Filling in the GNAP

Justin Richer
4 min readOct 22, 2020


About a year ago I wrote an article arguing for creating the next generation of the OAuth protocol. That article, and some of the other writing around it, has been picked up recently, and so people have been asking me what’s the deal with XYZ, TxAuth, OAuth 3.0, and anything else mentioned there. As you can imagine, a lot has happened in the last year and we’re in a very different place.

The short version is that there is now a new working group in the IETF: Grant Negotiation and Authorization Protocol (gnap). The mailing list is still at txauth, and the first WG draft is available online now as draft-ietf-gnap-core-protocol-00.

How Are These All Related?

OK, so there’s GNAP, but now you’re probably asking yourself what’s the difference between GNAP and XYZ, or TxAuth, or OAuth 3.0. With the alphabet soup of names, it’s certainly confusing if you haven’t been following along the story in the last year.

The XYZ project started as a concrete proposal for how a security protocol could work post-OAuth 2.0. It was based on experience with a variety of OAuth-based and non-OAuth-based deployments, and on conversations with developers from many different backgrounds and walks. This started out as a test implementation of ideas, which was later written down into a website and even later incorporated into an IETF individual draft. The most important thing about XYZ is that it has always been implementation-driven: things almost always started with code and moved forward from there.

This led to the project itself being called OAuth.XYZ after the website, and later just XYZ. When it came time to write the specification, this document was named after a core concept in the architecture: Transactional Authorization. The mailing list at IETF that was created for discussing this proposal was named after this draft: TxAuth. As such, the draft, project, and website were all referred to as either XYZ or TxAuth depending on who and when you asked.

After months of discussion and debate (because naming things is really hard), the working group settled on GNAP, and GNAP is now the official name of both the working group and the protocol the group is working on publishing.

As for OAuth 3.0? Simply put, it canonically does not exist. The GNAP work is being done by many members of the OAuth community, but not as part of the OAuth working group. While there may be people who refer to GNAP as OAuth 3.0, and it does represent a similar shift forward that OAuth 2.0 did, GNAP is not part of the OAuth protocol family. It’s not out of the question for the OAuth working group decides to adopt GNAP or something else in the future to create OAuth 3.0, but right now that is not on the table.

The GNAP Protocol

Not only is GNAP an official working group, but the GNAP protocol has also been defined in an official working group draft document. This draft represents the output of several months of concerted effort by a design team within the GNAP working group. The protocol in this document is not exactly the same as the earlier XYZ/TxAuth protocol, since it pulled from multiple sources and discussions, but there are some familiar pieces.

The upshot is that GNAP is now an official draft protocol.

GNAP is also not a final protocol by any stretch. If you read through the draft, you’ll notice that there are a large number of things tagged as “Editor’s Notes” and similar commentary throughout, making up a significant portion of the page count. These represent portions of the protocol or document where the design team identified some specific decisions and choices that need to be made by the working group. The goal was to present a set of initial choices along with rationale and context for them.

But that’s not to say that the only flexible portions are those marked in the editor’s notes. What’s important about the gnap-00 document is that it’s a starting point for the working group discussion. It gives the working group something concrete to talk about and debate instead of a blank page of unknown possibilities (and monsters). With this document in hand, the working group can and will change the protocol and how it’s presented over the specification’s lifecycle.

The Immediate Future

Now that GNAP is an active standard under development, XYZ will shift into being an open-source implementation of GNAP from here out. As of the time of publication, we are actively working to implement all of the changes that were introduced during the design team process. Other developers are gearing up to implement the gnap-00 draft as well, and it will be really interesting to try to plug these into each other to test interoperability at a first stage.

TxAuth and Transactional Authorization are functionally retired as names for this work, though the mailing list at IETF will remain txauth so you might still hear reference to that from time to time because of this.

And as stated above, OAuth 3.0 is not a real thing. Which is fine, since OAuth 2.0 isn’t going anywhere any time soon. The work on GNAP is shifting into a new phase that is really just starting. I think we’ve probably got a couple years of active work on this specification, and a few more years after that before anything we do really sees any kind of wide adoption on the internet. These things take a long time and a lot of work, and it’s my hope to see a diverse and engaged group building things out!



Justin Richer

Justin Richer is a security architect and freelance consultant living in the Boston area. To get in touch, contact his company: