carried on three substrate bindings with OAuth 2.0 as the flagship.
The vocabulary has a strict hierarchy:
| Term | What it names |
|---|---|
| Delegated authority management | The missing layer of the stack |
| Mission-based authorization | One design pattern for that layer, and the category this page defines |
| Mission-Bound Authorization | This draft family: one instance of the category, with OAuth 2.0 as the flagship binding, and the standalone Mission Authority Server and AAuth as the others |
| Mission | The concrete approved-task object in this draft family |
| Mandate | A portable, verifiable statement about a Mission. Evidence, not a second object |
A mission-based authorization system has a durable approved task object, derives authority from it, checks consequential actions against it, and binds audit evidence back to it.
Why existing objects are not enough: a token authorizes a request, a session preserves runtime continuity, a scope names requested authority, a task/trace ID correlates activity. None of them is the approved task with a lifecycle that authority is derived from and gated on. That object is the Mission.
The triad that makes it work:
Tokens carry authority. Missions govern purpose. PDPs enforce actions.
And the hard truth that keeps it honest:
A mission-bound token without runtime enforcement is governance metadata, not agent safety.
The bottom line
Mission-based authorization is the missing layer between user intent and per-request authorization. It makes the approved task a first-class governance object, then binds tokens, runtime decisions, delegation, lifecycle, and audit back to that object.
And the positioning line, for the slide:
Identity says who. Credentials say what may be accessed. The Mission says what the work is, who approved it, and when it ends.
The Mission, in one sentence
The Mission is the durable, integrity-anchored, lifecycle-governed governance object for a user-approved task. In a Mission-Bound deployment, credential issuance, runtime decisions, and audit records project from it.
And the questions, laddered, because each generation of the stack answered one and the last never became first-class:
| Layer | The question it answers |
|---|---|
| Identity | Who? |
| OAuth | Who delegated? |
| Scopes | Roughly what? |
| Policy | Whether, right now. |
| Mission | Why does this authority exist, and does it still? |
And the shorthand contrasts, for the same slide:
| Concept | Answers |
|---|---|
| Prompt | What was requested? |
| Workflow | How will it execute? |
| Token | Is this credential currently valid? |
| Policy | Is this request permitted right now? |
| Mission | What authority exists, why, for how long, on whose approval? |
The five laws of delegated authority
The layer’s invariants, stated to be quoted. They hold on any substrate, and the handbook is an enforcement mechanism for all five.
- Durability. Authority must outlive credentials.
- Attribution. Every action must remain attributable, and the approval record commits exactly what the approver was shown.
- Narrowing. Authority can only narrow as work fans out.
- Termination. Revocation must end authority, not merely tokens.
- Containment. Execution must continuously remain inside approved purpose.
Each law is easiest to remember by its violation:
| Law | The failure when violated |
|---|---|
| Durability | The 02:00 resume: every credential valid, the approved task gone |
| Attribution | The blurred principal: nobody can say who acted under whose authority, through what chain |
| Narrowing | The borrowed card: the delegate inherits everything the delegator had |
| Termination | The gym that bills the replacement card: the ending that does not end |
| Containment | The deleted production database: nothing the agent did was outside what its credentials allowed |
The names are stable across the handbook: Durability is always Law 1, Containment is always Law 5. The specification family operationalizes them as the Architecture document’s seven Mission Invariants: the five laws plus two wire-level mechanics, enforcement fails closed, and the integrity anchors commit what was approved rather than prove its semantics.
And the design stance beneath all five, inherited from the Mission Shaping series:
Survivable incorrectness: the system remains governable and limits damage even when the agent’s semantics are partial or wrong. Perfect fidelity is not achievable at agent scale. Survivable failure is.
The numbers
The handbook counts several things, and each count has one job:
| Artifact | Job | Count | Relation |
|---|---|---|---|
| The five laws | Architectural invariants | 5 | What must remain true on any substrate |
| The litmus properties | The category gate | 6 | What a system must implement to claim the category |
| The vendor questions | The gate as an interview | 6 | One question per property |
| The Mission Assurance Levels | Deployment claims | 4 | How much of the architecture is deployed |
| The adoption stages | The build order | 3 | Crawl, walk, run |
| The bindings | Substrates | 3 | Where the Mission record lives |
The six questions are the six properties in interview form, and the laws are what the properties enforce.
The layer vocabulary
Four functions any implementation of the layer must supply, whatever it names its governance object:
- Authority compilation: approved intent becomes bounded, integrity-anchored authority.
- Authority projection: that authority reaches instances, credentials, domains, and delegates without ever exceeding its source.
- Authority containment: every consequential action is checked against the approved purpose at the point of use.
- Authority continuity: reliance stays conditioned on the current state of the task, across time and across the runtime.
The protocol MVP formula
Protocol MVP = issuance core + runtime enforcement + AuthZEN binding + a freshness source (Status, or issuer introspection)
Every dependency in the formula is a ratified OAuth RFC or a finalized OpenID specification, with one tracked exception scoped out of the wedge: the issuance core’s single Internet-Draft reference, the Actor Profile, is confined to its OPTIONAL delegation capability. Lifecycle Signals, the stable push complement, sits outside the formula. The architecture chapter carries the adoption-wedge argument, and Adopting Mission-Bound Authorization carries the staged build order.
The honest deployment claim
A conformance claim names its assurance level and its enforcement
scope, and every line can be verified against the
implementation checklist below. The
architecture’s Mission Deployment Profile is the spec-level form of
this claim: a publishable manifest of level, binding, state sources,
PEP coverage, custody, evidence, and residual_risks. The coverage
split is the load-bearing part: which paths are mediated per action,
which are issuance-gated only with revocation bounded by the token
lifetime, and which are unmediated and named as exclusions.
| Claim line | Example |
|---|---|
| Claim | Runtime-Enforced (the protocol MVP) |
| Scope | Finance, docs, and workflow APIs |
| Enforcement | PEP at MCP tools/call and at the resource APIs |
| Mediated paths | Finance and docs APIs, and every tools/call |
| Issuance-gated only | Workflow API: revocation bounded by a 10-minute token lifetime |
| Unmediated paths | None claimed |
| Freshness | Mission Status within 30 seconds on mediated paths |
| Signals | Workflow-domain push revocation |
| Evidence | Decision Evidence for all consequential calls, denials included |
| Exclusions | No runtime-enforcement claim for direct shell egress |
What not to claim
The negative space of the claim, stated to be quoted:
- A mission-bound token alone is not agent safety. It is governance metadata until a PEP checks each consequential action against it.
- Status without PEP coverage is not runtime enforcement. Freshness feeds a gate. It does not replace one.
- Signals without a fail-closed state source is not revocation safety. A missed event must read as stale state, never as still active.
- Harness logs without mediated execution paths are not containment. A record of the resume is not a boundary on it.
- Audit transparency is evidence, not prevention. It makes a false record permanent and attributable. It stops nothing.
