What is XYZ?

XYZ is a proposed delegation protocol in the spirit of OAuth 2, but designed with the decade of experience that we have now with OAuth 2 and its extensions. The XYZ protocol is not intended to be directly compatible with OAuth 2, much in the same way that OAuth 2 was not directly compatible with OAuth 1. However, the concepts and many of the goals should feel familiar to developers used to these existing protocols and their extensions. Concepts from OAuth 2, OIDC, PKCE, UMA, CIBA, OBUK, FAPI, and a host of other extensions and profiles were analyzed and adapted in the design of XYZ, but with a mind toward taking the best aspects of all of them and applying them in a consistent way.

XYZ has several core features that drive its design principles, and these are key to providing a consistent data model:

  • Intent registration. This allows the client to start the process off the same way every time by making a request to the authorization server.
  • Don't assume the user has a browser. Interaction needs to happen in a variety of ways depending on the capabilities of the client, and only sometimes will a browser be involved.
  • Minimize the front channel. When a browser is involved, the protocol seeks to minimize the amount and kind of information that passes through the URLs of the front channel.
  • Polymorphic JSON. The protocol elements have different data types that convey additional contextual meaning, allowing us to avoid mutually exclusive protocol elements and design a more succinct and readable protocol. This lets us pass things by reference or by value using the same element field, among other things.
  • Key proofing and presentation. While OAuth 2 thrived on client secrets and bearer tokens, XYZ seeks to move beyond that at the base level, making use of a variety of security technologies.
  • Ease of transition from OAuth 2. Even though this is not backwards compatible, there should be a clear translation path from OAuth 2 based systems to XYZ.
  • Inline negotiation. Whenever possible, the protocol is designed such that discovery and registration are not needed, but they can still be supported.

And most importantly, XYZ seeks to build out a protocol that doesn't have the same assumptions as OAuth 2 by carefully examining and questioning all aspects of OAuth 2 and its extensions. Nothing is considered sacred, even as we build in a world already full of OAuth 2. This lets us question the utility of protocol elements like the client_id and figure out if and how they fit into the new world.


The XYZ protocol is one of the inputs in the newly-formed Grant Negotiation Authorization Protocol (GNAP) working group in the IETF. This is a new working group, and discussion is happening now on the txauth@ietf.org mailing list. The XYZ protocol has been submitted as an individual draft, but the GNAP protocol will take its own shape after the working group is officially formed.

GNAP will one day be a formal standard, and as that standardization process takes place, XYZ will transition to being an implementation of that standard.

Presentations and Materials

This website is the most comprehensive and complete collections of information about the XYZ project, and it tends to get updated before other artifacts do.

In addition to the website, I've been fortunate to present XYZ and its concepts at a few different places so far.

I've also written a number of articles on the topic of XYZ and the choices behind the protocol design.

Several others in the wider OAuth community have also provided some great discussions on XYZ and the concepts driving this new work.


Protocol proposals without implementations are merely thought experiments, and XYZ has always sought to ground all of its ideas in trial implementations. To date there are several code bases that can be downloaded, examined, and tried out. These have changed as the protocol has changed, and will continue to do so as GNAP takes shape. As such, things might be quirky or in a somewhat unfinished, experimental state at any time.

If you have feedback for this website, please see its repository or get in touch directly.