v0.4.0 Release Notes
Release Date: May 24, 2026
Highlights
This release focuses on token parsing, verification, and IETF compliance across all three protocols:
- AIMS: Token parsing and cryptographic verification with WITVerifier and WPTVerifier
- AAuth: JWT typ header validation and context-aware verification methods
- ID-JAG: IETF-compliant token types and IdP authorization server
Breaking Changes
This release includes breaking API changes in the AAuth package:
Context Parameter Required
The following methods now require a context.Context parameter for proper cancellation and timeout handling:
```go
// Before (v0.3.0)
agentToken, err := rs.VerifyAgentToken(tokenString)
authToken, err := rs.VerifyAuthToken(tokenString)

// After (v0.4.0)
agentToken, err := rs.VerifyAgentToken(ctx, tokenString)
authToken, err := rs.VerifyAuthToken(ctx, tokenString)
```
Migration: Add context.Context as the first parameter to all VerifyAgentToken and VerifyAuthToken calls. Use context.Background() if no specific context is needed.
New Features
AIMS Token Parsing and Verification
Parse tokens for inspection without cryptographic verification:
```go
import "github.com/aistandardsio/agent-protocols/aims"

// Parse WIT for inspection
wit, err := aims.ParseWIT(tokenString)
fmt.Println("Subject:", wit.Subject)
fmt.Println("Audience:", wit.Audience)

// Parse WPT for inspection
wpt, err := aims.ParseWPT(proofString)
fmt.Println("Method:", wpt.HTM, "URI:", wpt.HTU)
```
Verify tokens with cryptographic signature validation:
```go
// Verify WIT with public key
witVerifier := aims.NewWITVerifier(publicKey).
	WithExpectedIssuer("https://example.com").
	WithExpectedAudience("https://api.example.com")
wit, err := witVerifier.Verify(tokenString)

// Verify WPT matches HTTP request
// (separate variable name so both snippets compile in one scope)
wptVerifier := aims.NewWPTVerifier(publicKey)
wpt, err := wptVerifier.VerifyRequest(proofString, httpRequest)
```
AAuth Token Type Validation
Token parsers now validate the JWT typ header to prevent token confusion attacks:
```go
// ParseAgentToken rejects tokens with wrong typ header
// Accepts: missing typ, "JWT", or "aa-agent+jwt"
agentToken, err := aauth.ParseAgentToken(tokenString)

// ParseAuthToken validates for "aa-auth+jwt"
authToken, err := aauth.ParseAuthToken(tokenString)

// ParseResourceToken validates for "aa-resource+jwt"
resourceToken, err := aauth.ParseResourceToken(tokenString)
```
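The typ rule described above, as an added stand-alone example that is not the aauth package's code: it decodes only the JOSE header and shows why an auth token presented where an agent token is expected gets rejected before any claims are read. `checkTyp` and `fakeToken` are hypothetical names, the sample tokens are constructed and unsigned, and exact string comparison of typ is an assumption of this example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// checkTyp is a hypothetical helper, not part of the aauth package. It applies
// the acceptance rule from the release notes: typ may be missing, "JWT", or
// the token-specific value passed as want (for example "aa-agent+jwt").
func checkTyp(token, want string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("not a compact JWS")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return fmt.Errorf("header encoding: %w", err)
	}
	var hdr struct {
		Typ *string `json:"typ"` // pointer distinguishes "missing" from ""
	}
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return fmt.Errorf("header JSON: %w", err) // e.g. typ is not a string
	}
	if hdr.Typ == nil || *hdr.Typ == "JWT" || *hdr.Typ == want {
		return nil
	}
	return fmt.Errorf("typ %q not accepted where %q is expected", *hdr.Typ, want)
}

// fakeToken builds a constructed, unsigned sample token with the given header.
func fakeToken(headerJSON string) string {
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(headerJSON)) + "." + enc([]byte(`{"sub":"agent-1"}`)) + ".c2ln"
}

func main() {
	for _, h := range []string{
		`{"alg":"ES256","typ":"aa-agent+jwt"}`, // accepted
		`{"alg":"ES256"}`,                      // accepted (missing typ)
		`{"alg":"ES256","typ":"aa-auth+jwt"}`,  // rejected: wrong token class
	} {
		fmt.Printf("%-40s -> %v\n", h, checkTyp(fakeToken(h), "aa-agent+jwt"))
	}
}
```

A typ check of this kind only separates token classes; signature and claim verification still have to follow it.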
ID-JAG IETF Compliance
New IETF-compliant token type constants and IdP authorization server:
```go
import "github.com/aistandardsio/agent-protocols/idjag"

// Use IETF-compliant token type
assertion := idjag.NewAssertion(issuer, subject, audience, ttl,
	idjag.WithClientID("agent-client"),
	idjag.WithJTI(idjag.GenerateJTI()),
)

// IdP authorization server for token exchange
idp := idjag.NewIdPAuthServer(issuer, privateKey, keyID)
```
Integration Testing
New script for running all protocol examples:
```bash
# Run all examples
./scripts/integration-test.sh

# Quick mode (core protocols only)
./scripts/integration-test.sh --quick
```
Bug Fixes
SharkAuth DPoP Verification
Fixed parseJWKPublicKey to properly handle RSA, ECDSA, and Ed25519 keys in DPoP proof verification. Previously returned "not implemented" errors.
AAuth Memory Safety
Added request body size limit (1MB) to AuthServer to prevent memory exhaustion from large payloads.
Documentation
- AIMS: Added documentation for ParseWIT, ParseWPT, WITVerifier, WPTVerifier
- AAuth: Updated documentation for context-aware verification methods
- README: Added Development section with test, lint, and integration commands
- ROADMAP: Added project roadmap documenting release history and future plans
Tests
- AIMS: Comprehensive tests for parsing and verification
- AAuth: Tests for typ header validation and backward compatibility
- SharkAuth: Tests for DPoP proof verification with EC and RSA keys
Installation
What's Next
Phase 6 (v0.5.0) will focus on production demos:
- Docker Compose infrastructure with Zitadel
- Observability with Jaeger and Prometheus
- Kubernetes integration with SPIRE
- End-to-end scenario testing
Changelog
See the full changelog for all changes.