
Aegis.

Challenge-response auth, HKDF/FROST/BIP-44 key management, delegation trees with no-amplification, multi-dimensional policy.

Adapter · External Standard
I
Stable · v0.1.0
6ms

Overview

Challenge, response, delegation, key.

Aegis is the authentication and authorization framework built on OAS. It provides challenge-response authentication that proves possession of an OAS key without revealing it, a key management subsystem (HKDF for lineage, FROST for threshold signatures, BIP-44 for multi-chain wallets), and a delegation tree mechanism enforcing the no-amplification rule — no delegate may carry more authority than its delegator. Multi-dimensional policies bound spending, time, and lineage simultaneously.

Methods

Every method is dispatched through MAP. Capability scope, policy, and accounting apply uniformly.

aegis.challenge()
  Issue a cryptographic challenge bound to a session and capability scope.
  Capability: aegis:challenge

aegis.delegate()
  Create a delegation token. Cannot grant more authority than the delegator possesses.
  Capability: aegis:delegate

aegis.policy()
  Evaluate a multi-dimensional policy: spending, temporal, lineage, jurisdictional.
  Capability: aegis:policy
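
The no-amplification rule described for aegis.delegate(), as an added example that is not Aegis's own code: a check that a delegated grant stays within its delegator in every policy dimension, applied hop by hop along a delegation chain. The grant field names (capabilities, spendLimit, notBefore, notAfter, depthLeft) and the sample values are assumptions made for illustration.

```javascript
// Hypothetical grant shape (an assumption, not Aegis's token format):
//   capabilities: capability strings; spendLimit: max tokens;
//   notBefore/notAfter: validity window (epoch ms); depthLeft: hops remaining.

// Non-numbers (missing, null, strings) become NaN; every comparison with
// NaN is false, so a malformed field is reported as a violation.
const num = (x) => (typeof x === "number" && Number.isFinite(x) ? x : NaN);

// Returns the dimensions in which `child` exceeds `parent`.
// An empty list means the delegation does not amplify authority.
function amplifications(parent, child) {
  const violations = [];
  const parentCaps = new Set(parent.capabilities);
  const extra = child.capabilities.filter((c) => !parentCaps.has(c));
  if (extra.length > 0) violations.push(`capabilities: ${extra.join(",")}`);
  if (!(num(child.spendLimit) <= num(parent.spendLimit))) violations.push("spendLimit");
  if (!(num(child.notBefore) >= num(parent.notBefore))) violations.push("notBefore");
  if (!(num(child.notAfter) <= num(parent.notAfter))) violations.push("notAfter");
  // Each hop must consume at least one unit of remaining depth.
  if (!(num(parent.depthLeft) > 0 && num(child.depthLeft) < num(parent.depthLeft))) {
    violations.push("depthLeft");
  }
  return violations;
}

// Checks every adjacent pair in root -> ... -> leaf. Comparing the leaf
// only against the root would accept a grant that is wider than its
// direct delegator.
function verifyChain(chain) {
  for (let i = 1; i < chain.length; i++) {
    const violations = amplifications(chain[i - 1], chain[i]);
    if (violations.length > 0) return { ok: false, hop: i, violations };
  }
  return { ok: true, hop: null, violations: [] };
}

// Constructed sample data.
const root = { capabilities: ["aegis:challenge", "aegis:delegate", "aegis:policy"],
  spendLimit: 200000, notBefore: 1000, notAfter: 9000, depthLeft: 2 };
const mid = { capabilities: ["aegis:challenge", "aegis:delegate"],
  spendLimit: 50000, notBefore: 2000, notAfter: 8000, depthLeft: 1 };
const leafOk = { capabilities: ["aegis:challenge"],
  spendLimit: 50000, notBefore: 2000, notAfter: 8000, depthLeft: 0 };
// Within root's authority, but wider than mid in capability and spend.
const leafBad = { ...leafOk, capabilities: ["aegis:policy"], spendLimit: 60000 };

console.log(verifyChain([root, mid, leafOk]), verifyChain([root, mid, leafBad]));
```

The second chain is rejected at hop 2 even though leafBad, compared against root alone, shows no violation.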

Request shape

A canonical call. Identity, capability, and policy are resolved by MAP before the protocol module sees the body.

// POST /v1/protocol/aegis.challenge
// MAP envelope (provided by MACS):
{
  "caller": "did:oas:l1fe:agent:0xa3f…",
  "capability": "aegis:challenge",
  "signature": "ed25519:0x9c…",
  "trace": "00-4f81b3a…-…-01"
}

// Aegis body (example):
{
  "intent": "Challenge, response, delegation, key.",
  "budget": { "tokens": 200000, "deadline_ms": 8000 },
  "return": ["result", "audit"]
}

// Response:
{
  "result": "…",
  "audit": "max://record/0x4f81b3a-aegis-7a…"
}

Governance posture

Every protocol in MAP is bound by the same governance posture. Refusal carries reasons. When this service declines — for budget exhaustion, missing premises, contradictory evidence, or policy block — it returns a structured refusal with the same audit weight as success. Refusals are first-class records; they are not silences.

Dissent is preserved. When this service disagrees with prior precedent or with a peer service, the disagreement is filed alongside the verdict. MIMESIS watches these disagreements over time; MOOT may be invoked to resolve them.

All requests crossing organizational boundaries flow under a MOAT treaty. The treaty fixes capability scope, rate, and economic terms. Calls outside the treaty's envelope are refused at MACS.

Integration

Three integration surfaces. All requests pass through MAP.

// 1. Native MAP protocol (signed envelope)
await map.dispatch("aegis.challenge", body, { capability });

// 2. MCP tool — any MCP-compliant client
await mcp.call("map.aegis.challenge", body);

// 3. A2A task — cross-organization invocation
await a2a.task("map://intent", { intent: body, treaty: "moat://0x91a" });

SLA & metering

6ms
28ms
99.95%
evaluations

Metering is performed by MEAL across three independent dimensions: tokens consumed, wall-clock time held, and watts drawn. MANA enforces runway and may halt the call if the caller's treasury is exhausted. See pricing for current rate cards.

Adjacent

This service does not stand alone. The protocols it consults and feeds:

OAS · identity lineage
MACS · capability set
MAX · every delegation
MOTET · failed challenges
MAXIM · policy authority
MEAL · per-evaluation meter
