
v0.4.0 Release Notes

Release Date: May 24, 2026

Highlights

This release focuses on token parsing, verification, and IETF compliance across all three protocols:

  • AIMS: Token parsing and cryptographic verification with WITVerifier and WPTVerifier
  • AAuth: JWT typ header validation and context-aware verification methods
  • ID-JAG: IETF-compliant token types and IdP authorization server

Breaking Changes

This release includes breaking API changes in the AAuth package:

Context Parameter Required

The following methods now require a context.Context parameter for proper cancellation and timeout handling:

// Before (v0.3.0)
agentToken, err := rs.VerifyAgentToken(tokenString)
authToken, err := rs.VerifyAuthToken(tokenString)

// After (v0.4.0)
agentToken, err := rs.VerifyAgentToken(ctx, tokenString)
authToken, err := rs.VerifyAuthToken(ctx, tokenString)

Migration: Add context.Context as the first parameter to all VerifyAgentToken and VerifyAuthToken calls. Use context.Background() if no specific context is needed.

New Features

AIMS Token Parsing and Verification

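Parse tokens for inspection without cryptographic verification. The claims returned this way are unauthenticated, so use the verifiers below before making any authorization decision: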

import "github.com/aistandardsio/agent-protocols/aims"

// Parse WIT for inspection
wit, err := aims.ParseWIT(tokenString)
fmt.Println("Subject:", wit.Subject)
fmt.Println("Audience:", wit.Audience)

// Parse WPT for inspection
wpt, err := aims.ParseWPT(proofString)
fmt.Println("Method:", wpt.HTM, "URI:", wpt.HTU)

Verify tokens with cryptographic signature validation:

// Verify WIT with public key
witVerifier := aims.NewWITVerifier(publicKey).
    WithExpectedIssuer("https://example.com").
    WithExpectedAudience("https://api.example.com")
wit, err := witVerifier.Verify(tokenString)

// Verify WPT matches HTTP request
wptVerifier := aims.NewWPTVerifier(publicKey)
wpt, err := wptVerifier.VerifyRequest(proofString, httpRequest)

AAuth Token Type Validation

Token parsers now validate the JWT typ header to prevent token confusion attacks:

// ParseAgentToken rejects tokens with wrong typ header
// Accepts: missing typ, "JWT", or "aa-agent+jwt"
agentToken, err := aauth.ParseAgentToken(tokenString)

// ParseAuthToken validates for "aa-auth+jwt"
authToken, err := aauth.ParseAuthToken(tokenString)

// ParseResourceToken validates for "aa-resource+jwt"
resourceToken, err := aauth.ParseResourceToken(tokenString)
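
The typ check described above, sketched with the standard library only. This is an added example, not the aauth package's implementation: checkTyp and makeToken are hypothetical names, the sample tokens are constructed and unsigned, and the accepted set mirrors the one listed for ParseAgentToken.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// checkTyp decodes the JOSE header of a compact JWT and applies the rule
// listed for ParseAgentToken: accept a missing typ, "JWT", or the expected
// type. Exact string matching is an assumption of this sketch.
func checkTyp(token, expected string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("not a compact JWS: want 3 segments")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return fmt.Errorf("decode header: %w", err)
	}
	var hdr struct {
		Typ *string `json:"typ"` // pointer distinguishes absent from empty
	}
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return fmt.Errorf("parse header: %w", err) // also hits non-string typ
	}
	if hdr.Typ == nil || *hdr.Typ == "JWT" || *hdr.Typ == expected {
		return nil
	}
	return fmt.Errorf("unexpected typ %q, want %q", *hdr.Typ, expected)
}

// makeToken builds a constructed, unsigned sample token from a header JSON.
func makeToken(header string) string {
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(header)) + "." + enc([]byte(`{"sub":"agent-1"}`)) + ".c2ln"
}

func main() {
	headers := []string{`{"alg":"ES256"}`, `{"alg":"ES256","typ":"aa-agent+jwt"}`, `{"alg":"ES256","typ":"aa-auth+jwt"}`}
	for _, h := range headers {
		fmt.Printf("%-40s -> %v\n", h, checkTyp(makeToken(h), "aa-agent+jwt"))
	}
}
```

The last header is the token confusion case: an auth token presented where an agent token is expected is rejected before any claims are read.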

ID-JAG IETF Compliance

New IETF-compliant token type constants and IdP authorization server:

import "github.com/aistandardsio/agent-protocols/idjag"

// Use IETF-compliant token type
assertion := idjag.NewAssertion(issuer, subject, audience, ttl,
    idjag.WithClientID("agent-client"),
    idjag.WithJTI(idjag.GenerateJTI()),
)

// IdP authorization server for token exchange
idp := idjag.NewIdPAuthServer(issuer, privateKey, keyID)

Integration Testing

New script for running all protocol examples:

# Run all examples
./scripts/integration-test.sh

# Quick mode (core protocols only)
./scripts/integration-test.sh --quick

Bug Fixes

SharkAuth DPoP Verification

Fixed parseJWKPublicKey to properly handle RSA, ECDSA, and Ed25519 keys in DPoP proof verification. Previously, it returned "not implemented" errors.

AAuth Memory Safety

Added a request body size limit (1 MB) to AuthServer to prevent memory exhaustion from large payloads.

Documentation

  • AIMS: Added documentation for ParseWIT, ParseWPT, WITVerifier, WPTVerifier
  • AAuth: Updated documentation for context-aware verification methods
  • README: Added Development section with test, lint, and integration commands
  • ROADMAP: Added project roadmap documenting release history and future plans

Tests

  • AIMS: Comprehensive tests for parsing and verification
  • AAuth: Tests for typ header validation and backward compatibility
  • SharkAuth: Tests for DPoP proof verification with EC and RSA keys

Installation

go get github.com/aistandardsio/agent-protocols@v0.4.0

What's Next

Phase 6 (v0.5.0) will focus on production demos:

  • Docker Compose infrastructure with Zitadel
  • Observability with Jaeger and Prometheus
  • Kubernetes integration with SPIRE
  • End-to-end scenario testing

Changelog

See the full changelog for all changes.