Proposal: Agent authentication securityScheme for OpenAPI #5265

@razashariff

Description

As AI agents become primary API consumers, OpenAPI needs a way to describe agent-specific authentication requirements.

Current gap: securitySchemes supports apiKey, http, oauth2, openIdConnect -- all designed for human users or static services. None capture agent identity, trust level, or behavioural authorization.

Proposed securityScheme: agentAuth

```yaml
securitySchemes:
  agentTrust:
    type: agentAuth
    description: Agent must present cryptographic identity with minimum trust level
    properties:
      identityMethod: challengeResponse
      minimumTrustLevel: L2
      sanctionsScreeningRequired: true
      spendLimit: 10000
```

This enables API providers to declare: "this endpoint requires a verified agent with trust level L2+ and sanctions screening clearance."

Every API gateway (Kong, Apigee, AWS API Gateway) could enforce this natively.

Reference: IETF draft-sharif-agent-payment-trust-00 defines the trust level framework.
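The kind of gateway-side check the proposal envisions, as an added example that is not part of the issue or of any OpenAPI tooling: it reads the proposed `properties` block and compares it with claims an agent presents. Assumptions not in the proposal: trust levels order as L0 < L1 < L2 < L3, the claim field names (`trustLevel`, `sanctionsScreened`), and that the gateway has already verified the agent's identity cryptographically before this attribute comparison runs.

```python
# Constructed copy of the proposed securityScheme's properties from the issue.
AGENT_TRUST_SCHEME = {
    "type": "agentAuth",
    "properties": {
        "identityMethod": "challengeResponse",
        "minimumTrustLevel": "L2",
        "sanctionsScreeningRequired": True,
        "spendLimit": 10000,
    },
}

# Assumed ordering of trust levels, lowest to highest (not defined by the issue).
TRUST_ORDER = ["L0", "L1", "L2", "L3"]


def evaluate(scheme: dict, claims: dict, requested_spend: int = 0) -> list:
    """Return the reasons the agent fails the scheme; an empty list means allowed.

    `claims` is assumed to be the already-verified output of the identity step
    (challenge-response, signature check); this function only compares
    attributes and must never be the sole control.
    """
    props = scheme.get("properties", {})
    failures = []

    if claims.get("identityMethod") != props.get("identityMethod"):
        failures.append("identity method mismatch")

    required = props.get("minimumTrustLevel")
    presented = claims.get("trustLevel")
    if required is not None:
        # Unknown levels on either side fail closed rather than being treated as high.
        if (required not in TRUST_ORDER or presented not in TRUST_ORDER
                or TRUST_ORDER.index(presented) < TRUST_ORDER.index(required)):
            failures.append(f"trust level {presented!r} below required {required}")

    if props.get("sanctionsScreeningRequired") and not claims.get("sanctionsScreened"):
        failures.append("sanctions screening not attested")

    limit = props.get("spendLimit")
    if limit is not None and requested_spend > limit:
        failures.append(f"requested spend {requested_spend} exceeds limit {limit}")

    return failures
```

Each failing requirement is reported separately so a gateway can log the full set of reasons rather than only the first one hit.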