- A renewed charter is not a governed standing agent. Renewal is a review only when the prior cycle’s record is in front of the reviewer, and a ceiling whose renewals carry no evidence review is a blank check with a calendar.
Revocation, in one statement
Revocation changes the Mission’s authoritative state immediately. Enforcement latency is path-dependent: runtime-gated actions stop within the published freshness bound, new derivation stops when the issuer observes state, and outstanding offline-valid tokens run to expiry unless the path checks Mission state.
When revocation bites
Termination is a law, and its implementation burden lives in this table. Revocation ends authority only where enforcement consults live Mission state within a published bound. What a deployment runs determines what it may claim:
| Enforcement path | Worst-case revocation latency | What you may claim |
|---|---|---|
| PEP + Status polling (or issuer introspection, or the swarm-scale Status List) | Staleness bound + permit validity window + the class’s execution bound | Runtime revocation within a published freshness bound |
| PEP + Signals push, with Status fallback | Seconds, degrading to the polling bound when the stream goes quiet | Prompt revocation that never fails open |
| Issuance gating only, no PEP | The outstanding token lifetime | Bounded-staleness revocation at the token lifetime: the legacy-estate bridge, a conforming freshness source when the bound is published, for classes below high-consequence |
| Short-lived tokens alone | The token lifetime, renewed forever | Nothing: a revoked task keeps deriving fresh tokens unless issuance is gated on task state |
| An unmediated path | Never | Nothing. Name it in the enforcement scope |
The vendor test
The test is its own page, built to be linked and pasted into an evaluation: The Mission-Based Authorization Vendor Test. Six questions, the litmus property each one probes, and what failing answers sound like. A vendor that passes all six should be able to write the honest deployment claim above, and the implementation checklist is how you verify it.
The canonical picture
One diagram for the whole model: the six stages, and the actors that own each.
OAuth AS] M[("Mission record
intent_hash, authority_hash,
state")] end subgraph S3["Authority"] AG[Agent instance
+ act chain] end subgraph S4["Enforcement"] PEP[PEP] PDP[PDP] RS[Resource Server] end subgraph S5["Lifecycle"] ST[Status pull /
Signals push] H[Harness] end subgraph S6["Evidence"] AUD([Auditor]) end U --> SH SH -->|Mission Intent via PAR| MI MI -->|renders derived authority| U U -->|approves| MI MI --> M M -->|state-gated issuance,
mission-bound token| AG AG -->|action + parameters| PEP PEP -->|evaluate| PDP PDP -->|permit / deny| PEP PEP --> RS PDP -.->|current state| ST ST -.-> M ST --> H H -.->|stop on non-active| AG M -->|lifecycle events| AUD PDP -->|decision evidence| AUD PEP -->|execution evidence| AUD
Everything below is the detail behind the bottom line: what qualifies as mission-based (litmus), how it differs from what you already run (landscape), the smallest useful deployment (stages), the checkable claim (checklist), what it does not solve (non-goals), the glossary, and one worked example.
Mission-based authorization as a category
The field has converged on the same gap from several directions: agent IAM, intent-based access control, capability systems, the lethal trifecta. The shared answer is to elevate the approved task to a first-class object. That move is the category. A system is in the category whether it calls the object a Mission, a mandate, or a governed task, and whether it rides on OAuth, on a clean-slate agent protocol, or on something else. The decisive distinction from every task-shaped record nearby is not the fields: the object is the authorization root, with authority derived from it, execution enforced against it, and lifecycle and evidence joined on it. In infrastructure terms the category is the control plane for delegated authority: the layer that holds the desired state of the work, with credentials and enforcement as the data plane reconciled against it.
Identity was the control plane for human access. The Mission layer is the control plane for delegated authority.
The category is not enterprise-shaped either, even though this handbook’s examples deliberately are. A vacation-planning agent’s Mission has the same anatomy as the board packet’s (an approved task, authority derived from it, an expiry, and evidence that joins), and the same is true for the smart-home agent or the assistant booking a dinner. The handbook’s examples stay in the enterprise because that is where the adoption pressure, the estates, and the approval workflows live, not because the object knows the difference.
This handbook is about one instance: Mission-Bound
Authorization, the draft family where the object is the Mission
and enforcement uses a PEP/PDP contract. Its flagship binding is OAuth
2.0, where authority is derived as Rich Authorization Requests and the
token binding is the mission claim. The standalone Mission Authority
Server and AAuth bindings carry the same object on other substrates.
Where this page says “mission-based,” it means the category. Where it
says “the Mission” or names a draft, it means this instance.
The category does not depend on OAuth. OAuth is the substrate used here because it is the dominant deployment reality, and it already supplies the derivation, exchange, sender-constraint, and revocation machinery a Mission binds to. The family itself now demonstrates the independence: the AAuth binding hosts the same governance object at the AAuth Person Server, and Mission Substrate Requirements consolidates what any further binding must provide. The reference model is the six properties. OAuth is the flagship binding of it.
Mission-based authorization and IBAC
Intent-Based Access Control (IBAC) is the property: authorize by what the user approved, not by what an agent infers at runtime. Mission- based authorization is the mechanism that makes IBAC practical, by moving interpretation to admission, before any authority exists, where an accountable approver (the user in the common case, an authorized policy tracing to one otherwise) decides against committed inputs, and committing the result so enforcement consumes approved intent instead of reconstructing it. The distrust of runtime-stated intent is shared ground now: the proposed CB4A credential broker meets the same threat and resolves it by demoting the agent’s stated justification to audit evidence, excluded from authorization. The Mission resolves it the other way, by making approved intent the authorization root. IBAC is the property. The Mission is the object that carries it.
What counts: the litmus test
A system is mission-based only if it has all six:
- Approved task object: a durable record of the task a human (or authorized policy) approved. Not a prompt, trace ID, session, ticket, or token.
- Authority derivation: credentials and decisions are derived from that approved task, not minted independently of it.
- Narrow-only delegation: derived authority, child tasks, and sub-agents can only narrow. Exceeding the parent requires a fresh approval.
- Runtime enforcement: consequential actions are checked against the current task state at the point of use, not just at issuance.
- Lifecycle: the task can expire, be revoked, expand (via fresh approval), and complete. Only an active task permits reliance.
- Evidence: decisions and lifecycle events bind back to the task, so audit can reconstruct it.
Drop any one and you have something weaker: scopes without a task, sessions without approval, a PDP without an approved object, or a claim without enforcement.
