§45 · Lane 8 — Agent Infrastructure Standards & Toolchain
IETF RFC 9635 — GNAP scoped, revocable grants for delegated agents
Richer, Imbault (2024) · RFC 9635
Bibliographic data
- Title: IETF RFC 9635 — Grant Negotiation and Authorization Protocol (GNAP) (October 2024)
- Authors / Issuing body: Justin Richer, Fabien Imbault
- Venue / Publisher: Internet Engineering Task Force (IETF) / RFC Editor
- Year: 2024
- Designation: Specification
- Licence: DOI — refer to publisher for full licence terms.
- Canonical link: https://doi.org/10.17487/RFC9635
How to cite
Richer, Imbault (2024). IETF RFC 9635 — Grant Negotiation and Authorization Protocol (GNAP) (October 2024). Internet Engineering Task Force (IETF) / RFC Editor. https://doi.org/10.17487/RFC9635.
IETF protocol defining a mechanism for delegating authorisation to a piece of software and conveying the resulting grant artefacts, covering API access and subject information. Published October 2024, Proposed Standard status, 187 pages.
Why it matters for NETEVO
GNAP is the IETF answer to the question OAuth 2.0 did not fully solve: how does a piece of software — an agent, a service, a delegated client — negotiate, obtain and exercise authorisation that is scoped to a specific task, time-bounded and revocable? RFC 9635 specifies the protocol-level mechanics, and its direct architectural surface is agent identity and scoping.
From wire protocol to operational record. Any governance regime for delegated agents must keep an auditable register of what each agent has been granted: identity, scope, expiry, revocation handle and audit trail. GNAP specifies how a wire protocol exchanges the grant artefacts that carry exactly that information. The two layers are complementary: an operational register names what must be tracked about every delegated grant, and RFC 9635 gives that record a published IETF specification at the protocol level rather than leaving it to bespoke convention.
Standards status matters. RFC 9635 is a Proposed Standard — a stable, citable specification with a DOI — distinct from the two Internet-Drafts in the adjacent agent-authorisation space, which are mutable individual submissions.
Where NETEVO applies this
- Agent Infrastructure Whitepaper — load-bearing — Dimension 1 (identity and scoping)