I'd love to hear all of your thoughts on these matters, and how ReBAC might be better fitting, if so.
(And yes, I know the distinction between client and user authZ, but these are just names. OAuth is just the status quo for the former, not the only thing that could and should do the job under all circumstances, and I just get the feeling that there's an important voice missing on these specs from the other world 😉 Not saying there's no place for both working complementarily.)