Default key-extraction function for the auth-principal→account mapping.
Canonical choices by credential kind:
'oauth' → oauth:<client_id> (OAuth 2.0 client identity; stable across token rotations)
'api_key' → api_key:<key_id> (API-key identity; stable until key is revoked)
'http_sig' → http_sig:<agent_url> (verified caller URL; the most durable identity)
Adopters who key on authInfo.sub or authInfo.extra instead MUST document that choice — those fields are grant-specific and may not be stable across credential rotations.
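One way to implement such a key-extraction function, as an added example that is not the library's own code: the Credential type, principalKey, resolveAccount and every sample value are hypothetical. It shows the kind prefix keeping identifiers from different credential kinds apart, and an account lookup that still resolves after a rotation in which the grant-specific sub changes.

```typescript
// Hypothetical credential shape; the field names follow the placeholders in the
// canonical key formats above, not a documented type.
type Credential =
  | { kind: 'oauth'; client_id: string; sub?: string }
  | { kind: 'api_key'; key_id: string }
  | { kind: 'http_sig'; agent_url: string };

// Pick the identifier that the canonical mapping treats as stable for each kind.
function stableId(cred: Credential): string {
  switch (cred.kind) {
    case 'oauth': return cred.client_id;
    case 'api_key': return cred.key_id;
    case 'http_sig': return cred.agent_url;
  }
}

// Build "<kind>:<stable id>". The prefix stops an API key id from colliding
// with an OAuth client_id that happens to have the same value.
function principalKey(cred: Credential): string {
  const id = stableId(cred);
  // Fail closed: a missing or blank identifier (or an unknown kind arriving
  // from untyped input) must never collapse into a shared "oauth:" bucket.
  if (typeof id !== 'string' || id.trim() === '') {
    throw new Error(`credential of kind ${cred.kind} has no stable identifier`);
  }
  return `${cred.kind}:${id}`;
}

// Constructed sample: one OAuth client before and after a token rotation.
// In this sample the grant-specific sub changes; client_id does not.
const beforeRotation: Credential = { kind: 'oauth', client_id: 'client-7f3a', sub: 'grant-001' };
const afterRotation: Credential = { kind: 'oauth', client_id: 'client-7f3a', sub: 'grant-002' };

// Principal-to-account mapping keyed on the canonical principal key.
const accounts = new Map<string, string>();
accounts.set(principalKey(beforeRotation), 'acct-42');

function resolveAccount(cred: Credential): string | undefined {
  return accounts.get(principalKey(cred));
}
```

A map keyed on sub would have stored the account under grant-001 and missed the lookup for grant-002.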