TACO Security

Authentication & Delegation Flow

How a GC orchestrator discovers, authenticates to, and delegates tasks to agents across companies in a construction project.

GC Orchestrator
Discovers agents, delegates tasks, narrows tokens per hop
Auth Server
Issues tokens, validates credentials, handles token exchange
Target Agent(s)
Validates tokens, enforces scope, executes tasks
Step 0: Agent Registration (Registry)
Agents publish their Agent Cards to the TACO Registry. Each card declares securitySchemes (what auth the agent requires) and x-construction.security (trust tier, offered scopes, delegation support). The registry verifies the agent's domain ownership and assigns a trust tier.
Published fields
securitySchemes — auth type + token URL + scopes
security — which schemes are required
x-construction.security.trustTier — 0/1/2
Trust tiers
Tier 0: Unverified (self-published)
Tier 1: Org verified (domain ownership)
Tier 2: Cert attested (SOC2/ISO27001 confirmed)
Step 1: Agent Card Discovery (A2A)
Request: GET /.well-known/agent.json
The GC orchestrator fetches the target agent's card. From it, the orchestrator learns which auth scheme to use, the token endpoint URL, and the scopes the agent offers and requires. If x-construction.security.projectScoped is true, the orchestrator must request a token that also carries a scope for the specific project (taco:project:<id>:write) rather than a bare task scope.
// Key fields the orchestrator reads:
{
  "securitySchemes": {
    "tacoOAuth": {
      "flows": {
        "clientCredentials": {
          "tokenUrl": "https://auth.buildright.io/oauth/token",
          "scopes": {
            "taco:trade:mechanical": "Access mechanical workflows",
            "taco:task:estimate": "Submit estimate tasks"
          }
        }
      }
    }
  },
  "x-construction": {
    "security": {
      "trustTier": 1,
      "projectScoped": true,
      "delegationSupported": false
    }
  }
}
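How an orchestrator could turn the card above into a concrete token request, as an added example (not the project's own code). The card is constructed from the fields shown in this step; the `security` requirement list and the `"type": "oauth2"` field are assumed to follow the OpenAPI security-scheme shape, and the minimum-trust-tier rule is an assumed orchestrator policy rather than anything the registry mandates.

```python
# Added example: the GC orchestrator turns a fetched Agent Card into a token request.
# Not the project's code. The card is constructed from the fields shown in step 1; the
# "security" requirement list and "type": "oauth2" follow the OpenAPI shape (assumed).
AGENT_CARD = {
    "securitySchemes": {
        "tacoOAuth": {
            "type": "oauth2",
            "flows": {
                "clientCredentials": {
                    "tokenUrl": "https://auth.buildright.io/oauth/token",
                    "scopes": {
                        "taco:trade:mechanical": "Access mechanical workflows",
                        "taco:task:estimate": "Submit estimate tasks",
                    },
                }
            },
        }
    },
    "security": [{"tacoOAuth": ["taco:task:estimate"]}],
    "x-construction": {
        "security": {"trustTier": 1, "projectScoped": True, "delegationSupported": False}
    },
}


def plan_token_request(card, task_scope, project=None, min_trust_tier=1):
    """Return (token_url, scope_string) for the client_credentials request, or raise.

    min_trust_tier is an assumed orchestrator policy: refuse to send work to agents
    whose registry tier is below it (tier 0 cards are self-published and unverified).
    """
    sec = card.get("x-construction", {}).get("security", {})
    tier = sec.get("trustTier", 0)
    if tier < min_trust_tier:
        raise PermissionError(f"agent trust tier {tier} is below policy minimum {min_trust_tier}")

    # "security" lists alternative requirements; each maps a scheme name to the scopes
    # the agent insists on. Use the first alternative backed by an OAuth 2.0
    # client_credentials flow, since that is the flow the orchestrator can drive.
    for requirement in card.get("security", []):
        for scheme_name, insisted_scopes in requirement.items():
            scheme = card.get("securitySchemes", {}).get(scheme_name)
            if not scheme or scheme.get("type") != "oauth2":
                continue
            flow = scheme.get("flows", {}).get("clientCredentials")
            if not flow:
                continue
            needed = set(insisted_scopes) | {task_scope}
            missing = needed - set(flow.get("scopes", {}))
            if missing:
                # Requesting a scope the card never declares usually means the wrong target agent
                raise ValueError(f"agent card does not offer scope(s): {sorted(missing)}")
            scopes = sorted(needed)
            if sec.get("projectScoped"):
                if not project:
                    raise ValueError("agent requires project-scoped tokens; no project id supplied")
                scopes.append(f"taco:project:{project}:write")  # project scope form from step 2
            return flow["tokenUrl"], " ".join(scopes)
    raise ValueError("no supported security scheme found in agent card")
```

The check that every requested scope appears in the card's declared scope list is what stops the orchestrator from asking the auth server for authority the target agent would never enforce; refusing to proceed without a project id when projectScoped is set is what keeps the later token from being minted as a blanket task token.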
Step 2: Token Acquisition (OAuth 2.0)
Request: POST /oauth/token (client_credentials)
The orchestrator authenticates to the auth server using client_credentials and requests scopes matching the target agent's requirements. The auth server returns a JWT scoped to this specific task and project.
Request
grant_type = client_credentials
scope = taco:task:estimate taco:project:PRJ-0042:write
Response (JWT)
sub = orchestrator-gc-01
aud = api.buildright.io
scope = taco:task:estimate taco:project:PRJ-0042:write
exp = +3600s
Project-scoped. The token is not a blanket API key — it is locked to project PRJ-0042 and only the estimate task type. The orchestrator's broad authority does not leak to the target agent.
Step 3: Task Execution, Estimating Agent (A2A + TACO)
Request: POST / (JSON-RPC + Authorization: Bearer)
The orchestrator sends a message/send JSON-RPC call with the Bearer token in the HTTP Authorization header. Before processing, the estimating agent validates the token: signature and issuer, that aud names this agent, that exp has not passed, and that the scope covers both the requested task type and the project the task belongs to.
Result: Agent processes the BOM, returns estimate-v1. The token is neither stored beyond the request nor forwarded to any downstream agent.
Step 4: Token Exchange, Sub-Delegation (RFC 8693)
Request: POST /oauth/token (grant_type=token-exchange)
The estimating agent needs to call a supplier quote agent. Instead of forwarding its own token (prohibited), it exchanges it at the auth server for a narrower token scoped to only taco:task:material-procurement.
POST /oauth/token
grant_type=urn:ietf:params:oauth:grant-type:token-exchange
subject_token=<estimating agent's JWT>
subject_token_type=urn:ietf:params:oauth:token-type:access_token
scope=taco:task:material-procurement taco:project:PRJ-0042:write
audience=https://api.supplier.io/a2a
Input token (broad)
scope = taco:task:estimate taco:project:PRJ-0042:write
aud = api.buildright.io
Output token (narrow)
scope = taco:task:material-procurement taco:project:PRJ-0042:write
aud = api.supplier.io
exp = +300s
Step 5: Task Execution, Supplier Quote Agent (A2A + TACO)
Request: POST / (JSON-RPC + Bearer narrow token)
The supplier agent receives the narrow token. It validates it the same way (signature, issuer, expiry) and then checks that scope includes taco:task:material-procurement and that aud matches its own identifier. The token cannot be used to call any other agent: it is audience-locked and scope-narrowed.
Result: Supplier processes the BOM, returns quote-v1. Each agent in the chain only held authority for its own task, on this specific project.
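Steps 2 through 5, written out end to end as an added example that is not the project's code: the auth server mints the project-scoped JWT, the estimating agent validates it, exchanges it for the supplier-bound token, and the supplier validates that, followed by the misuse cases each check exists to refuse (the broad token forwarded to the supplier, the narrow token replayed at buildright, an exchange that tries to switch projects, and a body edited after signing). HS256 with an embedded shared secret stands in for the auth server's real signing key so the block runs offline; `EXCHANGE_POLICY` is an assumed rule for which task scopes an exchange may derive from the subject token's task scope (the page shows the estimate-to-procurement case but does not say how the auth server decides it); the actor name `estimating-agent` and the `act` claim usage are assumptions, while the subject, audience, scope and lifetime values come from the steps above.

```python
import base64
import hashlib
import hmac
import json
import time

# Added example, not the project's code. HS256 with a shared secret stands in for the auth
# server's real key so this runs offline; in production the auth server signs with an
# asymmetric key and agents verify against its published JWKS.
AUTH_SERVER_KEY = b"constructed-demo-secret"
ISSUER = "https://auth.buildright.io"

# Assumed delegation policy (not from the spec): which task scope an exchange may derive
# from a task scope the subject token already carries. Project scopes are never added.
EXCHANGE_POLICY = {"taco:task:estimate": {"taco:task:material-procurement"}}


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims):
    """Auth server: issue an HS256-signed JWT carrying the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(AUTH_SERVER_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify(token, expected_aud, required_scopes, now=None):
    """Target agent: check signature, issuer, audience, expiry and scope; raise on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never let the header choose it
    expected = hmac.new(AUTH_SERVER_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != expected_aud:
        raise ValueError(f"audience {claims.get('aud')!r} is not this agent")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    granted = set(claims.get("scope", "").split())
    if not set(required_scopes) <= granted:
        raise ValueError(f"missing scope(s): {sorted(set(required_scopes) - granted)}")
    return claims


def token_exchange(subject_token, requested_scope, audience, actor, now):
    """Auth server side of RFC 8693: validate the subject token, apply policy, issue a narrower one."""
    subj = verify(subject_token, "api.buildright.io", set(), now)  # presenter is the estimating agent
    have, want = set(subj["scope"].split()), set(requested_scope.split())
    task_want = {s for s in want if s.startswith("taco:task:")}
    proj_want = {s for s in want if s.startswith("taco:project:")}
    allowed_tasks = set().union(*(EXCHANGE_POLICY.get(s, set()) for s in have))
    if not task_want <= allowed_tasks:
        raise PermissionError(f"policy forbids deriving {sorted(task_want - allowed_tasks)}")
    if not proj_want <= {s for s in have if s.startswith("taco:project:")}:
        raise PermissionError("exchange may not widen project scope")  # PRJ-0042 stays PRJ-0042
    return mint({
        "iss": ISSUER, "sub": subj["sub"], "aud": audience,
        "scope": " ".join(sorted(want)),
        "act": {"sub": actor},  # RFC 8693 actor claim: records who performs this delegated hop
        "iat": now, "exp": min(subj["exp"], now + 300),  # short-lived, never outlives the subject
    })


def _tamper(token, **changed):
    """Attacker helper for the demo: rewrite claims in the body but keep the old signature."""
    header, body, sig = token.split(".")
    claims = json.loads(_b64url_decode(body))
    claims.update(changed)
    return f"{header}.{_b64url(json.dumps(claims, separators=(',', ':')).encode())}.{sig}"


def run_flow(now=1_700_000_000):
    """Steps 2 to 5 end to end, plus the misuse cases each check exists to stop."""
    broad = mint({"iss": ISSUER, "sub": "orchestrator-gc-01", "aud": "api.buildright.io",
                  "scope": "taco:task:estimate taco:project:PRJ-0042:write",
                  "iat": now, "exp": now + 3600})
    verify(broad, "api.buildright.io", {"taco:task:estimate", "taco:project:PRJ-0042:write"}, now)
    narrow = token_exchange(broad, "taco:task:material-procurement taco:project:PRJ-0042:write",
                            "api.supplier.io", "estimating-agent", now)
    claims = verify(narrow, "api.supplier.io", {"taco:task:material-procurement"}, now)
    results = {"narrow_lifetime": claims["exp"] - now, "actor": claims["act"]["sub"]}
    misuse = {
        "broad_token_forwarded_to_supplier": lambda: verify(broad, "api.supplier.io", set(), now),
        "narrow_token_replayed_at_buildright": lambda: verify(narrow, "api.buildright.io", set(), now),
        "exchange_widens_project": lambda: token_exchange(
            broad, "taco:task:material-procurement taco:project:PRJ-0099:write",
            "api.supplier.io", "estimating-agent", now),
        "tampered_scope": lambda: verify(
            _tamper(narrow, scope="taco:task:estimate taco:task:material-procurement"),
            "api.supplier.io", set(), now),
    }
    for label, attempt in misuse.items():
        try:
            attempt()
            results[label] = "accepted"
        except (ValueError, PermissionError) as err:
            results[label] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    for label, outcome in run_flow().items():
        print(f"{label}: {outcome}")
```

Two design points worth noticing. The exchanged token's expiry is the minimum of five minutes and the subject token's own expiry, so a delegated token can never outlive the authority it was derived from. And the project check compares scope strings as sets rather than trusting the requested scope, which is what keeps a compromised estimating agent from turning a PRJ-0042 token into a PRJ-0099 one at the exchange step.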
TACO Scope Taxonomy
Machine-readable scopes mapped to trades, CSI divisions, task types, and projects
Registry Trust Tiers
Three-level verification model: unverified, org-verified, cert-attested
Token Delegation
Narrowing tokens at each hop via RFC 8693 — no token passthrough
Reference: Full specification in spec/security.md. Agent Card extension fields in spec/agent-card-extensions.md.