Pre-Authorization Protocol (PAP)
Cryptographically signed human authorization artifacts for critical actions, validated before execution.
PAP is a pre-execution authorization protocol that ensures critical actions are explicitly approved by an authorized human before any AI agent or automated system can execute them.
Key Difference: PAAT vs PAP
PAAT carries the rules (policy logic) in a signed JWT for offline evaluation. PAP carries the human authorization for a specific action, with a cryptographic signature and time-bounded validity.
How It Works
```mermaid
sequenceDiagram
    participant Human as Authorized Human
    participant System as Authorization System
    participant Agent as AI Agent / ERP
    participant Shield as ABS Shield (PAP Validator)
    participant Engine as Policy Engine
    Human->>System: Approve action (sign intent)
    System->>Agent: Deliver PAP Artifact
    Agent->>Shield: Request + PAP Artifact (x-pap-artifact header)
    Shield->>Shield: Validate signature, window, intent hash
    alt Valid PAP
        Shield->>Engine: Forward to policy evaluation
        Engine-->>Agent: Decision Envelope (ALLOW/DENY)
    else Invalid/Missing PAP
        Shield-->>Agent: 403 BLOCKED_PAP_*
    end
```

PAP Artifact Schema
A PAP artifact is a JSON object containing:
| Field | Required | Description |
|---|---|---|
| artifact_id | Yes | Unique identifier |
| version | Yes | Protocol version ("1.0") |
| human_signature | Yes | Algorithm, key fingerprint, and base64 signature |
| canonical_intent | Yes | Action type, target, parameters, and SHA-256 hash |
| validity_window | Yes | not_before and not_after timestamps (ISO 8601) |
| governance_context | No | Project, budget code, compliance frameworks |
| delegation_constraints | No | Allowed agent IDs, max executions |
High-Risk Actions
The following action types require a valid PAP artifact by default:
- payment — Financial transactions
- bulk_data_deletion — Mass data removal
- infrastructure_change — System configuration mutations
- sensitive_data_access — PII or classified data retrieval
Usage
1. Configure PAP Middleware

```typescript
import { papMiddleware } from 'abs-shield';

app.use('/api/v1/payments/*', papMiddleware({
  trustedKeyFingerprints: ['fp:sha256:abc123...'],
  highRiskActions: ['payment', 'bulk_data_deletion'],
}));
```

2. Send PAP Artifact with Request
The artifact is sent as base64-encoded JSON in the x-pap-artifact HTTP header:

```bash
curl -X POST https://api.example.com/v1/payments/approve \
  -H "x-pap-artifact: $(echo '{"artifact_id":"pap-001",...}' | base64)" \
  -H "x-agent-id: erp-backend" \
  -d '{"action_type":"payment","target":"account:123","parameters":{"amount":50000}}'
```

3. Use Validator Directly (SDK)
```typescript
import { validatePAPArtifact, computeIntentHash } from 'abs-shield';

const result = await validatePAPArtifact(artifact, actionDetails, agentId, {
  trustedKeyFingerprints: ['fp:sha256:abc123...'],
  highRiskActions: ['payment'],
});

if (!result.valid) {
  console.error(`Blocked: ${result.code} — ${result.message}`);
}
```

Error Codes
| Code | Description |
|---|---|
| BLOCKED_PAP_MISSING | High-risk action without PAP artifact |
| BLOCKED_PAP_INVALID | Invalid version or untrusted signature |
| BLOCKED_PAP_EXPIRED | Artifact outside validity window |
| BLOCKED_PAP_INTENT_MISMATCH | Action details don't match artifact intent |
| BLOCKED_PAP_AGENT_DENIED | Agent not authorized by delegation constraints |
Security Properties
- Fail-Closed: High-risk actions are always blocked without valid PAP.
- Intent Binding: SHA-256 hash ensures the authorized action matches exactly.
- Time-Bounded: Artifacts cannot be reused after expiration.
- Agent-Scoped: Optional delegation constraints restrict which agents can use the authorization.