What looks like a Mission but is not
The object-level version of the same test, useful when someone points at an artifact and asks “is that the Mission?”
| Object | Why it is not a Mission |
|---|---|
| Prompt | What the user typed: free-form, untrusted, upstream of every governance object. The Shaper turns it into a proposal, and approval turns the proposal into a Mission. |
| Workflow | How the agent will execute, not what was approved. Two workflows for the same task share nothing at the protocol layer. |
| Ticket | Human work tracking. It references a task without bounding, deriving, or revoking authority. |
| Access token | A short-lived projection. jti identifies the token, not the task. |
| Scope / authorization detail | Expresses authority, not the approved task or its lifecycle. |
| Consent record | Proves an approval event. Does not govern the resulting work over time. |
| Session | Preserves runtime continuity. Commits no maximum authority. |
| Policy | Evaluates requests. It is not the user’s approved task. |
purpose URI | Labels a task class. Has no instance lifecycle. |
| Task / trace ID | Correlates activity. Carries no authority or approval. |
| OAuth grant | Records a delegation event. It carries no task, no lifecycle, and no purpose. |
| Relationship (a ReBAC tuple) | Encodes who relates to what, timelessly. No approval, no task, no end. |
| Delegation chain | Records actors, not the mandate they act under. |
What becomes possible only with a Mission
The case for the Mission as a primitive, not just a useful design pattern, is concrete. The following all require a shared, integrity-anchored task object, and none is reliably achievable through disciplined use of existing OAuth primitives alone:
- Cross-audience revocation of a long-running task. Without a shared task identifier, revoking an agent’s work requires hunting credentials at every audience independently. With the Mission, revocation at one state authority terminates future derivation across every audience that ever projected from it.
- Cross-hop audit join on the user-approved task. Without a shared identifier, audit reconstruction stitches per-AS logs by timestamp and client identifier. With the Mission, every record across every audience and substrate joins through
mission.idandmission.issuer. - Cryptographic commitment to the approved record. Without integrity anchors over a canonical Mission Intent and Authority Set, the authority’s record of approval is reconstructed from per-token
authorization_detailsand consent-system logs. Withintent_hashandauthority_hash, the approved intent and the derived authority are committed at activation and can be checked for later modification, and the Consent Evidence companion’sconsent_rendering_hashcommits the presented disclosure where that profile is deployed. The hashes do not prove that a renderer displayed those objects faithfully or that a human understood them. - Lifecycle as an authorization input. Without a Mission state machine, refresh and exchange gate on token validity alone. With a Mission, refresh, exchange, ID-JAG issuance, and PDP decisions all consult Mission state. A suspended or revoked Mission stops future derivation regardless of credential expiry.
- Governance without changing the issuer. Without a Mission service, a deployment that cannot modify its Authorization Server has no governance object at all. With the Mission Authority Server, the Mission record and its lifecycle live in a standalone service that serves the status and lifecycle surfaces itself, and a PDP joins ordinary tokens to the Mission at the point of use.
Each of these can be approximated with deployment-specific extensions. None is interoperable across vendors without a standardized object. That is the difference between a useful design pattern and a primitive.
The Mission object model
The approved task is a typed object, not a label, and it is an aggregate of three logically separate components plus a stable identity:
The approval commitment, immutable after approval:
- Purpose: an optional task-class URI, not the instance.
- Mission Intent: the structured, approved task description, committed
by
intent_hash. - Consent reference: a pointer to the canonical disclosure behind the approval, hashed by the optional Consent Evidence companion so an auditor can verify the stored disclosure has not changed.
The authority ceiling, immutable after approval:
- Authority Set: the maximum grantable authority derived from the
Intent, committed by
authority_hash. Authority is one component of the Mission, not the whole. - Delegation context: credentials derived for delegated actors stay
bounded by the same Mission and preserve authenticated actor context
(the RFC 8693
actchain where an adopted profile supplies it). Token Exchange never creates a child Mission, and broader authority is a separately approved successor via Mission Expansion.
The lifecycle state, mutable and versioned:
- Lifecycle state: owned by the issuer, with a state version for
concurrency control. Only
activepermits reliance.
The identity, immutable:
- Identity:
idandissuer, the same pair on the record and on themissionclaim that every projection carries.
The mutability rules answer the questions the aggregate raises. The hashes commit the approval side and never change afterward, so a lifecycle transition moves the state and its version, never a hash. Suspension changes reliance, not the approved task. Completion records fulfillment and retires reliance. Widening anything committed is a separately approved successor Mission, never a mutation. And a Child Mission inherits a subset of the parent’s ceiling under the subset rule, with its own lifecycle bounded by the parent’s.
“Consent” here names the Mission-layer authorization anchor, the legitimacy source that approved this specific Mission. That is a narrower technical use than GDPR-style data-processing consent, and deployments subject to those regimes still owe their own consent contracts on top. Where no user is present at approval time, the anchor is a prior human-approved template Mission, a standing organizational policy in a formal auditable language, or a verifiable standing delegation from a service owner. LLM inference about organizational intent, runtime configuration supplied by the agent, and pre-existing general-purpose scope grants anchor nothing, because they do not establish authority for a specific Mission.
Everything an agent touches is a projection of this object: a Mission-bound token, a runtime decision, a child Mission, a lifecycle signal, an evidence record. Each carries the Mission reference and derives from, never exceeds, the Authority Set.
The subset rule, compactly. Every derivation, delegation, exchange, and attenuation yields authority that is:
- the same or a narrower resource set (exact match by default, or the
opt-in
prefixcontainment), - the same or a smaller action set,
- the same or tighter constraints,
- expiry no later than the Mission’s
expires_at, - per-entry delegation policy no broader (
max_depthno greater,allowed_delegatesno wider), - and the same
missionclaim, because re-binding to a different Mission is refusal, and crossing a trust domain rides a separately approved, audience-scoped projection.
Widening anything on that list is a fresh approval, never an inference.
One precision keeps the rule honest. What the machinery tests is representational narrowing: the child’s authority is formally no broader under the comparison relation the entries define. Semantic narrowing, that the child cannot produce effects outside the parent’s approved boundary, is a stronger property that representation alone cannot always prove, especially where constraints are contextual, quantitative, or translated across domain vocabularies. Where the two can diverge, the family’s answer is conservative refusal or a separately approved projection, never an optimistic mapping.
The Mission contains the Authority Set. The Authority Set does not define the Mission. A bundle of permitted actions with no approved task, lifecycle, or evidence is just authority, which OAuth already had.
A concrete Mission record
The running example as a record. Its intent_hash and authority_hash
are the ones reproduced byte-for-byte in
Reproducible test vector below.
| |
Derived tokens carry the record’s id and issuer in the mission
claim alongside authority_hash. subject and approver
are {iss, sub} pairs, authoritative for principal equality, and they
may differ when an administrator approves on a user’s behalf. The record
also carries its issuance context: the agent’s client_id, the
policy_version the Authority Set was derived under (so a derivation can
be re-checked), the approval_event_id, created_at, and a top-level
expires_at mirroring the Intent’s. The consent disclosure the
Approver saw is committed separately by the Consent Evidence companion
(From a Request to an Approved Mission).
Lifecycle states
The issuer owns the state machine. The core defines three states.
Companion profiles add more, and the one rule a consumer always applies
is that only active permits reliance. Every other state,
recognized or not, is treated as non-active, so the model fails safe as
it evolves.
active(core): approved. Derivation and reliance permitted.revoked(core): terminated by user, admin, or policy. Terminal.expired(core):expires_atpassed. Terminal.suspended(Status companion): paused. Reversible toactive.completed(Status companion): finished. Terminal. Legal fromactiveorsuspended.superseded(Expansion companion): replaced by an approved successor. Terminal.cascaded(Child Delegation companion): a child terminated because its parent reached a terminal state. Terminal, and distinct fromrevokedso audit can tell a cascade from a direct termination.
