AFFIXIO
OAuth re-verify
OAuth session theft and agent re-verification
OAuth token theft lets attackers ride valid sessions without repeating identity checks. Continuous identity verification needs signed allow or deny at sensitive actions, not only at login. AffixIO re-verifies eligibility with ML-DSA-65 proofs and Merkle audit when risk signals fire or agents act on behalf of users.
Definition
OAuth re-verification is signed allow or deny when a session or agent requests a protected action after initial OAuth authentication.
Field note. OAuth token revocation alone does not prove the current session holder authorised the action. Re-verify at the boundary.
Re-verify at consequential boundaries
Keep OAuth for authentication. Add AffixIO verify before payments, account recovery, API key minting, and data export. Issue fresh proofs when risk engines score anomalies. Deny blocks the action. Allow attaches Merkle metadata.
Agents presenting on behalf of users follow the same pattern: user consent proofs plus agent eligibility proofs where policy requires both.
Continuous identity verification pattern
Define triggers: new device, geo velocity, privilege elevation, high-value transfer. Map each trigger to a verify call with short TTL proofs.
Pair with deepfake and injection defences so media attacks cannot skip re-verify simply because a token exists.
Boundary hooks for OAuth session re-verification
Wire AffixIO verify immediately before the boundary where OAuth session re-verification applies: checkout authorisation, MCP tool invocation, age gate, or offline scan. Issue proofs when policy is satisfied. Present at the edge. Gate on signed allow or deny.
Train support on deny retrieval: Merkle ref lookup should not require engineering access. Document which circuit version was active when the proof was issued.
Ofcom alignment
Login-time checks, lifetime trust
Stealing an OAuth token bypasses login MFA if downstream services never re-verify eligibility for consequential operations.
Bearer tokens without action binding
Possession of a token authorises any scoped API call until expiry.
Agent sessions inherit excessive scope
Compromised agent OAuth grants spend and export without fresh proofs.
No spent-proof on elevation
Password reset and payment paths reuse stale session trust.
Incident forensics from access logs only
Logs lack signed decision artefacts auditors can re-check.
Regulatory pack
Re-verify agents after OAuth session theft
Stolen OAuth sessions let attackers drive agent actions with valid tokens but invalid intent. Agent re-verification at sensitive hooks re-checks permission proofs before payment or data export.
List actions that require fresh proof
Spend, export, admin, credential issuance.
Wire risk triggers to verify
SOC rules call AffixIO when OAuth sessions look anomalous.
Issue short-lived re-verification proofs
Bind to session, device, and action class.
Log Merkle refs on every elevation
Support incident response with re-checkable outcomes.
Boundary review
Readiness checks for OAuth session re-verification
- Never trust OAuth scope alone for agent spend paths.
- Configure spent-proof on account recovery flows.
- Test token theft tabletop with re-verify enabled.
- Document deny UX for locked sessions.
- Sandbox anomaly-triggered verify before production.
Age-assurance FAQ
Questions on OAuth session re-verification
Replace OAuth provider?
No. AffixIO re-verifies eligibility beside OAuth sessions.
Refresh tokens?
Re-verify complements token rotation. Policy defines when each applies.
SaaS agents?
Machine and agent sessions benefit from the same elevation gates.
Related product?
/agent-authorisation/ covers agent permission patterns.
Sector context
Pages that support OAuth session re-verification
Infrastructure
More infrastructure briefs
Test OAuth session re-verification
Simulate session theft in sandbox, then confirm verify rejects stale proofs at payment hooks.