Home / Solutions / Agentic WorkflowsNew
Solutions · Agentic workflows

Agents need a signature, not just a scope.

OAuth scopes prove an agent is allowed to call an API. They don't prove that a human freely consented to this specific action, in this specific scope, at this specific moment. As AI agents start to pay invoices, execute trades, and move money on a user's behalf, banks and regulators need portable cryptographic evidence that the underlying human consent was real, in scope, and not the product of prompt injection or account compromise. RTScale's SoM Signature is that evidence — bound to the moment of delegation, carried through every downstream call the agent makes.

Request a demo Read the developer brief
HUMAN AGENT BANK SoM SIGNATURE at delegation SIGNED CALL scope-bound Verifiable at every downstream step HARDWARE-ROOTED · TTL-BOUND · CRYPTOGRAPHICALLY ERASABLE
01 · The gap in agentic payments

The agent has permission. Does the user have a record?

Existing agent-to-API plumbing was designed for read-mostly workloads, not consequential financial action. Three gaps surface the moment money starts to move.

Gap 01

Scope without consent provenance.

OAuth tokens prove the agent is allowed to call the API. They prove nothing about the human's underlying state of mind when delegation was granted — whether consent was freely given, freely scoped, or even given at all. Cap-and-scope tokens are a permission model, not an evidence model.

OAuth 2.0 · RFC 6749 · scope is permission, not provenance
Gap 02

Prompt injection at the action layer.

Agents read documents the user didn't write — emails, invoices, files, web pages. A malicious invoice can redirect a payment to the wrong account. The bank sees a legitimate API call from a credentialed agent. The user sees a fraudulent transfer. There is no record of what the human authorized vs. what the agent inferred.

OWASP LLM01 · Prompt Injection at the action layer
Gap 03

Audit-trail blindness when things go wrong.

Today's audit trail for an agent action shows API calls and timestamps. It does not show the moment of delegation — what the user said, in what state, with what understanding. Five years from now, when a regulator asks "how did this $50,000 payment get authorized," the answer cannot be "trust me, the OAuth token was valid."

EU AI Act Art. 14 · meaningful human oversight
⚠ Without SoM Signature

Agent has the keys. No one has the receipt.

Agent acts on a valid OAuth token. If the user disputes the action, the only evidence is application logs. If prompt injection redirected the payment, the logs show a legitimate-looking API call. The bank's liability is unclear; the customer's recourse is slow; the regulator's question is unanswerable. Each side has plausible deniability and zero shared evidence.

✓ With SoM Signature

Agent carries cryptographic proof of consent.

The signature binds the moment of delegation — affective state, scope, TTL, agent identity — into a hardware-attested artifact. Every downstream call carries it. The bank verifies it. The regulator can re-verify it offline, years later. One shared evidence record. Disputes have data.

02 · A worked example

How the signature travels with the agent.

A user delegates monthly invoice payments to an AI financial assistant. The agent processes the queue, hits a scope boundary, and the system handles re-authorization without breaking the flow.

