AAuth Explorer

Pre-rewrite scenario. This walkthrough was written against an earlier draft of draft-hardt-aauth-bootstrap. As of -01 the document is informational AP-side enrollment guidance; the PS /bootstrap endpoint, bootstrap_token, and aa-bootstrap+jwthave been removed. PS-binding now happens lazily on the agent's first interaction with the PS. See the bootstrap overview for current framing.

bootstrap

Self-Hosted Bootstrap

Agent and agent provider co-located under a user-controlled domain. Self-issues agent tokens; PS binding is optional. No platform attestation required — the user controls the entire stack and can establish trust through other means (mTLS, domain ownership, etc.).

§ Bootstrap / Self-Hosted
UserAgent + Agent ProviderPerson Server1Deploy agent provider2002Generate signing key3Publish JWKS metadata4Initiate PS binding (option…5Verify domain ownership6Record binding7Notify agent provider of bi…8Self-issue agent token9Bootstrap complete
DEPLOY https://agent.user-domain.example200

User deploys their own agent provider under a domain they control.

The agent and agent provider are co-located (same machine/container).

User configures the server with signing keys and metadata.

No platform attestation needed — the user controls the infrastructure.

1 / 9
speed

Step 1: Deploy agent provider

Request / response
DEPLOYhttps://agent.user-domain.example

No headers