# 🌍 OAuth3, Mar 25th - AA the World - Interop the Worlds - Automate the World

## 🧭 Overview

This document captures a freeform, high-context jam session exploring the future of identity, authentication, and programmable agency — through the lens of Oauth3, TEEs, and cross-platform coordination. Participants shared live thoughts on what it means to “encumber an account,” enable zero-click login, and design composable apps and agents that move fluidly across the modern web.

The discussion centered on two core tracks:

- **"AA the World"** — grounding identity in secure, expressive delegation via Oauth3, context-aware login flows, and TEE-based enforcement.
- **"Interop the Worlds"** — understanding how blockchains serve as *credible commitment devices* for programmable agents and user-owned identities in Web2+Web3 convergence.

Themes include:

- The tension between frictionless UX and privacy-preserving consent
- How to frame Oauth3 as a standard for intelligent authorization, not just login
- Why TEEs could justify zero-click flows without reintroducing surveillance
- Where wallets, agents, and identity intersect
- Why NFTs are better framed as context-aware access tokens
- How to build agentic interfaces that interact with legacy APIs and social platforms — without losing trust, context, or user control

This isn’t a formal spec discussion — it’s a high-bandwidth space for convergence, jamming, and prototype visioning across identity, UX, and protocol layers. Think of it as a “roast + reimagine” of what access and identity should look like in the agent-powered internet.
## 🧠 Ideas That Emerged

These are the key conceptual shifts and reframings that surfaced during the jam session:

- **Oauth3 is not just login — it’s the gateway for programmable agents.** Instead of “log me in,” we’re moving toward: “authorize my agent to act with scoped policy.”
- **TEEs justify “bad ideas” (like zero-click login) when trust enforcement is shifted to the enclave.** Privacy no longer requires friction if we trust the execution layer.
- **Apps are agents. Tokens are access keys. Agents + NFTs + TEEs = programmable identity.** We’re redefining apps as policy-driven agents, and NFTs as intent-carrying access credentials.
- **Wallets become intent routers, not just key holders.** The wallet is where delegation logic, consent policy, and execution control converge.
- **Oauth3 as a programmable reverse proxy for human intention.** It acts as a middle layer between users, agents, and APIs, enforcing programmable consent and composable actions.

## 🔑 Core Questions Emerging

### 1. What is a Login Today?

- Not just authentication — it's **access negotiation**.
- Oauth3 explores “zero-click” or **context-aware** login where apps infer consent.

### 2. Is Zero-Click Login a Good Idea?

- Historically discouraged (privacy/tracking risks).
- With **Trusted Execution Environments (TEEs)**, it may now be safe and usable.
- It's not about clicks — it's about **trust, context, and user control**.

### 3. What is a Wallet?

- More than key storage:
  - A **policy enforcer**
  - A **context-aware agent**
  - A programmable interface for delegated authority

### 4. Where Do Web2 and Web3 Intersect in Apps?

- Web2 = closed APIs, walled gardens.
- Web3 = **composable identity**, portable credentials, programmable permissions.
- Goal: meaningful “encumbrance” of accounts with programmable delegation.
---

## 🔐 Wallets as the New Password Managers

One of the underlying shifts discussed is the movement **away from traditional credentials (username + password)** toward **agent-based, context-aware access**. While password managers weren’t explicitly named, the session consistently circled around the same goal:

> “How do we securely log in a user without needing a username, password, or even email?”

Key takeaways:

- **Magic links and passkeys** were referenced as stepping stones — but still dependent on centralized services.
- **Oauth3 + TEEs** offer an alternative path:
  - Store credentials (like refresh tokens or JWTs) **inside a secure enclave**
  - Delegate usage through **policy-based access**, rather than repetitive logins
  - Enable “zero-click” access via **implicit, context-driven consent** (e.g., wallet connected, app whitelisted)

This frames the **wallet not just as a key manager**, but as a **next-gen password manager**:

- It governs access across services
- It holds verifiable credentials (tokens, attestations)
- It enforces scoped delegation, expiration, and revocation

### ➡️ TL;DR

> **Wallets + OAuth3 + TEEs = programmable passwordless UX**
>
> Instead of managing secrets, users manage trust policies — and agents carry out their intent securely.

---

## 🧠 Intelligent Context & UX

- **Smart defaults > zero-click**:
  - Detect wallet presence and pre-fill.
  - Infer intent and minimize prompts.
  - Use policy and context to gate interactions.
- Oauth3 becomes an **agent-based UX layer**:
  - Understands intent
  - Handles delegated permission flows
  - Avoids unnecessary user interruption

---

## 🧩 Architecture & Standards Direction

- Follow the model of `EIP-1193`:
  - Standardize **message interfaces**, not the implementations.
  - Let devs pack arbitrary policy data into generic payloads.
- TEEs enable:
  - Secure JWK/refresh token storage
  - Proxying auth through trusted computation
  - Enforced policy boundaries with auditability
- SDKs/Templates:
  - Don’t standardize every OAuth flow.
  - Build SDK templates per resource provider (Telegram, Twitter, etc.)
  - Encourage “template + rules” architecture.

---

## 🎮 Credible Commitments & Game Theory

- Commitments = **delegated, conditional agency**:
  - “Let this group tweet from my account once.”
  - “Allow access to my analytics if you hold this NFT.”
- **NFTs** as:
  - Context-aware access tokens
  - Soft credentials with programmable rules
- Interoperability = **capability transfer**, not just login compatibility.

---

## 💥 Use Case Convergences

### 1. Oauth as an Intelligent Agent API

- Not just authentication — **delegation and access policy routing**.
- Example: "Give this agent inbox access for 12h under X policy."

### 2. TikTok Comment Creator Fund

- Delegate publishing rights to AI agents.
- Use Oauth3 & TEEs for:
  - Authenticated content generation
  - Safe posting
  - Identity-mapped reward mechanisms

### 3. Bootstrapping Agent Identity

- Agents need verifiable:
  - Origin
  - Intent
  - Reputation
- Enabled by signed attestations and Oauth3 policy scopes.

### 4. Super Apps as Agents

- SuperApp = Agent with multi-surface access
- Agents interact across APIs, apps, and devices based on:
  - User permissions
  - Context
  - Rules

---

## 🎯 Summary of Convergences

| Concept | Reframed As |
|---------|-------------|
| **Oauth3** | Programmable trust layer + routing middleware |
| **TEE** | Boundary of permissioned, verifiable computation |
| **NFTs** | Intent-carrying access tokens |
| **Apps** | Agents with behavioral models and scoped permissions |
| **Web3** | Programmable delegation and composable user autonomy |

---
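The delegation model the notes sketch in "Wallets as the New Password Managers" and "Credible Commitments" (a token held inside the enclave, used only under scoped, expiring, revocable grants such as "tweet from my account once" or "analytics access while you hold this NFT"), as an added example that is not code from the session or from any Oauth3 project. `Grant`, `EnclaveGate`, the scope names and the `holds_nft` condition are assumed names; a real deployment would run this gate inside the TEE and have it perform the proxied call itself.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class Grant:                          # one user-signed delegation (values constructed for the demo)
    agent: str
    scope: str                        # e.g. "twitter:post", "analytics:read"
    expires_at: datetime
    max_uses: Optional[int] = None    # None = unlimited until expiry
    requires: dict = field(default_factory=dict)  # e.g. {"holds_nft": "analytics-pass"}
    uses: int = 0
    revoked: bool = False

class EnclaveGate:
    # Hypothetical enclave-side gate: the stored refresh token never leaves it, agents only
    # receive allow/deny (the enclave performs the proxied call), and every decision is audited.
    def __init__(self):
        self.grants, self.audit = {}, []  # grant_id -> Grant; (grant_id, agent, scope, reason)
    def revoke(self, grant_id):
        self.grants[grant_id].revoked = True
    def authorize(self, agent, scope, context, now):
        hit = [(gid, g) for gid, g in self.grants.items() if (g.agent, g.scope) == (agent, scope)]
        if not hit:
            return False, "no grant"
        gid, g = hit[0]
        rules = [(g.revoked, "revoked"), (now >= g.expires_at, "expired"),
                 (g.max_uses is not None and g.uses >= g.max_uses, "uses exhausted"),
                 (any(v not in context.get(k, ()) for k, v in g.requires.items()), "condition not met")]
        reason = next((why for failed, why in rules if failed), "ok")  # first failing rule wins
        if reason == "ok":
            g.uses += 1              # allow: consume one use, then the enclave proxies the action
        self.audit.append((gid, agent, scope, reason))
        return reason == "ok", reason

def demo(now=datetime(2025, 3, 25, tzinfo=timezone.utc)):  # constructed clock
    # The two commitments from the notes: tweet once; read analytics for 12h while holding the NFT.
    gate = EnclaveGate()
    gate.grants["g1"] = Grant("group-bot", "twitter:post", now + timedelta(hours=1), max_uses=1)
    gate.grants["g2"] = Grant("analyst", "analytics:read", now + timedelta(hours=12),
                              requires={"holds_nft": "analytics-pass"})
    nft = {"holds_nft": {"analytics-pass"}}
    out = [gate.authorize("group-bot", "twitter:post", {}, now)[1],   # ok
           gate.authorize("group-bot", "twitter:post", {}, now)[1],   # uses exhausted
           gate.authorize("analyst", "analytics:read", {}, now)[1],   # condition not met
           gate.authorize("analyst", "analytics:read", nft, now)[1],  # ok
           gate.authorize("analyst", "analytics:read", nft, now + timedelta(hours=12))[1]]  # expired
    gate.revoke("g2")
    return out + [gate.authorize("analyst", "analytics:read", nft, now)[1]]  # revoked
```

The audit list is what the "enforced policy boundaries with auditability" bullet asks for: each denial records which rule fired, so a revoked or over-used grant is visible without ever exposing the underlying token.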