Time
User · Agent · Bank
Signature events
T+0open
User initiates the task
UserHey, please pay last month's contractor invoices. They should be in my email.
AgentGot it. I'll scan for invoices dated last month and come back with a summary before paying anything.
Not yet engaged No signature requested. The agent is reading the user's email — not yet acting on the world.
T+15ssummary
Agent returns with a confirmable summary
AgentFound 3 invoices from Acme Construction totaling $8,750. Routing: ACH to account ending 4231. Should I proceed?
Preparing capture surface The agent's UI surfaces the SoM consent prompt. The user is about to make a real authorization decision — the system must capture it.
T+22sdelegation
User confirms — the delegation moment
UserYes, go ahead.
User's banking app foregrounded. Confirmation screen with the same $8,750 / Acme Construction summary. 30-second Deep Scan begins as the user reads.
Deep Scan · Authorization class On-device 30-second capture. Affect indicators measured against the user's session baseline. Result: clear consent across facial, prosodic, and gaze channels. Capturing · 30s
T+52sseal
Signature sealed and bound The user's hardware (Secure Enclave) signs the SoM artifact. Scope, TTL, agent identity, and affective provenance are bound together. Signature delivered to the agent as part of the delegation token.
Sealed · scope-bound Authorization class · scope: pay Acme Construction ≤ $10,000 · TTL 24h · max 5 calls · bound to agent_id did:agent:abc · provenance: clear consent. Sealed
T+55sexecute
Agent submits the first payment Agent calls the bank's payment API with the delegation token + attached SoM signature. The bank's existing OAuth check passes; the signature is verified by Trust Cortex as fresh, in scope, and consent-clear.
Verified at bank Signature chain valid → hardware root attested · scope match: Acme Construction · within TTL · consent provenance: clear. Payment proceeds. Verified
T+90scontinue
Agent processes invoices 2 and 3 Second and third ACH submissions to the same vendor under the same signature. Each call carries the signature; bank verifies scope match on each one. Counter: 3 of 5 calls used.
Same signature, reused Replay-protected via nonce inside the bank's API gateway. Scope and TTL re-checked on every call — not just at delegation.
T+5medge case
Agent finds a fourth invoice — different vendor A late invoice for $3,200 from BetaCo Supplies arrives. The agent identifies it as part of the user's instruction ("last month's invoices") but the existing signature's scope is bound to Acme Construction only.
Scope mismatch detected BetaCo ≠ Acme Construction. The bank's verification fails on scope, not on credentials. The bank returns 402 step_up_required with the specific mismatch detail. Step-up required
T+5m10sre-ask
Agent pauses and asks the user
AgentI also found a $3,200 invoice from BetaCo Supplies. That's a different vendor than the others — I'll need a fresh authorization. Approve?
UserYeah, that's right. Approve it.
Quick Scan re-authorization ~200ms on-device Quick Scan in the user's banking app. Signature scope narrowed to this single BetaCo payment, TTL 5 minutes. Higher specificity, shorter window. Sealed · narrow
T+5m12sresume
BetaCo payment proceeds Agent retries the API call with the new narrow signature. Bank verifies the new signature, the BetaCo scope, and clear consent. Payment proceeds. The agent completes the task.
Two signatures, two records The agent now carries two signatures in its delegation context — the broader Acme signature (3 of 5 calls used, 23h TTL remaining) and the narrow BetaCo signature (single-use, expires T+10m).
T+30derasure
Standard data lifecycle The bank retains the signature chain as part of its evidence record per its policy. The user can request cryptographic erasure of the underlying biometric capture at any time — keys are revoked, the captures become unverifiable forever.
GDPR Art. 17 satisfied by design Signature chain remains verifiable for audit. Raw biometric provenance is mathematically erased.
03 · Anatomy of an agentic signature

A signature an agent can carry, a bank can verify, a regulator can replay.

The Authorization class extends the SoM Signature with scope, time-to-live, and agent binding. Everything an agent's runtime needs to forward, and a bank's fraud platform needs to verify.

SoM Signature · Authorization class · serialized {
  "class": "authorization",
  "scope": {
    "action": "payment.ach",
    "payee_did": "did:legal:us:acme-construction-llc",
    "amount_cap": { "value": 10000, "currency": "USD" },
    "call_limit": 5
  },
  "time": {
    "issued_at": "2026-05-12T14:23:18Z",
    "expires_at": "2026-05-13T14:23:18Z"
  },
  "binding": {
    "agent_id": "did:agent:fin-assistant-v2:abc123",
    "principal_id": "did:human:pseudo:xyz789"    // pseudonymous
  },
  "provenance": {
    "capture_class": "deep_scan_30s",
    "consent_clarity": "clear",  // decomposed indicators in /provenance.full
    "hardware_root": "secure_enclave",
    "attestation": "apple.aaguid:..."
  },
  "signature": {
    "alg": "EdDSA",
    "sig": "MEUCIQDq2...",              // signed by Secure Enclave
    "chain": "[device_attestation, tenant_ca, rtscale_root]"
  }
}
Property 01

Scope

What actions the signature authorizes. Specific payee, action type, amount cap, call limit. Banks verify on every downstream call, not just at delegation.