A consumer that has never heard of suspended, superseded, or
cascaded still refuses to rely on them, because they are not active. New states are
therefore safe to add. (One exception, by design: an unrecognized
entry-level terminal_when discharge condition must fail closed, not
be ignored. See Mission Lifecycle and Change.)
Trust boundaries and roles
Mission-Bound Authorization spans multiple parties. Each is trusted for a specific bounded responsibility, and explicitly not trusted for adjacent ones. This is the canonical role map, and the profiles populate it for their substrate.
| Activity | Trusted party | Trusted for | NOT trusted for |
|---|---|---|---|
| Shaping Mission Intent | Mission Shaper (client-side) | Producing a structured proposal from user input. | Authorizing anything. The Shaper’s output is untrusted until the state authority validates it. |
| Validating Mission Intent | State authority (OAuth AS, or the MAS in the AS-optional mode) | Admitting or refusing the Mission Intent against deployment policy and requester bounds. Narrowing applies to the authority derived from it, never to the Intent. | Originating the user’s task. The proposal comes from the Shaper or orchestrator. Validation accepts or refuses what is submitted. |
| Deriving Authority Set | State authority | Translating an approved Mission Intent into the maximum permitted Authority Set, scoped to resources and actions registered with the state authority. | Inventing authority not anchored in the Intent. The Authority Set is derived from approval, not enlarged by issuer policy alone. |
| Rendering consent | State authority (in the AS-optional mode, the MAS renders it itself) | Presenting the validated Intent and derived Authority Set to the approving principal, and committing to the rendered disclosure via the Consent Evidence companion’s consent_rendering_hash where deployed. | Proving that the principal understood the disclosure. Consent UX assurance, language clarity, and human comprehension live above the protocol layer. |
| Storing Mission state | State authority | Committing the Mission record (Intent, Authority Set, integrity anchors, lifecycle state, consent reference). Owns the lifecycle state machine. | Owning credential issuance independently. Issuance gates on Mission state. The Mission record does not become an access credential by itself. |
| Projecting authority into credentials | Credential issuer (the OAuth AS for access tokens and ID-JAGs, with other substrates’ issuers as future work) | Issuing audience-bound credentials that carry the Mission reference and stay inside the Authority Set. | Enlarging authority beyond the Authority Set. Every projection is a subset of the approved authority. |
| Enforcing policy at runtime | PDP (consulted by the Resource Server’s PEP, or by an orchestrator PEP) | Evaluating each consequential action against current Mission state, the audience-relevant Authority Set projection, authenticated actor context, and Resource policy. | Replacing the state authority’s authority commitment. The Authority Set is the upper bound. The PDP narrows, never widens. |
| Emitting evidence | Every party that makes a decision (admission, consent, lifecycle, runtime) | Producing a record bound to mission.id and mission.issuer, carrying the integrity anchors and binding evidence. | Mutating the Mission record. Evidence records reference the Mission. They do not modify it. |
The division of labor across domains is worth one plain statement. The Mission Issuer governs the approved objective and its global ceilings. The resource authority defines resource-local actions and constraints. The PDP evaluates the intersection of the two. And translation across authority vocabularies is trusted, verified, or separately approved, never assumed.
The most important boundary is the first one: the Mission Shaper is never an authorization component. It produces a proposal the state authority can validate or refuse. Diagrams that place the Shaper inside the authorization trust envelope are wrong.
Where the Mission record lives
By default, the Mission record lives at the substrate’s state authority. On the OAuth substrate that is the Authorization Server, which validates Intents, runs approval events, stores the record, and gates issuance on its state. The substrate-local default keeps the minimum profile coherent, since a deployment can claim the Baseline Issuance level without introducing a new server component.
The Mission Authority Server (MAS)
is the standalone binding, the AS-optional mode: beyond serving
deployments whose Authorization Server cannot yet change, it is the
estate control plane for approved-task authority, one Mission Issuer
spanning many Authorization Servers, SaaS systems, APIs, and agent
runtimes, with an Enterprise Mission Authority Profile above its
conformance floor. The MAS is a standalone service that implements the
Mission Issuer role without being an OAuth AS. It validates Mission
Intents, runs approval events, records Missions, operates the
lifecycle, and serves Mission state. It derives no tokens. Access
tokens remain ordinary OAuth tokens with no mission claim, and a
Policy Decision Point joins each presented credential to its Mission at
the point of use, enforcing through the runtime profile.
That difference is architectural, not just topological. The MAS mode buys Mission governance and per-action enforcement with no change to the deployment’s Authorization Server, at the cost of Mission-bound credentials and issuance gating. Without that join, revoking a Mission stops nothing at the token layer, so enforcement rests entirely on PEP coverage. The issuance grant is the middle path that restores the token-layer chokepoint: estate Authorization Servers redeem MAS-minted grants for Mission-bound, state-gated tokens without moving approval into the AS, so one canonical Mission record gates credentials minted across many issuers.
Competitive landscape
Each of these is real and useful, and none is a substitute for an approved task object. Mission-based authorization composes with them rather than replacing them.
