Open Protocol
StepAuth is an open protocol that adds review to any sensitive action — whether triggered by a person, a service, or an AI agent. The action is described in plain language, reviewed by humans or AI, and only executes after a cryptographically signed approval.
Traditional authorization answers a simple question: does this principal have the right role? But having a role doesn't mean a specific action is a good idea right now. An MDM admin can wipe any device. An HR admin can disable any account.
And with AI agents, the problem is even sharper. Agents are capable enough to handle real work — refunds, infrastructure changes, account management — but you can't give them broad API access and hope for the best. Restricting them to narrow, safe operations throws away most of their value.
Roles grant capability. They don't verify intent.
When any principal — human, service, or AI agent — triggers a sensitive action, the service provider describes exactly what will happen in plain language and sends it to an external authorizer. The authorizer routes it to the right reviewers — human or AI, via Slack, email, push notification, or a policy engine — and the action only executes after a signed approval.
For AI agents, this changes what's possible. The agent can attempt any action the service exposes. It isn't blocked by lacking a role — it's blocked until a human says yes to this particular thing. The result: capable agents with humans in the loop exactly where it matters.
Before StepAuth, these actions required either giving an agent dangerous permissions or building custom approval workflows from scratch. Now they're just requests.
“Issue a $2,847 refund to john.smith@example.com for order #ORD-55912. The customer reported a defective product and I verified return eligibility.”
“Remotely wipe the MacBook Pro assigned to Jane Doe (serial C02ZX1ABCDEF). All local data will be permanently erased. This is not reversible.”
“Grant marc@acme.com AdministratorAccess to the production AWS account for 2 hours to investigate incident INC-4821.”
“Initiate a $4.2M SWIFT wire transfer from the operating account (ACME-OPS-001) to Matsuda Electronics (MUFG, BOTKJPJT) for invoice #INV-2026-0847. Funds will be irrevocably debited within one SWIFT processing cycle.”
The service provider constructs a human-readable summary of what will happen if the action is approved, along with structured details about who is requesting it and what it affects.
The request is signed with the SP's private key and sent to the authorizer. The authorizer can approve instantly via policy, or route it to designated reviewers.
The authorizer returns a cryptographically signed approval or denial. The SP verifies the signature and only then executes — or blocks — the action.
The summary is the core of the protocol. It must describe the consequence of approval, not just the operation name.
If approved, the corporate laptop assigned to Jane Doe (MacBook Pro 16", serial C02ZX1ABCDEF) will be remotely wiped. All local data will be permanently erased and the device will be returned to factory settings. This action is not reversible.
StepAuth is generic. If your system can describe what will happen, it can use the protocol.
Remote wipe, lock, or reset any managed device — only after a human confirms the target and reason.
Temporary admin access to production accounts, approved in real time with automatic expiry.
Suspend or disable user accounts across your IdP, with review before the action takes effect.
Bulk exports of PII or sensitive business data, approved by the right people before the file is generated.
High-value refunds, payment reversals, and credit adjustments reviewed before execution.
Production deployments, database migrations, and configuration changes with human sign-off.
Every principal has a type — human, service, or agent. The operator field traces who is behind the action: an agent operated by a human, a service triggered by an agent, or any chain in between.
The authorizer can apply agent-specific routing rules — for example, requiring human review for all agent-initiated actions regardless of severity, or auto-approving low-value refunds while escalating high-value ones.
No new concepts needed. No separate "agent mode." The same protocol that handles a human admin wiping a device handles an AI agent issuing a refund.
"principal": {
  "type": "agent",
  "attributes": [
    { "key": "name", "label": "Name", "value": "Acme Support Agent (v3)" },
    { "key": "model", "label": "Model", "value": "claude-opus-4-6" }
  ],
  "operator": {
    "type": "human",
    "attributes": [
      { "key": "name", "label": "Name", "value": "Support Trigger" },
      { "key": "ticket", "label": "Ticket", "value": "TK-90421" }
    ]
  }
}
Both sides hold Ed25519 keypairs. The SP signs requests. The authorizer signs decisions. No bearer tokens, no HMAC secrets, no passwords.
Both sides verify each other via Ed25519 signatures. Every request is signed by the SP. Every decision is signed by the authorizer.
Every request has a unique ID and an expiry. The SP never accepts a decision for a request it didn't generate, and never accepts the same decision twice.
The signed envelope format supports multiple algorithms and key IDs. Rotate keys or migrate to post-quantum algorithms without downtime.
Only public keys are exchanged during setup. Nothing that can be leaked, logged, or accidentally committed to a repository.
Every authenticated message uses the same signed envelope. The payload is base64-encoded JSON. Signatures sit alongside, tagged with algorithm and key ID.
{
  "payload": "eyJyZXF1ZXN0SWQiOiJyZXFfYTFiMm...",
  "signatures": [
    {
      "algorithm": "ed25519",
      "keyId": "sp-key-2024",
      "signature": "TG9yZW0gaXBzdW0gZG9sb3Igc2l0..."
    }
  ]
}
Every field carries both a machine-readable key and a human-readable label. The SP describes what it knows. The authorizer decides what to do with it. One wire format, any consumption pattern.
{
  "requestId": "req_a1b2c3d4e5f6",
  "spId": "sp_acme_mdm",
  "timestamp": "2026-02-18T14:30:00Z",
  "callbackUrl": "https://mdm.acme.com/stepauth/cb",
  "expiresAt": "2026-02-18T15:00:00Z",
  "principal": {
    "type": "human",
    "attributes": [
      { "key": "name", "label": "Name", "value": "Marc Tremblay" },
      { "key": "email", "label": "Email", "value": "it-admin@acme.com" },
      { "key": "department", "label": "Department", "value": "IT" },
      { "key": "role", "label": "Role", "value": "MDM Administrator" }
    ]
  },
  "action": {
    "type": "device.wipe",
    "category": "infra.destroy",
    "summary": "If approved, the MacBook Pro assigned to Jane Doe (C02ZX1ABCDEF) will be remotely wiped. All local data will be permanently erased. This action is not reversible.",
    "details": [
      { "key": "device",
        "label": "Device",
        "value": [
          { "key": "name", "label": "Name", "value": "Jane's MacBook Pro 16\"" },
          { "key": "serial", "label": "Serial", "value": "C02ZX1ABCDEF" }
        ]},
      { "key": "target_user",
        "label": "Target user",
        "value": [
          { "key": "email", "label": "Email", "value": "jane.doe@acme.com" },
          { "key": "department", "label": "Department", "value": "Engineering" }
        ]},
      { "key": "reason", "label": "Reason", "value": "Employee offboarding" },
      { "key": "reversible", "label": "Reversible", "value": "No" }
    ]
  }
}
If approved, the MacBook Pro assigned to Jane Doe (C02ZX1ABCDEF) will be remotely wiped. All local data will be permanently erased. This action is not reversible.
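An added example, not taken from the StepAuth specification or any reference implementation, of how an SP might apply the signed-envelope and replay rules above to an incoming decision. The decision fields `requestId` and `decision`, the key ID `authz-key-1`, and the choice to sign the decoded payload bytes are assumptions; the keypair is generated inline.

```javascript
const crypto = require('node:crypto');

// Constructed keypair standing in for the authorizer; the SP only ever holds the public half.
const authorizer = crypto.generateKeyPairSync('ed25519');
const trustedKeys = new Map([['authz-key-1', authorizer.publicKey]]); // hypothetical keyId

// Envelope as shown on the page: base64 JSON payload plus tagged signatures.
// Assumption: the signature covers the decoded payload bytes.
function signEnvelope(obj, keyId, privateKey) {
  const bytes = Buffer.from(JSON.stringify(obj));
  const signature = crypto.sign(null, bytes, privateKey).toString('base64');
  return { payload: bytes.toString('base64'),
           signatures: [{ algorithm: 'ed25519', keyId, signature }] };
}

// Verify first, parse second: the JSON is not interpreted until a trusted key has signed it.
function openEnvelope(env, keys) {
  const bytes = Buffer.from(env.payload, 'base64');
  const ok = env.signatures.some((s) =>
    s.algorithm === 'ed25519' && keys.has(s.keyId) &&
    crypto.verify(null, bytes, keys.get(s.keyId), Buffer.from(s.signature, 'base64')));
  if (!ok) throw new Error('bad-signature');
  return JSON.parse(bytes.toString('utf8'));
}

// Requests this SP generated and has not resolved yet: requestId -> expiry (ms since epoch).
const pending = new Map();

// Returns the decision string, or throws when the decision must not be acted on.
function acceptDecision(env, now = Date.now()) {
  const d = openEnvelope(env, trustedKeys); // requestId/decision: assumed field names
  if (!pending.has(d.requestId)) throw new Error('unknown-or-replayed');
  const expiresAt = pending.get(d.requestId);
  pending.delete(d.requestId); // consume the ID so the same decision cannot be used twice
  if (now > expiresAt) throw new Error('expired');
  return d.decision;
}

// Usage with the request ID and expiry from the page's sample request.
pending.set('req_a1b2c3d4e5f6', Date.parse('2026-02-18T15:00:00Z'));
const env = signEnvelope({ requestId: 'req_a1b2c3d4e5f6', decision: 'approved' },
                         'authz-key-1', authorizer.privateKey);
const at = Date.parse('2026-02-18T14:45:00Z');
console.log(acceptDecision(env, at)); // first delivery is accepted
try { acceptDecision(env, at); } catch (e) { console.log(e.message); } // replay is rejected
```

A production SP would keep `pending` in durable storage so that a restart cannot reopen a consumed request ID.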
StepAuth is a protocol, not a product. Read the specification, review the JSON schemas, and integrate it into your service.