AAuth 0.8.0-alpha.4

This is a prerelease version of AAuth.
dotnet add package AAuth --version 0.8.0-alpha.4
                    
NuGet\Install-Package AAuth -Version 0.8.0-alpha.4
                    
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package.
<PackageReference Include="AAuth" Version="0.8.0-alpha.4" />
                    
For projects that support PackageReference, copy this XML node into the project file to reference the package.
<PackageVersion Include="AAuth" Version="0.8.0-alpha.4" />
                    
Directory.Packages.props
<PackageReference Include="AAuth" />
                    
Project file
For projects that support Central Package Management (CPM), copy this XML node into the solution Directory.Packages.props file to version the package.
paket add AAuth --version 0.8.0-alpha.4
                    
#r "nuget: AAuth, 0.8.0-alpha.4"
                    
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package.
#:package AAuth@0.8.0-alpha.4
                    
#:package directive can be used in C# file-based apps starting in .NET 10 preview 4. Copy this into a .cs file before any lines of code to reference the package.
#addin nuget:?package=AAuth&version=0.8.0-alpha.4&prerelease
                    
Install as a Cake Addin
#tool nuget:?package=AAuth&version=0.8.0-alpha.4&prerelease
                    
Install as a Cake Tool

AAuth SDK for .NET

The AAuth protocol SDK for .NET — agent-to-resource authorization with cryptographic proof-of-possession. Every HTTP request carries an RFC 9421 signature; there are no bearer tokens.

🚧 Draft Specification — The AAuth protocol is under active development. APIs and wire formats may change as the spec evolves.

Install

dotnet add package AAuth --prerelease

Quick Start

The simplest mode is pseudonymous (HWK) — the agent signs every request with an inline public key. No Agent Provider, no Person Server, no registration.

using AAuth.Crypto;
using AAuth;

var key = AAuthKey.Generate(); // Ed25519 keypair

using var client = new AAuthClientBuilder(key)
    .UseHwk() // Pseudonymous mode: inline public key in Signature-Key header
    .Build();

var response = await client.GetAsync("https://resource.example/data");
// Request is signed per RFC 9421 — the resource verifies the signature
// using the public key from the Signature-Key: sig=hwk;jkt="...";jwk="..." header

Access Modes

AAuth supports four resource access modes. Each adds parties and capabilities, and they build on one another — adoption is incremental.

Mode Parties When to Use Signing
Identity-Based Agent + Resource Replacing API keys with cryptographic identity hwk / jwks_uri
Resource-Managed (two-party) Agent + Resource Resource manages authorization itself (interaction, OAuth/OIDC, internal policy) Any
PS-Asserted (three-party) Agent + Resource + PS Resource accepts identity claims (sub, email, tenant, groups, roles) from any Person Server jwt
Federated (four-party) Agent + Resource + PS + AS Cross-domain access with the resource's own Access Server enforcing policy jwt

Three-Party Flow (Agent → Resource → Person Server)

The PS-Asserted flow is the primary authorization model. The resource delegates authorization to the agent's Person Server, which prompts the user for consent. Add WithChallengeHandling when building the client and the entire 401 → exchange → retry cycle becomes automatic:

using AAuth.Crypto;
using AAuth;

var key = AAuthKey.Generate();

// A hosted service acts as its own Agent Provider (self-issuing).
using var client = AAuthClientBuilder.SelfIssuing(key)
    .As("https://my-service.example", "aauth:my-service@my-service.example")
    .WithKid("svc-key-1")
    .WithPersonServer("https://ps.example")
    .WithChallengeHandling() // automatic 401 → PS exchange → retry
    .Build();

var response = await client.GetAsync("https://resource.example/data");
// 1. Agent signs GET with agent token → Resource verifies, returns 401 + resource_token
// 2. ChallengeHandler POSTs resource_token to PS token endpoint
// 3. PS validates agent, prompts user for consent, issues auth_token
// 4. Agent retries GET signed with auth_token → Resource verifies → 200 OK

For CLI/desktop agents that enroll with an external Agent Provider, and for the resource- and Person-Server-side code, see the full Getting Started guide.

Features

  • All four signing modes: hwk, jwks_uri, jwt, jkt-jwt
  • Two-party resource-managed access with opaque AAuth-Access tokens
  • Full three-party challenge/exchange flow (autonomous and deferred user-consent)
  • Four-party federated access with an Access Server
  • Signature verification middleware for resources
  • Resource & auth token builders, JWKS / metadata discovery
  • Self-hosted and enrolled (external Agent Provider) agent models

Documentation

Full documentation, tutorials, samples, and an interactive protocol explorer:

License

MIT

Product Compatible and additional computed target framework versions.
.NET net10.0 is compatible.  net10.0-android was computed.  net10.0-browser was computed.  net10.0-ios was computed.  net10.0-maccatalyst was computed.  net10.0-macos was computed.  net10.0-tvos was computed.  net10.0-windows was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

NuGet packages (1)

Showing the top 1 NuGet packages that depend on AAuth:

Package Downloads
AAuth.R3

Experimental AAuth Rich Resource Requests (R3) preview helpers — vocabulary-agnostic operations (OpenAPI, MCP, …). Depends on AAuth.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last Updated
0.8.0-alpha.4 64 7/3/2026
0.8.0-alpha.3 47 6/29/2026
0.8.0-alpha.2 54 6/28/2026
0.8.0-alpha.1 56 6/27/2026
0.2.0-alpha.2 63 6/27/2026
0.2.0-alpha.1 63 6/10/2026
0.1.0-alpha.12 153 6/7/2026
0.1.0-alpha.11 54 6/3/2026
0.1.0-alpha.10 59 6/1/2026
0.1.0-alpha.9 54 5/31/2026
0.1.0-alpha.8 56 5/28/2026
0.1.0-alpha.7 54 5/27/2026
0.1.0-alpha.6 62 5/27/2026
0.1.0-alpha.5 64 5/26/2026
0.1.0-alpha.4 51 5/25/2026
0.1.0-alpha.3 56 5/24/2026
0.1.0-alpha.2 51 5/23/2026
0.1.0-alpha.1 63 5/23/2026