From gtm-agent adopting the bridge (gtm-agent#250): DelegatedToolClaims is fixed to {workspaceId, allowedTools, expiresAt}. gtm's bespoke token carried a dispatchId used as the hub idempotency key (${dispatchId}:${name}). On adoption that had to be reconstructed as SHA-256(bearer)[:32] inside the invoke seam — behavior-equivalent (one scope per dispatch) but the key VALUE changed, and old-format tokens don't verify under the new HMAC (an in-flight-deploy 401 window). An optional opaque context claim (signed, echoed back in the verified claims) would let a consumer carry dispatchId and preserve its exact token shape → truly zero-behavior-change adoption.
From gtm-agent adopting the bridge (gtm-agent#250):
DelegatedToolClaimsis fixed to{workspaceId, allowedTools, expiresAt}. gtm's bespoke token carried adispatchIdused as the hub idempotency key (${dispatchId}:${name}). On adoption that had to be reconstructed asSHA-256(bearer)[:32]inside the invoke seam — behavior-equivalent (one scope per dispatch) but the key VALUE changed, and old-format tokens don't verify under the new HMAC (an in-flight-deploy 401 window). An optional opaquecontextclaim (signed, echoed back in the verified claims) would let a consumer carrydispatchIdand preserve its exact token shape → truly zero-behavior-change adoption.