The Missing Protocol for AI Agent Authorization

Your agents have credentials. But can you prove that a specific agent action was authorized by a specific human instruction? The assumption that broke OAuth was built for one hop. Human clicks "Allow," client gets a token, token hits an API. Agent pipelines don't work like that. A user tells an orchestrator to "research our top 3 competitors and email a summary to the board." The orchestrator spawns a research agent, which calls a web search tool, which feeds results into a summarizer, which hands output to an email agent, which calls the Gmail API. Five hops. Three agents. The original instruction is buried in a context window. OAuth can't represent this. There is no standard mechanism for issuing a narrower downstream token at each hop so the same token gets forwarded, with the same permissions, to every service in the chain. The intent — why this access was granted — is nowhere in the token. Scope at each layer is whatever the developer hardcoded. And there's no record of who spawne