====== Agent Identity and Authentication ====== Agent identity and authentication addresses how AI agents prove who they are, what permissions they hold, and how they securely interact with services and other agents. As agents operate autonomously across APIs and cloud services, traditional human-centric authentication (passwords, MFA) is insufficient. New standards extend **OAuth 2.0/2.1**, introduce **agent cards** for discovery, and apply **zero-trust models** to agent workflows. ===== Overview ===== When an AI agent calls an API, books a flight, or communicates with another agent, a fundamental question arises: how does the receiving system verify the agent's identity and permissions? Unlike human users who can complete interactive login flows, agents need machine-speed, non-interactive authentication that supports delegation chains, cross-domain access, and continuous verification. ===== OAuth Extensions for Agents ===== Standard OAuth 2.0 (RFC 6749) and the evolving OAuth 2.1 specification provide the foundation, extended with several mechanisms for agent-specific needs: ^ Mechanism ^ Purpose ^ Standard ^ | **PKCE** | Secure authorization code exchange without static secrets | OAuth 2.1 BCP | | **DPoP** | Bind tokens to agent-specific cryptographic keys, preventing replay | OAuth DPoP | | **Token Exchange** | Propagate identity across service boundaries without over-privileging | RFC 8693/9449 | | **On-Behalf-Of (OBO)** | Agent acts on behalf of a delegating user or service | OAuth OBO | | **CAEP** | Continuous Access Evaluation -- dynamic policy enforcement and revocation | Shared Signals | These extensions address key agent challenges: long-lived sessions, cross-domain delegation, and the need for fine-grained, context-aware authorization. # Agent authentication flow using OAuth Token Exchange import httpx class AgentAuthenticator: def __init__(self, client_id, client_secret, token_endpoint): self.client_id = client_id self.client_secret = client_secret self.token_endpoint = token_endpoint async def get_delegated_token(self, user_token, target_service): """Exchange user token for a scoped agent token via RFC 8693.""" response = await httpx.AsyncClient().post( self.token_endpoint, data={ "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange", "subject_token": user_token, "subject_token_type": "urn:ietf:params:oauth:token-type:access_token", "audience": target_service, "scope": "read:data write:limited", # Least-privilege }, auth=(self.client_id, self.client_secret) ) return response.json()["access_token"] async def prove_possession(self, token, request_url): """Create DPoP proof binding token to specific request.""" # DPoP proof is a signed JWT containing the request URL and method # Prevents token replay attacks across different endpoints proof = self._create_dpop_jwt(request_url, method="POST") return {"Authorization": f"DPoP {token}", "DPoP": proof} ===== Agent Cards (.well-known/agent.json) ===== Google's **Agent-to-Agent (A2A) protocol** introduces **agent cards** -- machine-readable JSON documents hosted at a well-known URL (''/.well-known/agent.json'') that declare an agent's identity, capabilities, supported protocols, and authentication requirements. An agent card enables: * **Discovery** - Other agents and services can find and verify the agent * **Capability negotiation** - Declares what tasks the agent can perform * **Authentication metadata** - Specifies required auth mechanisms * **Trust establishment** - Links to verifiable credentials and certificates The A2A protocol complements MCP (Model Context Protocol): while MCP standardizes how agents connect to tools and data sources, A2A standardizes how agents communicate with each other as peers. ===== Zero-Trust Models for Agents ===== Zero-trust architecture assumes no implicit trust -- every agent request must be verified continuously: * **Verify explicitly** - Every API call requires fresh proof of identity and authorization * **Least-privilege access** - Agents receive only the minimum permissions needed for each specific operation * **Assume breach** - Design systems to limit blast radius when an agent token is compromised * **Continuous evaluation** - CAEP enables real-time revocation based on anomalous behavior ===== Production Platforms ===== Several platforms have emerged to manage agent authentication at scale: * **Scalekit** - OAuth lifecycle management for AI agents * **Nango** - Multi-provider token management and re-consent handling * **Arcade** - Agent-specific auth with enterprise audit support * **Strata Maverics** - Agentic identity orchestration with DPoP and CAEP ===== NIST Standards ===== NIST's February 2026 concept paper on AI agent identity specifically addresses key management, strong authentication, and authorization patterns for enterprise agent deployments. See [[nist_ai_agent_standards]] for the broader standards initiative. ===== References ===== * [[https://www.scalekit.com/blog/oauth-ai-agents-architecture|Scalekit - OAuth for AI Agents Architecture]] * [[https://www.strata.io/blog/agentic-identity/why-agentic-ai-demands-more-from-oauth-6a/|Strata - Why Agentic AI Demands More from OAuth]] * [[https://towardsdatascience.com/inside-googles-agent2agent-a2a-protocol-teaching-ai-agents-to-talk-to-each-other/|Inside Google's A2A Protocol]] * [[https://github.com/google/A2A|A2A Protocol GitHub Repository]] * [[https://www.nccoe.nist.gov/sites/default/files/2026-02/accelerating-the-adoption-of-software-and-ai-agent-identity-and-authorization-concept-paper.pdf|NIST - AI Agent Identity and Authorization Concept Paper]] ===== See Also ===== * [[nist_ai_agent_standards]] - NIST initiative for agent interoperability and security standards * [[agent_observability]] - Monitoring and tracing agent behavior in production * [[agent_debugging]] - Development-time debugging of agent systems