{"protocol":"delegation","protocol_family":"delegated-authority","compatibility_protocol":"delegation-proof","spec":"http-delegation-authority-draft-02","spec_scope":"Delegation HTTP authentication for bounded authority proofs; software agents are a motivating deployment case, not the applicability boundary.","version":"1","implementation_version":"0.2.2","enabled":true,"bridge_mode":false,"min_amount":"5.00","currency":"USD","accepted_rails":["mpp","x402","l402"],"attestation_required":true,"verifier_required":true,"operator_registration_uri":"/v1/operators/self-register","operator_self_registration_uri":"/v1/operators/self-register","operator_admin_registration_uri":"/v1/operators/register","public_operator_bootstrap":{"mode":"byok-self-register","uri":"/v1/operators/self-register","operator_id":"server-generated","requires":["primary ML-DSA public key","macaroon_root_key_b64"],"settlement_rails":"disabled until admin/operator-authenticated SLH-DSA registration"},"default_rails":["api_key","free","l402"],"settlement_rails":["mpp","x402"],"settlement_rail_upgrade_uri":"/v1/operators/register/slh-dsa","settlement_rail_signature_required":"SLH-DSA-SHA2-256f","envelope_signature_required":"ML-DSA-65","envelope_signature_supported":["ML-DSA-65","ML-DSA-87"],"envelope_signature_high_assurance":"ML-DSA-87","envelope_signature_cose_algorithm_ids":{"ML-DSA-65":-49,"ML-DSA-87":-50},"carriage_strategies":["authorization-delegation-header","delegation-proof-header-sf-byte-sequence","body-json-delegation-proof","body-cose","delegation-preflight-compact-credential"],"credential_media_types":["application/delegation-proof+cose"],"max_header_bytes":8192,"cross_references":{"x402":"/.well-known/x402","l402":"/.well-known/l402","mpp":"/.well-known/mpp","issuer_keys":"/.well-known/delegation-issuer-keys","delegation_authority":"/.well-known/delegation-authority","delegation_issuer_keys":"/.well-known/delegation-issuer-keys","delegation_preflight":"/delegation/preflight"},"ietf_status":"draft-mcgraw-httpapi-agent-budget-02 published 2026-06-15 (https://datatracker.ietf.org/doc/draft-mcgraw-httpapi-agent-budget/); active individual Internet-Draft and individual submission discussed on the HTTPAPI list. No IETF working-group adoption or standards approval is claimed. The mechanism is Delegation authority. The public reference path is BYOK self-registration plus caller-side proof signing; managed signing is deployment-gated and not public self-service.","applicability":{"motivating_case":"autonomous software agents","mechanism":"client presents signed bounded authority before protected request processing","not_limited_to_agents":true,"other_clients":["service workload","CI/CD job","fleet device","batch process"]},"merchant_id":"governance.taskhawktech.com","endpoints":{"verify":"https://governance.taskhawktech.com/governance/verify","attest":"https://governance.taskhawktech.com/governance/attest","delegation_preflight":"https://governance.taskhawktech.com/delegation/preflight","preflight":"https://governance.taskhawktech.com/delegation/preflight","operator_register":"https://governance.taskhawktech.com/v1/operators/self-register","operator_self_register":"https://governance.taskhawktech.com/v1/operators/self-register","operator_admin_register":"https://governance.taskhawktech.com/v1/operators/register","settlement_rail_upgrade":"https://governance.taskhawktech.com/v1/operators/register/slh-dsa","audit_ledger_head":"https://governance.taskhawktech.com/protocol/427/health","well_known_self":"https://governance.taskhawktech.com/.well-known/delegation-authority","delegation_authority":"https://governance.taskhawktech.com/.well-known/delegation-authority","issuer_keys":"https://governance.taskhawktech.com/.well-known/delegation-issuer-keys","delegation_issuer_keys":"https://governance.taskhawktech.com/.well-known/delegation-issuer-keys"},"verify_endpoint":"https://governance.taskhawktech.com/governance/verify","attestation_endpoint":"https://governance.taskhawktech.com/governance/attest","health_endpoint":"https://governance.taskhawktech.com/protocol/427/health","managed_signing_endpoint":"https://governance.taskhawktech.com/v1/attestations/issue","managed_signing":{"status":"deployment_gated","public_self_service":false,"auth":"admin-or-future-operator-proof","detail":"BYOK self-registration is the public bootstrap path; managed signing is not public self-service."