Current active drafts in the OAuth working group
| Title | Document | Status |
| --- | --- | --- |
| Token Status List (TSL) | draft-ietf-oauth-status-list | IESG Evaluation |
| OAuth 2.0 for Browser-Based Applications | draft-ietf-oauth-browser-based-apps | RFC Ed Queue |
| Cross-Device Flows: Security Best Current Practice | draft-ietf-oauth-cross-device-security | In Last Call (ends 2025-12-16) |
| Updates to OAuth 2.0 Security Best Current Practice | draft-ietf-oauth-security-topics-update | |
| OAuth SPIFFE Client Authentication | draft-ietf-oauth-spiffe-client-auth | |
| JSON Web Token Best Current Practices | draft-ietf-oauth-rfc8725bis | |
| SD-JWT-based Verifiable Credentials (SD-JWT VC) | draft-ietf-oauth-sd-jwt-vc | |
| The OAuth 2.1 Authorization Framework | draft-ietf-oauth-v2-1 | |
| OAuth 2.0 for First-Party Applications | draft-ietf-oauth-first-party-apps | |
| Identity Assertion JWT Authorization Grant | draft-ietf-oauth-identity-assertion-authz-grant | |
| OAuth Client ID Metadata Document | draft-ietf-oauth-client-id-metadata-document | |
| Updates to OAuth 2.0 JSON Web Token (JWT) Client Authentication and Assertion-Based Authorization Grants | draft-ietf-oauth-rfc7523bis | |
| OAuth 2.0 Attestation-Based Client Authentication | draft-ietf-oauth-attestation-based-client-auth | |
| OAuth Identity and Authorization Chaining Across Domains | draft-ietf-oauth-identity-chaining | |
| Transaction Tokens | draft-ietf-oauth-transaction-tokens | |
| OAuth Trust Binding Extension (OTBE) | draft-fulz-oauth-trust-binding | |
| OAuth Authorization Management URI | draft-emelia-oauth-authorization-management-uri | |
| OAuth2.0 Extension for Multi-AI Agent Collaboration: Applier-On-Behalf-Of Authorization | draft-song-oauth-ai-agent-collaborate-authz | |
| OAuth 2.0 Web Message Response Mode for Popup- and Iframe-based Authorization Flows | draft-meyerzuselha-oauth-web-message-response-mode-00 | |
| Agent-to-Agent (A2A) Profile for OAuth Transaction Tokens | draft-liu-oauth-a2a-profile | |
| OAuth 2.0 Delegated Authorization | draft-li-oauth-delegated-authorization | |
| AAuth - Agentic Authorization OAuth 2.1 Extension | draft-rosenberg-oauth-aauth | |
| OAuth 2.0 JWT Authorization Grant with DPoP Binding | draft-parecki-oauth-jwt-dpop-grant | |
| OAuth 2.0 Refresh Token and Authorization Expiration | draft-watson-oauth-refresh-token-expiration | |
| OAuth 2.0 Entity Profiles | draft-mora-oauth-entity-profiles | |
| OAuth 2.0 App2App Browser-less Flow | draft-zehavi-oauth-app2app-browserless | |
| Separating DPoP Bindings for Access and Refresh Tokens | draft-rosomakho-oauth-dpop-rt | |
| OAuth SPIFFE Client Authentication | draft-schwenkschuster-oauth-spiffe-client-auth | |
| Updates to OAuth 2.0 Security Best Current Practice | draft-wuertele-oauth-security-topics-update | |
| DPoP for the OAuth 2.0 Device Authorization Grant | draft-parecki-oauth-dpop-device-flow | |
| Application-Agnostic Demonstration Proof of Possession (DPoP) Framework | draft-nandakumar-oauth-dpop-proof | |
| Global Token Revocation | draft-parecki-oauth-global-token-revocation | |
| OAuth 2.0 Resource Parameter in Access Token Response | draft-mcguinness-oauth-resource-token-resp | |
| OAuth2.0 Extention for AI Agent: Authorization on Target | draft-song-oauth-ai-agent-authorization | |
| OAuth 2.0 Client ID Prefix | draft-parecki-oauth-client-id-prefix | |
| Rich OAuth Error Responses | draft-watson-oauth-rich-error-response | |
| OAuth 2.0 step-up authorization challenge proto | draft-lombardo-oauth-step-up-authz-challenge-proto | |
| OAuth 2.0 client extension claims | draft-lombardo-oauth-client-extension-claims | |
| Deferred Key Binding for OAuth | draft-richer-oauth-tmb-claim | |
| OAuth 2.0 Dynamic Client Registration with Trusted Issuer Credentials | draft-kasselman-oauth-dcr-trusted-issuer-token | |
| OAuth Client Registration on First Use with SPIFFE | draft-kasselman-oauth-spiffe | |
| Selective Disclosure for JSON Web Tokens | RFC 9901 | |
| OAuth 2.0 Protected Resource Metadata | RFC 9728 | |
| JSON Web Token (JWT) Response for OAuth Token Introspection | RFC 9701 | |
| Best Current Practice for OAuth 2.0 Security | RFC 9700 | Best Current Practice |
| OAuth 2.0 Step Up Authentication Challenge Protocol | RFC 9470 | |
| OAuth 2.0 Demonstrating Proof of Possession (DPoP) | RFC 9449 | |
| OAuth 2.0 Rich Authorization Requests | RFC 9396 | |
| JWK Thumbprint URI | RFC 9278 | |
| OAuth 2.0 Authorization Server Issuer Identification | RFC 9207 | |
| OAuth 2.0 Pushed Authorization Requests | RFC 9126 | |
| The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR) | RFC 9101 | |
| JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens | RFC 9068 | |
| JSON Web Token Best Current Practices | RFC 8725 | Best Current Practice |
| Resource Indicators for OAuth 2.0 | RFC 8707 | |
| OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens | RFC 8705 | |
| OAuth 2.0 Token Exchange | RFC 8693 | |
| OAuth 2.0 Device Authorization Grant | RFC 8628 | |
| OAuth 2.0 Authorization Server Metadata | RFC 8414 | |
| OAuth 2.0 for Native Apps | RFC 8252 | Best Current Practice |
| Authentication Method Reference Values | RFC 8176 | |
| Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs) | RFC 7800 | |
| OAuth 2.0 Token Introspection | RFC 7662 | |
| Proof Key for Code Exchange by OAuth Public Clients | RFC 7636 | |
| OAuth 2.0 Dynamic Client Registration Management Protocol | RFC 7592 | Experimental |
| OAuth 2.0 Dynamic Client Registration Protocol | RFC 7591 | |
| JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants | RFC 7523 | |
| Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants | RFC 7522 | |
| Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants | RFC 7521 | |
| JSON Web Token (JWT) | RFC 7519 | |
| OAuth 2.0 Token Revocation | RFC 7009 | |
| OAuth 2.0 Threat Model and Security Considerations | RFC 6819 | Informational |
| An IETF URN Sub-Namespace for OAuth | RFC 6755 | Informational |
| The OAuth 2.0 Authorization Framework: Bearer Token Usage | RFC 6750 | |
| The OAuth 2.0 Authorization Framework | RFC 6749 | |