oauth-wg / oauth-transaction-tokens

MIT License

external invocations #107

Open adeinega opened 3 months ago

adeinega commented 3 months ago

I'm sorry if I missed anything, but why does this spec put so much emphasis on "external" invocations?

Transaction Tokens (Txn-Tokens) enable workloads in a trusted domain to ensure that user identity and authorization context of an external programmatic request, such as an API invocation

and

A valid Txn-Token indicates a valid external invocation

and in many other places. This somehow limits the set of use cases where Txn-Tokens can be applied. ServiceA can make an m2m call to ServiceB in an asynchronous way, say because of some task in its scheduler, etc.

I would suggest shortening "external invocations" to "invocations".

gffletch commented 3 months ago

What about explicitly calling out in the overview that both external and internal use cases are supported by this specification? Support for internal use cases is called out in the section around the use of self-signed tokens and the definition associated with the subject_token parameter. However, I agree it's not called out as an equal use case.
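As an added illustration (not code from the draft, the repository, or either commenter), here is what the internal, workload-initiated case adeinega describes looks like when ServiceA asks a Txn-Token Service (TTS) for a Txn-Token with no inbound external request at all, using the self-signed subject token route gffletch mentions. The grant_type, subject_token and subject_token_type parameters are RFC 8693 token exchange; the requested_token_type URN is the one the draft uses for Txn-Tokens. The TTS audience, the SPIFFE-style workload identifier, the HS256 shared key standing in for a workload's asymmetric signing key, and the TTS-side classify_invocation policy are assumptions of this example.

```python
"""Workload-initiated (internal) Txn-Token request: an added example, not the draft's code."""
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"  # RFC 8693
TXN_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:txn_token"              # Txn-Token draft
JWT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt"                    # RFC 8693
TTS_AUDIENCE = "https://tts.example.internal"                              # assumed TTS identifier

# Assumed TTS trust store: workload identifier -> verification key. A real TTS would hold
# each workload's public key (e.g. from a JWKS); a shared HMAC key is used here only so
# the example runs on the standard library. Key material is constructed for this example.
TRUSTED_WORKLOADS = {
    "spiffe://example.internal/service-a": b"constructed-key-for-service-a",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Minimal HS256 JWS over a JSON claim set."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, key: bytes, now: int) -> dict:
    """Signature, audience and expiry check; raises ValueError on any failure."""
    h, p, s = token.split(".")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("aud") != TTS_AUDIENCE:
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims


def mint_self_signed_subject_token(workload_id: str, key: bytes, now: int) -> str:
    """ServiceA asserts its own identity: no user and no inbound request are involved
    (e.g. a scheduler task about to call ServiceB)."""
    claims = {"iss": workload_id, "sub": workload_id, "aud": TTS_AUDIENCE,
              "iat": now, "exp": now + 60}
    return sign_jwt(claims, key)


def build_txn_token_request(subject_token: str, subject_token_type: str) -> str:
    """Form body of the RFC 8693 token-exchange request ServiceA posts to the TTS."""
    return urlencode({
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "requested_token_type": TXN_TOKEN_TYPE,
        "subject_token": subject_token,
        "subject_token_type": subject_token_type,
    })


def classify_invocation(form_body: str, now: int) -> dict:
    """Assumed TTS-side policy: a self-signed JWT from a trusted workload is an internal
    invocation whose Txn-Token subject is the workload itself; any other subject token
    (e.g. an access token from an external caller) is treated as external and would be
    validated against the authorization server, which is out of scope here."""
    form = {k: v[0] for k, v in parse_qs(form_body).items()}
    if (form.get("grant_type") != TOKEN_EXCHANGE_GRANT
            or form.get("requested_token_type") != TXN_TOKEN_TYPE):
        raise ValueError("not a Txn-Token exchange request")
    token = form["subject_token"]
    if form.get("subject_token_type") != JWT_TOKEN_TYPE:
        return {"kind": "external", "sub": None}
    # Read the issuer unverified only to select the key, then verify under that key.
    issuer = json.loads(_b64url_decode(token.split(".")[1])).get("iss")
    key = TRUSTED_WORKLOADS.get(issuer)
    if key is None:
        raise ValueError("issuer is not a trusted workload")
    claims = verify_jwt(token, key, now)
    if claims.get("sub") != issuer:
        raise ValueError("self-signed token must assert its own issuer as subject")
    return {"kind": "internal", "sub": claims["sub"]}


def rejects(form_body: str, now: int) -> bool:
    """True if the TTS policy refuses the request."""
    try:
        classify_invocation(form_body, now)
    except ValueError:
        return True
    return False
```

The point of the example is the decision at the TTS: the subject_token carries a workload's own assertion rather than a user's, so the issued Txn-Token's subject is the workload, and the only request-scoped context available is whatever the workload supplies. Nothing in that flow depends on an external invocation, which is the gap the issue raises.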