docs(building): explain why bearer tokens are prohibited for financial operations#5822
Open
aleksUIX wants to merge 2 commits into
Open
docs(building): explain why bearer tokens are prohibited for financial operations#5822aleksUIX wants to merge 2 commits into
aleksUIX wants to merge 2 commits into
Conversation
…l operations The authentication method table states the 3.1+ prohibition but not the rationale, and the question keeps coming up. Add a subsection covering proof of possession versus token theft, payload integrity via the signed covered components, replay resistance, and the accountability anchor that lowers fraud and dispute cost, with a pointer to the L1 verifier checklist instead of hand-rolled cryptography. Closes adcontextprotocol#5789.
Contributor
There was a problem hiding this comment.
The automated review encountered an issue (possibly reached max turns, timed out, or failed to post the final gh pr review). A human reviewer should take this PR.
This is an automated message from the Argus AI review workflow.
Contributor
There was a problem hiding this comment.
The automated review encountered an issue (possibly reached max turns, timed out, or failed to post the final gh pr review). A human reviewer should take this PR.
This is an automated message from the Argus AI review workflow.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes #5789 (critical knowledge gap: signed requests vs bearer tokens).
The Authentication Method table in
docs/building/by-layer/L2/authentication.mdxstates that static credentials are prohibited for mutating and financial operations from 3.1, but never says why. The question keeps coming up (the issue captures a Slack thread where a human expert had to supply the rationale). This PR writes the rationale into the doc where the question is asked.Change
New "Why bearer tokens are prohibited for financial operations" subsection, placed directly after the mechanism table and the 3.0-floor warning:
Explanatory only: no new requirements, no changes to the normative table, consistent with the covered components and parameters specified in the L1 security reference. Docs only, outside
docs/reference/; no changeset per the protocol-scope policy.Verification
docs/building/by-layer/L1/security.mdx(request-signing section: covered components, ±60 s window, nonce)