**Bead** `9242fee3-0f2c-43a6-a506-8be19efe004a` · [canonical URI](https://redfish.acequia.io/guerin/.agents/9242fee3-0f2c-43a6-a506-8be19efe004a/) · discussion: Talk: 9242fee3 This page is the wiki facet of a [bead](https://redfish.acequia.io/guerin/.agents/); the bead is the source of truth.
## Identity - **URI:** `https://redfish.acequia.io/guerin/.agents/9242fee3-0f2c-43a6-a506-8be19efe004a/` - **Local origin:** `sites/redfish.acequia.io/guerin/.agents/9242fee3-0f2c-43a6-a506-8be19efe004a/` - **GUID:** `9242fee3-0f2c-43a6-a506-8be19efe004a` (UUID v4) - **Created:** 2026-06-03 - **Currently animated by:** Claude Code (Anthropic CLI, VS Code extension), model `claude-opus-4-7[1m]` — descriptive, not definitional. - **Invoked by parciante:** Stephen Guerin
## Motivation (Why a GUID) This bead exists to host an explanation of **acequia chain-tokens** and their relationship to the **OAuth standard**. Stephen asked specifically whether the acequia chain-token design is *consistent with* OAuth — the question is one of compatibility and trust-model alignment, not advocacy. A fresh GUID per [feedback_denovo-agents-discover-not-inherit](https://redfish.acequia.io/guerin/.agents/MEMORY-stub.md): no inheritance of unrelated thread context. Concurrent live beads (bonobo GIS-ABM at `85434089...`, AnyHazard critique at `31bd5380...`) are siblings, not parents.
## Mechanism (What this bead does) This bead holds: - a primary note explaining what acequia chain-tokens are, drawing on the canonical platform docs at `acequia.io/documentation/platform/` - a side-by-side mapping against the OAuth 2.0 + JWT ecosystem (RFC 6749, 7519, 7515, 8693, 7009, 6750, 7662) - the chat log that produced the explanation It does **not** modify the canonical chain-token documentation in `acequia.io/documentation/platform/` — those are read-only sources for this bead per [feedback_never-write-to-acequia-io](https://redfish.acequia.io/guerin/.agents/MEMORY-stub.md). Sources read (read-only, no modifications): - [`acequia.io/documentation/platform/user-authentication.md`](https://acequia.io/documentation/platform/user-authentication.md) — JWT structure, three-mode detection, chain-token claims, verification flow - [`acequia.io/documentation/platform/projects/capability-delegation.md`](https://acequia.io/documentation/platform/projects/capability-delegation.md) — full design rationale, migration phases, UCAN comparison, owner-as-root-authority discussion - [`acequia.io/documentation/platform/webdav-server.md`](https://acequia.io/documentation/platform/webdav-server.md) — server architecture, three-mode routing, sidecar access, chain endpoints - [`redfish.acequia.io/guerin/.agents/9e1d87f5.../2026-06-03/notes/user-representation-vocabulary.md`](https://redfish.acequia.io/guerin/.agents/9e1d87f5-a226-4d1a-be05-64c8d5cacf38/2026-06-03/notes/user-representation-vocabulary.md) — Gemini's vocabulary entry for "Chain-Token"
## Folder Layout ``` 9242fee3-0f2c-43a6-a506-8be19efe004a/ ├── about.md # this file ├── uploads/ # inbound dock (empty) └── 2026-06-03/ # first session ├── notes/ │ └── chain-tokens-and-oauth.md # primary note ├── skills/ # (empty) ├── chats/ │ └── 2026-06-03-chain-tokens-and-oauth.md └── artifacts/ # (empty) ```
## Session Log - **2026-06-03** — Bead opened on Stephen's request: explain acequia chain-tokens and their relationship to the OAuth standard. Stephen pre-clarified: "acequia chain-token" (not industry token-chain patterns) and "is it consistent with OAuth" (compatibility question). Output as notes/, not proposal-class. Pre-bead context: read `acequia.io/documentation/platform/user-authentication.md`, `capability-delegation.md`, `webdav-server.md`, and Gemini's vocabulary note in bead `9e1d87f5...`. Wrote single note `chain-tokens-and-oauth.md` covering: (1) what chain-tokens are at the wire level, (2) OAuth 2.0 architecture in brief, (3) side-by-side mapping table, (4) trust-topology divergence, (5) verdict on OAuth consistency, (6) closest cousins (UCAN, Macaroons, Biscuits, ZCAP-LD, RFC 8693 Token Exchange). Then Stephen corrected the trust-topology framing: the note treated "centralized AS" as the baseline and acequia as "no AS" — which imports OAuth's centralization assumption and erases the acequia vision where the AS-URI is itself a namespace served by a decentralized peer mesh (service workers as in-tab ingress routers, discovery servers, local OS-level acequia node servers — Cloudflare-tunnel "origins" generalized; eventual-consistency shared state, leader election, load balancing). Updated note in six places (TL;DR, §4.1 header + body + mini-table, §5 mapping-table rows, §8 verdict) to distinguish *cryptographic trust root* (user keypair, self-sovereign — genuinely AS-less) from *operational AS-role* (token-granting URIs served by peer mesh). Saved [`feedback_acequia-as-not-no-as`](c:/Users/steph/.claude/projects/c--Users-steph-Documents-sites/memory/feedback_acequia-as-not-no-as.md) under new MEMORY.md section "## Acequia Auth". Re-synced bead in background.
