Design specification — Draft, June 2026
Companion to the SADAR Trust Models. This addendum addresses how authentication credentials are selected and carried when SAI invokes a component (agent, tool, or resource), and how that relates to the authority on which an action is permitted. It states the current default behavior and records the intended direction for finer-grained, per-step selection.
When SAI invokes a component, an authentication credential must be presented at that component's endpoint. This addendum specifies:
This addendum does not define organizational authorization policy, role design, or access-control lists. Those are the deploying organization's responsibility and are out of scope (§4).
At invocation, SADAR's default behavior is to present the application (platform) credentials, while the originator's verified identity and the originator's scope of authority (SoA) are carried within the SCT.
Concretely:
originating_user) and the functional scope of authority (the RFC 9396 / RAR authority claim) are carried inside the SCT, propagated faithfully across the chain.This model is chosen because it is the most broadly workable default for agentic flows: it does not require every originator (user) to hold a standing credential in every component a flow might reach, and it does not require per-agent provisioning at each target. The originator's identity and authority are still present and attributable at every hop — carried by the substrate rather than by the credential.
Why the application credential is sufficient as a default. The instant a flow invokes its first agent, the flow is no longer a fixed, fully-predetermined sequence — the agent may act in ways not statically enumerable in advance. From that point, the credential's role is to establish standing to attempt actions within the calling context, not to enumerate or gate the specific actions that will occur. The determination of whether a specific action is appropriate is made elsewhere (§3). Presenting the application credential, with the originator and SoA carried in the SCT, gives every downstream component and enforcement layer exactly the information it needs to make that determination, without over-burdening the credential layer with a job it cannot do in an emergent agentic flow.
A foundational premise of SADAR is that authentication and authorization, as traditionally implemented, are not sufficient to govern actions in agentic flows. The appropriateness of an action is frequently contextual — dependent on the specific data, the moment, and the surrounding flow — in ways that static, pre-issued credentials and entitlements cannot express.
SADAR therefore distinguishes two questions that traditional access control tends to conflate:
The credential is authority to attempt; the enforcement layer's contextual decision is authority to perform. SADAR's role is to carry the information both layers need — faithfully and across trust boundaries — not to make the access decision itself.
Important deployment condition. Because the credential layer in this model establishes standing rather than gating each action, the model depends on a runtime enforcement layer being present in the action path. Where no enforcement layer is present, deployments should treat credentials in the traditional manner (as gating authority) and scope standing accordingly. Role-scoped standing (above) provides a bounded fail-safe: absent an enforcement layer, the reachable surface is still bounded by the role the credential carries, not unbounded.
SADAR's sole responsibility is the informational substrate supporting transparency, discovery, and enforcement. It defines neither the organization's authorization scopes nor the enforcement decision. (Registry-based discovery may reasonably be regarded as adjacent to the pure substrate role; this addendum does not take a purist position on that boundary.)
For the current revision of the specification:
originating_user) and the functional scope of authority (RAR authority claim) within the SCT.This default is intentionally simple. It is sufficient for the common case and provides every downstream layer with the originator and authority context required for enforcement.
SADAR is the layer that handles authentication at invocation, so it requires a default behavior and, in time, a means for a flow to request a particular delegation model. This revision specifies only the default (§5). A future revision is intended to add per-step selection of delegation models, in which:
These mechanics — the model vocabulary, the matching and intersection semantics, the per-step prescription field, and the handling of an empty intersection — will be specified in a later revision. They are recorded here as intent so that the current default (§5) is understood as the first model of several, not the only model SADAR will support.
Until that revision, the default model of §5 applies.
Terminology note: "authority to attempt" denotes the standing established by a presented credential; "authority to perform" denotes the contextual determination, made by an enforcement layer, that a specific action is appropriate. SADAR carries the information both rely upon; it makes neither determination itself.