| Approach | What it solves | What it misses (for a governed task) | Law it breaks alone | How Mission composes with it | Enough on its own when |
|---|---|---|---|---|---|
| OAuth scopes / RAR | Expresses requested authority | No durable task lifecycle | Durability, Termination | Authority is derived from the Mission into RAR-shaped entries and projected into tokens with the mission claim | The credential’s lifetime is the task (one grant, one resource) |
| Agent identity (WIMSE, SPIFFE, instance attestation) | Who is acting, provably | Not what the acting is for, or until when | Containment | Attested instances and actor chains are the substrate Mission authority binds to | The risk is impersonation, not ungoverned work |
| Sessions | Runtime continuity | Not approval or authority | Durability | The harness binds resumable session state to Mission state and re-checks before continuing | A human drives every consequential action |
| Workflow / task IDs | Operational tracking | Not interoperable authority | Termination, Containment | Workflow steps and unwind plans reference the Mission as the governed subject, not merely a work item | You need orchestration, not authorization |
| Trace IDs | Correlation | Not governance | Attribution | Evidence and logs carry the Mission reference so correlation joins to approved authority and lifecycle | You only need to join logs, not gate actions |
| PDP / ABAC / ReBAC | Per-request decisions | No approved task object by default | Durability | The PDP evaluates each consequential action against current Mission state, derived authority, actor context, and resource policy | Per-request attributes fully capture intent |
| Agent approval prompts | Human checkpoint | Often fragmentary and unauditable | Attribution | Consent Evidence and action-bound approval turn prompts into recorded decision input linked to the Mission | Volume is low enough to vet each action |
| Read-only agents + human-in-the-loop writes | Caps mutation blast radius while agents are piloted | The value ceiling: reads still steer and leak the agent, and the human executing the writes becomes the fatigued, unmediated enforcement point | Containment | The Mission makes write authority grantable: right-sized derivation, per-action permits, and exposure discipline replace the blanket deny | The work is genuinely read-only and the exposure surface is bounded |
| IGA access requests | Governed approval of entitlements | The grant it produces is standing authority: no task binding, no runtime enforcement, no automatic end | Termination, Containment | Deferred Approval is deliberately shaped like an IGA review, and the approval’s output is a bounded, enforced, self-terminating Mission instead of a standing entitlement | Access is to durable roles, not tasks, and humans exercise it |
| PAM / just-in-time elevation | Time-boxed privileged access with check-out and recording | Elevates an identity, not a task. Session recording is evidence after the fact, not a permit before the action | Containment | A Mission is task-scoped elevation: authority derives from the approved work, each action needs a permit, and revocation ends the task everywhere | The privileged principal is a human whose session ends when they log off |
| Credential brokers (the proposed CB4A) | No real credentials on agents: just-in-time, short-lived, sender-constrained leases minted per request, with custody done properly | The lease is not the task: no durable approved object, revocation ends tokens rather than authority, enforcement happens at issuance, and multi-agent composition is detected rather than structurally narrowed | Durability, Termination, Containment | The broker becomes a Mission-gated credential plane: issuance consults Mission state, and its policy point evaluates each request against the approved task rather than policy alone | The credential lease is the whole task and detection suffices for composition |
| MCP Tasks | Held / long-running work | Not approved purpose | Containment | MCP tool discovery and invocation can carry a Mission reference so each tool call is checked against approved work | You need a work handle, not a mandate |
| Capability tokens (macaroons, biscuits, UCAN) | Attenuable, offline-verifiable authority | No approval event, lifecycle, or task object | Durability, Termination | Attenuated tokens carry the same Mission binding and remain subject to runtime Mission-state checks | Offline attenuation is the whole need and revocation is not |
| AAuth Mission (first-class in the proposed protocol since its 01 revision) | A native task object on a clean-slate agent substrate | (a sibling instance of the category, not a competitor) | None. An instance of the category | The family’s AAuth binding hosts the Mission model at the AAuth Person Server, with issuance gating intact | You are on AAuth and need no cross-substrate governance |
The pattern is consistent. The credential and decision layers are well-served. The approved task is the missing object. Mission-based authorization supplies it and lets the others bind to it: RAR derives from it, the PDP decides against it, sessions and traces reference it. And the “Law it breaks alone” column is the precise sense in which the category is forced rather than preferred. Used alone, every row breaks at least one of the five laws, so an architecture that satisfies all five contains a Mission-shaped object, whatever it is called. The one row that breaks none is not an alternative but an instance.
When it is the wrong tool. If there is no durable task to govern (a single user-driven request, a machine-to-machine service credential, a short-lived consumer authorization where the credential lifetime is the task), a Mission adds cost without value. Do not read the standing agent out through this door: a service credential’s work is fixed at integration time, while a standing agent exercises delegated judgment on every unit of work, which is exactly what needs a charter and cycling authority (the standing agent at scale). And do not read small tasks out either: one resource, one approver, and one afternoon is a perfectly formed Mission, because what disqualifies is never size, it is the absence of a durable task. The category earns its keep whenever authorization must outlive a single request and stay bound to a task, however small, and whoever the actor is: a Mission governs a human’s task access as readily as an agent’s. And note that AAuth Mission is itself an instance of this category on a different substrate, not a rival to it. The interesting question there is shared governance across substrates, not which one wins.
Minimum viable mission-based authorization
The smallest useful deployment, and the path up:
- Stage 0: Substrate only. Ordinary OAuth, no Mission. Fine for single-request, non-agentic flows.
- Stage 1: Mission-bound issuance. A
missionclaim on derived tokens, with state-gated issuance: a possession-independent kill switch for future derivation. Audit and derivation control, not action-time defense. - Stage 2: State and revocation freshness. Status / introspection so consumers can check current Mission state.
- Stage 3: Runtime enforcement. Per-action PDP checks for consequential actions. This is the stage that turns governance metadata into agent safety.
- Stage 4: Lifecycle. Signals, expansion, and completion: prompt revocation, governed growth, and monotonic narrowing.
- Stage 5: Delegation. Child Missions and offline attenuation: strict-subset authority for sub-agents, without ambient inheritance.
- Stage 6: Operational assurance. Harness binding, safe unwinding, and audit transparency.
Most AI agents that touch private data, untrusted content, or external side effects need at least Stage 3, and Stages 5–6 for fan-out and full governance. Stages 1–2 alone are not enough for consequential autonomy.
The stages roll up into the four claimable Mission Assurance Levels, one line each:
| Level | One line |
|---|---|
| Baseline Issuance | Governance metadata and a derivation kill switch, not action safety |
| Runtime-Enforced (the protocol MVP) | Per-action enforcement plus state freshness, on ratified substrate |
| Governed Agent | Consent evidence, harness binding, and operational controls |
| High-Assurance Agent | Mediated custody, no unmediated path, action-bound approval, active freshness, and agent-isolated approval rendering |
Naming the Baseline level is honest. Claiming the category from it is not: Baseline alone cannot pass the six-property litmus, whose runtime-enforcement property arrives one level up.
The level is one axis. The binding (OAuth AS, standalone Mission Authority Server, or AAuth Person Server) is orthogonal, and a deployment names both. Read the levels as an unlock ladder too: Baseline governs the read-only pilot, Runtime-Enforced makes reversible writes defensible (the read-only ceiling breaks here), Governed Agent makes unattended operation and delegation defensible, and High-Assurance covers the irreversible, external-commitment, and privileged classes. The adoption path carries that reading in full.
The implementation checklist
The claim a deployment makes should be checkable. This is the field checklist for the protocol MVP, with the deeper treatments linked.
| Dimension | What must be true | Defined in |
|---|---|---|
| Surfaces | PAR accepts mission_intent. The approval event renders the derived Authority Set. A Mission Status endpoint and the lifecycle verbs are served at the issuer. The Signals push where revocation must bite in seconds | The Mission, Approval integrity, Lifecycle |
| Claims carried | Every derived token carries mission (id, issuer, authority_hash) and its derived authorization_details, sender-constrained, with exp capped by the Mission’s expires_at. Delegated work carries the act chain, and platforms running many instances carry attested instance identity | The Mission, Delegation |
| PEP placement | A PEP sits at the last controllable boundary before every consequential action in scope: the resource API, the MCP tools/call, the egress proxy, the orchestrator for local side effects | Runtime enforcement |
| Evidence | Decision Evidence for every consequential decision, including denials. Execution Evidence for high-consequence and duration-metered actions. Consent Evidence where the Governed Agent level is claimed | Approval integrity, Runtime enforcement, Agent runtime |
| Freshness | Only active permits reliance, within a published staleness bound. High-consequence classes require an active freshness mechanism: issuer introspection or Mission Status as the fail-closed source, with the Signals push as acceleration | Runtime enforcement, Lifecycle |
| Honest claim | Name the assurance level and the enforcement scope: which resources, action classes, and execution paths are covered, and which are not | Runtime enforcement |
Conformance is scoped, not global. A deployment that cannot prevent an action class on some path must not claim runtime enforcement for that class, and must name the paths it does mediate. A claim worth trusting reads like this:
This deployment claims the Runtime-Enforced level (the protocol MVP) for the finance, docs, and workflow APIs, with PEP coverage at MCP
tools/calland the resource APIs, Mission Status freshness within 30 seconds, push revocation for the workflow domain through the Signals profile, and no runtime-enforcement claim for direct shell egress.
