The model survives without OAuth, and this part is where it sits when OAuth is exactly what you have: the two chokepoints the binding stacks, the pattern space of bindings between them, and the structural reading platform engineers reach for unprompted.

Two chokepoints, and the patterns they allow

The OAuth binding stacks two independent chokepoints, and the Architecture’s deployment patterns are combinations of them.

Issuance gating acts at the token layer. A revoked or expired Mission stops all further derivation and refresh, and short-lived tokens age out. Runtime enforcement acts at the action layer. Each consequential action is re-checked against current state at the point of use. Together they are strictly stronger than either alone: a gap in PEP coverage is still bounded at the token layer, and an outstanding token is still stopped at the action layer. This split is also the layer’s control-plane contract, mapped in full in the authority control plane below.

Two newer documents extend the pattern space:

  • The Mission Authority Server (Standards Track: the estate control plane of the layer, and its PDP join is the family’s newest mechanism) is the standalone binding. A dedicated service implements the Mission Issuer role, derives no tokens, and the PDP joins each ordinary OAuth token to its Mission at the point of use. It serves the Status and lifecycle surfaces itself and is the deployment’s freshness source, and expansion and Child Mission creation ride its own submission surface with an authenticated-client binding in place of token possession. It is a peer binding with its own rationale (governance deliberately decoupled from token issuance, and one Mission Issuer can govern across many Authorization Servers) that also serves as the adoption bridge where the AS cannot yet change. The trade is explicit: Mission governance and per-action enforcement with zero AS change, at the cost of the token-layer chokepoint. Revoking a Mission in this mode stops nothing at the token layer, so enforcement rests entirely on PEP coverage, until estate Authorization Servers adopt the issuance grant and redeem MAS-minted grants for Mission-bound, state-gated tokens, restoring the token-layer chokepoint without moving approval into the AS.
  • The Mission Mandate (an advanced profile: its dependencies are ratified, and it is design to adopt when the cross-domain proof case arrives) answers that proof question. A Mission’s committed facts live on the record at its issuer, and a party outside that domain cannot verify what was approved short of a token-exchange hop or trust in the issuer’s records. The Mandate is a signed, portable, independently verifiable statement of those facts, minted by the Mission Issuer, with optional selective disclosure. The design line is the one this handbook has drawn everywhere: a Mandate is evidence, not a credential. Presenting one authorizes nothing.

The two bindings, side by side. The embedded binding holds both chokepoints. The standalone binding trades the token-layer chokepoint for zero AS change, and the issuance grant is the join that restores it:

flowchart TB subgraph EMB["Embedded binding: the AS is the Mission Issuer"] direction LR M1[("Mission record")] AS1["Authorization Server
(Mission Issuer)"] AG1([Agent]) PEP1["PEP + PDP:
the action-layer chokepoint"] AS1 --- M1 AS1 -->|"mission-bound, state-gated tokens:
the token-layer chokepoint"| AG1 AG1 -->|per action| PEP1 M1 -.->|current state| PEP1 end subgraph STA["Standalone binding: the Mission Authority Server"] direction LR M2[("Mission record")] MAS["Mission Authority Server:
approval, lifecycle, Status"] AS2["Estate Authorization Servers,
unchanged, one or many"] AG2([Agent]) PEP2["PEP + PDP:
the action-layer chokepoint"] MAS --- M2 AS2 -->|"ordinary tokens:
no token-layer chokepoint"| AG2 AG2 -->|per action| PEP2 PEP2 -.->|"joins each token to its Mission
at the point of use"| M2 MAS -.->|"issuance grant: MAS-minted grants
redeemed for Mission-bound,
state-gated tokens"| AS2 end

The third extension of the pattern space is Mission Cross-Domain Projection, one Mission honored in another trust domain through a single-hop, audience-scoped cross-domain grant. Mission-Bound Authority covers it in full, because the multi-domain agent task is the common case, not the exotic one. It sits with the advanced profiles rather than in the protocol MVP, with its dependencies tracked honestly: the identity-chaining work it profiles is approved and in the RFC Editor queue, and ID-JAG is a working-group document.

The authority control plane

One more reading of the framework earns its place, because platform engineers reach for it unprompted: the layer is the control plane for delegated authority, with the split that vocabulary always implies. The architecture chapter makes the strategic case, and the mapping here is structural, not rhetorical:

Control-plane conceptThe layer’s realization
Desired stateThe Mission: the approved task, its authority, its lifecycle and expiry
The storeThe Mission Issuer’s records and integrity anchors
ReconcilersLifecycle and gating, the ceiling review, orphaned-evidence reconciliation
Distributed configurationAudience-scoped, versioned policy views the PDPs load
The data planeTokens, PEPs, and PDPs, enforcing per action at the boundary
The sync channelMission Status as the pull surface, Signals as the push complement
Optimistic concurrencyThe state version, with compare-and-set on lifecycle mutations
Object metadataThe management profile’s owner, administrative domain, and labels
The fleet APIEnumeration and bulk lifecycle
ObservabilityDecision, execution, and consent evidence, joined on the Mission

The estate view of the same mapping: desired state above, per-action enforcement below, the sync channel between them, and the evidence joining back on the Mission:

flowchart TB AG([Agent]) subgraph CP["Control plane: the Mission Issuer"] REC["Reconcilers:
lifecycle and gating,
the ceiling review"] M[("Desired state:
the Mission record
and its integrity anchors")] FLEET["Fleet API:
enumeration,
bulk lifecycle"] REC --> M FLEET --> M end subgraph DP["Data plane: enforcing per action at the boundary"] TK["Tokens:
state-gated issuance,
the token-layer chokepoint"] PEP["PEP:
the action-layer chokepoint"] PDP[PDP] end OBS["Observability:
decision, execution, and consent evidence,
joined on the Mission"] M -->|state-gated issuance| TK M -->|"the sync channel:
Status pull, Signals push,
audience-scoped policy views"| PDP TK --> AG AG -->|action + parameters| PEP PEP -->|evaluate| PDP PDP -->|permit / deny| PEP M -.->|consent evidence| OBS PDP -.->|decision evidence| OBS PEP -.->|execution evidence| OBS

Three disciplines keep the framing honest. The noun is scoped: this is the control plane for delegated authority, never an agent control plane, because it governs what an agent may do and never how the agent runs (the harness and the orchestrator keep operations). The category is unchanged: mission-based authorization remains the claim and the six-property litmus remains its gate, and control plane names where the layer sits operationally, not a new name for the layer. And a control plane is only as real as its data-plane contract, which is why the enforcement adapter contract, the deployment manifest, and the evidence envelope carry the interoperability weight on the list the community still has to standardize.

The model is stated, and its operational seat is named. What remains is judgment: the outside evidence for the shape, and the bets underneath it. The Convergence and the Wagers closes the handbook with both.