Scenario Example: Gateway Proxy Mode

Scenario Description

An enterprise has multiple legacy systems (without ATH protocol support). Employees use an AI Office Assistant (agent/client) to access these systems. An ATH Gateway is deployed as a unified access layer, and all agent requests are forwarded through the gateway to backend services.

Mode Characteristics: Backend services require no code modifications. The ATH Gateway provides ATH protocol support, enabling zero-intrusion integration.

Participating Roles

Role              Description
User              An enterprise employee, using the AI Office Assistant
Agent             AI Office Assistant, accessing internal enterprise systems on behalf of the employee
ATH Gateway       Unified access layer that proxies all requests and implements ATH protocol logic
Backend Services  Internal enterprise legacy systems (e.g., OA, CRM, financial systems, etc.), without ATH support

Architecture Diagram

┌──────────┐     ┌──────────┐     ┌─────────────┐
│  Agent   │────▶│   ATH    │────▶│   Backend   │
│ (Client) │     │ (Gateway)│     │  (No ATH)   │
└──────────┘     └──────────┘     └─────────────┘

Process Description

Prerequisite: User Pre-Authorization

  1. The user opens the AI Office Assistant and authorizes it to access OA and CRM systems on their behalf
  2. The user signs an authorization credential with scope: oa:read, crm:write, valid for 8 hours
  3. The AI assistant securely stores the user’s authorization credential

Complete 9-Step Handshake Process

Step 1: Agent Initiates Handshake Request

The AI assistant sends a handshake request to the ATH Gateway:
{
  "type": "handshake_request",
  "client_did": "did:ath:ai_office_assistant_001",
  "client_pubkey": "-----BEGIN PUBLIC KEY-----...",
  "versions": ["0.1"],
  "capabilities": ["ES256", "TLS1.3"],
  "nonce": "random_abc123",
  "timestamp": 1717200000
}

Step 2: ATH Gateway Returns Handshake Response

The gateway validates the request format and returns its identity information:
{
  "type": "handshake_response",
  "server_did": "did:ath:enterprise_gateway_001",
  "server_pubkey": "-----BEGIN PUBLIC KEY-----...",
  "version": "0.1",
  "capabilities": ["ES256", "TLS1.3"],
  "nonce": "random_def456",
  "signature": "signature_of_random_abc123",
  "timestamp": 1717200001
}

Step 3: Agent Sends Identity Proof

The AI assistant signs random_def456 with its private key and sends the identity proof:
{
  "type": "identity_proof",
  "signature": "signature_of_random_def456",
  "timestamp": 1717200002
}

Step 4: ATH Gateway Returns Identity Verification Result

The gateway verifies the signature successfully and returns the list of supported scopes:
{
  "type": "identity_result",
  "success": true,
  "metadata": {
    "scopes_supported": ["oa:read", "oa:write", "crm:read", "crm:write", "finance:read"],
    "token_max_ttl": 28800
  },
  "timestamp": 1717200003
}

Step 5: Agent Sends Scope Request

The AI assistant requests OA read and CRM write permissions, attaching the user’s authorization credential:
{
  "type": "scope_request",
  "scopes": ["oa:read", "crm:write"],
  "ttl": 28800,
  "user_authorization": {
    "credential": "jwt_token_signed_by_user",
    "signature": "signature_by_ai_assistant"
  },
  "context": "User needs to query OA approvals and update CRM customer information",
  "timestamp": 1717200004
}

Step 6: ATH Gateway Confirms Authorization with User

The gateway sends an authorization confirmation to the user via enterprise messaging:
[Authorization Confirmation] The AI Office Assistant is requesting access to your enterprise account. Permissions: read OA, write CRM.
Do you approve? [Approve/Deny]

Step 7: User Returns Authorization Confirmation Result

The user replies “Approve”, and the gateway receives the user’s confirmation result.

Step 8: ATH Gateway Returns Scope Approval Result

The gateway approves the request based on its permission policies and returns the scope information:
{
  "type": "scope_result",
  "scopes_granted": ["oa:read", "crm:write"],
  "ttl_granted": 28800,
  "restrictions": {
    "ip_whitelist": ["10.0.0.0/8"],
    "access_time": "9:00-18:00"
  },
  "timestamp": 1717200007
}

Step 9: Handshake Complete, Session Established

Both parties complete key negotiation. The gateway issues an access token, and the AI assistant begins accessing the APIs:
# Query OA approvals (gateway automatically forwards to OA system)
response = ai_assistant.request(
  "GET /oa/api/approval/list",
  headers={"Authorization": "Bearer <access_token>"}
)
# Update CRM customer info (gateway automatically forwards to CRM system)
response = ai_assistant.request(
  "POST /crm/api/customer/123",
  json={"status": "following_up"},
  headers={"Authorization": "Bearer <access_token>"}
)
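
Added example (not part of the ATH specification or of any gateway's code): one way a gateway could derive the Step 8 scope_result from the Step 5 scope_request. It assumes the message and credential signatures have already been verified, that the credential exposes "scopes" and "exp" claims, and that over-requested scopes are dropped rather than failing the whole request; MAX_SKEW is also an assumption.

```python
# Values from the Step 4 identity_result metadata.
SCOPES_SUPPORTED = {"oa:read", "oa:write", "crm:read", "crm:write", "finance:read"}
TOKEN_MAX_TTL = 28800
MAX_SKEW = 60  # assumption: tolerated age of a message timestamp, in seconds

def decide_scope(request, user_claims, now):
    """Build a scope_result from a scope_request.

    user_claims holds the claims of the user's credential after its signature
    has been verified; the field names "scopes" and "exp" are assumptions.
    """
    if request.get("type") != "scope_request":
        raise ValueError("unexpected message type")
    if abs(now - request["timestamp"]) > MAX_SKEW:
        raise ValueError("stale or future timestamp")
    if user_claims["exp"] <= now:
        raise ValueError("user credential expired")
    requested = set(request["scopes"])
    unknown = requested - SCOPES_SUPPORTED
    if unknown:
        raise ValueError("unsupported scopes: %s" % sorted(unknown))
    # The agent never receives more than the user delegated to it.
    granted = requested & set(user_claims["scopes"])
    if not granted:
        raise ValueError("no requested scope is covered by the user credential")
    # The token must not outlive the gateway limit or the user's credential.
    ttl = min(request["ttl"], TOKEN_MAX_TTL, user_claims["exp"] - now)
    return {"type": "scope_result", "scopes_granted": sorted(granted),
            "ttl_granted": ttl, "timestamp": now}

# Constructed inputs: the Step 5 request and a credential signed at
# 1717200000 with the pre-authorized scopes and 8 hours of validity.
REQUEST = {"type": "scope_request", "scopes": ["oa:read", "crm:write"],
           "ttl": 28800, "timestamp": 1717200004}
USER_CLAIMS = {"scopes": ["oa:read", "crm:write"], "exp": 1717200000 + 28800}
```

With these inputs the granted TTL comes out slightly under the requested 28800 seconds, because the token is clamped to the remaining lifetime of the user's credential.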

Gateway Core Functions

  1. Protocol Translation: Converts ATH protocol requests into the protocol formats supported by backend services
  2. Access Control: Centrally manages access permissions for all backend services
  3. Audit Logging: Records all agent access activity, supporting security audits
  4. Traffic Management: Centrally implements rate limiting, circuit breaking, and other traffic governance features
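
Added example (not the gateway's actual implementation): a sketch of the access-control check the gateway would run on each proxied request, since the backends enforce nothing themselves. The route table, the session fields ("expires_at" in particular) and the reason strings are assumptions; the scopes and restrictions are the ones from the Step 8 scope_result.

```python
import ipaddress
import posixpath
from datetime import datetime

# Hypothetical route table: (method, path prefix) -> scope required before forwarding.
ROUTE_SCOPES = [
    ("GET", "/oa/", "oa:read"), ("POST", "/oa/", "oa:write"),
    ("GET", "/crm/", "crm:read"), ("POST", "/crm/", "crm:write"),
    ("GET", "/finance/", "finance:read"),
]

def required_scope(method, path):
    for route_method, prefix, scope in ROUTE_SCOPES:
        if method == route_method and path.startswith(prefix):
            return scope
    return None  # unmapped routes are denied, never forwarded

def in_access_window(window, now):
    # "9:00-18:00" -> start <= now < end, in the gateway's local time
    start, end = (datetime.strptime(t, "%H:%M").time() for t in window.split("-"))
    return start <= now.time() < end

def authorize(session, method, path, client_ip, now):
    """Return (allowed, reason) for one proxied request; the pair is what gets audit-logged."""
    if now >= session["expires_at"]:
        return False, "token_expired"
    # Match on the canonical path only, so the checked path is the forwarded path.
    if path != posixpath.normpath(path):
        return False, "path_not_canonical"
    scope = required_scope(method, path)
    if scope is None:
        return False, "no_route"
    if scope not in session["scopes_granted"]:
        return False, "scope_denied"
    ip = ipaddress.ip_address(client_ip)
    nets = session["restrictions"]["ip_whitelist"]
    if not any(ip in ipaddress.ip_network(n) for n in nets):
        return False, "ip_denied"
    if not in_access_window(session["restrictions"]["access_time"], now):
        return False, "outside_access_time"
    return True, scope

# Constructed session state mirroring the Step 8 scope_result.
SESSION = {
    "scopes_granted": ["oa:read", "crm:write"],
    "restrictions": {"ip_whitelist": ["10.0.0.0/8"], "access_time": "9:00-18:00"},
    "expires_at": datetime(2024, 6, 3, 23, 0),
}
```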

Mode Advantages

  1. Zero Intrusion: Backend services require no code modifications to support the ATH protocol
  2. Unified Management: All access and permission controls are configured centrally at the gateway layer
  3. Rapid Deployment: No need to modify existing systems; full ATH support across all systems can be achieved in a short time
  4. Legacy System Compatible: Very friendly to older systems

Applicable Scenarios

  • Large number of existing legacy systems where refactoring costs are high
  • Need to centrally manage access permissions for all services
  • Scenarios requiring rapid ATH protocol deployment
  • Scenarios requiring unified multi-system integration