Every clause maps to a row above and can be verified. A claim that cannot be written in this form is not a conformance claim. It is marketing. The honest deployment claim in the citation kit is the same claim as a reusable template, and what not to claim is its negative space.
Adversary model
The non-goals below say what this does not solve. This is the complementary view: the adversaries it does constrain, the layer that constrains each, and the residual it leaves. The reasoning is developed across the parts. This table is the consolidated map, and the Mission Security Model draft (Informational) is its spec-level counterpart: the trusted base, the cross-cutting assumptions, and the consequence of each component’s compromise.
| Adversary capability | What the layers deny it | Residual |
|---|---|---|
| Compromised agent (controls the model and loop) | Mediated custody keeps the sender-constraint key off the agent. The PDP checks every consequential action. Delegation only narrows (Delegation, Runtime enforcement) | It can still misuse authority within the approved scope. Keep scope tight |
| Prompt injection / untrusted content steering the task | Authority comes from the approved task, not runtime inference. The PDP checks against that task, not the prompt (Approval integrity, Runtime enforcement) | Cannot make the model’s reasoning trustworthy. A mis-shaped Intent the Approver accepts is still approved |
| Stolen or exfiltrated token | State-gated issuance, the kill switch, and runtime freshness stop use once the Mission is revoked or expired. Sender-constraint binds the holder (The Mission, Runtime enforcement, Lifecycle) | A non-sender-constrained token used inside its window before revocation |
| Confused deputy / parameter swap (TOCTOU) | parameter_digest binds the permit to concrete parameters. Mismatched execution fails closed (Runtime enforcement) | Only as good as the parameters the digest covers |
| Stale or poisoned capability (a tool redefined under the agent) | The capability is bound to the source digest recorded at derivation. Drift fails closed as capability_drift (Runtime enforcement) | The deployment must actually record and check source digests |
| Over-broad approval | (nothing technical denies it) | Explicit non-goal: breadth approved is breadth granted. Mitigated, never denied, by consent rendering, shaping discipline, templates and organizational priors, and policy ceilings with a human floor |
| Runaway fan-out / sub-agent sprawl | Fan-out controls, bounded depth, cascade revocation. Children are strict subsets (Delegation) | Offline-minted breadth is unobserved by the issuer and must be bounded by policy |
| Equivocating or tampered audit | SCITT transparency makes evidence tamper-evident and, with multiple independent services, non-equivocating (Agent runtime) | A single transparency service is trusted, not proven, not to equivocate. Completeness is checkable only against an expected schedule |
The Mission record is itself sensitive
The object that makes agent work governable is also a record of
business intent: purpose, targets, constraints, approver identities,
and the evidence that joins them. The same mission.id join that
makes reconstruction possible is a correlation surface. The core
already keeps the token-side claim a reference (id, issuer,
authority_hash), never the Intent’s contents, and deployments should
hold that line: resource servers and intermediate PEPs need the
identifier and anchors, not the task description. Where a party outside
the issuing domain needs some committed facts and not all of them, the
Mandate’s selective disclosure is the built tool. The rest is
deployment discipline: evidence stores behind the same access control
as the systems they describe, retention set deliberately because the
evidence chain outlives the task by design, and awareness that a
Mission reference projected across domains is a correlation handle in
someone else’s logs.
The honest reading: the strong adversary, a fully compromised agent, is contained at the boundary (custody, per-action checks, narrow-only delegation, the kill switch), never by trusting what the agent says. The residual column is the part no claim should paper over.
Threats and non-goals
The Mission is the declared governance envelope, and the runtime layer is what keeps the system survivable when the envelope turns out to be incomplete: a deployment with the object but no runtime layer is unprotected, and one with enforcement but no shared approved object is ungovernable. Mission Shaping Is Not Enough makes that two-layer argument in full. And one sentence bounds the whole claim: Mission compliance is evaluated against the approved representation of purpose, not against an independent oracle of human intent. A sufficiently broad or badly derived Authority Set can permit an action that is syntactically compliant and purpose-inconsistent, which is why shaping, disclosure integrity, authority derivation, and runtime enforcement are all load-bearing rather than redundant.
Mission-based authorization is credible because it is precise about its edges. It does not:
- make an LLM’s reasoning trustworthy
- replace resource-local policy (the resource remains authoritative for its own decisions)
- provide full information-flow control
- prove that every side channel has been mediated
- eliminate the need for human step-up on high-risk actions
- make a broad, over-scoped Mission safe (breadth approved is breadth granted)
- lean on deterrence as a compensating control. Human delegation quietly does, because people fear the audit that follows. An agent has no career to protect, and its judgment can be rewritten mid-task by content it reads, so the runtime boundary must carry the weight that deterrence carries for people.
What it does:
It gives policy, credentials, lifecycle, delegation, and audit a common object (the approved task) and a runtime layer that checks each consequential action against it.
The safety properties most people assume from “Mission-bound agents”
(action-time defense, prompt revocation, safe unwinding, evidence) come
from the runtime and operational layers, not from the mission claim
alone.
Noun distinctions
Keep these stable. Do not let “task,” “mission,” “workflow,” and “session” blur.
- Mission Intent: the proposed task (untrusted until validated).
- Mission: the approved, governed task (durable, lifecycle-owned).
- Authority Set: the derived, grantable authority the Mission bounds.
- Projection: any substrate-specific, audience-bounded credential or assertion derived from the Authority Set: a Mission-bound token, an ID-JAG, a downstream grant, or another substrate’s native credential. Every projection carries the Mission reference.
- Mission-bound token: a credential projection carrying the
missionclaim. - Runtime decision: a per-action permit or deny.
- Evidence: an audit artifact (approval, consent, decision, lifecycle).
- Harness: the runtime continuity and mediation layer, not authority.
The canonical sequence behind these nouns: Mission Intent → Authority Set → Mission → Projection → Runtime Decision → Evidence. The state authority derives the Authority Set from the validated Intent before consent, the approved Mission commits both, and every profile specifies one or more of the transitions.
Why “Mission”?
