Required areas
| Category | What it tests |
|---|---|
| Challenge | 401 challenge shape, nonce entropy, timestamp, origin, content type |
| Sign | JCS canonicalization, Ed25519 signature, base64url transport |
| Nonce | single-use nonce behavior, unknown nonce rejection, expiry |
| Timestamp | TTL, skew behavior, future timestamp rejection |
| Trust | anonymous, identified, and sovereign tier behavior |
| Session | session token issuance, validation, expiry, and headers |
| Error | stable JSON error envelope and machine-readable codes |
| Header | Authorization, WWW-Authenticate, session, DID, trust headers |
| Interop | raw Ed25519 agents, SDK-free HTTP, cross-runtime JCS output |
Current alignment
OpenAgent Core v1.1.0 uses:
- canonical `Authorization: OpenAgent <base64url(sig)>.<base64url(pubkey)>`, with `X-OpenAgent-Key-Type` and nonce metadata carried as separate headers,
- challenge JSON containing `type`, `nonce`, `timestamp`, `origin`, and optional `realm`,
- day-one trust tiers: anonymous, identified, sovereign,
- HTTP as the normative launch binding.
Some older fixtures describe alternative key-value authorization syntax or five trust tiers. Those are compatibility or future-facing tests, not the launch-required path.
Implementation checklist
An implementation should be able to:
- issue and validate fresh challenges,
- JCS-canonicalize challenge JSON,
- verify Ed25519 signatures,
- derive the DID from the public key,
- consume nonces on success and failure,
- issue bounded session tokens,
- reject revoked or expired DIDs,
- return stable error codes,
- pass JSON vectors in Rust and TypeScript runners.
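The following Go program is an added illustration of the launch path described under "Current alignment" and of most of the checklist items above (challenge issuance, JCS canonicalization, Ed25519 verification, nonce consumption on success and failure, timestamp TTL and future-timestamp rejection, stable error codes). It is not OpenAgent Core's own code or its reference runner. Everything not stated on this page is an assumption of the example: the `type` value `openagent.challenge`, a Unix-seconds `timestamp`, the 60 s TTL and 5 s skew, the error code strings, and the fact that the nonce arrives as a separate parameter rather than a named header. DID derivation, trust tiers and session tokens are left out.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Challenge carries the fields listed on this page. Fields are declared in
// alphabetical order so encoding/json emits keys in JCS (RFC 8785) order.
// The Unix-seconds timestamp and the "type" value are assumptions of this example.
type Challenge struct {
	Nonce     string `json:"nonce"`
	Origin    string `json:"origin"`
	Realm     string `json:"realm,omitempty"`
	Timestamp int64  `json:"timestamp"`
	Type      string `json:"type"`
}

// Canonical produces the JCS form of a flat object of strings and integers:
// sorted keys, no whitespace, no HTML escaping of <, > and &.
func Canonical(c Challenge) []byte {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false)
	_ = enc.Encode(c) // cannot fail for these field types
	return bytes.TrimRight(buf.Bytes(), "\n")
}

// ErrorEnvelope is the stable JSON error shape; the Code strings below are illustrative.
type ErrorEnvelope struct {
	Error string `json:"error"`
	Code  string `json:"code"`
}

func fail(code string) *ErrorEnvelope { return &ErrorEnvelope{Error: "unauthorized", Code: code} }

// Server keeps outstanding single-use nonces and the timestamp policy.
type Server struct {
	Origin    string
	TTL, Skew time.Duration
	nonces    map[string]Challenge
	offset    time.Duration // test hook: shifts the server clock
}

func NewServer(origin string) *Server {
	return &Server{Origin: origin, TTL: 60 * time.Second, Skew: 5 * time.Second, nonces: map[string]Challenge{}}
}

func (s *Server) now() time.Time { return time.Now().Add(s.offset) }

// AdvanceSeconds moves the server clock forward, or back when n is negative.
func (s *Server) AdvanceSeconds(n int64) { s.offset += time.Duration(n) * time.Second }

// Issue builds a fresh challenge with a 256-bit random nonce encoded as unpadded base64url.
func (s *Server) Issue() (Challenge, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return Challenge{}, err
	}
	c := Challenge{Type: "openagent.challenge", Nonce: base64.RawURLEncoding.EncodeToString(raw),
		Timestamp: s.now().Unix(), Origin: s.Origin, Realm: "api"}
	s.nonces[c.Nonce] = c
	return c, nil
}

// Authorize is the agent side: sign the canonical challenge and build the header value
// "OpenAgent <base64url(sig)>.<base64url(pubkey)>" exactly as this page states it.
func Authorize(priv ed25519.PrivateKey, c Challenge) string {
	sig := ed25519.Sign(priv, Canonical(c))
	pub := priv.Public().(ed25519.PublicKey)
	return "OpenAgent " + base64.RawURLEncoding.EncodeToString(sig) + "." + base64.RawURLEncoding.EncodeToString(pub)
}

// Verify checks one request. The nonce is passed separately because the page says nonce
// metadata travels in its own header; it is consumed whether or not verification succeeds,
// so a replayed or tampered request can never get a second attempt against the same challenge.
func (s *Server) Verify(authorization, nonce string) (ed25519.PublicKey, *ErrorEnvelope) {
	c, ok := s.nonces[nonce]
	if !ok {
		return nil, fail("nonce_unknown")
	}
	delete(s.nonces, nonce) // single use, on success and on failure
	issued, now := time.Unix(c.Timestamp, 0), s.now()
	if issued.After(now.Add(s.Skew)) {
		return nil, fail("timestamp_future")
	}
	if now.Sub(issued) > s.TTL {
		return nil, fail("challenge_expired")
	}
	scheme, cred, ok := strings.Cut(authorization, " ")
	if !ok || scheme != "OpenAgent" {
		return nil, fail("scheme_invalid")
	}
	sigB64, pubB64, ok := strings.Cut(cred, ".")
	if !ok {
		return nil, fail("credential_malformed")
	}
	sig, err1 := base64.RawURLEncoding.DecodeString(sigB64)
	pub, err2 := base64.RawURLEncoding.DecodeString(pubB64)
	if err1 != nil || err2 != nil || len(sig) != ed25519.SignatureSize || len(pub) != ed25519.PublicKeySize {
		return nil, fail("credential_malformed")
	}
	// The server signs-checks its own stored copy of the challenge, never a client-supplied one.
	if !ed25519.Verify(ed25519.PublicKey(pub), Canonical(c), sig) {
		return nil, fail("signature_invalid")
	}
	return ed25519.PublicKey(pub), nil
}

// NewAgentKey generates a fresh Ed25519 key pair for an agent.
func NewAgentKey() (ed25519.PrivateKey, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	return priv, err
}

func main() {
	srv := NewServer("https://api.example.test")
	priv, _ := NewAgentKey()
	ch, _ := srv.Issue()
	fmt.Println(string(Canonical(ch)))
	hdr := Authorize(priv, ch)
	if _, e := srv.Verify(hdr, ch.Nonce); e != nil {
		fmt.Printf("rejected: %+v\n", *e)
	} else {
		fmt.Println("accepted")
	}
	_, e := srv.Verify(hdr, ch.Nonce) // same header again: nonce already consumed
	fmt.Println("replay:", e.Code)
}
```

Note the two design choices that matter most for the "Nonce" and "Sign" rows of the table: the server verifies the signature over its own stored challenge rather than over anything the client echoes back, and the nonce is deleted before any of the timestamp or signature checks run, so every failure path burns it.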