Preview documentation. The full protocol reference (OAAP spec, state machine, wire formats for HTTP/WebSocket/gRPC/Weave) lands in the next docs release.

OpenAgent Auth Protocol (OAAP)

A four-step mutual authentication handshake. Transport-agnostic — the same protocol runs over HTTP, WebSocket, gRPC, and libp2p.

1. PRESENT
Initiator sends its DID document, lineage proof, and an ephemeral X25519 public key.

2. CHALLENGE
Responder verifies the lineage, returns a nonce, its own DID, and its ephemeral X25519 public key.

3. PROVE
Initiator signs the nonce with its Ed25519 key, computes a shared secret via ECDH, sends signature and its own challenge to the responder.

4. ESTABLISHED
Responder verifies, signs back, returns an encrypted session token. Both sides now share a session key derived via HKDF-SHA256.
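
The four steps above, simulated in a single Node.js process as an added example; this is not OAAP reference code, and the wire formats are not yet published. Message field names, the did:example identifiers, the HKDF salt and info string, and AES-256-GCM for the session token are assumptions, and lineage verification is not modelled.

```javascript
// Added sketch, not OAAP reference code. Field names, DIDs, the HKDF salt/info
// and AES-256-GCM for the token are assumptions; lineage proofs are not modelled.
const crypto = require('node:crypto');

// Constructed agent: a DID string plus a long-term Ed25519 identity key pair.
const newAgent = (did) => ({ did, ...crypto.generateKeyPairSync('ed25519') });

// X25519 ECDH, then HKDF-SHA256 salted with both nonces, giving a 32-byte key.
function deriveKey(ephPriv, peerEph, nonceR, nonceI) {
  const shared = crypto.diffieHellman({ privateKey: ephPriv, publicKey: peerEph });
  const salt = Buffer.concat([nonceR, nonceI]);
  return Buffer.from(crypto.hkdfSync('sha256', shared, salt, 'oaap-demo-session', 32));
}

function handshake(ini, res) {
  // 1. PRESENT: initiator -> responder (verifyKey stands in for the DID document)
  const iEph = crypto.generateKeyPairSync('x25519');
  const present = { did: ini.did, verifyKey: ini.publicKey, eph: iEph.publicKey };

  // 2. CHALLENGE: responder -> initiator
  const rEph = crypto.generateKeyPairSync('x25519');
  const challenge = { did: res.did, verifyKey: res.publicKey,
                      nonce: crypto.randomBytes(32), eph: rEph.publicKey };

  // 3. PROVE: initiator signs the responder's nonce and sends its own challenge
  const prove = { sig: crypto.sign(null, challenge.nonce, ini.privateKey),
                  nonce: crypto.randomBytes(32) };

  // 4. ESTABLISHED: responder verifies, signs back, encrypts a session token
  if (!crypto.verify(null, challenge.nonce, present.verifyKey, prove.sig))
    return { ok: false, reason: 'PROVE signature rejected' };
  const rKey = deriveKey(rEph.privateKey, present.eph, challenge.nonce, prove.nonce);
  const iv = crypto.randomBytes(12);
  const enc = crypto.createCipheriv('aes-256-gcm', rKey, iv);
  const ct = Buffer.concat([enc.update('demo-session-token'), enc.final()]);
  const established = { sig: crypto.sign(null, prove.nonce, res.privateKey),
                        iv, ct, tag: enc.getAuthTag() };

  // Initiator checks the sign-back, derives the same key, decrypts the token
  if (!crypto.verify(null, prove.nonce, challenge.verifyKey, established.sig))
    return { ok: false, reason: 'ESTABLISHED signature rejected' };
  const iKey = deriveKey(iEph.privateKey, challenge.eph, challenge.nonce, prove.nonce);
  const dec = crypto.createDecipheriv('aes-256-gcm', iKey, established.iv);
  dec.setAuthTag(established.tag);
  const token = Buffer.concat([dec.update(established.ct), dec.final()]).toString();
  return { ok: true, token, keysMatch: iKey.equals(rKey) };
}
```

An agent object whose private key does not match the verification key it presents fails at step 4 on whichever side checks it, before any session key is used.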

Integration paths

OIDC bridge

Map Okta, Auth0, Keycloak, and Azure AD tokens into agent DIDs.

SCIM provisioning

Auto-provision and deprovision agents through your directory.