PGAR Boundary ①: Ingress
Blueprint · ← Overview · Ingress · Agentic app →
Ingress receives the user request, validates the token, and issues claims to the agentic app. Every downstream decision binds to this principal.
THE CLAIM
No valid token, no agent session. Retrieval and tool paths inherit identity from ingress, not from the model.
What ingress owns
| Responsibility | Does not own |
|---|---|
| Token validation (OAuth/OIDC/SAML) | Tool proposals |
| Claims normalization | PDP rules |
| Rate limits, WAF | Business logic |
| Correlation / request id | Context pack assembly |
Claims shape (minimum)
sub— stable principal idrolesorgroupsemts— entitlements map (tool or corpus scoped)limits— numeric thresholds where applicableiat/exp— token lifetime
Failure classes
- Anonymous ingress: agent session without validated principal
- Claim injection: client-supplied roles trusted without IdP
- Stale token: long loops without refresh
- Missing correlation id: cannot tie audit to request
Implementation checklist
- Single gateway entry for agent API
- IdP validation on every request (no cached trust without TTL)
- Claims passed to agentic app as opaque session object
- Request id propagated to PEP audit
Trace fields
request_id, sub, token_iss, ingress_auth_latency_ms, claims_hash