ATH is designed for incremental adoption. Services and agent platforms can adopt at three levels, with the trusted handshake preserved at every level.

Level 1: Gateway Mode (Zero Service Changes)

Agent → ATH Gateway → OAuth Bridge → Service Provider
AspectDetail
App-side authorizationATH Gateway checks agent against its registry
User-side authorizationStandard OAuth via the gateway’s OAuth bridge
Service provider effortNone
Best forImmediate deployment, proof of concept
The OAuth bridge is an implementation choice. Implementations MAY use any OAuth 2.0 client library or multi-provider integration platform.

Level 2: Agent-Aware OAuth (Minimal Service Changes)

Services extend their existing OAuth client registration to include ATH agent metadata: 
{
  "client_name": "TravelBot",
  "grant_types": ["authorization_code"],
  "ath_agent_id": "https://travel-agent.example.com/.well-known/agent.json",
  "ath_agent_type": "autonomous",
  "ath_capabilities_requested": ["mail:read"]
}
AspectDetail
App-side authorizationService reviews agents via existing developer console + agent metadata
User-side authorizationStandard OAuth with agent context shown on consent page
Service provider effortAdd ath_* fields to client registration, update consent page
Best forPopular services that want tighter control over agent access

Level 3: Native ATH (Full Implementation)

Services implement ATH endpoints directly:
  • .well-known/ath-app.json discovery
  • Agent registration with capability-level approval
  • Scope intersection enforcement
  • Agent-aware consent pages showing trusted handshake status
Consent Page:
┌─────────────────────────────────────────┐
│  TravelBot wants to access your Mail    │
│                                         │
│  ✅ Read emails                         │
│     (approved by service for this agent)│
│                                         │
│  ⚠️  Send emails                        │
│     (not approved for this agent)       │
│                                         │
│  [Allow Selected]    [Deny All]         │
└─────────────────────────────────────────┘
AspectDetail
App-side authorizationFull per-agent, per-capability approval with scope intersection
User-side authorizationEnhanced consent page showing which capabilities the service has approved
Service provider effortFull ATH implementation
Best forLong-term goal for major platforms

Choosing Your Level

Level 1

Start here. Deploy a gateway, protect existing services immediately.

Level 2

Upgrade when you want service-side visibility into agent registrations.

Level 3

Full native support for maximum security and user transparency.