The name was deliberate, and alternatives were considered. Each captured a piece of the object without doing justice to the whole:
mandatecarries political and legal connotations the protocol object does not. A mandate is an instruction. A Mission is a governance container that includes intent, authority, lifecycle, and evidence.delegation_contextmuddles with OAuth’s existing notion of delegation, which sits at the credential layer (one principal authorizing another). The Mission is above credential delegation. Both the original credential and any delegated credential project from the same Mission.task_authorizationdescribes a credential, not a governance object. The Mission is what task authorization derives from. Calling the governance object “task authorization” reduces the layer above to the layer below.purpose_bound_authorizationcorrectly names one aspect (purpose) but presents the object as a flavor of authorization rather than as the durable container that authorization projects from.authorization_contextis too generic. “Context” in OAuth-adjacent specifications means many different things. The Mission has a specific structural commitment to integrity, lifecycle, and consent that “context” does not imply.
“Mission” captures the durable, purpose-bound, lifecycle-governed
quality of the object without overloading any existing OAuth term. It
signals that this is not a refinement of scope,
authorization_details, grant, or session, and it implies purpose
plus duration plus boundedness in one word, which is what the
governance object actually is.
A standards-track adoption could use a more neutral on-the-wire name
(the OAuth claim could be mbo or authorization_mission rather than
mission) while preserving “Mission” as the conceptual term. The
family uses mission as the claim name to keep the conceptual and wire
terminology aligned, and deployments may rename if a working-group
consensus settles on a different label.
Reproducible test vector
The credibility of this model is its hashing, so here is one anchor you
can reproduce byte for byte. Every integrity anchor is a SHA-256 over a
domain-separated, issuer-bound envelope ({ "typ", "iss", "value" }),
canonicalized with JCS (RFC 8785),
encoded as sha-256: followed by base64url with no padding. For
intent_hash, typ is mission-intent and value is the approved
Mission Intent.
The JCS canonical bytes of the envelope, for the running example, are exactly:
| |
Hash those bytes and you get the anchor. Reproduce it from a shell:
| |
So intent_hash = sha-256:jjx06KDh_TpWYhzSAvzEBH_lMz32eRj1tjgjNvt-crE.
The same procedure with typ = mission-authority-set and value = the
Authority Set array yields
authority_hash = sha-256:4hRwrGkW9Jdjbkj1oHJ3opg9HRvmRe30k7TQmUfiIpY.
Two rules make this interoperable: JCS sorts object keys but preserves
array order (so the Authority Set’s entry order is part of the canonical
form), and the typ value domain-separates the anchors so a digest of
one object can never be read as the other. A verifier reproduces the
digest from the recorded object alone.
Glossary
Intent step
- Mission Shaper: a client-side component that turns a prompt or trigger into a candidate Mission Intent. Proposes only. Grants no authority.
- Mission Intent: the structured proposal:
goal,resources, andexpires_at(required), with optionalconstraints,proposed_authority,success_criteria,purpose, andcontrols. Closed at the top level: unknown members are rejected, and machine-actionable extensions ride incontrols. Submitted via themission_intentparameter through PAR. - Shaping Evidence: an optional record of how the proposal was produced. Audit material, not authority.
Mission step
- Approval event: the AS validates the Intent and derives the
Authority Set, the Approver consents to the rendered Intent + derived
Authority Set, and the AS commits the anchors and creates the Mission
active, atomically. - Authorization Server (Mission Issuer): holds the Mission record, derives authority, runs the approval event, gates issuance.
missionclaim: the object on every issued token:id,issuer,authority_hash, plus the OPTIONALexpires_atthe issuance grant profile defines.intent_hash: canonical hash of the approved Mission Intent.- Consent Evidence /
consent_rendering_hash: a companion artifact committing the structured disclosure the AS recorded as rendered (not the pixels, not comprehension). - Subject / Approver:
{iss, sub}principals: the user the task is for, and the principal who approved it. They may differ. The Approver may be a human or an authorized policy authority, and a non-human approval traces to a human-consented ceiling or policy (who may approve).
Authority step
- Authority Set: the maximum authority committed by
authority_hash, asmission_resource_accessentries (resource,actions,constraints, per-entrydelegation), plus any other RFC 9396 types a deployment registers. authority_hash: canonical hash of the Authority Set.authorization_details: the RFC 9396 wire shape for derived authority.actchain: the RFC 8693 actor chain. A delegated token carries the samemissionclaim with subset authority.
Enforcement step
- PEP / PDP: the Policy Enforcement Point obtains a permit from the Policy Decision Point before each consequential action. The PDP evaluates against the live Mission.
parameter_digest: binds a permit to concrete request parameters, closing the time-of-check-to-time-of-use gap.- Decision Evidence / Execution Evidence: per-decision and per-outcome audit records.
Lifecycle, roles, delegation
- Core states
active/revoked/expired. Companion statessuspended/completed(Status),superseded(Expansion), andcascaded(Child Delegation). Unknown states are treated as non-active. - Mission Status (pull, signed,
mission_id-keyed) and Lifecycle Signals (SET events, delivered push or poll). Expansion widens via a fresh approval that supersedes the predecessor. Completion /terminal_whenis monotonic, per-entry discharge. - Child Mission: a strict-subset Mission a parent authorizes for a sub-agent, with cascade revocation. Offline attenuation: minting a narrower child token off the AS hot path, kept safe by the runtime re-checking Mission state.
The handbook’s named artifacts
- The five laws: Durability, Attribution, Narrowing, Termination, and Containment, the layer’s substrate-neutral invariants, quoted above.
- The claim gate / litmus test: the six properties a system must have to claim mission-based authorization, expanded above.
- The vendor test: the same six properties as questions to ask a vendor, with what failing answers sound like.
- The protocol MVP: the adoption wedge, per the formula: issuance core, runtime enforcement, AuthZEN binding, and Status.
- The Mission Assurance Levels: Baseline Issuance, Runtime-Enforced (the protocol MVP), Governed Agent, and High-Assurance Agent, with the binding (OAuth AS, standalone Mission Authority Server, or AAuth Person Server) as the orthogonal axis, staged as crawl, walk, run in Adopting Mission-Bound Authorization, and read as an unlock ladder: each level makes a broader class of write authority defensible.
- The control plane for delegated authority: the operational reading of the layer: the Mission record is desired state, issuance and the runtime gate are the data plane consulting it, the freshness dial is propagation, and the discovery loop is reconciliation for authority. The strategic case is in the architecture chapter, and the structural mapping is the Authority Control Plane part.
- The read-only ceiling: the posture most estates start from (read-only agents, humans approving or executing the writes, permanent pilots), what it costs, and the graduation path off it, named in Adopting.
- The discovery loop: deny, request, approve, expand, retry: how the open world arrives under governance, named in Adopting.
- Survivable incorrectness: the design stance beneath the laws, inherited from the Mission Shaping series: assume the agent will sometimes be wrong and keep the system governable when it is, with least exposure as the input arm and the laws and runtime gate as the action arm.
- Least exposure: bound what the agent may see as deliberately as what it may do, the exposure discipline whose enforceable slice today is the edges the trifecta-containment claim names.
- The honest deployment claim: the claim template naming level, enforcement scope, freshness, evidence, and exclusions, published at spec level as the architecture’s Mission Deployment Profile.
