AuthProof SDK introduces a cryptographic delegation protocol designed to address the user-to-operator trust gap in AI systems. By creating verifiable, tamper-proof delegation receipts, it ensures that user intentions are accurately recorded and safeguarded, enabling a new standard of accountability within agentic AI operations.
AuthProof SDK is a robust cryptographic delegation protocol designed specifically for agentic AI, effectively bridging the user-to-operator trust gap that traditional IETF frameworks fail to address. By establishing a secure and verifiable system of delegation, AuthProof allows users to define and enforce the precise capabilities and limitations of AI agents.
Understanding the Problem
Existing IETF frameworks like AIP, draft-klrc-aiagent-auth, and WIMSE primarily facilitate service-to-agent trust but overlook the critical aspect of user-to-operator trust.
In conventional agent systems, the delegation flow resembles the following structure:
User → Operator → Agent → Services
In this chain, the user instructs the operator, who then instructs the agent. Unfortunately, this process lacks a cryptographic record that captures the user’s intent at the moment of delegation, placing unchecked authority in the hands of the operator. This poses several risks:
- Users cannot verify what they authorized.
- Regulators are left without an audit trail.
- Courts lack a solid evidence foundation.
- Agents struggle to differentiate between valid and illegitimate operator instructions.
AuthProof is designed to mitigate these risks effectively.
Introducing the Delegation Receipt
At the core of AuthProof SDK is the Delegation Receipt, a cryptographically signed Authorization Object that is anchored in a decentralized, append-only log before any action by the agent occurs. This receipt includes four essential components:
- Scope: An explicit allowlist that defines allowed operations, using structured formats rather than ambiguous natural language. The operation classes are:
  - reads: Read access to specified resources
  - writes: Write access to specified resources
  - deletes: Deletion of specified resources
  - executes: Execution of specific programs, validated by their static capability signature hash
  The executes class is particularly critical: it must point to a cryptographic hash of a Safescript program's static capability DAG, ensuring that no unintended execution occurs.
- Boundaries: Explicit user-defined prohibitions that cannot be overridden by the operator, maintaining hard limits regardless of subsequent directives.
- Time Window: The validity period of the authorization, verified against the log timestamp, independent of the client clock.
- Operator Instruction Hash: A cryptographic hash of the operator's instructions at the time of delegation, so that any discrepancy between the operator's later instructions and the original can be identified and assessed.
Users securely sign the Delegation Receipt with their private key using WebAuthn/FIDO2 technology, ensuring that each signed action is anchored in the log, with subsequent activities consistently referencing the receipt hash.
Trust Stack Architecture
AuthProof leverages a three-layer protocol architecture to eliminate reliance on various trusted third parties:
- Layer 1 — Signed Capability Manifest: This layer ensures tool servers publish a cryptographically signed capability manifest, thereby removing trust in the operator’s representation of what the server can perform.
- Layer 2 — Delegation Receipt: This layer secures the user's original intent and proves any operator deviations before the agent obtains instructions.
- Layer 3 — Safescript Execution: Safescript serves as a secure language for AI agent execution, ensuring that the full capability signature is computable prior to execution, thus preventing unintended actions.
Quick Example
The AuthProof SDK can be quickly initiated as follows:
import { AuthProof, Scope, KeyCustody } from 'authproof-sdk';

const authproof = new AuthProof({
  custody: KeyCustody.HARDWARE,
  log: 'https://log.authproof.dev',
});

// Scope: explicit allowlist per operation class (reads, writes, deletes, executes).
const scope = new Scope()
  .allow('reads', ['resource://calendar/events', 'resource://email/inbox'])
  .allow('writes', ['resource://calendar/events'])
  .deny('deletes', '*')
  .execute('sha256:a3f1c9d8...', { program: 'scheduler-v1.sg' });

// Boundaries: user-defined prohibitions the operator cannot override.
const boundaries = {
  never: ['external-network', 'credential-store', 'payment-methods'],
};

// instructionText: the operator's instruction text, assumed to be defined by the caller.
const receipt = await authproof.delegate({
  scope,
  boundaries,
  window: { duration: '8h' },
  operatorInstructions: instructionText,
});
Dynamic Authorization with Micro-Receipts
AuthProof introduces micro-receipts for dynamic authorization of actions not covered by the original Delegation Receipt, imposing a user sign-off requirement for any out-of-scope capability requests. This enhances transparency and user agency over AI operations.
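The checks implied by the four receipt components and by the micro-receipt rule, as an added example that is not AuthProof SDK code. The receipt shape, the `evaluate` function, the capability tags on each action and the choice to stop on an instruction mismatch are assumptions made for illustration.

```javascript
// Added illustration, not AuthProof SDK code: the receipt shape, field names and
// evaluate() are hypothetical; only the four components come from the page.
const crypto = require('node:crypto');

const sha256 = (text) =>
  'sha256:' + crypto.createHash('sha256').update(text, 'utf8').digest('hex');

// Constructed sample values.
const INSTRUCTIONS = 'Schedule meetings from the inbox.';
const receipt = {
  scope: {
    reads: ['resource://calendar/events', 'resource://email/inbox'],
    writes: ['resource://calendar/events'],
    deletes: [],
  },
  boundaries: { never: ['external-network', 'credential-store', 'payment-methods'] },
  window: {
    notBefore: Date.parse('2025-01-01T09:00:00Z'),
    notAfter: Date.parse('2025-01-01T17:00:00Z'),
  },
  operatorInstructionHash: sha256(INSTRUCTIONS),
};

// action = { class, resource, touches: [capability tags] } (assumed shape).
// logTime is the log's timestamp in ms, never the client clock.
function evaluate(receipt, action, operatorInstructions, logTime) {
  // Boundaries are hard limits, so they are checked before anything else.
  if (action.touches.some((tag) => receipt.boundaries.never.includes(tag))) {
    return { decision: 'deny', reason: 'boundary' };
  }
  if (logTime < receipt.window.notBefore || logTime > receipt.window.notAfter) {
    return { decision: 'deny', reason: 'outside-window' };
  }
  // Instructions that no longer hash to the recorded value are surfaced for
  // review; stopping here is this sketch's policy choice.
  if (sha256(operatorInstructions) !== receipt.operatorInstructionHash) {
    return { decision: 'flag', reason: 'instruction-drift' };
  }
  // Scope is an allowlist; own-property lookup keeps names such as
  // 'constructor' from resolving to inherited members.
  const allowed = Object.hasOwn(receipt.scope, action.class)
    ? receipt.scope[action.class] : [];
  if (allowed.includes(action.resource)) {
    return { decision: 'allow', reason: 'in-scope' };
  }
  // Not covered by the receipt: ask the user for a micro-receipt.
  return { decision: 'micro-receipt-required', reason: 'out-of-scope' };
}
```
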
Conclusion
AuthProof SDK represents a significant advancement in establishing trust and control in AI agents through its unique Delegation Receipt mechanism and multi-layered architecture. By implementing this protocol, users can confidently manage AI capabilities, ensuring their instructions are executed precisely as intended.