The Trust Chain
What ATH Protects Against
| Threat | How ATH prevents it |
|---|---|
| Agent accesses service without service’s permission | Phase A — registration + approval required |
| Agent acts without user consent | Phase B — user must approve in browser |
| Agent gets more scopes than approved | Scope intersection (3-way minimum) |
| Stolen ATH token used by different agent | Token bound to agent_id |
| Stolen ATH token used for different provider | Token bound to provider_id |
| Replayed attestation JWT | jti uniqueness check |
| Stale attestation JWT | iat must be within 5 minutes |
| Token lives forever | expires_in (default 1 hour) |
| Agent sees upstream OAuth token | Gateway holds it server-side; agent only gets opaque ATH token |
What You Must Do Right
Required (protocol breaks without these)
- HTTPS in production — ATH requires TLS 1.2+
- PKCE on all OAuth URLs — the SDK does this automatically
- Validate attestation — enable signature verification in production
- Check `jti` for replays — use the built-in `InMemoryJtiCache` or Redis
- Token expiration — enforce `expires_in`
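
The `jti` and `iat` checks listed above, sketched as an added example (this is not the ATH SDK's code). `ReplayCache` and `checkAttestationClaims` are hypothetical names, and the claims are assumed to come from an attestation JWT whose signature has already been verified.

```javascript
// Added example: claim checks for an already signature-verified attestation JWT.
// ReplayCache and checkAttestationClaims are hypothetical names, not SDK APIs.
const FRESHNESS_WINDOW_S = 5 * 60; // "iat must be within 5 minutes"

class ReplayCache {
  constructor() {
    this.seen = new Map(); // jti -> unix time after which the entry can be dropped
  }

  // Returns true if the jti is new (and records it), false if it was seen before.
  remember(jti, expiresAt, now) {
    for (const [id, exp] of this.seen) {
      if (exp < now) this.seen.delete(id); // entry can no longer pass the freshness check
    }
    if (this.seen.has(jti)) return false;
    this.seen.set(jti, expiresAt);
    return true;
  }
}

function checkAttestationClaims(claims, cache, now = Math.floor(Date.now() / 1000)) {
  const { iat, jti } = claims;
  if (!Number.isInteger(iat) || typeof jti !== "string" || jti.length === 0) {
    return { ok: false, reason: "missing_claim" };
  }
  // Assumption: "within 5 minutes" is applied in both directions, so a
  // future-dated iat is rejected as well as an old one.
  if (Math.abs(now - iat) > FRESHNESS_WINDOW_S) {
    return { ok: false, reason: "stale_iat" };
  }
  // Freshness runs first so stale tokens never occupy cache space. A jti needs
  // to be remembered only until iat + window; after that the token is stale anyway.
  if (!cache.remember(jti, iat + FRESHNESS_WINDOW_S, now)) {
    return { ok: false, reason: "replayed_jti" };
  }
  return { ok: true };
}

// Constructed sample claims (not taken from a real agent).
const cache = new ReplayCache();
const t0 = 1700000000;
const claims = { iat: t0, jti: "sample-jti-001" };
console.log(checkAttestationClaims(claims, cache, t0 + 10));  // first use
console.log(checkAttestationClaims(claims, cache, t0 + 20));  // same jti again
console.log(checkAttestationClaims(claims, cache, t0 + 301)); // past the window
```

An in-memory map like this protects a single process only; with several gateway instances the seen-`jti` set has to live in a shared store, which is why the list above names Redis.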
Recommended (significantly improves security)
- Persistent key storage — don’t use ephemeral keys in production
- Audit logging — log all registrations, authorizations, and proxy calls
- Rate limiting — prevent brute-force on registration and token endpoints
- Scope-to-route mapping — don’t let `products:read` access order endpoints
- Encrypt stored provider tokens — they’re sensitive OAuth credentials
The skipAttestationVerification Flag
You’ll see this in the demo:
- Any string passed as `agent_attestation` is accepted
- The server doesn’t fetch the agent’s public key
- The server doesn’t verify the JWT signature