Loading...
Conceptual specification. This protocol is a pre-submission draft, not a finalized standard. The specification describes intended behavior and design intent. It has not been adopted by any IETF Working Group and is subject to change. Cred implements the delegation pipeline described here as a reference implementation, but full protocol conformance is a work in progress.
open standard for credential delegation in multi-agent systems
MCP standardizes how agents connect to tools. A2A standardizes agent-to-agent communication. No open standard governs how credentials flow through these connections. The Cred Protocol fills this gap — a profile of existing OAuth 2.0 standards that defines secure, auditable credential delegation for AI agents.
sequenceDiagram participant S as Subject participant DS as Delegation Server participant V as Credential Vault participant A as Agent participant RS as Resource Server Note over S,V: Phase 1 - Setup once per OAuth service S->>DS: Authorize Google OAuth DS->>S: Redirect to provider consent S->>DS: OAuth callback with auth code DS->>DS: Exchange code for refresh token DS->>V: Encrypt and store token AES-256-GCM DS-->>S: Connection confirmed Note over A,DS: Phase 2 - Agent identity bootstrap A->>A: Generate Ed25519 keypair A->>A: Derive did:key from public key A->>A: Sign JWT Bearer assertion exp 5 min Note over A,DS: Phase 3 - Delegation request A->>DS: POST /delegate JWT Bearer plus capabilities DS->>DS: Validate JWT Bearer and jti replay check DS->>S: CIBA backchannel consent push S-->>DS: Approve with scoped capabilities DS->>DS: Issue DelegationToken DPoP-bound 15 min TTL DS->>DS: Sign prf receipt for chain integrity DS-->>A: DelegationToken issued Note over A,A: Agent holds DT only - not the credential Note over A,RS: Phase 4 - Credential exercise A->>DS: POST /exercise with DT and DPoP proof DS->>DS: Validate DT signature and expiry DS->>DS: Verify DPoP binding to htm and htu DS->>DS: Check operation within authorization_details DS->>V: Retrieve credential by credential_handle V-->>DS: Decrypted token in-process only DS->>RS: API call with stored access token RS-->>DS: API response DS-->>A: API response only - credential not returned DS->>V: Wipe decrypted credential from memory Note over S,DS: Phase 5 - Revocation S->>DS: DELETE /delegation/jti DS->>DS: Invalidate root DT within 1 second DS->>DS: Cascade to child DTs within 5 seconds DS-->>A: HTTP 401 delegation_revoked on next request
Agents receive DelegationTokens, not credentials. Raw OAuth tokens never cross the agent trust boundary. Prompt injection cannot exfiltrate what the agent does not hold.
Sub-delegation can only narrow capabilities — never widen. Enforced by the DS at issuance time, not by trusting agents. Authority flows downward and only shrinks.
Not "access Google Drive" but drive.files.get on folder:abc123 with max_calls: 10 until time T. Eliminates ambient authority — the confused deputy exploit surface.
Root DT invalidated in <1s. Full delegation tree cascade in <5s. Eventual consistency is not acceptable for adversarially-promptable systems.
Each hop produces a DS-signed prf receipt cross-referencing parent and child jti values. Closes the RFC 8693 §2.1-2.2 vulnerability disclosed to the OAuth WG, February 2026.
Agents derive identity from an ephemeral Ed25519 keypair at instantiation via did:key. The DS accepts any DID it has not seen before. Zero admin provisioning required.
The full pre-submission draft is on GitHub. Issues, security analysis, and PRs welcome — particularly from implementers and IETF participants.