## Modus Operandi (How to interact) - **Read [`chain-tokens-and-oauth.md`](https://redfish.acequia.io/guerin/.agents/9242fee3-0f2c-43a6-a506-8be19efe004a/2026-06-03/notes/chain-tokens-and-oauth.md) for the substantive content.** The about.md is just a pointer. - **Citations to acequia platform docs** anchor at headings or top-of-file; line ranges in those files may drift as the docs evolve. - **This is a reading**, not a standards proposal. It answers Stephen's compatibility question — it does not propose changes to OAuth or to acequia chain-tokens. - **This bead does not write to `acequia.io/`** — per [feedback_never-write-to-acequia-io](https://redfish.acequia.io/guerin/.agents/MEMORY-stub.md). All synthesis lives in this bead's URI-space.
## Capabilities - Hosts the chain-token / OAuth compatibility analysis. - Can be cited by future beads doing related design work (federation, cross-instance auth, OAuth bridging, UCAN interop). - Does not produce executable artifacts.
## Lifecycle - **Energization:** charge flows in when Stephen or follow-on agents cite this analysis. If chain-tokens evolve (Phase 4 peer verification, Phase 5 policy engine, key rotation, DID adoption), the note can be re-grounded in a new session folder or sibling bead. - **Apoptosis:** when the chain-token design stabilizes and the OAuth comparison is either folded into canonical platform docs or rendered obsolete by federation work, this bead can fade.
## Limitations - **Snapshot dated 2026-06-03.** The canonical chain-token docs are at Phases 1–3.7 complete, Phase 4+ in design. This analysis reflects that snapshot. Phase 4 (peer verification over WebRTC) may change the trust-topology comparison materially. - **OAuth surface is large.** The note covers core OAuth 2.0 (RFC 6749), JWT access tokens, Token Exchange (RFC 8693), Revocation (RFC 7009), and Bearer (RFC 6750). It does NOT cover OIDC discovery, JAR/PAR/JARM (RFC 9101/9126), DPoP (RFC 9449), MTLS client auth (RFC 8705), or Rich Authorization Requests (RFC 9396). Those are tangential to the chain-token question but may matter for future federation work. - **One reader, no peer review.** Single-agent reading; Stephen or a sibling agent may flag misreadings of either the chain-token design or the OAuth specs.
**Related beads (cite, do not duplicate):** - `9e1d87f5-a226-4d1a-be05-64c8d5cacf38` (2026-06-02 / 2026-06-03) — Gemini bead with the User Representation Vocabulary entry for "Chain-Token". This bead cites that vocabulary; does not duplicate. - `31bd5380-d743-420f-81a1-9258e7fbbf9a` (2026-06-03) — AnyHazard user-model critique. Concurrent thread, touches user-representation layer but not chain-tokens specifically. - `874fce5b-9c8b-4b23-b2ed-429148c6c4b7` (2026-04-23) — foundational Acequia design notes; the chain-token system is the auth substrate that the [downstream-pattern](https://redfish.acequia.io/guerin/.agents/874fce5b-9c8b-4b23-b2ed-429148c6c4b7/2026-04-23/notes/downstream-pattern.md) and [agent-as-bead](https://redfish.acequia.io/guerin/.agents/874fce5b-9c8b-4b23-b2ed-429148c6c4b7/2026-04-23/notes/agent-as-bead.md) frames assume. - `85434089-04b0-402a-ab70-0e44d66f13f7` (2026-06-01) — bonobo GIS-ABM bead, different thread. - Bead protocol: [`.agents/beads.md`](https://redfish.acequia.io/guerin/.agents/beads.md).
## References (bead cross-links) - Bead: Acequia User Model & Architecture Bead · [canonical](https://redfish.acequia.io/guerin/.agents/9e1d87f5-a226-4d1a-be05-64c8d5cacf38/) - Bead: 31bd5380 · [canonical](https://redfish.acequia.io/guerin/.agents/31bd5380-d743-420f-81a1-9258e7fbbf9a/) - Bead: 874fce5b · [canonical](https://redfish.acequia.io/guerin/.agents/874fce5b-9c8b-4b23-b2ed-429148c6c4b7/) - Bead: 85434089 · [canonical](https://redfish.acequia.io/guerin/.agents/85434089-04b0-402a-ab70-0e44d66f13f7/)
See all: Beads