
Client Instance Assertion — User Delegation (authorization_code)

A user authorizes an AI agent via OAuth authorization code. When the agent redeems the code, it presents its Client Instance Assertion as the actor_token. The resulting access token carries user delegation: sub=user, act.sub=agent instance. This is the 'delegation' case.

IETF Draft
Participants: User / Browser, Agent Instance, Instance Issuer, Authorization Server, Resource Server

Sequence:
1. GET /authorize (User Consent) → 200
2. 302 Redirect + Auth Code
3. Request Instance Assertion
4. Instance Assertion JWT
5. POST /token (authz_code)
6. 200 OK + Access Token
7. GET /api/repos (Delegated)
8. 200 OK + Resource

GET https://as.example.com/authorize?response_type=code&client_id=https%3A%2F%2Fopenai.example.com%2Fcodex&scope=openid+repo.write&redirect_uri=https%3A%2F%2Fagent.example.com%2Fcallback&state=xyz&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM&code_challenge_method=S256
Response: 200

The user visits the authorization endpoint (redirected from the agent's frontend). The AS authenticates the user, displays a consent screen, and the user grants the agent access to their repositories. PKCE code_challenge is included for security.

This is a standard OAuth 2.1 authorization_code flow. The instance assertion is NOT involved at this stage.

PKCE (code_challenge) protects against authorization code interception attacks.

The client_id here is the logical OAuth client (the agent service), not any specific instance.

§8.4: The instance assertion presented at step 5 MUST go to the same AS that issued this authorization code.


Step 1: GET /authorize (User Consent)

Request / response
GET https://as.example.com/authorize?response_type=code&client_id=https%3A%2F%2Fopenai.example.com%2Fcodex&scope=openid+repo.write&redirect_uri=https%3A%2F%2Fagent.example.com%2Fcallback&state=xyz&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM&code_challenge_method=S256

Host: as.example.com

Cookie: session=user_session_token
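The code_challenge in the step 1 request above is the S256 test vector from RFC 7636 Appendix B, so the PKCE half of this step can be worked through end to end. The following is an added example (not code from the explorer or from the draft): the agent derives the challenge and builds the step 1 URL, and the AS later checks the code_verifier presented with the authorization code at the token endpoint. Function names and the AS base URL are assumptions; the verifier value is the RFC 7636 Appendix B vector.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# RFC 7636 Appendix B test vector; its S256 challenge is the code_challenge shown in step 1.
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
PAGE_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """Agent side: 32 random bytes -> 43 unreserved chars (RFC 7636 section 4.1 minimum)."""
    return b64url(secrets.token_bytes(32))


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(as_base: str, client_id: str, redirect_uri: str,
                        scope: str, state: str, verifier: str) -> str:
    """Agent side: the step 1 authorize URL. Only the challenge leaves the agent;
    the verifier stays with the instance until step 5 (hypothetical helper)."""
    params = {
        "response_type": "code",
        "client_id": client_id,            # logical OAuth client, not the instance
        "scope": scope,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{as_base}/authorize?{urlencode(params)}"


def as_verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """AS side at POST /token (step 5): the verifier must reproduce the challenge the AS
    stored with the authorization code. A mismatch means the code is being redeemed by a
    party other than the one that started the flow, so the AS rejects it (hypothetical)."""
    if stored_method != "S256":                      # refuse 'plain' and unknown methods
        return False
    if not 43 <= len(presented_verifier) <= 128:     # RFC 7636 section 4.1 length bounds
        return False
    return hmac.compare_digest(s256_challenge(presented_verifier), stored_challenge)
```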