PAuth - Precise Task-Scoped Authorization For Agents
Reshabh K Sharma, Linxi Jiang, Zhiqiang Lin, Shuo Chen

TL;DR
PAuth introduces a novel authorization model for AI agents that ensures only the specific operations needed for a user's task are permitted, improving security and precision over existing broad permission systems.
Contribution
The paper proposes PAuth, a new implicit authorization model with symbolic specifications and verification mechanisms, enabling precise, task-specific permissions for AI agents.
Findings
PAuth successfully executes tasks without overprivilege in benign scenarios.
PAuth detects and warns about unauthorized operations in attack scenarios.
The model maintains low token costs while ensuring precise permission enforcement.
Abstract
The emerging agentic web envisions AI agents that reliably fulfill users' natural-language (NL)-based tasks by interacting with existing web services. However, existing authorization models are misaligned with this vision. In particular, today's operator-scoped authorization, exemplified by OAuth, grants broad permissions tied to operators (e.g., the transfer operator) rather than to the specific operations (e.g., transfer $100 to Bob) implied by a user's task. This will inevitably result in overprivileged agents. We introduce Precise Task-Scoped Implicit Authorization (PAuth), a fundamentally different model in which submitting an NL task implicitly authorizes only the concrete operations required for its faithful execution. To make this enforceable at servers, we propose NL slices: symbolic specifications of the calls each service expects, derived from the task and upstream results.…
Taxonomy
Topics: Access Control and Trust · Scientific Computing and Data Management · Web Application Security Vulnerabilities
