Identity model

TCTDX Identity should treat identity as a set of explicit state machines rather than a pile of route handlers.

Actors

  • Human: a person authenticating directly.
  • Agent: software acting with delegated authority.
  • Client: an OAuth/OIDC application requesting tokens.
  • Tool: a resource or operation an agent can call.
  • Organization: the administrative and trust boundary for users, domains, clients, and agents.
  • Issuer: the authority that signs tokens and publishes metadata.

State that must be explicit

  • Email addresses are pending until mailbox proof succeeds.
  • MFA factors are pending until enrollment proof succeeds.
  • Agent grants are active only while their purpose, scope, and expiry remain valid.
  • Device authorizations are pending, approved, denied, expired, or redeemed.
  • Signing keys are active, retired, or revoked.
  • Sessions are active, step-up required, expired, or revoked.

Why state machines matter

Identity failures usually happen when a system lets a shortcut skip a state transition. The prototype demonstrated this with email verification: APIs could write verifiedAt directly. The rewrite should make that impossible by construction.
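As an added example (not code from TCTDX Identity, its prototype, or the page's author), the TypeScript below models two of the machines listed above so that the shortcut described here cannot exist: a VerifiedEmail can only be produced by its single pending-to-verified transition, which demands mailbox proof (the presented token hashes to the stored challenge, before expiry, within an attempt budget), so no handler or repository layer can write verifiedAt directly; and device authorization transitions are checked against an explicit table. All names (PendingEmail, VerifiedEmail, issueChallenge, transitionDeviceAuth, the TTL, attempt limit and the device-authorization transition table) are assumptions made for the illustration, not TCTDX identifiers.

```typescript
// Added example, not TCTDX Identity code. Demonstrates "impossible by construction":
// the verified state has a private constructor, so the only path to it is the
// transition that checks mailbox proof. verifiedAt is readonly and the object frozen.
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

const CHALLENGE_TTL_MS = 15 * 60 * 1000; // assumed: 15-minute mailbox challenge
const MAX_ATTEMPTS = 5;                  // assumed: attempt budget per challenge

function hashToken(token: string): Buffer {
  return createHash("sha256").update(token, "utf8").digest(); // 32 bytes
}

// Pending is the entry state; anyone may create it. It stores only the hash of the
// challenge token, so a leaked database row does not hand out mailbox proof.
export class PendingEmail {
  readonly state = "pending" as const;
  constructor(
    readonly address: string,
    readonly challengeHash: Buffer,
    readonly expiresAt: Date,
    readonly attempts: number,
  ) {
    Object.freeze(this);
  }
}

export type VerifyResult =
  | { kind: "verified"; email: VerifiedEmail }
  | { kind: "rejected"; reason: "expired" | "locked" | "mismatch"; next: PendingEmail | null };

export class VerifiedEmail {
  readonly state = "verified" as const;
  // Private: no API handler or repository can construct a verified address or
  // set verifiedAt; only the transition below can.
  private constructor(readonly address: string, readonly verifiedAt: Date) {
    Object.freeze(this);
  }

  // The single transition pending -> verified. Order matters: expiry and the
  // attempt budget are checked before the token so a locked or stale challenge
  // never reaches the comparison.
  static verify(pending: PendingEmail, presented: string, now: Date): VerifyResult {
    if (now.getTime() >= pending.expiresAt.getTime()) {
      return { kind: "rejected", reason: "expired", next: null };
    }
    if (pending.attempts >= MAX_ATTEMPTS) {
      return { kind: "rejected", reason: "locked", next: null };
    }
    // Both buffers are SHA-256 digests, so lengths match and timingSafeEqual cannot throw.
    if (!timingSafeEqual(hashToken(presented), pending.challengeHash)) {
      const next = new PendingEmail(
        pending.address, pending.challengeHash, pending.expiresAt, pending.attempts + 1,
      );
      return { kind: "rejected", reason: "mismatch", next };
    }
    return { kind: "verified", email: new VerifiedEmail(pending.address, now) };
  }
}

// Issue a fresh challenge: the plaintext token goes to the mailbox, the hash is stored.
export function issueChallenge(address: string, now: Date): { pending: PendingEmail; token: string } {
  const token = randomBytes(32).toString("hex");
  const expiresAt = new Date(now.getTime() + CHALLENGE_TTL_MS);
  return { pending: new PendingEmail(address, hashToken(token), expiresAt, 0), token };
}

// Device authorization states from the page; the allowed edges are an assumption
// for the illustration. Terminal states have no outgoing edges.
export type DeviceAuthState = "pending" | "approved" | "denied" | "expired" | "redeemed";
const DEVICE_AUTH_TRANSITIONS: Record<DeviceAuthState, readonly DeviceAuthState[]> = {
  pending: ["approved", "denied", "expired"],
  approved: ["redeemed", "expired"],
  denied: [],
  expired: [],
  redeemed: [],
};

export function transitionDeviceAuth(from: DeviceAuthState, to: DeviceAuthState): DeviceAuthState {
  if (!DEVICE_AUTH_TRANSITIONS[from].includes(to)) {
    throw new Error(`illegal device authorization transition: ${from} -> ${to}`);
  }
  return to;
}
```

Because VerifiedEmail's constructor is private and the class is the only thing exported that can reach it, a type checker rejects any code path that tries to mint a verified address without calling verify; persistence code should store and reload the state tag and verifiedAt together rather than offering an update that sets the timestamp on its own.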