Your AI Agent Has No Permission Slip — So We Built One

Your agent can post on your LinkedIn, delete your emails, and buy things on your behalf. There is no standard for who said it could.

Not OpenAI's function calling. Not LangChain. Not Browser-Use. Not Bardeen.

None of them have a standardized answer to: who authorized this action, what was the limit, and how do you revoke it?

The agent acts. The receipts don't exist. The damage is done.

So we built OAuth3.

The gap nobody is talking about

The IETF has four active drafts trying to solve agent authorization:

• OBO (On-Behalf-Of) — how an agent proves it's acting for you
• Transaction Tokens — how context propagates between services
• Target Audience — how a token scopes which service can use it
• AAuth (Agent Authorization) — how an agent gets identity in the first place

These are serious work. The OBO draft expires February 27, 2026.

But here's what every single one of them misses:

What happens AFTER the agent has authority?

Phase 1: Who is this agent? — covered. Phase 2: Can it act for me? — covered. Phase 3: How does context flow between services? — covered. Phase 4: What happens during and after the action? — nothing.

That's the gap. That's where the real damage happens.

ClawHavoc already proved the cost

In 2024, researchers discovered 1,184 malicious OpenClaw skills running in production.

No audit trail. No revocation. No limit on what those skills could do once loaded.

"The agent did it" is not a legal defense.

FDA Part 11 requires evidence trails for regulated industries. HIPAA requires them for healthcare. SOX requires them for finance.

Your AI agent is an unsigned check with no spending limit.

The IETF drafts tell you how to sign the check. None of them tell you what the spending limit is, who can cancel it, or where to find the receipts.

What OAuth3 actually is

OAuth3 is not a replacement for OAuth 2.0. It's the governance layer that sits on top of it.

It fills Phase 4 of the lifecycle:

Phase 1: Identity       → AAuth (who is this agent?)
Phase 2: Authorization  → IETF OBO (can this agent act for me?)
Phase 3: Propagation    → Transaction Tokens (context between services)
Phase 4: Governance     → OAuth3 (what happens during and after?)

The IETF covers Phases 1-3. We cover Phase 4. Together, the stack is complete.

The six things OAuth3 adds

Scoped, time-bound delegation tokens — Not "act as me." Act as me only on LinkedIn, only for 24 hours, only for reading.

Step-up re-consent — Before the agent posts publicly, it pauses. It shows you the action. You confirm. No silent surprises.

Evidence bundles per action — Every action produces a signed artifact with SHA-256 integrity. Not "the agent said it worked." Proof that it worked.

Action limits as token fields — max_actions: { read: 100, write: 1 }. The agent can read 100 posts, write exactly one. Once the limit is hit, the token is exhausted.

Synchronous revocation — You press stop. The agent stops within one second. Not eventually. Now.

DPoP proof-of-possession — A stolen OAuth3 token is useless without the agent's private key. Man-in-the-middle attacks are structurally blocked.

The spec

OAuth3 is open source. 1,181 lines. Schneier-reviewed. Three companion documents:

• Key management and DPoP binding
• Agent wallet specification
• IETF complementarity (how OAuth3 integrates with the four existing drafts)

# Read the spec
git clone https://github.com/phuctruong/stillwater
cat stillwater/papers/oauth3-spec-v0.1.md

This is not a whitepaper. It is a working specification with a reference implementation.

Why this should be owned by everyone

Token-revenue vendors cannot implement OAuth3.

Synchronous revocation reduces token usage. Action limits reduce token usage. Evidence bundles reduce token usage.

Every feature of OAuth3 cuts into the business model of vendors who charge per token.

That's why they won't build it. That's why we did.

An open standard for AI delegation has to be owned by the community or it will be owned by the platforms — and the platforms have a financial incentive to make it optional.

This is the same fight as SSL vs. proprietary encryption. Same fight as HTTP vs. CompuServe. The open standard has to exist and it has to be free.

The call

Comment "PERMISSION" and I'll send you the OAuth3 one-pager — the six fields, the lifecycle diagram, and the minimal Python implementation in one page.

Or: read the spec, open an issue, submit a pull request.

The standard should be owned by everyone who has an agent acting in the world. That is you.

Receipts aren't optional. They're the whole point.

— Phuc Vinh Truong

OAuth3 is part of the Stillwater OS project. GitHub: github.com/phuctruong/stillwater Spec: stillwater/papers/oauth3-spec-v0.1.md

tags: #AI #OAuth3 #AIAgents #Security #OpenSource #IETF #Authorization #LLM #AgentSecurity #Software50