Property 02

Time

Issued-at and expires-at, plus call-counter exhaustion. Narrower TTL for narrower scope; broader TTL for routine batches. The agent cannot extend either.

Property 03

Binding

Bound to a specific agent identifier and a specific principal. A leaked signature cannot be replayed by a different agent. A compromised agent cannot reuse another principal's signature.

Property 04

Provenance

Decomposed affective indicators at the moment of delegation, hardware-attested. A reviewer or regulator can read consent clarity offline, years later, without re-deriving from raw biometrics.

04 · Integration patterns

Framework-agnostic. SDK-mediated. Standards-tracking.

The signature is a payload, not a framework. RTScale provides agent-side SDKs and bank-side verification libraries; the rest is your stack's plumbing.

01

Agent-side SDK · call getSoMSignature(scope, ttl)

Drop-in for any agent framework that supports tool-calling. The SDK surfaces the consent prompt on the user's authenticated device, returns the sealed signature, and binds it to the agent's outbound calls.

LangChain · AutoGen · Vercel AI · OpenAI Assistants · Claude tools
02

Bank-side verification · webhook or library

Your payment API accepts the signature as an extension header. Verification library returns scope-match, freshness, and consent-clarity in a single call. Or run it as a sidecar webhook into your existing fraud platform.

REST · gRPC · Kafka · IBM MQ
03

Standards alignment

Signature serialization uses W3C Verifiable Credentials. Refresh flow follows OAuth 2.0 Step-Up Authentication Challenge Protocol. Card flows ride EMV 3DS extension data. We're active in the IETF GNAP working group for next-generation agent delegation primitives.

W3C VC · OAuth Step-Up · EMV 3DS · IETF GNAP
05 · Threat model

What the signature defends against.

Agentic workflows open a small set of new attack surfaces. The SoM Signature isn't a silver bullet, but the bindings make several specific attacks materially harder.

Threat 01

Prompt injection redirecting the action

A malicious document or webpage instructs the agent to redirect payment to an attacker-controlled account. The agent constructs a syntactically valid API call.

Bank verifies signature scope against the actual recipient. Scope mismatch → step-up. The signature is bound to a specific payee, not an instruction string.
Threat 02

Stolen API credentials, no fresh consent

An attacker exfiltrates the agent's OAuth token. They attempt to replay it to drain the principal's account.

No fresh SoM signature available → bank declines or step-ups. The attacker cannot fabricate hardware-rooted attestation from the principal's device.
Threat 03

Replayed signature outside TTL

An attacker captures a valid signature in transit and attempts to replay it later or against a different action.

Bank checks TTL and scope on every call. Nonce + replay-protection at the API gateway. Signature outside window → declined.
Threat 04

Agent acting after consent revoked

The principal changes their mind. They want to stop the agent from completing in-flight actions.

Signature revocation propagates via the verification path — bank checks revocation list on every call. The agent's authority ends the moment the principal revokes.
Threat 05

Scope creep through follow-on actions

The agent encounters an adjacent action ("pay this related invoice from a different vendor") and tries to extend the original signature.

Scope is signed; it cannot be modified by the agent. New scope requires new signature → step-up to the principal. Demonstrated in §02 timeline.
Threat 06

Coerced delegation

The principal is being coached, scammed, or coerced at the moment of delegation. They produce a syntactically valid consent.

Provenance carries decomposed affect indicators. The bank's policy can require Adjudication-class capture for high-value delegations, where coercion signals trigger hold rather than authorize.
06 · Frequently asked questions

Builder questions, answered.

