A2A delegation
Agent-to-agent and on-behalf-of authorization between agents, scoped per agent.
When one agent calls another, the second agent should act on behalf of the first — and the original user — without inheriting more authority than it needs. oauth.work issues delegated, on-behalf-of tokens scoped down at every hop.
The delegation chain
User ──grants──▶ Agent A ──on-behalf-of──▶ Agent B ──DPoP token──▶ MCP tool
Each hop after the user's grant is a real token exchange, not a forwarded credential. Agent A holds a token the user consented to; to call Agent B it exchanges that token for a narrower one addressed to Agent B, and Agent B does the same before it calls the MCP tool.
Token exchange (RFC 8693)
POST /token
grant_type=urn:ietf:params:oauth:grant-type:token-exchange
subject_token=<agent-a-token>
subject_token_type=urn:ietf:params:oauth:token-type:access_token
audience=agent-b
scope=mcp:tools.invoke
# → a token audience-restricted to Agent B, scoped down, with an act claim naming Agent A
The issued token carries a nested act (actor) chain so every downstream resource can see who is acting for whom. Per RFC 8693 section 4.1 the outermost act is the current actor and each nested act is an earlier one, so the token Agent B presents to the MCP tool looks like this:
{
"sub": "user:u_123",
"act": { "sub": "agent:b", "act": { "sub": "agent:a" } },
"scope": "mcp:tools.invoke"
}
Why it’s safe
- Scopes only ever shrink along the chain, never widen: the token endpoint rejects an exchange whose requested scope is not a subset of the subject token's scope.
- Every token is sender-constrained (DPoP, RFC 9449) to the key of the agent it was issued to; a leaked delegated token is useless without that agent's private key.
- The full actor chain is recorded in the audit log, so a misbehaving agent is attributable.
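The exchange request and the act chain described above, modelled as one token-endpoint step, as an added example that is not oauth.work's code. It works on claims only (no signing, HTTP or DPoP proof verification) so the delegation rules stay visible: the requested scope must be a subset of the subject token's scope, the new token is audience-restricted, the subject token must have been addressed to the requester, and the act chain nests with the outermost act being the current actor (RFC 8693 section 4.1). The function names, the use of a single identifier form such as agent:a for both audience and actor, and all sample token values are assumptions for illustration.

```python
"""Added example (not oauth.work's code): the claims logic of one RFC 8693
token-exchange step in the A2A chain. Names and sample values are assumed."""
from __future__ import annotations

TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


class ExchangeError(Exception):
    """An exchange request that would violate a delegation rule."""


def actor_chain(claims: dict) -> list[str]:
    """Flatten a nested act claim: current actor first, original actor last."""
    chain, act = [], claims.get("act")
    while act:
        chain.append(act["sub"])
        act = act.get("act")
    return chain


def issue_delegated_token(request: dict, subject_claims: dict,
                          actor: str, actor_jkt: str) -> dict:
    """Handle one token-exchange request made by `actor`.

    subject_claims: verified claims of subject_token (signature and DPoP proof
    assumed already checked by the caller). actor_jkt: JWK thumbprint of the
    requester's DPoP key; the new token is bound to it via cnf.jkt (RFC 9449).
    """
    if request.get("grant_type") != TOKEN_EXCHANGE:
        raise ExchangeError("unsupported grant_type")
    if request.get("subject_token_type") != ACCESS_TOKEN_TYPE:
        raise ExchangeError("unsupported subject_token_type")
    if not request.get("audience"):
        raise ExchangeError("audience required: delegated tokens are audience-restricted")
    # Only the party the subject token was issued to may exchange it.
    if subject_claims.get("aud") != actor:
        raise ExchangeError(f"subject token is for {subject_claims.get('aud')}, not {actor}")
    # Scopes only shrink: the requested set must be a subset of what is held.
    have = set(subject_claims.get("scope", "").split())
    want = set(request["scope"].split()) if request.get("scope") else have
    if not want or not want <= have:
        raise ExchangeError(f"scope widening refused: {sorted(want - have)}")
    # A repeated actor would be a loop in the chain; refuse it.
    if actor in actor_chain(subject_claims):
        raise ExchangeError(f"{actor} already appears in the delegation chain")

    new_act = {"sub": actor}
    if "act" in subject_claims:
        new_act["act"] = subject_claims["act"]  # earlier actors nest inward
    return {
        "sub": subject_claims["sub"],            # the end user never changes
        "aud": request["audience"],
        "scope": " ".join(sorted(want)),
        "act": new_act,
        "cnf": {"jkt": actor_jkt},               # sender-constrained to the requester
    }


def exchange_request(audience: str, scope: str) -> dict:
    """The form fields of the POST /token request shown on the page."""
    return {"grant_type": TOKEN_EXCHANGE, "subject_token_type": ACCESS_TOKEN_TYPE,
            "audience": audience, "scope": scope}


# Constructed sample: the token the user consented to, issued to Agent A.
USER_TOKEN = {"sub": "user:u_123", "aud": "agent:a",
              "scope": "mcp:tools.invoke mcp:tools.list files:read",
              "cnf": {"jkt": "jkt-agent-a"}}


def run_chain() -> dict:
    """User -> Agent A -> Agent B -> MCP tool; returns the token the tool sees."""
    # Hop 1: Agent A narrows the user's token to call Agent B.
    for_b = issue_delegated_token(
        exchange_request("agent:b", "mcp:tools.invoke mcp:tools.list"),
        USER_TOKEN, actor="agent:a", actor_jkt="jkt-agent-a")
    # Hop 2: Agent B, now the audience, narrows again for the MCP tool.
    return issue_delegated_token(
        exchange_request("mcp-tool", "mcp:tools.invoke"),
        for_b, actor="agent:b", actor_jkt="jkt-agent-b")


def refused_requests() -> list[str]:
    """Two requests the token endpoint must reject; returns the reasons."""
    for_b = issue_delegated_token(
        exchange_request("agent:b", "mcp:tools.invoke"),
        USER_TOKEN, actor="agent:a", actor_jkt="jkt-agent-a")
    attempts = [
        # Agent B asks for a scope Agent A deliberately dropped.
        (exchange_request("mcp-tool", "mcp:tools.invoke files:read"), "agent:b"),
        # A third agent presents a token that was addressed to Agent B.
        (exchange_request("mcp-tool", "mcp:tools.invoke"), "agent:c"),
    ]
    reasons = []
    for req, actor in attempts:
        try:
            issue_delegated_token(req, for_b, actor=actor, actor_jkt=f"jkt-{actor}")
        except ExchangeError as e:
            reasons.append(str(e))
    return reasons


if __name__ == "__main__":
    import json
    print(json.dumps(run_chain(), indent=2))
    for reason in refused_requests():
        print("refused:", reason)
```

The audience check is what makes the chain attributable rather than merely narrow: a token addressed to Agent B can only be exchanged by Agent B, so the outermost act entry is always the party that actually made the request, and a third agent holding a copy gets a refusal before any scope logic runs.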