2026-05-15 / 8 min / Agents + Authorization + Protocol Design
Mandate Protocol and agent-to-agent authorization
A draft protocol for giving autonomous agents narrow, auditable authority without leaking private user intent.
Mandate started from a gap I kept seeing in agent demos: the agent can act, the service can authenticate a client, but the system still has to answer whether this specific action is covered by a current user-approved delegation. Agent identity is not enough. The important object is the mandate: a signed, scoped statement of what the agent is allowed to do, for whom, against which service, and under what constraints.
The draft treats agent commerce as a chain of evidence rather than a conversational state. A service should be able to verify the agent credential, the user mandate, the sender-bound token, the service audience, the nonce, and local policy before accepting a privileged request. The calling agent should also verify signed service metadata before sending sensitive instructions. That bilateral check matters because a fake counterparty is just as dangerous as a fake caller.
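The service-side half of that check, sketched as an added example that is not code from the Mandate draft. HMAC-SHA256 with constructed keys stands in for real asymmetric signatures, and every field name, identifier and failure label is an assumption made for illustration.

```python
import hashlib, hmac, json

# Assumptions: HMAC-SHA256 with constructed demo keys stands in for real
# asymmetric signatures; every field name and identifier here is hypothetical.
USER_KEY = b"constructed-user-key"
AGENT_KEYS = {"agent-1": b"constructed-agent-key"}  # stand-in credential registry
SERVICE_ID = "https://flights.example"

def sign(key, obj):
    body = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def issue_mandate(body):
    """User side: sign the scoped delegation."""
    return {"body": body, "sig": sign(USER_KEY, body)}

def make_request(agent, key, mandate, action, nonce):
    """Agent side: prove key possession over this action, nonce and audience."""
    proof = sign(key, {"action": action, "nonce": nonce, "aud": mandate["body"]["aud"]})
    return {"agent": agent, "mandate": mandate, "action": action,
            "nonce": nonce, "proof": proof}

def verify_request(req, seen_nonces, now):
    """Service side: return 'ok' or the name of the first failed check."""
    try:
        m, act = req["mandate"]["body"], req["action"]
        if not hmac.compare_digest(sign(USER_KEY, m), req["mandate"]["sig"]):
            return "mandate signature"
        if m["aud"] != SERVICE_ID:
            return "audience"
        if now >= m["exp"]:
            return "mandate expired"
        key = AGENT_KEYS.get(req["agent"])
        if key is None or req["agent"] != m["agent"]:
            return "agent credential"
        bound = {"action": act, "nonce": req["nonce"], "aud": SERVICE_ID}
        if not hmac.compare_digest(sign(key, bound), req["proof"]):
            return "sender binding"
        if req["nonce"] in seen_nonces:
            return "nonce replay"
        if act["scope"] not in m["scopes"] or not 0 <= act["amount"] <= m["max_amount"]:
            return "outside mandate"
    except (KeyError, TypeError):
        return "malformed"
    seen_nonces.add(req["nonce"])  # consume the nonce only after every check passes
    return "ok"

# Constructed sample: the user lets agent-1 hold a flight costing up to 500.
MANDATE = issue_mandate({"agent": "agent-1", "aud": SERVICE_ID,
                         "scopes": ["flight.hold"], "max_amount": 500, "exp": 2000})
```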
The design deliberately composes existing rails instead of trying to invent a full new network. OAuth-style scoped tokens, proof-of-possession binding, verifiable credentials, signed metadata, A2A and MCP-style service surfaces, and optional public hash anchoring can work together if the binding rules are explicit. The protocol draft is mostly about making those boundaries machine-checkable.
The privacy line is the part I care about most. Public infrastructure can be useful for registries, revocation, reputation, or receipt-hash anchoring, but private mandates and receipts should stay off-chain. A user asking an agent to hold a flight, negotiate a quote, or prepare a payment should not accidentally publish intent details just to get auditability.
The Manim animation is meant to make that flow visible: principal, agent, service, mandate, receipt, and optional anchor. The long-term question is whether this can become a practical profile that agent builders can adopt without forcing every service into one identity stack, one payment rail, or one blockchain assumption.
takeaways.
- Agent commerce needs verifiable delegation, not just authenticated clients.
- The calling agent and the service both need to verify each other before sensitive instructions move.
- Public anchors should carry hashes and status, not private mandates or receipts.
related project.
Mandate Protocol - Agent-to-agent authorization protocol draft for delegated AI commerce. Defines signed mandates, bound tokens, service metadata, receipts, and optional public hash anchoring so agents can prove what they are allowed to do.