},"issuer_key_discovery_uri":"https://governance.taskhawktech.com/.well-known/delegation-issuer-keys","enforcement_mode":"enforce_soft","delegation":{"mechanism":"delegation","authority_profiles":["bounded-authority"],"auth_scheme":"Delegation","version_header":"Delegation-Version","proof_fields":["Delegation-Proof"],"proof_media_types":["application/delegation-proof+cose"],"status_modes_supported":["delegation_401_403"],"active_status_mode":"delegation_401_403","challenge_responses":{"delegation_401_403":[401,403]},"settlement_signal":false,"preflight":{"status":"available","issue_uri":"https://governance.taskhawktech.com/delegation/preflight","proof_media_type":"application/delegation-proof+cose","target_headers":["Delegation-Target-Method","Delegation-Target-URI","Delegation-Target-Body-SHA256"],"credential_type":"delegation-compact","authorization":"Delegation kdc1.<base64url-token>","ttl_seconds":60,"route_allowlist":["/governance/verify"],"settlement_signal":false,"reduced_authorization_overhead":true}},"delegation_preflight":{"status":"available","feature_state":{"preflight":true,"compact_credentials":true},"deployment_requirements":["route allowlist","short TTL","server-side verifier key","shared atomic one-time store for production"],"store_production_safe":true,"credential_type":"delegation-compact","authorization_prefix":"kdc1.","target_headers":["Delegation-Target-Method","Delegation-Target-URI","Delegation-Target-Body-SHA256"],"settlement_signal":false,"claim_boundary":"reduces protected-request authorization overhead after preflight; does not signal settlement or revenue"},"cryptographic_capabilities":{"envelope_signatures":["ML-DSA-65","ML-DSA-87"],"preferred_envelope_signature":"ML-DSA-65","high_assurance_envelope_signature":"ML-DSA-87","cose_algorithm_ids":{"ML-DSA-65":-49,"ML-DSA-87":-50},"jose_cose_ml_dsa":{"reference":"RFC 9964","alg_registry_status":"rfc9964-registered","key_type":{"name":"AKP","cose_kty":7,"jose_kty":"AKP","public_parameter":"pub","public_parameter_label":-1,"private_parameter":"priv","private_parameter_label":-2,"private_material_published":false},"cose_algorithm_ids":{"ML-DSA-65":-49,"ML-DSA-87":-50}},"rail_signatures":["SLH-DSA-SHA2-256f"],"macaroon_hmac":"HMAC-SHA-256","envelope_format":"COSE_Sign1(additive)+direct-CBOR(transition)","credential_profiles":{"legacy_direct_cbor":{"status":"transition","wire":"base64url(CBOR(integer-keyed-map-with-signature_set))","signature_preimage":"canonical Protocol 427 claims CBOR fields 1-13"},"cose_sign1":{"status":"additive","wire":"Authorization: Delegation base64url(COSE_Sign1), Delegation-Proof Byte Sequence, or application/delegation-proof+cose body","signature_preimage":"COSE Sig_structure over canonical Protocol 427 claims CBOR fields 1-13","cose_algorithm_ids":{"ML-DSA-65":-49,"ML-DSA-87":-50},"settlement_rails":"use legacy direct-CBOR or future COSE_Sign profile"},"compact_delegation":{"status":"available","wire":"Authorization: Delegation kdc1.<base64url-token>","issue_flow":"POST /delegation/preflight with application/delegation-proof+cose full proof body","signature_preimage":"verifier-issued compact Delegation credential bound to target method, origin, path, query, body digest, and attestation hash","mac":"HMAC-SHA-256 with verifier-side key","settlement_rails":"not a settlement signal"}},"nonce_minimum_bytes":16,"nonce_encoding":"base64url"},"ietf":{"internet_draft_name":"draft-mcgraw-httpapi-agent-budget-02","datatracker_url":"https://datatracker.ietf.org/doc/draft-mcgraw-httpapi-agent-budget/","archive_url":"https://www.ietf.org/archive/id/draft-mcgraw-httpapi-agent-budget-02.txt","public_datatracker_revision":"draft-mcgraw-httpapi-agent-budget-02","local_implementation_target":"draft-mcgraw-httpapi-agent-budget-02","local_runtime_preview":"draft-mcgraw-httpapi-agent-budget-03 Delegation preflight and compact credential","publication_status":"draft-02 published as an active individual Internet-Draft; no IETF working-group adoption or standards approval is claimed","expires":"2026-12-17","wg":"httpapi","status":"individual-submission","published_at":"2026-06-15"},"compliance_attestations":{"fips_204_ml_dsa":true,"fips_205_slh_dsa":true,"rfc_9964_ml_dsa_jose_cose":true,"rfc_9457_problem_details":true,"rfc_9110_www_authenticate":true,"rfc_8949_cbor":true,"draft_sd_jwt":"draft-ietf-oauth-selective-disclosure-jwt"},"hardening_status":{"level":"phase_1_closed","phases_complete":["phase_1"],"current_phase":"phase_2_swarm_driven_hardening","last_pressure_test":"2026-05-08","findings_open":4,"findings_closed":3,"internal_spec_version":"1","implementation_version":"0.2.2"},"_well_known_revision":7,"_serialized_at":1782119117280,"_cache_ttl_seconds":3600}