Is OAuth mandated?

[hrstoyanov]

Do businesses have to implement OAuth for identity linking for their customers?

What if the customers are authenticated with WebAuthn/Passkey?

[rabbidave]

Similarly interested in how y'all delegate actions while binding identity?

CoSAI et al. (of whom Google are members; happy to FWD invite) are working to standardize the landscape too

[zologic]

OAuth 2.0 is not mandated — the identity linking spec uses a mechanism registry pattern that is deliberately extensible.

In /.well-known/ucp, the dev.ucp.common.identity_linking capability declares a supported_mechanisms array. Each entry has a type (open string vocabulary) and a issuer URL. Platforms iterate from index 0 and select the first type they support:

"dev.ucp.common.identity_linking": [{
  "version": "2026-03-14",
  "config": {
    "supported_mechanisms": [
      {
        "type": "oauth2",
        "issuer": "https://store.example"
      }
    ]
  }
}]

oauth2 is the only standardised mechanism type today, backed by RFC 8414 server metadata at /.well-known/oauth-authorization-server. But the type field is an open vocabulary — nothing in the spec prevents a business from declaring "type": "webauthn" or "type": "passkey" alongside or instead of oauth2.

The practical constraint is that platforms need to implement the mechanism type to use it. Since oauth2 is the only standardised type today, platforms that only implement OAuth won't be able to use a WebAuthn-only business. But a business could declare both:

"supported_mechanisms": [
  { "type": "webauthn", "issuer": "https://store.example" },
  { "type": "oauth2",   "issuer": "https://store.example" }
]

...and platforms would use whichever they support.

On the WebAuthn/Passkey question specifically: the challenge is that WebAuthn is a browser-based ceremony — the credential is bound to the authenticator and requires a user gesture. For AI agent flows where there's no browser context, OAuth 2.0 Authorization Code + PKCE is the natural fit because the human consent step happens once in a browser and the agent gets a bearer token for subsequent autonomous operations. WebAuthn could work for the initial linking step if the platform has a way to initiate the ceremony, but ongoing agent authentication would still need a token-based mechanism.

We've implemented the oauth2 mechanism in UCPReady — full Authorization Code + PKCE S256, RFC 7591 dynamic client registration, RFC 7009 cascade revocation. Happy to share implementation notes if useful.