- Open world: the deployment condition the architecture assumes: tools and resources discovered at runtime rather than pre-registered, trust relationships that form after authorization time, delegation to actors unknown at approval, untrusted content in the working set, and authorization decisions made with incomplete knowledge of what the task will need. The Open-World OAuth series is the published treatment, and the discovery loop is how the open world arrives under governance.
The running example, end to end
The handbook follows one task. This is the canonical walkthrough, each part picks up its step, and Mission-Bound Authorization on the Wire shows the same steps as actual protocol exhibits.
Scenario. Alice asks an agent: “Put together the Q3 board packet for
the audit committee and let them know it’s ready.” The Mission’s
Authority Set is query_financials (finance, Q3 2026), create_doc
(docs, board-packet template), and notify_reviewer (workflow,
audit-committee group), bounded to an expiry.
- Derive. The AS validates and narrows the Intent and derives the Authority Set it will ask Alice to approve. (The Mission)
- Approve. The AS renders the validated Intent + derived Authority
Set. Alice consents. The AS commits
intent_hashandauthority_hashand creates the Missionactive, atomically. (Approval integrity) - Issue. The agent gets a Mission-bound token carrying the
missionclaim. (The Mission) - Permit a read. The agent reads Q3 financials. The PDP permits
query_financialsagainst the live Mission. (Runtime enforcement) - Gate a write. Drafting the document is a write. The
create_docpermit is bound to concrete parameters and checked at the point of use. (Runtime enforcement) - Attempt expansion. Mid-task the agent decides it “needs” CRM customer data (outside the Authority Set). It cannot widen in place. Widening requires a fresh approval (a successor Mission). (Lifecycle)
- Deny the expansion. Policy declines the CRM expansion. The original Mission is untouched and the agent does not get CRM access. (Lifecycle)
- Delegate, narrowed. A sub-agent gathers the financials under a
Child Mission scoped to
query_financialsonly, expiry ≤ parent, nocreate_docornotify_reviewer. (Delegation) - Revoke. The board meeting is cancelled. An admin revokes the
Mission. Status reports the new state and the Signals
push announces it. All further
derivation stops, and the child transitions to the terminal
cascadedstate. (Delegation, Lifecycle) - Stop the work. The harness, which bound the session and queue to Mission state, halts the paused draft (session continuity is not authority), and orchestration unwinds the half-written document. (Agent runtime)
- Reconstruct. The SCITT audit feed for this Mission shows one verifiable, append-only history (approval → consent → the permitted read → the denied CRM expansion → revocation), committed by hash so the financial contents stay out of the log. (Agent runtime)
And run the ending the other way, because most Missions do not die,
they finish. No cancellation: the sub-agent returns the financials,
the packet is published, and the notice goes to the audit committee.
Each entry’s terminal_when condition fires as its step completes
(Completion),
so create_doc and notify_reviewer retire themselves, the Mission
closes as completed, and the same evidence feed reads clean end to
end: proposed, approved, exercised inside bounds, finished. Alice got
her packet, and the deployment can prove exactly how.
That is the whole category in one task: an approved object, authority derived from it, every consequential action checked against it, delegation that only narrows, a lifecycle that can stop it or let it finish, and evidence that reconstructs it either way.
What this replaces, and what it does not
Mission-based authorization adds one object. It does not displace the stack around it.
- Not OAuth. The Mission rides OAuth issuance, exchange, and sender constraint. The core is an OAuth profile, not a successor.
- Not AuthZEN or your PDP. The runtime contract binds to the AuthZEN Authorization API. The Mission is a new input to the decision, not a new decision engine.
- Not resource policy. The resource stays authoritative for its own objects. A Mission permit is an upper bound, never a command.
- Not session management. The harness keeps owning execution continuity. It consults Mission state before resuming, and that is the whole change.
- Not model alignment. Nothing here makes an LLM’s reasoning trustworthy. The Mission bounds what a drifted or injected agent can reach, and the runtime layer enforces the bound.
What it adds is the piece those layers keep routing around: the governed task object they all bind to. The objections below answer the sharper versions of “isn’t this just X.”
Common objections
The recurring pushbacks live on their own page, built to be linked into the thread where the objection was raised: Common Objections to Mission-Based Authorization. The answers, for the people who run today’s control planes, organized by the plane the reader operates, from “isn’t this just RAR” and “we run Zero Trust” through the state tax, the consent screen, and the standing agent, each with the short answer and where the long one lives.
The draft family at a glance
Every part links its drafts inline. This table is the whole family in
one place. All of these are individual Internet-Drafts published as
editor’s copies and proposed for discussion. None is adopted by a
working group. The names reflect the architecture: substrate-neutral
profiles carry draft-mcguinness-mission-* names, while the OAuth
bindings keep oauth in the name and “for OAuth 2.0” in the title.
The Maturity column follows the repository’s adoption order. Adopt first is the Architecture and the core. Minimum is what agents that act add for the Runtime-Enforced level, the protocol MVP. Recommended is what AI agents add for the Governed Agent level. By binding profiles carry the standalone Mission Authority Server, the issuance grant join, the AAuth Person Server, and the substrate requirements, adopted where the estate calls for them. Advanced profiles are stable design to adopt when the use case arrives. Experimental profiles are for evaluation only: each depends on an unratified substrate or defines a newer, less-exercised model, and each names a stable path to prefer where one exists.
For AI agents, the README is explicit that consent evidence and the harness are not optional extras. They are the Recommended maturity, the Governed Agent level.
How to cite this handbook
Link the piece that matches what you are referencing:
- The whole handbook: the cover, the front door with the introduction and the chapter map.
- The category and definition: this Reference.
- The evaluation tool and the blueprint: the vendor test (Appendix D), and the blueprint.
- The mental model for non-specialists: What the Corporate Card Already Solved.
- The missing layer and its laws: the five laws of delegated authority above, or the architecture chapter for the full argument.
- The argument for why the Mission is the missing object: The Mission Is the Missing Abstraction.
- The primitive’s definition, roles, and name: the object model, trust boundaries and roles, and why “Mission”, on this page.
- The safety claim (runtime is load-bearing): Mission-Bound Runtime Enforcement.
- The adoption path (crawl, walk, run): Adopting Mission-Bound Authorization.
- The OAuth wire implementation: the draft family.
- The MCP application: Least-Privilege MCP Tool Calls Need a Mission.
- The wire exhibits: Mission-Bound Authorization on the Wire.
- To discuss or object: issues on the draft repository.
One-line definition to quote:
Mission-based authorization is the layer between user intent and per-request authorization. It makes the approved task a first-class governance object, then binds credentials, runtime decisions, delegation, lifecycle, and audit back to it.
A note on requirement language
The handbook quotes requirement keywords such as MUST, SHOULD, and MAY with their BCP 14 meanings (RFC 2119, RFC 8174) when they appear in all capitals. Conformance applies to the profile section each requirement appears in. The drafts are the normative text.