Skip to content

v0.3.0 Release Notes

Release Date: June 2026

v0.3.0 introduces the Unified SDK with multi-protocol support, bringing together AAuth and ID-JAG authentication under a single, policy-driven interface.

Highlights

  • Unified Client SDK - Single interface for multi-protocol agent authentication
  • Unified Verifier - Multi-protocol token verification with automatic protocol detection
  • Agent Provider - Server-side agent registration, key management, and token issuance
  • SQLite Store Extensions - Full AgentProviderStorer implementation

New Features

Unified Client (client/unified.go)

The UnifiedClient provides a single interface for agent authentication that automatically routes to the appropriate protocol (AAuth or ID-JAG) based on configurable policies:

import "github.com/plexusone/agentauth/client"

c, _ := client.NewUnified(
    client.WithAgentID("aauth:my-agent@example.com"),
    client.WithPrivateKey(privateKey, "key-1"),
    client.WithPolicy(client.PolicyConfig{
        Default:     client.ProtocolIDJAG,
        AAuthScopes: []string{"write:*", "delete:*", "admin:*"},
    }),
)

// Automatic protocol selection based on scopes
result, _ := c.Authorize(ctx, &client.AuthRequest{
    Scopes: []string{"read:email"},  // Uses ID-JAG
})

result, _ := c.Authorize(ctx, &client.AuthRequest{
    Scopes: []string{"write:profile"}, // Uses AAuth
})

Key features:

  • Policy-based protocol routing with wildcard scope patterns
  • Built-in token caching with automatic expiration handling
  • HTTP client with automatic authorization header injection
  • Support for both AAuth (human consent) and ID-JAG (automated) flows

Unified Verifier (verifier/)

The new verifier package provides multi-protocol token verification with automatic protocol detection:

import "github.com/plexusone/agentauth/verifier"

v, _ := verifier.New(
    verifier.WithTrustedIssuers("https://auth.example.com"),
    verifier.WithProtocols(verifier.ProtocolAAuth, verifier.ProtocolIDJAG),
    verifier.WithJWKSCache(time.Hour),
)

claims, err := v.Verify(ctx, tokenString)
// claims.Protocol: "aauth" or "idjag"
// claims.TokenType: "aa-agent+jwt", "aa-auth+jwt", "id-jag", etc.

Key features:

  • Automatic protocol and token type detection from JWT headers and claims
  • JWKS caching with configurable TTL
  • Support for AAuth (aa-agent+jwt, aa-auth+jwt) and ID-JAG tokens
  • HTTP middleware for protected resources
  • Scope-based access control middleware

Agent Provider (server/agentprovider/)

The Agent Provider implements the AAuth server role for agent lifecycle management:

import "github.com/plexusone/agentauth/server/agentprovider"

provider, _ := agentprovider.New(
    store,
    "https://auth.example.com",
    signingKey, "key-1",
)

mux := http.NewServeMux()
provider.RegisterHandlers(mux)

Endpoints:

  • GET /.well-known/aauth-agent-provider - Discovery metadata
  • GET /.well-known/jwks.json - Public signing keys
  • POST /agents - Register new agent
  • GET /agents/{id} - Get agent info
  • DELETE /agents/{id} - Revoke agent
  • POST /agents/{id}/keys - Add key to agent
  • DELETE /agents/{id}/keys/{kid} - Revoke key
  • POST /token - Issue agent token

Store Extensions

New AgentProviderStorer interface with SQLite implementation:

type AgentProviderStorer interface {
    Storer
    RegisterAgent(ctx context.Context, agent *RegisteredAgent) error
    GetRegisteredAgent(ctx context.Context, id string) (*RegisteredAgent, error)
    ListRegisteredAgents(ctx context.Context, ownerID string) ([]*RegisteredAgent, error)
    RevokeRegisteredAgent(ctx context.Context, id string) error
    CreateAgentKey(ctx context.Context, key *AgentKey) error
    GetAgentKey(ctx context.Context, agentID, keyID string) (*AgentKey, error)
    ListAgentKeys(ctx context.Context, agentID string) ([]*AgentKey, error)
    RevokeAgentKey(ctx context.Context, agentID, keyID string) error
    CreateIssuedAgentToken(ctx context.Context, token *IssuedAgentToken) error
    GetIssuedAgentToken(ctx context.Context, jti string) (*IssuedAgentToken, error)
    RevokeIssuedAgentToken(ctx context.Context, jti string) error
}

New types:

  • RegisteredAgent - Agent registration with lifecycle status
  • AgentKey - Agent public keys with rotation support
  • IssuedAgentToken - Issued token tracking for revocation

Breaking Changes

None. v0.3.0 is backward compatible with v0.2.x.

Migration Guide

Using the Unified Client

If you're using the legacy client.Client, you can continue to use it. The UnifiedClient is a new addition:

// Legacy (still works)
c := client.New("https://authz.example.com")
token, _ := c.ExchangeIDJAG(ctx, assertion, "read:email")

// New unified client
c, _ := client.NewUnified(
    client.WithAgentID("aauth:my-agent@example.com"),
    client.WithPrivateKey(key, "key-1"),
    client.WithTokenEndpoint("https://authz.example.com/token"),
)
result, _ := c.Authorize(ctx, &client.AuthRequest{Scopes: []string{"read:email"}})

Using the Unified Verifier

The new verifier package complements the existing TokenVerifier:

// New verifier package
import "github.com/plexusone/agentauth/verifier"

v, _ := verifier.New(verifier.WithTrustedIssuers("https://auth.example.com"))
claims, _ := v.Verify(ctx, token)

Dependencies

Updated:

  • github.com/golang-jwt/jwt/v5 - JWT parsing and signing
  • github.com/aistandardsio/agent-protocols - Protocol implementations

What's Next (v0.4.0)

The v0.4.0 release will focus on enterprise server architecture:

  • Person Server and Access Server separation
  • SCIM Agent Resource integration
  • Cedar policy engine with AuthZEN API
  • Comprehensive audit logging

See ROADMAP.md and PLAN.md for details.