v0.3.0 Release Notes¶
Release Date: June 2026
v0.3.0 introduces the Unified SDK with multi-protocol support, bringing together AAuth and ID-JAG authentication under a single, policy-driven interface.
Highlights¶
- Unified Client SDK - Single interface for multi-protocol agent authentication
- Unified Verifier - Multi-protocol token verification with automatic protocol detection
- Agent Provider - Server-side agent registration, key management, and token issuance
- SQLite Store Extensions - Full AgentProviderStorer implementation
New Features¶
Unified Client (client/unified.go)¶
The UnifiedClient provides a single interface for agent authentication that automatically routes to the appropriate protocol (AAuth or ID-JAG) based on configurable policies:
import "github.com/plexusone/agentauth/client"
c, _ := client.NewUnified(
client.WithAgentID("aauth:my-agent@example.com"),
client.WithPrivateKey(privateKey, "key-1"),
client.WithPolicy(client.PolicyConfig{
Default: client.ProtocolIDJAG,
AAuthScopes: []string{"write:*", "delete:*", "admin:*"},
}),
)
// Automatic protocol selection based on scopes
result, _ := c.Authorize(ctx, &client.AuthRequest{
Scopes: []string{"read:email"}, // Uses ID-JAG
})
result, _ := c.Authorize(ctx, &client.AuthRequest{
Scopes: []string{"write:profile"}, // Uses AAuth
})
Key features:
- Policy-based protocol routing with wildcard scope patterns
- Built-in token caching with automatic expiration handling
- HTTP client with automatic authorization header injection
- Support for both AAuth (human consent) and ID-JAG (automated) flows
Unified Verifier (verifier/)¶
The new verifier package provides multi-protocol token verification with automatic protocol detection:
import "github.com/plexusone/agentauth/verifier"
v, _ := verifier.New(
verifier.WithTrustedIssuers("https://auth.example.com"),
verifier.WithProtocols(verifier.ProtocolAAuth, verifier.ProtocolIDJAG),
verifier.WithJWKSCache(time.Hour),
)
claims, err := v.Verify(ctx, tokenString)
// claims.Protocol: "aauth" or "idjag"
// claims.TokenType: "aa-agent+jwt", "aa-auth+jwt", "id-jag", etc.
Key features:
- Automatic protocol and token type detection from JWT headers and claims
- JWKS caching with configurable TTL
- Support for AAuth (
aa-agent+jwt,aa-auth+jwt) and ID-JAG tokens - HTTP middleware for protected resources
- Scope-based access control middleware
Agent Provider (server/agentprovider/)¶
The Agent Provider implements the AAuth server role for agent lifecycle management:
import "github.com/plexusone/agentauth/server/agentprovider"
provider, _ := agentprovider.New(
store,
"https://auth.example.com",
signingKey, "key-1",
)
mux := http.NewServeMux()
provider.RegisterHandlers(mux)
Endpoints:
GET /.well-known/aauth-agent-provider- Discovery metadataGET /.well-known/jwks.json- Public signing keysPOST /agents- Register new agentGET /agents/{id}- Get agent infoDELETE /agents/{id}- Revoke agentPOST /agents/{id}/keys- Add key to agentDELETE /agents/{id}/keys/{kid}- Revoke keyPOST /token- Issue agent token
Store Extensions¶
New AgentProviderStorer interface with SQLite implementation:
type AgentProviderStorer interface {
Storer
RegisterAgent(ctx context.Context, agent *RegisteredAgent) error
GetRegisteredAgent(ctx context.Context, id string) (*RegisteredAgent, error)
ListRegisteredAgents(ctx context.Context, ownerID string) ([]*RegisteredAgent, error)
RevokeRegisteredAgent(ctx context.Context, id string) error
CreateAgentKey(ctx context.Context, key *AgentKey) error
GetAgentKey(ctx context.Context, agentID, keyID string) (*AgentKey, error)
ListAgentKeys(ctx context.Context, agentID string) ([]*AgentKey, error)
RevokeAgentKey(ctx context.Context, agentID, keyID string) error
CreateIssuedAgentToken(ctx context.Context, token *IssuedAgentToken) error
GetIssuedAgentToken(ctx context.Context, jti string) (*IssuedAgentToken, error)
RevokeIssuedAgentToken(ctx context.Context, jti string) error
}
New types:
RegisteredAgent- Agent registration with lifecycle statusAgentKey- Agent public keys with rotation supportIssuedAgentToken- Issued token tracking for revocation
Breaking Changes¶
None. v0.3.0 is backward compatible with v0.2.x.
Migration Guide¶
Using the Unified Client¶
If you're using the legacy client.Client, you can continue to use it. The UnifiedClient is a new addition:
// Legacy (still works)
c := client.New("https://authz.example.com")
token, _ := c.ExchangeIDJAG(ctx, assertion, "read:email")
// New unified client
c, _ := client.NewUnified(
client.WithAgentID("aauth:my-agent@example.com"),
client.WithPrivateKey(key, "key-1"),
client.WithTokenEndpoint("https://authz.example.com/token"),
)
result, _ := c.Authorize(ctx, &client.AuthRequest{Scopes: []string{"read:email"}})
Using the Unified Verifier¶
The new verifier package complements the existing TokenVerifier:
// New verifier package
import "github.com/plexusone/agentauth/verifier"
v, _ := verifier.New(verifier.WithTrustedIssuers("https://auth.example.com"))
claims, _ := v.Verify(ctx, token)
Dependencies¶
Updated:
github.com/golang-jwt/jwt/v5- JWT parsing and signinggithub.com/aistandardsio/agent-protocols- Protocol implementations
What's Next (v0.4.0)¶
The v0.4.0 release will focus on enterprise server architecture:
- Person Server and Access Server separation
- SCIM Agent Resource integration
- Cedar policy engine with AuthZEN API
- Comprehensive audit logging
See ROADMAP.md and PLAN.md for details.