You've heard the case for externalized authorization, now it's time to get your hands dirty. This masterclass takes you inside the OpenID AuthZEN specification, equipping you with the knowledge and practical understanding to evaluate, implement, and advocate for AuthZEN in your own organization.
- We begin with the specification itself: unpacking the core API surface, the access evaluation request and response model, and the subject, resource, and action primitives that make AuthZEN expressive yet interoperable. We'll walk through real API calls, what a well-formed access evaluation request looks like, how a compliant PDP responds, and how to handle batch evaluations and context-rich decisions at runtime.
- From specification to practice: we'll revisit the AuthZEN interoperability exercises conducted across the community, examining what was tested, which implementations participated, and what the results revealed about real-world conformance and edge cases. These interops are proof that the standard works and a candid look at where the hard problems still lie.
- We then turn to the frontier: authorization in the age of agentic systems and MCP servers. As LLM-powered workflows become part of the enterprise IT landscape, the question "what can this agent do?" becomes urgent. We'll show how AuthZEN's externalized model extends naturally to AI processes, enforcing consistent, auditable, policy-driven access control whether the requester is a human, an API client, or an autonomous agent calling an MCP tool.
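To make the request and response model concrete before the session, here is an added example (not code from the session, the speakers, or the OpenID AuthZEN working group) of a minimal PDP decision function that follows the shape of the AuthZEN Authorization API 1.0 bodies: a `subject`, `resource`, `action` and optional `context` in the request, a boolean `decision` in the response, and a batch form that carries shared defaults plus an `evaluations` list. No HTTP layer is included; the `POLICY` table, the `agent` subject type, the `mfa_verified` context key and the function names are constructed for illustration and are not part of the specification.

```python
"""Minimal AuthZEN-style PDP logic: single and batch access evaluation.

Added example, not code from the session or from the AuthZEN specification.
The JSON shapes follow the AuthZEN 1.0 evaluation bodies; the policy table,
subject types and context keys below are constructed for illustration.
"""
from __future__ import annotations

import json
from typing import Any

# Constructed policy: (subject type, action name, resource type) -> allowed.
# An autonomous agent may read documents but, unlike a human user, may not
# delete them, so the same PDP call yields different answers per requester.
POLICY: set[tuple[str, str, str]] = {
    ("user", "can_read", "document"),
    ("user", "can_delete", "document"),
    ("agent", "can_read", "document"),
}


def validate_request(req: dict[str, Any]) -> None:
    """Reject malformed evaluation requests before any policy logic runs."""
    for part in ("subject", "resource", "action"):
        if not isinstance(req.get(part), dict):
            raise ValueError(f"missing or malformed '{part}'")
    for part in ("subject", "resource"):
        for key in ("type", "id"):
            value = req[part].get(key)
            if not isinstance(value, str) or not value:
                raise ValueError(f"'{part}.{key}' must be a non-empty string")
    if not isinstance(req["action"].get("name"), str):
        raise ValueError("'action.name' must be a string")
    if "context" in req and not isinstance(req["context"], dict):
        raise ValueError("'context' must be an object when present")


def evaluate(req: dict[str, Any]) -> dict[str, Any]:
    """Single access evaluation: returns {'decision': bool[, 'context': {...}]}.

    Default deny: a malformed request or one not matched by POLICY is false,
    and the optional response context carries a reason for the deny.
    """
    try:
        validate_request(req)
    except ValueError as exc:
        return {"decision": False, "context": {"reason": str(exc)}}
    ctx = req.get("context", {})
    # Constructed context-rich rule: deletes require an MFA-verified session,
    # supplied by the PEP in the request context rather than looked up by the PDP.
    if req["action"]["name"] == "can_delete" and not ctx.get("mfa_verified", False):
        return {"decision": False, "context": {"reason": "mfa_required"}}
    key = (req["subject"]["type"], req["action"]["name"], req["resource"]["type"])
    return {"decision": key in POLICY}


def evaluate_batch(req: dict[str, Any]) -> dict[str, Any]:
    """Batch evaluation: top-level subject/resource/action/context act as
    defaults, each entry in `evaluations` overrides them, and the response
    lists one decision per entry in the same order."""
    defaults = {k: req[k] for k in ("subject", "resource", "action", "context") if k in req}
    results = [evaluate({**defaults, **item}) for item in req.get("evaluations", [])]
    return {"evaluations": results}


if __name__ == "__main__":
    # Constructed sample: one human user and one agent asking about the same document.
    batch_request = {
        "resource": {"type": "document", "id": "doc-123"},
        "action": {"name": "can_read"},
        "evaluations": [
            {"subject": {"type": "user", "id": "alice@example.com"}},
            {"subject": {"type": "agent", "id": "agent-42"}},
            {"subject": {"type": "agent", "id": "agent-42"}, "action": {"name": "can_delete"}},
        ],
    }
    print(json.dumps(evaluate_batch(batch_request), indent=2))
```

The batch merge is a shallow override: an entry that supplies its own `action` replaces the default `action` object entirely, which is the behaviour to check first when a batch response does not match expectations.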
Attendees will leave with:
- A working understanding of the AuthZEN spec - the API, the data model, and the design decisions behind them.
- Lessons from interoperability - what real-world testing has taught the community about building conformant, robust implementations.
- A blueprint for AI-era authorization - how to extend your AuthZEN deployment to govern agentic and MCP-based workloads today.
This is a technical session. Bring your questions, your edge cases, and your scepticism.