I want to stop these emails

On Fri, Dec 26, 2025, 3:59 PM <[email protected]> wrote:
> Send OAuth mailing list submissions to
>         [email protected]
>
> To subscribe or unsubscribe via email, send a message with subject or
> body 'help' to
>         [email protected]
>
> You can reach the person managing the list at
>         [email protected]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of OAuth digest..."
>
> Today's Topics:
>
>    1. Re: [New I-D] draft-hemanth-oauth-ai-scopes-00 - OAuth 2.0 Extension
>       for AI Model Access
>       (Warren Parad)
>    2. Re: [New I-D] draft-hemanth-oauth-ai-scopes-00 - OAuth 2.0 Extension
>       for AI Model Access
>       (Hemanth H.M)
>    3. Re: [New I-D] draft-hemanth-oauth-ai-scopes-00 - OAuth 2.0 Extension
>       for AI Model Access
>       (Hemanth H.M)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 26 Dec 2025 06:55:31 +0000
> From: Warren Parad <[email protected]>
> Subject: [OAUTH-WG] Re: [New I-D] draft-hemanth-oauth-ai-scopes-00 -
>         OAuth 2.0 Extension for AI Model Access
> To: "Hemanth H.M" <[email protected]>
> Cc: oauth <[email protected]>
>
> Authorization to specific models doesn't need to live inside the oauth2
> generated JWT. OAuth is not the appropriate place for that.
>
> On Thu, Dec 25, 2025, 21:36 Hemanth H.M <[email protected]> wrote:
>
> > Hey Warren,
> >
> > Good question. Current OAuth doesn't have a standard way to scope access
> > *to specific models* or attach usage limits (spend/rate) directly to the
> > token metadata without heavy custom extensions, right? This ID tries to
> > standardize that delegation layer.
> >
> > Justin, We can leverage RAR type for this?
> >
> > --
> > Thank you,
> > Hemanth.HM <http://www.h3manth.com>
> >
> > On Thu, Dec 25, 2025 at 1:31 PM Justin Richer <[email protected]> wrote:
> >
> >> It is an extremely terrible idea to create a structure for scopes. I've
> >> done this several times in different ecosystems and it always starts out ok
> >> but falls apart quickly. Do not repeat this mistake.
> >>
> >> If you need structure for access, define a RAR type, that's what it's
> >> there for.
> >>
> >> - Justin
> >> ------------------------------
> >> *From:* Hemanth H.M <[email protected]>
> >> *Sent:* Wednesday, December 24, 2025 4:41 PM
> >> *To:* [email protected] <[email protected]>
> >> *Subject:* [OAUTH-WG] [New I-D] draft-hemanth-oauth-ai-scopes-00 - OAuth
> >> 2.0 Extension for AI Model Access
> >>
> >> Hi OAuth WG,
> >>
> >> I've submitted a new Internet-Draft for your consideration:
> >>
> >> draft-hemanth-oauth-ai-scopes-00 - OAuth 2.0 Extension for AI Model Access
> >>
> >> Problem: AI model APIs (OpenAI, Anthropic, Google, etc.) require API key
> >> delegation, but current practices involve sharing master keys directly with
> >> third-party applications—no scoping, no revocation, no usage limits.
> >>
> >> Proposal: Extend OAuth 2.0 with:
> >>
> >> 1. Standard scope syntax: ai:<provider>:<model>:<capability>
> >> 2. Token metadata for spend/rate limits
> >> 3. Token introspection extensions for usage tracking
> >> 4. Security considerations (DPoP/mTLS for high-security deployments)
> >>
> >> GitHub: https://github.com/hemanth/oauth-ai-scopes
> >>
> >> I'd welcome feedback on the scope syntax, alignment with existing OAuth
> >> extensions (RFC 8707, RFC 9449), and whether this is something the WG would
> >> consider adopting.
> >>
> >> P.S: I also started https://okap.dev as a separate protocol, in case...
> >>
> >> --
> >> Thank you,
> >> Hemanth.HM <http://www.h3manth.com>
> >>
> >> _______________________________________________
> > OAuth mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
>
> ------------------------------
>
> Message: 2
> Date: Fri, 26 Dec 2025 02:28:21 -0800
> From: "Hemanth H.M" <[email protected]>
> Subject: [OAUTH-WG] Re: [New I-D] draft-hemanth-oauth-ai-scopes-00 -
>         OAuth 2.0 Extension for AI Model Access
> To: Warren Parad <[email protected]>
> Cc: oauth <[email protected]>
>
> Maybe off topic, but https://okap.dev sounds ok?
>
> --
> Thank you,
> Hemanth.HM <http://www.h3manth.com>
>
> On Thu, Dec 25, 2025 at 10:55 PM Warren Parad <[email protected]> wrote:
>
> > Authorization to specific models doesn't need to live inside the
> > oauth2 generated JWT. OAuth is not the appropriate place for that.
> >
> > On Thu, Dec 25, 2025, 21:36 Hemanth H.M <[email protected]> wrote:
> >
> >> Hey Warren,
> >>
> >> Good question. Current OAuth doesn't have a standard way to scope access
> >> *to specific models* or attach usage limits (spend/rate) directly to the
> >> token metadata without heavy custom extensions, right? This ID tries to
> >> standardize that delegation layer.
> >>
> >> Justin, We can leverage RAR type for this?
> >>
> >> --
> >> Thank you,
> >> Hemanth.HM <http://www.h3manth.com>
> >>
> >> On Thu, Dec 25, 2025 at 1:31 PM Justin Richer <[email protected]> wrote:
> >>
> >>> It is an extremely terrible idea to create a structure for scopes.
> >>> I've done this several times in different ecosystems and it always starts out ok
> >>> but falls apart quickly. Do not repeat this mistake.
> >>>
> >>> If you need structure for access, define a RAR type, that's what it's
> >>> there for.
> >>>
> >>> - Justin
> >>> ------------------------------
> >>> *From:* Hemanth H.M <[email protected]>
> >>> *Sent:* Wednesday, December 24, 2025 4:41 PM
> >>> *To:* [email protected] <[email protected]>
> >>> *Subject:* [OAUTH-WG] [New I-D] draft-hemanth-oauth-ai-scopes-00 -
> >>> OAuth 2.0 Extension for AI Model Access
> >>>
> >>> Hi OAuth WG,
> >>>
> >>> I've submitted a new Internet-Draft for your consideration:
> >>>
> >>> draft-hemanth-oauth-ai-scopes-00 - OAuth 2.0 Extension for AI Model
> >>> Access
> >>>
> >>> Problem: AI model APIs (OpenAI, Anthropic, Google, etc.) require API key
> >>> delegation, but current practices involve sharing master keys directly with
> >>> third-party applications—no scoping, no revocation, no usage limits.
> >>>
> >>> Proposal: Extend OAuth 2.0 with:
> >>>
> >>> 1. Standard scope syntax: ai:<provider>:<model>:<capability>
> >>> 2. Token metadata for spend/rate limits
> >>> 3. Token introspection extensions for usage tracking
> >>> 4. Security considerations (DPoP/mTLS for high-security deployments)
> >>>
> >>> GitHub: https://github.com/hemanth/oauth-ai-scopes
> >>>
> >>> I'd welcome feedback on the scope syntax, alignment with existing OAuth
> >>> extensions (RFC 8707, RFC 9449), and whether this is something the WG would
> >>> consider adopting.
> >>>
> >>> P.S: I also started https://okap.dev as a separate protocol, in case...
> >>>
> >>> --
> >>> Thank you,
> >>> Hemanth.HM <http://www.h3manth.com>
> >>>
> >>> _______________________________________________
> >> OAuth mailing list -- [email protected]
> >> To unsubscribe send an email to [email protected]
>
> ------------------------------
>
> Message: 3
> Date: Fri, 26 Dec 2025 02:28:26 -0800
> From: "Hemanth H.M" <[email protected]>
> Subject: [OAUTH-WG] Re: [New I-D] draft-hemanth-oauth-ai-scopes-00 -
>         OAuth 2.0 Extension for AI Model Access
> To: Warren Parad <[email protected]>
> Cc: oauth <[email protected]>
>
> 👍
>
> Hemanth reacted via Gmail
> <https://www.google.com/gmail/about/?utm_source=gmail-in-product&utm_medium=et&utm_campaign=emojireactionemail#app>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> OAuth mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
>
> ------------------------------
>
> End of OAuth Digest, Vol 206, Issue 62
> **************************************
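Added example, not from the draft, the thread, or any participant: the access that the quoted proposal writes as `ai:<provider>:<model>:<capability>`, carried instead as a RAR (RFC 9396) `authorization_details` object and checked by a resource server against a token introspection response. The type name `ai_model_access`, the `provider`, `model` and `max_spend_usd` fields, and every sample value are assumptions made for this sketch.

```python
import json

# Hypothetical RAR type and field names (provider, model, max_spend_usd) chosen
# for this example; of the names used, only "type" and "actions" come from RFC 9396.
AI_RAR_TYPE = "ai_model_access"


def scope_to_detail(scope, max_spend_usd=None):
    """Parse one ai:<provider>:<model>:<capability> scope into a RAR object."""
    parts = scope.split(":")
    if len(parts) != 4 or parts[0] != "ai" or not all(parts):
        raise ValueError(f"not a 4-part ai scope: {scope!r}")
    _, provider, model, capability = parts
    detail = {"type": AI_RAR_TYPE, "provider": provider,
              "model": model, "actions": [capability]}
    if max_spend_usd is not None:
        detail["max_spend_usd"] = max_spend_usd
    return detail


def authorization_details_param(details):
    """Serialize the array sent as the authorization_details request parameter."""
    return json.dumps(details, separators=(",", ":"), sort_keys=True)


def is_permitted(introspection, provider, model, action):
    """Resource-server check on an introspection response; deny by default."""
    if introspection.get("active") is not True:
        return False
    for d in introspection.get("authorization_details", []):
        if not isinstance(d, dict) or d.get("type") != AI_RAR_TYPE:
            continue  # entries of other types never grant model access
        if (d.get("provider") == provider and d.get("model") == model
                and action in d.get("actions", [])):
            return True
    return False


# Constructed sample values, not taken from the draft or the thread.
DETAIL = scope_to_detail("ai:example-provider:model-a:chat", max_spend_usd=25)
# A model identifier that itself contains ':' cannot be written in the
# delimiter-based scope string, but is an ordinary JSON string value here.
COLON_MODEL = {"type": AI_RAR_TYPE, "provider": "example-provider",
               "model": "tuned:model-a:team1", "actions": ["chat"]}
INTROSPECTION = {"active": True, "authorization_details": [DETAIL, COLON_MODEL]}
```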
