Object Invocation Protocol · protocol specification

OIP Security Model

## §SELF — OIP protocol specification

**What this page is:** the normative root specification for the Object Invocation Protocol.

**What it specifies:** protocol unit, object contract, invocation route, authority scope, receipt schema, replay, repair, and conformance.

**Read:** https://miscsubjects.com/a/oip-security-model
**This page as JSON:** https://miscsubjects.com/api/articles/oip-security-model
**Machine bundle:** https://miscsubjects.com/api/articles/oip-security-model/bundle?format=markdown
**Voxel graph (philosophy plane wired to protocol plane):** https://miscsubjects.com/api/articles/oip/voxels
**Live object tree:** https://miscsubjects.com/api/dispatch?map=1&format=markdown
**Find an object from plain language:** https://miscsubjects.com/api/dispatch?ask=<what you want>
**Read one object:** https://miscsubjects.com/api/dispatch?key=<KEY>&format=markdown

**Proof rule:** an action is not proven by intent, description, or a 200. It is proven by the ledger and the OIP receipt for the invocation.

### Introduction to OIP Security Model

The OIP security model is a capability-based security framework that ensures secure access to objects and resources. It utilizes capability tokens, which are issued to tenants with specific scopes, such as row, rows, pfx, act, and read. The Model Context Protocol (MCP) is a related standard that connects models to servers, but OIP's security model has its own distinct properties, including time-to-live (TTL), uses, revocation, and risk ceilings.

### Capability Tokens and Scopes

Capability tokens are issued to tenants with specific scopes, which define the level of access granted. The scopes include row, rows, pfx, act, and read. For example, a tenant with a scope of "row" can only access a specific row in a database, while a tenant with a scope of "rows" can access multiple rows. The OIP security model ensures that capability tokens are validated and verified before granting access to resources. The route to issue a capability token is POST /api/dispatch with a JSON body containing the tenant's information and the desired scope.

### Time-to-Live (TTL) and Uses

Capability tokens have a time-to-live (TTL) and a limited number of uses. The TTL defines the duration for which the token is valid, and the number of uses defines how many times the token can be used before it expires. Once the token's TTL or uses are exhausted, it is automatically revoked. The receipt that proves the issuance of a capability token contains the token's TTL and number of uses.

### Revocation and Risk Ceilings

Capability tokens can be revoked at any time, and the OIP security model ensures that revoked tokens are no longer valid. The model also includes risk ceilings, which define the maximum level of risk that can be taken by a tenant. If a tenant's risk exceeds the defined ceiling, their capability token is automatically revoked. The route to revoke a capability token is POST /api/dispatch with a JSON body containing the token's ID.

### Tenancy and Fail-Closed Errors

The OIP security model includes a tenancy system, which ensures that each tenant's resources and data are isolated from other tenants. The model also includes fail-closed errors, which ensure that if an error occurs, the system defaults to a secure state, denying access to resources rather than granting it. The receipt that proves the issuance of a capability token contains the tenant's information and the token's scope.
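
The checks described in the sections above (scope, TTL, uses, revocation, risk ceiling, tenancy, fail-closed errors) can be sketched as one authorization function. This is an added example, not OIP's reference implementation: the `Capability` record, its field names, the reason strings and the numeric risk value are assumptions, and only the `row` and `rows` scopes the page explains are modelled, so any other scope is denied.

```python
import time
from dataclasses import dataclass

@dataclass
class Capability:              # hypothetical record; field names are assumptions
    token_id: str
    tenant: str
    scope: str                 # "row" or "rows", the two scopes the page explains
    targets: frozenset         # row keys the token covers
    expires_at: float          # issue time + TTL, epoch seconds
    uses_left: int
    risk_ceiling: int          # assumed numeric risk scale
    revoked: bool = False

def authorize(store, token_id, tenant, row, risk, now=None):
    """Return (allowed, reason); every doubtful or faulty path is a denial."""
    try:
        now = time.time() if now is None else now
        cap = store.get(token_id)
        if cap is None:
            return False, "unknown_token"
        if cap.revoked:
            return False, "revoked"
        if cap.tenant != tenant:
            return False, "wrong_tenant"          # tenancy isolation
        if now >= cap.expires_at or cap.uses_left <= 0:
            cap.revoked = True                    # exhausted TTL or uses revokes
            return False, "expired_or_exhausted"
        if risk > cap.risk_ceiling:
            cap.revoked = True                    # exceeding the ceiling revokes
            return False, "risk_ceiling_exceeded"
        if cap.scope == "row" and len(cap.targets) != 1:
            return False, "malformed_scope"       # "row" means exactly one row
        if cap.scope not in ("row", "rows") or row not in cap.targets:
            return False, "out_of_scope"          # unmodelled scopes are denied
        cap.uses_left -= 1
        return True, "ok"
    except Exception:
        return False, "error_fail_closed"         # any fault denies access

if __name__ == "__main__":
    # Constructed sample token: one row, two uses, ceiling 3, expires at t=1000.
    store = {"t1": Capability("t1", "acme", "row", frozenset({"r1"}), 1000.0, 2, 3)}
    for row, risk in [("r1", 1), ("r2", 1), ("r1", None), ("r1", 1), ("r1", 1)]:
        print(row, risk, authorize(store, "t1", "acme", row, risk, now=10.0))
```

Denied requests that never reach the final check do not consume a use, so a caller cannot burn a tenant's token by sending out-of-scope or malformed requests.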

### Example and Receipt Rule

For example, a tenant can request a capability token with a scope of "row" and a TTL of 1 hour using the route POST /api/dispatch with a JSON body containing the tenant's information and the desired scope. The receipt that proves the issuance of the capability token will contain the token's ID, TTL, and number of uses. The receipt rule is that the receipt must be returned at /api/dispatch?receipt=inv_ID, where inv_ID is the ID of the invocation.

### Conformance Rule

The conformance rule for the OIP security model is that all capability tokens must be issued and validated according to the defined scopes, TTL, and uses. The model must also ensure that revoked tokens are no longer valid and that risk ceilings are enforced. The conformance rule can be tested using the curl command against the https://miscsubjects.com/api/dispatch route.


### Key evidence

5 claims · tier-ranked

- **system:** The OIP article layer is generated from live directory rows, so it documents the objects that actually run the reference implementation. (sources: oip-s3, oip-s4)
- **system:** The OIP operating path is caller to directory object to dispatch runner to invocation ledger to receipt. (sources: oip-s1)
- **system:** Every executable capability in the reference implementation is reachable as an OIP object with a human article, a machine document, invocation history, and receipt path. (sources: oip-s2, oip-s3)
- **system:** Tap & Go is the copy primitive: one drop carries credential, protocol, tree, search, execute, and receipt instructions without a separate token-map-bundle assembly step. (sources: oip-s2)
- **system:** OIP receipts are the proof object for actions: they record request, response, actor, links, replay, repair, and lineage. (sources: oip-s2, oip-s5)

oip-security-model · posted 2026-07-02 · updated 2026-07-04
Ledger API & provenance
Provenance · 1 model pass · 0 tokens · $0 · 1 model
chain head virtual-oip
generate system/oip_articles · 2026-07-04 04:12 · 0 tok · virtual-oip

### OIP REST + ledger

- **system shelf:** `GET /api/dispatch?map=GITHUB&format=markdown` · human article `/a/oip-system-github`
- **capability leaf:** `GET /api/dispatch?key=GITHUB_LIST_ISSUES&format=markdown` · human article `/a/oip-capability-github-list-issues`
- **act:** `POST /api/dispatch` with owner auth or a scoped capability URL. Public docs are open; mutating action is token-bounded.
- **token explain:** `GET /api/dispatch?explain=1&share=TOKEN`
- **receipt:** `GET /api/dispatch?receipt=inv_ID&share=TOKEN` · replay with `POST /api/dispatch {"replay":"inv_ID"}`