Pulled from conversations with agent-framework teams, fintech security leads, and bank API platform owners.

Q1 Does this work with the agent framework I'm already using?

Yes — the signature is a payload, not a framework. Our agent-side SDK exposes a single primitive: getSoMSignature(scope, ttl). Drop it into any tool-calling loop. We have reference integrations for LangChain, AutoGen, Vercel AI SDK, OpenAI Assistants, and Anthropic Claude tools. The SDK handles the user-facing consent surface and returns the sealed signature; you decide how to forward it.

Q2 What if the user isn't physically present when the agent needs to act?

That's the whole point of the TTL + scope model. Pre-issued signatures with bounded scope and time-to-live let an agent act asynchronously within the principal's pre-authorized envelope. Outside that envelope, the agent can't proceed — it has to wait, step-up, or fail. The user trades certainty (they know exactly what the agent can do for the next 24 hours) for asynchrony (they don't have to be there for every call).

Q3 What about agent-to-agent transactions — one agent paying another agent's principal?

Two signatures meet at the transaction. The paying agent carries its principal's authorization signature. The receiving agent's principal has been onboarded with their own attestation chain (which may be a different signature class — Confirmation or Presence). The two are verified independently by the rails or banks involved. Neither agent is implicitly trusted by the other; both sides have evidence.

Q4 How does this interact with PSD3 / SCA for agent-initiated payments?

The EBA's RTS for agent-initiated payments under PSD3 is still being finalized — public consultation is ongoing. RTScale's signature satisfies the "something the user is" factor (affective biometric, hardware-attested), and composes with traditional possession and knowledge factors that the agent's runtime can carry. We're tracking the consultation closely and have submitted positions on the relationship between TTL-bounded authorization and dynamic linking. Production guidance arrives as the RTS firms up.

Q5 If the agent is compromised — prompt injection, credential theft — what's actually exposed?

A compromised agent can replay an existing valid signature only inside its scope and within TTL. Prompt-injected scope expansion is caught at the bank's verification step (the new payee or amount won't match the signed scope). Credential theft of the agent's API token does not grant the attacker the principal's hardware root — they cannot mint a fresh signature. The blast radius of an agent compromise is bounded by the active signatures' scopes and TTLs, not by the agent's full credential set.

Q6 Latency for refreshing or step-up signatures during an active agent run?

Quick Scan refresh: ~200 ms p95 on-device. Deep Scan re-authorization (for raising amount caps or broadening scope): 30 s. The agent's runtime can prefetch likely refresh prompts when it sees scope-boundary signals in its plan, so the user-facing pause is the scan duration, not scan + round-trip. Most production agent UIs we've seen surface the consent prompt inside their existing chat surface — no separate app required.

Q7 Privacy — does the agent ever see the user's biometric data?

No. Capture is on-device, inside a hardware-attested context — Mobile SDK on the user's phone, Desktop SDK on the user's machine, Web SDK in the user's browser. The agent receives the signed signature, which is a small cryptographic artifact containing decomposed affect indicators and provenance, not raw biometric data. The agent runtime does not see, store, or have any path to the raw frames or audio. This is by design and contractual.

Q8 What happens if the principal wants to revoke an active signature mid-run?

The principal can revoke through their user portal or banking app. Revocation is pushed to the bank's verification path and to the agent's runtime within seconds. The agent's next API call after revocation fails verification and the agent is informed it has lost authority. In-flight calls already accepted by the bank's queue may still settle — once a wire is committed to the rail, RTScale can't claw it back, and we wouldn't claim otherwise.

Build with the signature

Bring your agent. We'll show you what consent provenance looks like in your stack.

The 30-minute demo runs your agent against a sandbox bank with a real RTScale verification path. Watch the signature get sealed at delegation, ride along through downstream calls, and trigger step-up at the scope boundary. No deck, no theoretical "imagine if" — your code, our SDK, working signatures.

Request a developer demo Read the developer brief