Summary
Tier 3 of the v3-identity / round-2 SDK roadmap. Net-new on both Python and JS: per-request "is this agent authorized for this brand?" check via brand.json/agents[] array with eTLD+1 binding.
Blocked on adcp#3690 closing — design provisional until spec lands.
Design
Full design lives in the RFC — see docs/proposals/v3-identity-bundle-design.md.
Naming finalized per #346: BrandAuthorizationResolver (not AdagentsResolver).
Surface
BrandAuthorizationResolver Protocol with is_authorized(agent_url, brand_domain, agent_type?) method- eTLD+1 helper using
tldextract (host eTLD+1 must match brand_url eTLD+1)
authorized_operators[] delegation logic — host appears in this array for SaaS-as-operator multi-tenancyidentity.key_origins.{purpose} consistency check on the verifier- Diff #3690's seven new
request_signature_* error codes against existing 17
- Shares
_BrandJsonFetcher with Tier 1's BrandJsonJwksResolver (factor out during implementation)
Cross-references
🤖 Generated with Claude Code
Summary
Tier 3 of the v3-identity / round-2 SDK roadmap. Net-new on both Python and JS: per-request "is this agent authorized for this brand?" check via
brand.json/agents[]array with eTLD+1 binding.Blocked on adcp#3690 closing — design provisional until spec lands.
Design
Full design lives in the RFC — see docs/proposals/v3-identity-bundle-design.md.
Naming finalized per #346:
BrandAuthorizationResolver(notAdagentsResolver).Surface
BrandAuthorizationResolverProtocol withis_authorized(agent_url, brand_domain, agent_type?)methodtldextract(host eTLD+1 must matchbrand_urleTLD+1)authorized_operators[]delegation logic — host appears in this array for SaaS-as-operator multi-tenancyidentity.key_origins.{purpose}consistency check on the verifierrequest_signature_*error codes against existing 17_BrandJsonFetcherwith Tier 1'sBrandJsonJwksResolver(factor out during implementation)Cross-references
🤖 Generated with Claude Code