Authority Tokens · the receipt
The token is the receipt. The receipt is the record.
Authority Tokens are RS256-signed JWS objects issued only when verification passes. They are single-use, TTL-bounded, scoped to one action, and verified against the tenant’s kid-pinned public key — per-tenant JWKS verification is shipping soon.
Authority Token · RS256 · issued — LOCALtyp: AUTH
..
Header · the JWS algorithm + token type
contents{ "alg": "RS256", "typ": "AUTH" }
algRS256 · RSA-SHA256, 2048-bit, tenant-scoped key
typAUTH · authority-scoped, single-use
Live · single-use · 10 min ttl
02 · What the token guarantees
Verification happened
The token’s existence is proof that policy, conformance, and risk all permitted this exact action.
One action, one actor
The token claims bind it to a specific action, actor, and target. The connector refuses scope mismatches.
Signed by tenant authority
RS256 signature with the tenant-scoped private key. Verified against the kid-pinned tenant public key.
Verified at the gate
The connector — not Intended — verifies. If the gate refuses, nothing executes. If Intended disappeared, the receipt would still stand.