Standards
Last reviewed: 2026-05-12.
This page lists the protocols and specifications STACK supports in production and the inbound formats it accepts. Links point to running code at api.getstack.run.
Implement
| Standard | Status | Use |
|---|---|---|
| RFC 7519 (JWT) and RFC 7517 (JWK) | Live | All passport tokens, signed with EdDSA over Ed25519. |
| RFC 8032 (EdDSA) and RFC 8037 (CFRG curves in JOSE) | Live | Signing algorithm and key format for passport tokens, JWK publishing, and COSE_Sign1 claim envelopes. Curve: Ed25519. |
| OAuth 2.1 with PKCE (RFC 7636) and Dynamic Client Registration (RFC 7591) | Live | Operator-to-service OAuth across 63+ services. |
| RFC 8693 Token Exchange | Live | Available at /oauth/token with grant_type=urn:ietf:params:oauth:grant-type:token-exchange. Wraps passport refresh. |
| OIDC (Core and Discovery) | Live | IdP federation as an L1 or L2 trust source. Compatible with Auth0, Okta, Microsoft Entra, and any compliant issuer. |
| Model Context Protocol (Streamable HTTP) | Live | Served at mcp.getstack.run. 80 tools. |
| A2A (Agent-to-Agent) | Live | GET /.well-known/agent.json exposes the AgentCard. POST /v1/a2a/jsonrpc handles task dispatch. |
| RFC 9052 (COSE) and COSE_Sign1 | Live | Passport claim envelopes are signed COSE_Sign1 structures using EdDSA. Three signing modes coexist (per agents.key_mode): customer_managed — strict SCITT, the customer generates and holds the agent’s signing key locally and signs envelopes themselves; STACK only verifies (matches the IETF SCITT architecture draft’s signer-equals-subject model). stack_managed — SCITT-style delegated, STACK signs on the agent’s behalf using a per-agent KMS-wrapped key; the envelope shape is identical and equally verifiable, but the trust model differs (STACK is the signing principal, customer relies on STACK’s key management). co_signed — both signatures present in the envelope’s co_signatures array (agent + STACK operator-attestation) for the highest assurance bar. All three produce valid COSE_Sign1 envelopes consumable by SCITT-conformant transparency log infrastructure. |
| RFC 9334 (RATS) and RFC 9711 (EAT) | Schema live | The rats_evidence passport claim type, supporting six attestation formats. |
| SLSA v1.0 | Schema live | The slsa_provenance passport claim type. |
| CycloneDX AI/ML-BOM | Schema live | The ai_bom_ref passport claim type. |
| ISO/IEC 22144 (C2PA) | Schema live | The c2pa_assertion passport claim type. |
“Schema live” means the claim envelope and registry accept the format end-to-end. Per-format server-side verifiers (re-attestation against the upstream issuer) are still in progress. Customers needing verification against a specific TEE or builder today can reach out directly.
Consume
Inbound tokens that STACK accepts and verifies.
- WIMSE Workload Identity Tokens. Validated at POST /v1/workload/wit. The validator includes twelve threat-model tests covering issuer trust, audience binding, replay, and structural malformation.
- SPIFFE SVID. Accepted as inbound identity. STACK does not issue SVIDs.
- OIDC ID Tokens. Accepted from any compliant issuer. The full flow includes discovery, PKCE S256, nonce, JWKS verification, and claim mapping per operator policy.
Supply-chain integrity
Policy STACK applies to its own dependency graph. Verifiable against the running lockfile and Dockerfiles in the repo.
- Minimum release age — 7 days. Enforced by `minimumReleaseAge: 10080` in `pnpm-workspace.yaml`. Strict mode rejects the install rather than warning. Every documented npm supply-chain attack in the last three years was detected and pulled within 24-72 hours; the 7-day cooldown clears that window before our installs touch a new version.
- Build-script allowlist. pnpm 11 blocks `postinstall` and `preinstall` scripts by default. The allowlist is explicit: esbuild, re2, argon2, sharp, cbor-extract, msgpackr-extract, @sentry/cli, core-js, protobufjs. Every other dependency installs with build scripts muted, closing the most common npm malware delivery path.
- Frozen-lockfile installs. CI and every production Docker image build run `pnpm install --frozen-lockfile` against the committed `pnpm-lock.yaml`. New versions never resolve on the fly during a deploy.
- Customer-managed encryption keys (CMEK). Enterprise-tier operators bring their own AWS KMS key. Every operator-scoped ciphertext column STACK holds is wrapped with that key. Revoke the IAM grant; the next decrypt returns 503 with `code: cmek_revoked`.
Policy adopted 2026-05-14.