Most Policy Decision Points return a bare allow/deny. This one maps the AuthZEN 1.0 Authorization API request shape ({subject, action, resource, context}) to a mandate gate, and returns the standard {decision, context} response with an OCG execution receipt carried in context. Any relying party can take that receipt and independently replay the decision.
The PDP accepts the standard AuthZEN Authorization API evaluation request and returns the standard response shape. Nothing about the wire contract changes; the receipt rides inside the response's existing context field.
| AuthZEN field | Maps to | Notes |
|---|---|---|
subject | mandate principal | The identity or agent requesting authorization. |
action | mandate scope/verb | The action the subject wants to perform. |
resource | mandate target | The resource the action would apply to. |
context (request) | mandate parameters | Additional evaluation context, passed through to the gate. |
decision (response) | allow/deny | Standard AuthZEN boolean decision, unchanged. |
context (response) | OCG execution receipt | The differentiator: an execution_hash-referenced receipt a relying party can replay independently of this PDP. |
POST /authzen/evaluation
{
subject: { type: "agent", id: "agent-example-001" },
action: { name: "can_execute_payment" },
resource: { type: "mandate", id: "mandate-example-001" }
}
// response
{
decision: true,
context: { ocg_receipt: { execution_hash: "sha256:โฆ", node: "compile_work_mandate" } }
}