Oz app authentication protocol
Created on 2023-08-08T18:50:43-05:00
Applications have to register with an Oz server ahead of time. Registration establishes an app ID that identifies the application and a shared Hawk key (the usual id, key, algorithm triple) that the application uses to authenticate its own requests to the server.
Applications are either third-party sites or native software. This part is kind of redundant for native software since I guess each local install has to create its own app ID?
Tickets are a set of Hawk credentials with one change: the id is an Iron-sealed string rather than an opaque identifier.
That sealed id carries the metadata about the grant (including the expiry time and the scope it permits) as an encrypted and HMAC-authenticated object, so the server can check expiry and scope without a database lookup. HMAC gives integrity, not a signature: only a holder of the server's sealing password can produce or verify one.
Tickets still carry a unique ID, so revocation or liveness checks remain possible if the server chooses to keep a revocation list alongside the stateless check.
Lifecycle
Applications register with the host service to get an App ID.
Applications make a request to act on a user's behalf; if the user approves, they get an "RSVP."
The RSVP is itself an Iron-sealed object holding the app ID, the grant, and an expiration date; the application exchanges it at the server's rsvp endpoint for a user ticket.
Applications then use the ticket's sealed id as the Hawk id and the ticket's own key as the Hawk key to sign requests on the user's behalf.