Skip to main content

PGAR Boundary ①: Ingress

Blueprint · ← Overview · Ingress · Agentic app →

Ingress receives the user request, validates the token, and issues claims to the agentic app. Every downstream decision binds to this principal.

THE CLAIM

No valid token, no agent session. Retrieval and tool paths inherit identity from ingress, not from the model.

What ingress owns

ResponsibilityDoes not own
Token validation (OAuth/OIDC/SAML)Tool proposals
Claims normalizationPDP rules
Rate limits, WAFBusiness logic
Correlation / request idContext pack assembly

Claims shape (minimum)

  • sub — stable principal id
  • roles or groups
  • emts — entitlements map (tool or corpus scoped)
  • limits — numeric thresholds where applicable
  • iat / exp — token lifetime

Failure classes

  • Anonymous ingress: agent session without validated principal
  • Claim injection: client-supplied roles trusted without IdP
  • Stale token: long loops without refresh
  • Missing correlation id: cannot tie audit to request

Implementation checklist

  1. Single gateway entry for agent API
  2. IdP validation on every request (no cached trust without TTL)
  3. Claims passed to agentic app as opaque session object
  4. Request id propagated to PEP audit

Trace fields

request_id, sub, token_iss, ingress_auth_latency_ms, claims_hash

See: Token & session boundary · Boundary overview