[Design Proposal] Agent Identity & Access Control #635

nadheesh · 2026-03-26T03:42:56Z

Problem

AI agents on our platform need to call external tools (APIs, MCP servers) on behalf of users. Today, there is no standardized way for agents to prove their identity, access tools securely, or act on behalf of users with proper delegation. This is not unique to us. It is the central challenge the industry is converging on.

The core gap: Traditional IAM (OAuth 2.0, SAML) was designed for human users and static service accounts, not for autonomous systems that reason about goals, make independent decisions, chain delegations across domains, and may be created and destroyed dynamically [CSA][OpenID]. Treating agents as plain OAuth2 clients or service accounts leaves critical gaps:

No distinction between agent and human operations. Audit trails can't tell whether an action was performed by a user, an application, or an autonomous agent. Microsoft Entra introduced Agent ID specifically to address this [Entra].
No right-sized access. Agents get static, broad permissions rather than task-scoped, time-limited access. OWASP's Top 10 for Agentic Applications (2026) lists Identity and Privilege Abuse as a top threat [OWASP].
No delegation boundaries. When an agent acts on behalf of a user, there's no mechanism to cap the agent's access at the user's own permissions. The agent can silently escalate.
No accountability chain. Agents lack a traceable owner. Nearly 80% of organizations deploying autonomous AI cannot tell you, in real time, what those systems are doing or who is responsible for them [Strata].
No credential lifecycle. Static API keys and long-lived service account secrets don't match the ephemeral, dynamic nature of agent workloads. CSA advocates ephemeral, context-aware identities that expire after task completion [CSA].

Industry consensus: Agents must be treated as first-class identities with the same provisioning, credential rotation, access control, and deprovisioning expected for human employees [OWASP], but with identity models designed for autonomy, delegation, and scale [CoSAI][OpenID].

Functional Goals

Agent has a verifiable identity, distinguishable from human users and static service accounts
Agent can access registered tools with the right credentials for each tool
Agent can act on behalf of users with cryptographically bounded delegation
Users control which agents can access which tools and under what conditions
Minimal agent code changes: credentials injected at deploy time, single token for all tool calls

Security Principles

Aligned with CoSAI's Principles for Secure-by-Design Agentic Systems [CoSAI] and OWASP's Agentic Application Security Guide [OWASP]:

Human Ownership: Every agent traces to a named, accountable human. CoSAI Principle 1: "Agentic systems are human-governed and accountable."
Least Privilege: Agent gets only the minimum scopes needed for the current task. OWASP: "Grant access only when needed, revoke automatically."
Bounded Delegation: Agent cannot exceed the delegating user's own permissions. OpenID Foundation: delegation chains must be constrained.
Explicit Consent: Authority must be actively granted by the user, not assumed. No silent escalation pathway.

User Stories

As a platform engineer, I want to register an agent as a non-human identity with a designated human owner and have its credentials auto-injected at deploy time so that agents are first-class, accountable identities in the directory with minimal developer effort.
As an agent developer, I want my agent to obtain a per-tool OBO token (binding agent + user identity) for each tool call so that it can act on behalf of the authenticated user with scoped, auditable delegation.
As a platform engineer, I want to register HTTP APIs and MCP servers as tools (with URL patterns, auth types, scopes, and credentials stored in a secret store), bind them to agents, and configure per-tool consent policies so that I control what each agent can access and under what conditions.
As a platform engineer, I want the gateway to enforce tool access through agent identity and OBO tokens with least-privilege scopes, rather than exposing raw credentials to agents, so that a compromised agent cannot access tools beyond its current task or escalate beyond the delegating user's permissions.
As an agent developer, I want agent-friendly consent flows (inline 401 + auth_url for tool connections, out-of-band approval for high-risk actions, connection management APIs) so that my agent can acquire and manage user consent as part of the natural conversation flow [4][5][8][9][12][13].
As a platform engineer, I want to suspend or revoke an agent's identity with immediate effect so that I can contain anomalous agent behavior in real time.
As a security auditor, I want a full audit trail of token issuance, tool access, and consent changes, plus usage analytics to detect authorization drift, so that I can investigate incidents, prove compliance, and right-size permissions [23][26][28].

Existing Solutions

Agent Identity Models

Platforms with Real Agent Identity

Platform	Agent Identity	How it works	Status
Auth0/Okta	OAuth2 client + NHI in Universal Directory	Agent authenticates via client_credentials, participates in token exchange. Token Vault stores user tokens for 30+ providers.	GA (Auth0 for AI Agents) [25][41]
Microsoft Entra	Agent Identity Blueprint → Agent Identity	Blueprint is a template with credentials; agent identities are instances created from it (no own credentials). SDK runs as containerized companion service.	Preview (Agent ID SDK) [5][6]
AWS AgentCore	Workload Identity (IAM + AgentCore Identity service)	Workload identity auto-created with runtime. Uses proprietary `GetWorkloadAccessTokenForJWT` API (not RFC 8693). Token cached in AgentCore Token Vault.	GA [34]

Platforms without Real Agent Identity

Platform	What they call "identity"	User Identity	Downstream sees agent?
Composio	API Key (developer org)	`entity_id` string (defaults to "default") [36]	No
Nango	Secret Key (developer org)	`connection_id` string [38]	No
Arcade	API Key (developer org)	`user_id` string / `Arcade-User-ID` header [39]	No

Token Flow Patterns — Three Industry Approaches

Every platform requires the agent developer to write some code to forward user identity on outbound tool calls. The patterns differ in how much code and where the credential exchange happens.

Pattern 1: Platform Proxy + `user_id` String (Composio, Nango, Arcade)

The agent never calls the tool API directly. All calls go through the platform's managed proxy, which injects stored credentials server-side. The developer passes a user_id string on every SDK call.

Agent identity: Just a developer API key (identifies the org, NOT the agent). The downstream API has no knowledge of which agent called.

# Composio
from composio import Composio

composio = Composio(api_key="YOUR_API_KEY")  # identifies the developer, not the agent

# One-time: user connects their Google account
connection = composio.connected_accounts.initiate(
    user_id="user-123",           # developer must pass this
    auth_config_id=config_id,
    config={"auth_scheme": "OAUTH2"},
    callback_url="https://yourapp.com/callback"
)

# Arcade
from arcadepy import Arcade

client = Arcade()  # ARCADE_API_KEY from env

# Authorize (triggers OAuth if not already done)
auth = client.tools.authorize(tool_name="Gmail.ListEmails", user_id="user-123")
if auth.status != "completed":
    print(f"Click to authorize: {auth.url}")
    client.auth.wait_for_completion(auth)

# Execute — Arcade injects Gmail token server-side
result = client.tools.execute(tool_name="Gmail.ListEmails", user_id="user-123")

sequenceDiagram
    participant U as End User
    participant A as Agent App
    participant P as Composio/Arcade<br/>(managed proxy)
    participant T as Tool API<br/>(e.g. Google)

    U->>A: "Check my email"
    Note over A: Agent passes user_id on every call
    A->>P: execute(tool="Gmail.ListEmails",<br/>user_id="user-123")
    P->>P: lookup stored OAuth token<br/>for (user-123, Gmail)
    P->>T: GET gmail.googleapis.com<br/>Auth: Bearer user's_gmail_token
    T-->>P: emails
    P-->>A: result
    A-->>U: "You have 3 new emails"

Pros: Zero boilerplate. Just pass a user_id. No OAuth logic in agent code.
Cons: No real agent identity. Downstream can't distinguish which agent called. Developer API key is shared across all agents.

Pattern 2: Token Exchange + Decorator (Auth0/Okta, AWS AgentCore)

The agent has a real OAuth2 identity. It exchanges its own credentials + the user's inbound JWT for an OBO/workload token. This is typically wrapped in a decorator or SDK call.

# AWS AgentCore
import requests
from bedrock_agentcore.identity.auth import requires_access_token
from bedrock_agentcore.services.identity import IdentityClient

identity_client = IdentityClient("us-east-1")

@requires_access_token(
    provider_name="google-provider",
    scopes=["https://www.googleapis.com/auth/gmail.readonly"],
    auth_flow="USER_FEDERATION",
    on_auth_url=lambda x: print("Auth URL:", x),
)
async def check_email(*, access_token: str):
    # access_token is the user's Google token, obtained via AgentCore Identity
    resp = requests.get("https://gmail.googleapis.com/gmail/v1/users/me/messages",
                        headers={"Authorization": f"Bearer {access_token}"})
    return resp.json()

sequenceDiagram
    participant U as End User
    participant IG as Ingress Gateway
    participant A as Agent App
    participant IDP as IDP<br/>(Auth0/AgentCore)
    participant T as Tool API<br/>(e.g. Google)

    U->>IG: request (with user JWT)
    IG->>A: forward + user JWT
    Note over A: @requires_access_token decorator fires
    A->>IDP: token exchange<br/>(agent_creds + user_jwt)
    IDP-->>A: tool-specific token<br/>(user's Google access_token)
    A->>T: GET gmail.googleapis.com<br/>Auth: Bearer user's_google_token
    T-->>A: emails
    A-->>IG: response
    IG-->>U: response

Pros: Real agent identity. Token Vault enforces which agents can access which users' tokens.
Cons: More integration code (decorators, SDK calls). Developer must extract user token from inbound request.

Pattern 3: Sidecar (Microsoft Entra AgentID SDK)

A containerized companion service runs alongside the agent and handles all OBO token exchange. The agent forwards the user's inbound Authorization header to the sidecar, which does the rest. Currently in Preview [15].

# Microsoft Entra AgentID SDK — sidecar runs as companion container
import requests
from flask import Flask, jsonify, request

app = Flask(__name__)

class SidecarClient:
    def __init__(self, base_url="http://localhost:5000"):
        self.base_url = base_url

    def call_downstream_api(self, incoming_token, service_name, relative_path,
                            method="GET", body=None):
        # Returns the sidecar's HTTP response (a requests.Response)
        return requests.request(
            method,
            f"{self.base_url}/DownstreamApi/{service_name}",
            params={"optionsOverride.RelativePath": relative_path},
            headers={"Authorization": incoming_token},   # forward user's token
            json=body,
        )

sidecar = SidecarClient()

@app.route("/api/profile")
def profile():
    token = request.headers.get("Authorization")    # user's inbound token
    # Sidecar does OBO exchange AND calls Microsoft Graph
    result = sidecar.call_downstream_api(token, "Graph", "me")
    # A requests.Response is not JSON-serializable, so return its decoded body
    return jsonify(result.json())

sequenceDiagram
    participant U as End User
    participant IG as Ingress Gateway
    participant A as Agent App
    participant S as Sidecar<br/>(Entra SDK)
    participant E as Entra ID
    participant T as Tool API<br/>(e.g. MS Graph)

    U->>IG: request
    IG->>A: forward + user JWT
    Note over A: Extract Authorization header
    Note over A: LLM decides to call tool
    A->>S: GET /DownstreamApi/Graph<br/>Auth: <user JWT>
    S->>E: OBO exchange<br/>agent_cert + user_token
    E-->>S: OBO token
    S->>T: GET /me<br/>Auth: Bearer <OBO token>
    T-->>S: profile
    S-->>A: result
    A-->>IG: response
    IG-->>U: response

Pros: Agent developer writes simple HTTP calls, no OAuth logic. Sidecar handles caching, refresh, and downstream calls.
Cons: Requires a companion container. Developer still writes code to forward user's Authorization header.

Pattern Summary

	Pattern 1: Platform Proxy	Pattern 2: Token Exchange	Pattern 3: Sidecar
Platforms	Composio, Nango, Arcade	Auth0/Okta, AWS AgentCore	Microsoft Entra
Agent identity	API key (developer/org)	OAuth2 client / workload identity	Service Principal (via blueprint)
User identity	`user_id` string	User JWT from inbound request	User JWT forwarded to sidecar
Downstream sees agent?	No	Yes (`act` claim / workload binding)	Yes (OBO token)
Code changes	Pass `user_id` per call	Decorator + extract user token	Forward `Authorization` header
Credential exchange	Platform server-side	SDK/decorator or gateway	Sidecar container

Consent & Authorization Patterns

How Platforms Handle Consent

Approach	Platforms	Agent code change?	UX
Pre-auth	Composio [4], Entra [5], Aembit [7]	None	Best — no interruptions
LLM-inline	Composio [8], Arcade [9], AWS [10], Entra [11]	Minimal (handle 401)	Good — natural chat flow
CIBA	Auth0/Okta [12][13]	Moderate (poll)	OK — out-of-band via push notification

OAuth Intermediary / Token Vault Comparison

Platform	OAuth intermediary	Callback owner	Token storage	Refresh strategy
Auth0 Token Vault	Auth0 servers	Auth0 (`/login/callback`)	Auth0 encrypted infra	Lazy (on request) [49]
Composio	Composio servers	Composio (`/api/v1/callback`)	Composio managed backend	Lazy (on action execution) [4]
Nango	Nango servers	Nango (`/oauth/callback`)	PostgreSQL (self-hostable)	Proactive (checks on each request, webhooks for expiry) [31]
AWS AgentCore	AWS-managed endpoint	AWS endpoint	AgentCore Token Vault (encrypted)	Lazy (on request) [27]
Our platform	Agent Manager	Agent Manager (`/oauth/callback`)	Secret Store	Lazy (gateway refreshes on demand)

Gateway & MCP Ecosystem

How Platforms Route Agent-to-Tool Traffic

Platforms take one of three approaches to routing agent traffic to tools: a shared gateway (one per org/account, all agents connect to it), a per-pod sidecar (one per application instance, runs alongside the agent), or a managed SaaS proxy (vendor-hosted, agents call a cloud API).

Platform	Topology	How the agent connects to tools	Agent code changes	Ref
Okta Agent Gateway	Shared gateway (Okta cloud)	Admin creates a "virtual MCP server" by selecting specific tools from registered MCP servers and assigns it to an agent. The agent connects via MCP to one endpoint and sees only its permitted tools (filtered by admin composition, user group membership, and OAuth scopes). Identity propagation uses XAA/ID-JAG: Okta exchanges the user's identity assertion for a scoped token bound to each downstream tool.	MCP client integration	[23][25]
AWS AgentCore Gateway	Shared gateway (AWS managed, serverless)	Agent connects via MCP protocol. The gateway translates MCP calls into the backend's native protocol: Lambda invocations, REST API calls (via OpenAPI specs), or forwarding to other MCP servers. Handles both inbound auth (agent/user) and outbound credential injection (per-tool) independently.	MCP client integration	[26][27]
Composio	Managed SaaS proxy (Composio cloud)	Agent calls Composio's SDK or MCP endpoint. Composio proxies the request to the third-party API (Gmail, Slack, etc.) with stored user credentials injected server-side. The agent never calls tools directly.	SDK calls or MCP client	[4][30]
Nango	Managed proxy (SaaS or self-hosted)	Agent sends HTTP requests to Nango's proxy endpoint with a `connectionId`. Nango resolves the provider, retrieves/refreshes the user's OAuth token, injects credentials, and forwards the request. REST-to-REST proxy, no MCP support.	HTTP proxy API calls	[31]
Microsoft Entra AgentID SDK	Per-pod sidecar (runs as a container alongside the agent in the same pod)	Agent makes HTTP calls to `localhost` (sidecar). The sidecar handles all Entra ID interactions: token validation, OBO exchange, credential caching, and optionally proxies downstream API calls with tokens attached. It is NOT a shared service, each pod runs its own instance.	HTTP calls to localhost	[15]
Aembit	Per-pod sidecar + shared MCP gateway (two components)	Sidecar (AgentProxy): Transparently intercepts outbound HTTP traffic from the pod, validates workload identity, and injects credentials. No code changes. MCP Identity Gateway: A separate shared service that MCP clients connect to. It authenticates the MCP client, identifies the human user, and manages per-user credentials for downstream MCP servers.	Sidecar: none (transparent intercept). Gateway: MCP client integration.	[7][19]

MCP Multi-Tenancy — How Platforms Handle Multiple Users

Pattern	Example	How it works
Per-user MCP URL	Composio	Each user gets a unique endpoint: `https://backend.composio.dev/v3/mcp/SERVER_ID?user_id=USER_ID`. URL encodes user context.
Shared server + user header	Arcade, MCP OAuth spec	Single gateway URL. User identity passed via `Authorization: Bearer` token or `Arcade-User-ID` header on every request.
Per-session instance	Cloudflare (Durable Objects)	Each user session gets its own `McpAgent` compute instance (extends Durable Object). Natural isolation.

Security Principles Coverage

How well each platform enforces the four security principles for agent identity and delegated access:

Principle	Definition
Human Ownership	Every agent traces to a named, accountable human
Least Privilege	Agent gets only the minimum scopes needed for its task
Bounded Delegation	Agent cannot exceed the delegating user's own permissions
Explicit Consent	Authority must be actively granted by the user, not assumed

	Human Ownership	Least Privilege	Bounded Delegation	Explicit Consent
Microsoft Entra	✅ Service principal owners in directory; access reviews; Agent ID provisioned under owning user account	✅ OBO propagates only delegated scopes — app roles stay attached to the user, never the agent (enforced by spec)	✅ OBO ceiling: token scope is bounded by what the user previously consented; Conditional Access adds runtime bounds	✅ Admin or user consent required upfront; combined consent via `knownClientApplications`; no silent delegation pathway
AWS AgentCore	⚠️ IAM trust policy binds agent to AWS account, not a named individual; AgentCore Identity adds user context binding at runtime	✅ IAM Permission Boundaries set a hard ceiling; workload token exchange (`GetWorkloadAccessTokenForJWT`, not RFC 8693) enforces scope intersection at issuance	✅ `effective permissions = identity policy ∩ permission boundary`; the exchanged token's scope cannot exceed the subject token's granted scopes	✅ OAuth 2.0 Authorization Code via Cognito/OIDC; consent recorded at IdP; agent cannot act before user grants access
Auth0 / Okta	✅ NHI entities in Universal Directory with full owner lifecycle; agent identity scoped to an owning user	✅ Fine-grained M2M scopes; RAR (Rich Authorization Requests) for per-operation grants; XAA surfaces new scope requests to end users	⚠️ Token Vault isolates user tokens per agent binding; bounds enforced per OAuth provider, not formally guaranteed at token issuance	✅ Auth Code for interactive flows; CIBA for async out-of-band approval; XAA interrupts agent execution requiring explicit user approval for new capabilities
Composio	❌ `entity_id` is an app-level string; no directory ownership; developer API key identifies org, not individual agent	⚠️ Scopes set at Auth Config level at connection time; no per-call reduction; all-or-nothing per integration	❌ No ceiling mechanism; agent acts within the full OAuth grant of the connected account	⚠️ OAuth screen at account connection; once connected, agent acts autonomously with no per-action re-consent
Nango	❌ `connection_id` is a developer-assigned string; org-level Secret Key only; no accountability chain to a named human	⚠️ Scopes fixed at integration config; stored per connection record; no dynamic per-call reduction	❌ No delegation ceiling at the Nango layer; full OAuth grant is reused for all subsequent agent calls	⚠️ OAuth screen at connection initiation; stored token reused autonomously thereafter; no per-action consent trigger
Arcade AI	❌ No directory-level identity for the agent; API key identifies developer org; no per-agent accountability	⚠️ Scopes declared per-tool via `OAuth2(scopes=[...])` at tool definition time — better granularity than Composio/Nango, but still static per tool	❌ No delegation ceiling beyond the initial OAuth grant; agent reuses stored token for all calls after initial auth	✅ Strong: user must click through an OAuth consent URL per integration; agent polls `waitForCompletion()` and cannot proceed without active user action

Legend: ✅ Formally enforced ⚠️ Partially supported / depends on configuration ❌ Not enforced

Key differentiators:

Bounded delegation is the clearest gap in Pattern 1 platforms (Composio, Nango, Arcade). They store and replay full OAuth grants with no ceiling mechanism at the platform layer.
Human ownership is absent from the same three platforms because they track a developer API key, not an individual agent identity, so there is no accountable human party attached to a specific agent.
Explicit consent is Arcade's strongest property (active per-integration user auth before any tool call), while Composio and Nango rely on a one-time connection that grants broad ongoing access.
Microsoft Entra has the most complete formal enforcement across all four properties, backed by spec-level guarantees in the OBO flow.

Proposed Solution

Overview

Each agent gets a non-human identity (NHI) in Thunder. This is a first-class entity with both user nature (directory entry, attributes, roles, groups) and app nature (OAuth2 client for authentication). The same pattern is used by Okta (NHI in Universal Directory), Microsoft Entra (Agent Identity Blueprint), and AWS (Workload Identity).

At runtime, the agent uses RFC 8693 token exchange to obtain a per-tool OBO token (binding agent + user identity) and sends it to the Tool Gateway, which validates it locally (cached JWKS), checks the scope, and translates it to whatever credential the downstream tool requires. External tools never see the OBO token; only our internal APIs, which understand its sub and act claims, receive it directly.

We follow Pattern 2 (Token Exchange) with a key simplification: a single OBO token per tool call, validated and translated at the gateway. This matches AWS AgentCore and Auth0's approach.
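
The exchange described above could be built roughly as follows. This is a minimal sketch: the grant type and token-type URNs come from RFC 8693, but the helper name `build_obo_exchange`, the use of HTTP Basic client authentication, and the absence of an `audience` parameter are assumptions for illustration, not Thunder's confirmed API.

```python
import base64
from urllib.parse import urlencode

# URNs defined by RFC 8693.
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
JWT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt"


def build_obo_exchange(client_id: str, client_secret: str,
                       user_jwt: str, tool_scope: str) -> tuple:
    """Return (headers, form_body) for a per-tool OBO token exchange.

    Assumption: the agent authenticates with HTTP Basic client credentials.
    """
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    form = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": user_jwt,            # the user's inbound JWT
        "subject_token_type": JWT_TOKEN_TYPE,
        "scope": tool_scope,                  # one tool per token, e.g. "tools:twilio"
    }
    return headers, urlencode(form)
```

The returned headers and body would be POSTed to Thunder's token endpoint; the response's `access_token` is the OBO token sent to the gateway.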

Design

Agent Identity — NHI in Thunder

An agent identity is NOT just an OAuth2 client. It's a non-human identity (NHI), a first-class entity in the identity system, like a human user but representing an agent.

Nature	What it provides	Used for
User nature	Directory entity — has attributes (name, owner, project), can be assigned roles, added to groups, participate in authorization policies	Governance, RBAC, audit, lifecycle management
App nature	OAuth2 client — can authenticate via client_credentials, receive tokens, participate in token exchange	Authentication, OBO, tool access

What gets created in Thunder when an agent is registered:

Agent Manager creates agent
    │
    ├── Agent Entity (in Agent Manager DB)
    │   ├── agent_id (UUID)
    │   ├── name, description, owner
    │   ├── project_id, environment_id
    │   ├── tool permission bindings
    │   └── lifecycle state (active, suspended, revoked)
    │
    └── NHI in Thunder (via Thunder admin API)
        ├── User nature:
        │   ├── Directory entry (searchable, manageable)
        │   ├── Attributes (agent_id, project, environment)
        │   ├── Group membership (e.g., "production-agents")
        │   └── Role assignments (for authorization policies)
        │
        └── App nature:
            ├── OAuth2 client (client_id, client_secret)
            ├── Grant type: client_credentials + token-exchange (RFC 8693)
            ├── Scopes: tool permissions (e.g., tools:twilio, tools:gcal)
            │   └── Embedded in OBO token → gateway validates locally
            └── Token issuance config
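
The registration tree above could be modeled as a single record. This is a minimal sketch: the field names mirror the tree, but the `AgentNHI` class, the `LifecycleState` enum, and the rule that only active agents may obtain tokens are illustrative assumptions, not Thunder's schema.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Set


class LifecycleState(Enum):
    ACTIVE = "active"
    SUSPENDED = "suspended"
    REVOKED = "revoked"


@dataclass
class AgentNHI:
    # User nature: directory attributes used for governance and audit.
    agent_id: str
    owner: str                      # the accountable human
    project: str
    environment: str
    groups: Set[str] = field(default_factory=set)
    # App nature: OAuth2 client used for authentication and token exchange.
    client_id: str = ""
    tool_scopes: Set[str] = field(default_factory=set)   # e.g. {"tools:twilio"}
    state: LifecycleState = LifecycleState.ACTIVE

    def may_request(self, scope: str) -> bool:
        """Assumed rule: only active agents get tokens, and only for bound tools."""
        return self.state is LifecycleState.ACTIVE and scope in self.tool_scopes
```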

Core Design — OBO Token + Gateway

Key design decisions:

Per-tool OBO token — For each tool call, the agent's SDK wrapper exchanges agent_creds + user_assertion → OBO token scoped to that specific tool (e.g., scope: "tools:twilio"). Tokens are cached per (user, tool) pair in the SDK for the session. This matches the industry pattern: AWS @requires_access_token and Auth0 withTokenForConnection both issue per-tool tokens lazily. The agent sends a single Authorization: Bearer <OBO> header to the gateway per call, with no separate headers.
Agent identity — auto-injected as environment variables at deploy time (AGENT_CLIENT_ID / AGENT_CLIENT_SECRET). The agent uses these plus the user assertion to get an OBO token from Thunder.
User identity — extracted from inbound x-jwt-assertion header. Agent uses it as the subject_token in the RFC 8693 exchange with Thunder.
Gateway proxies per-tool, not per-agent — routes like /tools/twilio/* → api.twilio.com/* are shared across all agents. The gateway checks whether this agent is permitted to access this tool by inspecting the OBO token's scope claim.
Permissions live in Thunder, validated locally at gateway — Agent→tool permissions are encoded as scopes in the OBO token (e.g., scope: "tools:twilio"). Each OBO token carries only the scope for the tool being called. Thunder issues the token with the requested scope, validated against the agent's registered tool bindings and the user's entitlements. The gateway validates the JWT locally (cached JWKS, no per-request IDP call) and checks the scope claim against the requested tool.
Agent Manager is deploy-time only — provisions NHI in Thunder (including tool scopes), stores tool credentials in the secret store, registers gateway routes. Not in the runtime hot path.
Gateway translates credentials — The OBO token is our internal auth. The downstream tool gets its own expected credential:
- External API with API key → gateway retrieves key from secret store, injects
- External API with user OAuth → gateway looks up stored user token, refreshes if needed, injects
- Internal API → gateway forwards the OBO token directly (our APIs understand sub + act claims)
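
The per-(user, tool) caching in the first decision could look roughly like this in the SDK wrapper. It is a sketch only: `OboTokenCache`, the injected `exchange` callable, and the 30-second expiry skew are hypothetical names and values chosen for illustration.

```python
import time
from typing import Callable, Dict, Tuple


class OboTokenCache:
    """Caches OBO tokens per (user, tool) pair until shortly before expiry."""

    def __init__(self, exchange: Callable[[str, str], Tuple[str, float]],
                 clock: Callable[[], float] = time.time, skew: float = 30.0):
        self._exchange = exchange   # (user_jwt, tool) -> (token, expires_at)
        self._clock = clock
        self._skew = skew           # refresh this many seconds before expiry
        self._tokens: Dict[Tuple[str, str], Tuple[str, float]] = {}

    def get(self, user_id: str, user_jwt: str, tool: str) -> str:
        key = (user_id, tool)
        cached = self._tokens.get(key)
        if cached and cached[1] - self._skew > self._clock():
            return cached[0]        # still valid: no call to the IDP
        token, expires_at = self._exchange(user_jwt, tool)
        self._tokens[key] = (token, expires_at)
        return token
```

Keying on both user and tool keeps each cached token single-purpose, so a cache hit never hands one user's or one tool's token to another call.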

Component responsibilities:

Component	Deploy time	Runtime
Agent Manager	Provision NHI in Thunder (with tool scopes), store tool credentials in secret store, register gateway routes	Handle user pre-authorization OAuth callbacks (exchange auth code → store user refresh tokens in secret store); handle CIBA approval requests. Not in the per-tool-call hot path.
Thunder	Issue agent client credentials, assign tool scopes to agent NHI	Issue OBO tokens (RFC 8693). Gateway validates OBO locally via cached JWKS (no per-request call to Thunder)
Tool Gateway	Receive route config from Agent Manager, cache Thunder's JWKS	Validate OBO token locally (signature + expiry + scopes) → check `scope` claim for tool permission → translate to tool credential → proxy → audit log
Secret Store	Receive tool credentials (API keys, OAuth client secrets) when tools are registered	Receive user pre-auth tokens at runtime via Agent Manager OAuth callbacks; serve all credential lookups to gateway on tool calls

Authorization Model

Permissions as scopes in the OBO token, validated locally at the gateway.

A common industry pattern is a three-layer model:

Layer	What	How	Where
1. Token validation	Signature, expiry, audience, issuer	Local JWKS check (cached, no IDP call)	Gateway
2. Coarse authorization	Does this agent have `tools:twilio` scope?	Check `scope` claim in JWT (local string check)	Gateway
3. Fine-grained authorization	Per-parameter constraints (e.g., amount limits)	Expression evaluation or external policy engine (OPA/Cedar)	Gateway or backend (Phase 4)

Gateways do not need to call the IDP on every request. Kong, Envoy/Istio, AWS API Gateway, WSO2 APIM, and Azure APIM all support local JWT validation with cached JWKS.

Runtime authorization flow:

Tool Gateway receives tool call on per-tool route (e.g., /tools/twilio/*)
  → Validates OBO token LOCALLY (cached JWKS — no call to Thunder)
    → Checks signature, expiry, audience, issuer
    → Extracts agent_id (from act.sub) + user_id (from sub)
    → Checks scope claim: does token have "tools:twilio"? (local check)
  → Credential translation (depends on tool auth type — see Credential Translation)
  → Always: audit log + rate limiting + policy enforcement
  → Forward to tool API with translated credential
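
The claim checks in the flow above can be sketched as a pure function. It assumes the JWT signature has already been verified against the cached JWKS and that `claims` is the decoded payload; `authorize_tool_call`, `AuthError`, and the issuer and audience values used with it are hypothetical.

```python
import time
from typing import Optional


class AuthError(Exception):
    def __init__(self, status: int, reason: str):
        super().__init__(reason)
        self.status = status


def authorize_tool_call(claims: dict, tool: str, *, issuer: str, audience: str,
                        now: Optional[float] = None) -> dict:
    """Check signature-verified OBO claims for a call to /tools/<tool>/*."""
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise AuthError(401, "token expired")
    if claims.get("iss") != issuer:
        raise AuthError(401, "wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise AuthError(401, "wrong audience")
    user_id = claims.get("sub")                      # the delegating user
    agent_id = (claims.get("act") or {}).get("sub")  # the acting agent
    if not user_id or not agent_id:
        raise AuthError(401, "missing sub or act.sub")
    if f"tools:{tool}" not in claims.get("scope", "").split():
        raise AuthError(403, "scope does not cover tool")
    return {"user_id": user_id, "agent_id": agent_id}
```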

Four Security Principles

Any agent identity + delegated access design should guarantee four fundamental properties:

Principle	Definition	How our design enforces it
Human Ownership	Every agent traces to a named, accountable human	NHI is provisioned in Thunder under a user's account; the owning user's `sub` is recorded at creation and stored as the agent's `owner` attribute. Owners can suspend or revoke the agent at any time (Story 5, 6).
Least Privilege	Agent gets only the minimum scopes needed for its task	Each tool call triggers a per-tool OBO exchange scoped to that specific tool (e.g., `scope: "tools:twilio"`). Tokens are cached per (user, tool) for the session. The gateway rejects any call where `token.scope ∩ route` is empty. No agent ever carries a wildcard or multi-tool grant on a single token (Story 25).
Bounded Delegation	Agent cannot exceed the delegating user's own permissions	Thunder enforces this at token issuance: the OBO token's scope is capped at the intersection of (a) the agent's registered tool scopes and (b) the user's own entitlements for those tools. An agent cannot hold `tools:foo` for a user who has no `foo` entitlement (Story 16).
Explicit Consent	Authority must be actively granted by the user, not assumed	Pre-authorization requires an interactive OAuth callback. Tools that the user has not yet authorized return a 401 + `auth_url` (LLM-inline consent). High-risk actions trigger an out-of-band CIBA approval. There is no code path by which an agent silently escalates its own access (Stories 12, 14, 17).
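
The Bounded Delegation row can be illustrated with plain set operations. This sketch assumes Thunder rejects a request outright when any requested scope falls outside the ceiling; narrowing the grant instead would be an equally plausible policy. `grant_scopes` and `ScopeDenied` are hypothetical names.

```python
from typing import Set


class ScopeDenied(Exception):
    """Raised when a requested scope exceeds the delegation ceiling."""


def grant_scopes(requested: Set[str], agent_bindings: Set[str],
                 user_entitlements: Set[str]) -> Set[str]:
    # Ceiling = scopes the agent is bound to AND the user is entitled to.
    ceiling = agent_bindings & user_entitlements
    denied = requested - ceiling
    if denied:
        raise ScopeDenied(", ".join(sorted(denied)))
    return set(requested)
```

For example, an agent bound to `tools:foo` still cannot obtain it for a user whose entitlements do not include `tools:foo`.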

Why User JWT (not user_id) for OBO

Some platforms (Composio, Nango, Arcade) pass a plain user_id string instead of the user's actual JWT for identifying the user in token exchanges. This is a critical security distinction.

	user_id string (Composio, Nango, Arcade)	User JWT (Auth0, Entra, AWS, Us)
Forgery	Trivial — agent/developer can pass any user_id	Impossible without IDP's private key
Replay	Indefinite (no expiry on a string)	Mitigated by JWT `exp` claim
Cryptographic proof	None — no signature to verify origin	IDP's signature proves the user authenticated
Audit trail	No proof user actually authorized the action	Full chain: `sub` (user) + `act` (agent) in signed OBO token
Trust model	Trust the calling application entirely	Trust the token issuer (IDP)

Why those platforms use user_id: Simpler integration — developers don't need to manage JWT forwarding. Their security model assumes the developer's backend has already authenticated the user. ZITADEL's documentation explicitly calls this approach "experimental and potentially insecure since trust is fully placed into the app making the request."

Our approach: The agent uses the user's actual JWT (received via x-jwt-assertion from the ingress gateway) as the subject_token in the RFC 8693 exchange. Thunder cryptographically verifies this JWT (signature, expiry, audience) before issuing the OBO token. A compromised agent cannot forge a user's identity, and it can replay a captured JWT only until that JWT expires.

This aligns with the IETF Internet-Draft draft-oauth-ai-agents-on-behalf-of-user (a proposal, not yet a standard), which mandates actual user tokens (not user_id strings) for OBO exchanges.

Credential Translation

The gateway is the authorization boundary. After validating the OBO token, it translates to whatever credential the downstream tool expects:

Scenario	Gateway action
OBO token invalid / expired / bad signature	401 Unauthorized (local JWKS check)
Token `scope` does not include requested tool	403 Forbidden (local claim check — no IDP call)
Tool uses API key	Retrieve from secret store, inject, forward
Tool uses user's OAuth token (pre-authorized)	Lookup stored token from secret store, refresh if needed, inject, forward
Tool is our internal API	Forward OBO token as-is (our APIs understand `sub` + `act`)
Tool requires user auth (NOT pre-authorized)	Return 401 + auth_url (agent/LLM shows link) [8][9]
Tool requires step-up (e.g., payment)	Return 202 + trigger CIBA [12][13]
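The table above can be read as a single decision function. The sketch below is one possible encoding, not the gateway's actual code: the tool_auth labels ("internal", "api_key", "user_oauth"), the Decision type, and the order in which the checks run are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Decision:
    status: int
    action: str


def decide(token_valid: bool, scopes: set, tool: str, tool_auth: str,
           stored_credential: Optional[str], needs_step_up: bool = False) -> Decision:
    """Map one inbound tool call to the gateway action from the table."""
    if not token_valid:                      # invalid / expired / bad signature
        return Decision(401, "reject: invalid OBO token")
    if f"tools:{tool}" not in scopes:        # local claim check, no IDP call
        return Decision(403, "reject: scope missing")
    if needs_step_up:                        # e.g. payment
        return Decision(202, "trigger CIBA")
    if tool_auth == "internal":
        return Decision(200, "forward OBO token as-is")
    if tool_auth == "api_key":
        return Decision(200, "inject API key from secret store")
    if tool_auth == "user_oauth":
        if stored_credential is None:        # user has not pre-authorized
            return Decision(401, "return auth_url")
        return Decision(200, "inject user's OAuth token")
    raise ValueError(f"unknown tool_auth: {tool_auth}")
```

For example, `decide(True, {"tools:google-calendar"}, "google-calendar", "user_oauth", None)` yields the 401 + auth_url row.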

Approach Diagrams

The approach diagrams cover the key combinations of four architectural dimensions that shape the auth flow:

Dimension	Options
1. Privilege model	Own (sub=agent) · Own + caller context (sub=agent, ctx_caller for audit) · Delegation/OBO (sub=caller, act=agent, bounded by caller's entitlements)
2. Caller type	None (scheduler, service, event, CLI) · Human user (session JWT via browser) · Agent (NHI with dual nature — can be OBO subject like a user) · Service (app-only identity, pure M2M trigger)
3. Credential at tool	No translation (forward JWT/headers, tool trusts gateway) · Static credential (API key from secret store) · Delegated credential (per-user/per-caller token from secret store)
4a. Tool authorization	None (tool accepts agent/platform creds) · Required (OAuth flow at tool provider's consent screen — e.g., Google)
4b. Platform consent	None · Required (developer/admin policy enforces user approval, even if tool doesn't require OAuth)
4c. Timing	Pre-auth (during onboarding / Connected Accounts, before chat) · Inline (401 during chat, just-in-time)

Scenario Matrix

Case	Group	Privilege Model	Caller	Credential at Tool	Consent
0	A	Own	None / Service	No translation	None
1	A	Own	None / Service	Static credential	None
2	B	Own + caller context	Human / Agent	No translation	None
3	B	Own + caller context	Human / Agent	Static credential	None
4	C	OBO (caller's privs)	Human / Agent	No translation	None
5	C	OBO (caller's privs)	Human / Agent	Static credential	None
6	D	OBO (caller's privs)	Human	Delegated credential	Tool authorization (pre-auth)
7	D	OBO (caller's privs)	Human	Delegated credential	Platform consent (pre-auth)
8	D	OBO (caller's privs)	Human	Delegated credential	Inline 401 → tool authorization

The diagrams are grouped by privilege model:

Group A (Cases 0–1): Agent's own privileges, no caller — Pure client_credentials. No user login. Agent is sub.
Group B (Cases 2–3): Agent's own privileges + caller context — client_credentials with ctx_caller claim. Caller is logged in but agent uses its own entitlements. Caller identity is audit metadata only.
Group C (Cases 4–5): OBO without consent — RFC 8693 token exchange. Caller's entitlements bound the agent. No pre-auth or consent needed (tool trusts gateway or uses static cred).
Group D (Cases 6–8): OBO with consent — Full user sessions showing login → consent → OBO → tool call. Each diagram shows the complete chain of trust.
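For readers who want to look up a case programmatically, the scenario matrix can be written as data. This is only a sketch: the short labels ("own", "own+caller", "obo", "tool-preauth", and so on) are hypothetical encodings of the table cells, and grant_for simply restates the group descriptions above.

```python
from typing import NamedTuple, Optional


class Scenario(NamedTuple):
    case: int
    group: str
    privilege: str       # "own" | "own+caller" | "obo"
    callers: frozenset   # caller types the row applies to
    credential: str      # "none" | "static" | "delegated"
    consent: str         # "none" | "tool-preauth" | "platform-preauth" | "inline"


NO_CALLER = frozenset({"none", "service"})
ANY_CALLER = frozenset({"human", "agent"})
HUMAN = frozenset({"human"})

SCENARIOS = [
    Scenario(0, "A", "own", NO_CALLER, "none", "none"),
    Scenario(1, "A", "own", NO_CALLER, "static", "none"),
    Scenario(2, "B", "own+caller", ANY_CALLER, "none", "none"),
    Scenario(3, "B", "own+caller", ANY_CALLER, "static", "none"),
    Scenario(4, "C", "obo", ANY_CALLER, "none", "none"),
    Scenario(5, "C", "obo", ANY_CALLER, "static", "none"),
    Scenario(6, "D", "obo", HUMAN, "delegated", "tool-preauth"),
    Scenario(7, "D", "obo", HUMAN, "delegated", "platform-preauth"),
    Scenario(8, "D", "obo", HUMAN, "delegated", "inline"),
]


def find_case(privilege: str, caller: str, credential: str,
              consent: str = "none") -> Optional[Scenario]:
    """Return the matrix row for a combination, or None if it is not covered."""
    for s in SCENARIOS:
        if (s.privilege, s.credential, s.consent) == (privilege, credential, consent) \
                and caller in s.callers:
            return s
    return None


def grant_for(scenario: Scenario) -> str:
    """Groups A and B use client_credentials; C and D use RFC 8693 token exchange."""
    return "client_credentials" if scenario.group in ("A", "B") else "token-exchange"
```

A combination that returns None, such as own privileges with a delegated credential, is one the diagrams do not cover.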

Case 0: Agent's Own Privileges — No Caller, No Credential Translation

No human user. Agent is triggered by a scheduler, cron job, service, event, or CLI. Authenticates with client_credentials, operates under its own entitlements. Tool is internal — gateway forwards JWT directly, no credential translation.

sequenceDiagram
    participant C as Caller<br/>(Scheduler / Service /<br/>Event / CLI)
    participant A as Agent App
    participant TH as Thunder (IDP)
    participant TG as Tool Gateway
    participant T as Internal Tool API<br/>(e.g., Analytics)

    Note over A: Deploy time: AGENT_CLIENT_ID,<br/>AGENT_CLIENT_SECRET injected as env vars

    C->>A: trigger request (no user context)

    A->>TH: POST /token<br/>grant_type: client_credentials<br/>client_id + client_secret<br/>scope: "tools:analytics"
    TH->>TH: Validate agent identity ✓<br/>Check agent's registered scopes ✓
    TH-->>A: JWT {sub: "pipeline-agent",<br/>scope: "tools:analytics",<br/>aud: "tool-gateway"}

    Note over A: sub = agent.<br/>No user claims.<br/>Agent's own entitlements only.

    A->>TG: GET /tools/analytics/v1/report<br/>Authorization: Bearer <token>

    TG->>TG: Validate JWT locally (cached JWKS)<br/>✓ Signature, expiry, issuer, audience<br/>✓ scope contains "tools:analytics"<br/>Extract agent_id (no user)

    Note over TG: Tool is platform-managed.<br/>No credential translation needed.

    TG->>T: Forward request directly<br/>(service mesh call)<br/>JWT forwarded or agent_id as header

    T-->>TG: results
    TG-->>A: response
    A-->>C: results

    Note over TG: Audit log:<br/>agent=pipeline-agent, user=NONE,<br/>tool=analytics

Key points:

No user involvement — no login, no user claims in token
sub = agent. Privileges = agent's registered scopes in Thunder
Gateway forwards JWT as-is. Tool trusts gateway identity.
Use case: scheduled reports, data pipelines, monitoring agents, event-driven processing, service-to-service
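The token request in the diagram could be assembled roughly as follows. This is a sketch under assumptions: it sends client_id and client_secret as form fields (the diagram does not say whether Thunder expects them in the body or in a Basic header), and the function name is hypothetical. Only the environment variable names and the scope value come from the diagram.

```python
import os
from urllib.parse import urlencode


def client_credentials_request(scope: str, env=os.environ):
    """Build headers and form body for POST /token with grant_type=client_credentials."""
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": env["AGENT_CLIENT_ID"],          # injected at deploy time
        "client_secret": env["AGENT_CLIENT_SECRET"],  # injected at deploy time
        "scope": scope,
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return headers, body
```

Passing a plain dict as env keeps the function testable without touching the process environment.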

Case 1: Agent's Own Privileges — No Caller, Static Credential

Same as Case 0, but tool is external (e.g., Twilio with API key). Gateway translates credentials — retrieves API key from secret store and injects it. External tool never sees our JWT.

sequenceDiagram
    participant C as Caller<br/>(Scheduler / Service /<br/>Event / CLI)
    participant A as Agent App
    participant TH as Thunder (IDP)
    participant TG as Tool Gateway
    participant SS as Secret Store
    participant T as External Tool API<br/>(e.g., Twilio)

    Note over A: Deploy time: AGENT_CLIENT_ID,<br/>AGENT_CLIENT_SECRET injected as env vars

    C->>A: trigger request (no user context)

    A->>TH: POST /token<br/>grant_type: client_credentials<br/>client_id + client_secret<br/>scope: "tools:twilio"
    TH-->>A: JWT {sub: "notifier-agent",<br/>scope: "tools:twilio",<br/>aud: "tool-gateway"}

    A->>TG: POST /tools/twilio/v1/messages<br/>Authorization: Bearer <token>

    TG->>TG: Validate JWT locally (cached JWKS)<br/>✓ scope "tools:twilio" ✓

    Note over TG: Credential translation needed.<br/>External tool expects API key.

    TG->>SS: GET credential for<br/>(notifier-agent, twilio)
    SS-->>TG: {apiKey: "TWILIO_AUTH_TOKEN_xxx"}

    TG->>T: POST api.twilio.com/2010-04-01/<br/>Accounts/{AccountSid}/Messages.json<br/>Authorization: Basic base64(AccountSid:TWILIO_AUTH_TOKEN_xxx)

    T-->>TG: message SID + status
    TG-->>A: response
    A-->>C: results

    Note over TG: Audit log:<br/>agent=notifier-agent, user=NONE,<br/>tool=twilio

Key difference from Case 0: Gateway performs credential translation via secret store. External tool never sees our JWT. API key is typically org-level or agent-level (not per-user).
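A minimal sketch of that translation step, assuming an in-memory dict as the secret store and a placeholder X-Api-Key header. How a real tool expects its key (header name, Basic or Bearer scheme) varies per provider, so both are assumptions here.

```python
def translate_request(inbound_headers: dict, agent_id: str, tool: str,
                      secret_store: dict, header_name: str = "X-Api-Key"):
    """Drop our JWT, inject the tool's credential, and build the audit entry."""
    api_key = secret_store[(agent_id, tool)]  # keyed per (agent, tool), not per user
    outbound = {k: v for k, v in inbound_headers.items()
                if k.lower() != "authorization"}  # external tool never sees our JWT
    outbound[header_name] = api_key
    audit = {"agent": agent_id, "user": None, "tool": tool}  # the key itself is never logged
    return outbound, audit
```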

Case 2: Agent's Own Privileges + Caller Context — No Credential Translation

Caller (human user or upstream agent) is present and authenticated. Agent operates under its own privileges, not the caller's. Caller identity is embedded as a custom claim (ctx_caller) for audit and data filtering only. Tool is internal, so no credential translation is needed.

sequenceDiagram
    participant C as Caller<br/>(Human User or<br/>Upstream Agent)
    participant IG as Ingress Gateway
    participant A as Agent App
    participant TH as Thunder (IDP)
    participant TG as Tool Gateway
    participant T as Internal Tool API<br/>(e.g., Analytics)

    Note over A: Deploy time: AGENT_CLIENT_ID,<br/>AGENT_CLIENT_SECRET injected as env vars

    alt Human user (browser)
        C->>IG: request (with session JWT)
        IG->>IG: Validate user JWT ✓
        IG->>A: Forward + x-jwt-assertion header
    else Upstream agent (service call)
        C->>IG: request (with agent JWT)
        IG->>IG: Validate agent JWT ✓
        IG->>A: Forward + x-jwt-assertion header
    end

    Note over A: Extract caller assertion<br/>from x-jwt-assertion header

    A->>TH: POST /token<br/>grant_type: client_credentials<br/>client_id + client_secret<br/>scope: "tools:analytics"<br/>caller_assertion: <caller_jwt>
    Note over TH: Verify caller_assertion<br/>(signature, expiry) ✓<br/>Extract caller identity.<br/>Embed as custom claim — NOT sub.<br/>Privileges = AGENT's scopes only.<br/>Caller's entitlements NOT checked.
    TH-->>A: JWT {sub: "analytics-agent",<br/>ctx_caller: "user-123 | agent-A",<br/>scope: "tools:analytics",<br/>aud: "tool-gateway"}

    Note over A: sub = agent (not caller).<br/>ctx_caller = audit context only.<br/>Agent uses its OWN privileges.

    A->>TG: GET /tools/analytics/v1/report<br/>Authorization: Bearer <token>

    TG->>TG: Validate JWT locally ✓<br/>scope "tools:analytics" ✓<br/>Extract agent_id + ctx_caller

    TG->>T: Forward request<br/>agent_id + ctx_caller as headers

    T-->>TG: results
    TG-->>A: response
    A-->>IG: response
    IG-->>C: "Report generated..."

    Note over TG: Audit log:<br/>agent=analytics-agent,<br/>ctx_caller=user-123 (who triggered),<br/>tool=analytics

Key points:

Thunder cryptographically verifies the caller JWT before embedding ctx_caller — agent cannot forge identity
sub = agent. Privileges = agent's scopes. Caller's entitlements NOT checked.
ctx_caller is for audit trail and optional data filtering, not authorization
Caller can be human user (session JWT) or upstream agent (agent JWT) — same mechanics
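The points above amount to a small rule at the IDP: scopes come from the agent alone, and the caller shows up only as ctx_caller. A hedged sketch of that rule follows; mint_agent_token is a hypothetical name, and caller_claims is assumed to have already passed signature and expiry verification.

```python
from typing import Optional


def mint_agent_token(agent_id: str, agent_scopes: set, requested_scope: str,
                     caller_claims: Optional[dict] = None) -> dict:
    """Issue claims where sub is the agent and the caller is audit context only."""
    requested = set(requested_scope.split())
    if not requested <= agent_scopes:
        raise PermissionError("agent is not registered for the requested scope")
    token = {
        "sub": agent_id,                         # the agent, never the caller
        "scope": " ".join(sorted(requested)),    # derived from the agent's scopes only
        "aud": "tool-gateway",
    }
    if caller_claims is not None:
        token["ctx_caller"] = caller_claims["sub"]  # caller's own scopes are ignored
    return token
```

Note that a caller holding broader scopes than the agent gains nothing here: the request fails unless the agent itself is registered for the scope.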

Case 3: Agent's Own Privileges + Caller Context — Static Credential

Same as Case 2, but tool is external. Gateway translates credentials via secret store.

sequenceDiagram
    participant C as Caller<br/>(Human User or<br/>Upstream Agent)
    participant IG as Ingress Gateway
    participant A as Agent App
    participant TH as Thunder (IDP)
    participant TG as Tool Gateway
    participant SS as Secret Store
    participant T as External Tool API<br/>(e.g., Twilio)

    alt Human user
        C->>IG: request (with session JWT)
        IG->>A: Forward + x-jwt-assertion
    else Upstream agent
        C->>IG: request (with agent JWT)
        IG->>A: Forward + x-jwt-assertion
    end

    A->>TH: POST /token<br/>grant_type: client_credentials<br/>client_id + client_secret<br/>scope: "tools:twilio"<br/>caller_assertion: <caller_jwt>
    TH-->>A: JWT {sub: "notifier-agent",<br/>ctx_caller: "user-123 | agent-A",<br/>scope: "tools:twilio",<br/>aud: "tool-gateway"}

    A->>TG: POST /tools/twilio/v1/messages<br/>Authorization: Bearer <token>

    TG->>TG: Validate JWT locally ✓<br/>scope "tools:twilio" ✓<br/>Extract agent_id + ctx_caller

    TG->>SS: GET credential for<br/>(notifier-agent, twilio)
    SS-->>TG: {apiKey: "TWILIO_AUTH_TOKEN_xxx"}

    TG->>T: POST api.twilio.com/2010-04-01/<br/>Accounts/{AccountSid}/Messages.json<br/>Authorization: Basic base64(AccountSid:TWILIO_AUTH_TOKEN_xxx)

    T-->>TG: message SID + status
    TG-->>A: response
    A-->>IG: response
    IG-->>C: "SMS sent ✓"

    Note over TG: Audit log:<br/>agent=notifier-agent,<br/>ctx_caller=user-123,<br/>tool=twilio

Key difference from Case 2: Gateway performs credential translation. External tool never sees our JWT or caller identity.

Case 4: OBO (Caller's Privileges) — No Credential Translation

Caller (human user or upstream agent) is present. Agent acts on behalf of the caller via RFC 8693 token exchange — bounded by the caller's entitlements. Tool is internal, trusts gateway — no credential translation needed.

sequenceDiagram
    participant C as Caller<br/>(Human User or<br/>Upstream Agent)
    participant IG as Ingress Gateway
    participant A as Agent App
    participant TH as Thunder (IDP)
    participant TG as Tool Gateway
    participant T as Internal Tool API<br/>(e.g., HR System)

    alt Human user
        C->>IG: "What's my PTO balance?"<br/>(with session JWT)
        IG->>A: Forward + x-jwt-assertion
    else Upstream agent (delegation chain)
        C->>IG: request (with agent-A JWT)
        IG->>A: Forward + x-jwt-assertion
    end

    Note over A: LLM reasons → call HR tool

    A->>TH: RFC 8693 token exchange<br/>grant_type: token-exchange<br/>subject_token: caller_assertion (JWT)<br/>actor_token: agent_token<br/>scope: "tools:hr-system"
    TH->>TH: Validate caller JWT (signature ✓)<br/>Validate agent has tools:hr-system ✓<br/>Caller has hr-system entitlement ✓<br/>scope = intersection(agent, caller, requested)
    TH-->>A: OBO token<br/>{sub: "user-123 | agent-A",<br/>act: {sub: "hr-agent"},<br/>scope: "tools:hr-system"}

    Note over A: sub = caller (not agent).<br/>act = agent. Privileges = CALLER's<br/>entitlements. Agent is bounded.

    A->>TG: GET /tools/hr-system/v1/pto<br/>Authorization: Bearer <OBO_token>

    TG->>TG: Validate OBO locally (cached JWKS)<br/>✓ Signature, expiry, audience<br/>✓ scope "tools:hr-system"<br/>Extract caller_id + agent_id

    TG->>T: Forward request<br/>caller_id + agent_id as headers

    T-->>TG: PTO balance data
    TG-->>A: response
    A-->>IG: response
    IG-->>C: "You have 12 PTO days remaining"

    Note over TG: Audit log:<br/>caller=user-123, agent=hr-agent,<br/>tool=hr-system, action=GET /pto

Key differences from Cases 2–3 (caller context):

RFC 8693 token exchange, not enhanced client_credentials
Token sub = caller (not agent). act = agent. Privileges = caller's entitlements.
Thunder checks caller's entitlements AND agent's scopes — issues token with intersection
Agent is bounded by caller's entitlements — can only access what the caller can access

When caller is an upstream agent: Creates a delegation chain. If agent-A calls agent-B, the OBO token has sub: agent-A, act: {sub: agent-B}. agent-B is bounded by agent-A's entitlements.
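The exchange and the scope intersection can be sketched as below. The grant type and token type URNs are the ones RFC 8693 defines; everything else (function names, the choice to reject an empty intersection, and nesting a prior act inside the new one as RFC 8693 describes for delegation chains) is an assumption about how Thunder might behave, not a description of it.

```python
from urllib.parse import urlencode

TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
JWT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt"


def exchange_request(subject_token: str, actor_token: str, scope: str) -> str:
    """Form body for the RFC 8693 request: caller is the subject, agent the actor."""
    return urlencode({
        "grant_type": TOKEN_EXCHANGE,
        "subject_token": subject_token,
        "subject_token_type": JWT_TOKEN_TYPE,
        "actor_token": actor_token,
        "actor_token_type": JWT_TOKEN_TYPE,
        "scope": scope,
    })


def issue_obo(caller_claims: dict, caller_entitlements: set, agent_id: str,
              agent_scopes: set, requested: set) -> dict:
    """scope = intersection(agent, caller, requested); sub = caller, act = agent."""
    granted = set(requested) & set(agent_scopes) & set(caller_entitlements)
    if not granted:
        raise PermissionError("no scope shared by agent, caller and request")
    act = {"sub": agent_id}
    if "act" in caller_claims:        # caller's token was itself delegated:
        act["act"] = caller_claims["act"]  # keep prior actors nested inside
    return {"sub": caller_claims["sub"], "act": act,
            "scope": " ".join(sorted(granted))}
```

With a plain agent-A token as the subject, the result matches the chain described above: sub is agent-A and act.sub is agent-B.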

Case 5: OBO (Caller's Privileges) — Static Credential

Same as Case 4, but tool is external. Gateway translates credentials via secret store.

sequenceDiagram
    participant C as Caller<br/>(Human User or<br/>Upstream Agent)
    participant IG as Ingress Gateway
    participant A as Agent App
    participant TH as Thunder (IDP)
    participant TG as Tool Gateway
    participant SS as Secret Store
    participant T as External Tool API<br/>(e.g., Twilio)

    alt Human user
        C->>IG: "Send confirmation SMS"<br/>(with session JWT)
        IG->>A: Forward + x-jwt-assertion
    else Upstream agent
        C->>IG: request (with agent JWT)
        IG->>A: Forward + x-jwt-assertion
    end

    A->>TH: RFC 8693 token exchange<br/>subject_token: caller_assertion<br/>actor_token: agent_token<br/>scope: "tools:twilio"
    TH-->>A: OBO token<br/>{sub: "user-123 | agent-A",<br/>act: {sub: "comms-agent"},<br/>scope: "tools:twilio"}

    A->>TG: POST /tools/twilio/v1/messages<br/>Authorization: Bearer <OBO_token>

    TG->>TG: Validate OBO locally ✓<br/>scope "tools:twilio" ✓<br/>Extract caller_id + agent_id

    TG->>SS: GET credential for<br/>(comms-agent, twilio)
    SS-->>TG: {apiKey: "TWILIO_AUTH_TOKEN_xxx"}

    TG->>T: POST api.twilio.com/2010-04-01/<br/>Accounts/{AccountSid}/Messages.json<br/>Authorization: Basic base64(AccountSid:TWILIO_AUTH_TOKEN_xxx)

    T-->>TG: message SID + status
    TG-->>A: response
    A-->>IG: response
    IG-->>C: "SMS sent ✓"

    Note over TG: Audit log:<br/>caller=user-123, agent=comms-agent,<br/>tool=twilio

Key difference from Case 4: Gateway translates credentials. Note that even though the credential is a static API key (agent/org level), the OBO token ensures the caller's entitlements are checked at Thunder — the agent can only call Twilio if the caller has tools:twilio entitlement.

Case 6: OBO + Tool Authorization — Pre-auth (OAuth Dance)

Complete user session. The tool provider (e.g., Google Calendar) requires user-level OAuth authorization — without it, you cannot access the user's data. User connects their tool account via OAuth during onboarding, then chats with OBO-authenticated tool calls.

The tool authorization (OAuth dance) happens because the tool itself requires it — Google won't give you calendar data without a user-authorized token.

sequenceDiagram
    participant U as End User<br/>(Browser)
    participant UI as Agent App UI
    participant AM as Agent Manager
    participant TP as Tool Provider<br/>(e.g., Google OAuth)
    participant SS as Secret Store
    participant IG as Ingress Gateway
    participant A as Agent App<br/>(LLM)
    participant TH as Thunder (IDP)
    participant TG as Tool Gateway
    participant T as Tool API<br/>(e.g., Google Calendar)

    Note over U,UI: ═══ PHASE 1: USER LOGIN ═══

    U->>UI: Open agent app in browser
    UI->>TH: Redirect to Thunder login
    TH-->>U: Login page
    U->>TH: Authenticate (username/password, SSO, etc.)
    TH-->>UI: Authorization code
    UI->>TH: Exchange code → tokens
    TH-->>UI: User JWT (session token)
    Note over U,UI: User is now logged in.<br/>Session JWT established.

    Note over U,UI: ═══ PHASE 2: TOOL AUTHORIZATION ═══<br/>═══ (Tool requires OAuth consent) ═══

    Note over U,UI: Agent app shows Connected Accounts<br/>or first-use setup

    U->>UI: Click [Connect Google Calendar]
    UI->>AM: POST /connections/initiate<br/>{user_id, agent_id,<br/>tool: "google-calendar",<br/>scopes: ["calendar:read"]}

    AM->>AM: Build OAuth authorize URL:<br/>client_id = platform's registered<br/>OAuth client with Google<br/>redirect_uri = amp.example.com/<br/>oauth/callback<br/>state = encrypted(user_id, agent_id,<br/>tool, nonce)<br/>code_challenge = PKCE S256

    AM-->>UI: {auth_url: "https://accounts.google.com/<br/>o/oauth2/auth?..."}
    UI->>U: Redirect browser to Google

    U->>TP: Google's login + consent screen<br/>"Allow AMP Platform to<br/>read your calendar?"
    Note over U,TP: This is GOOGLE's consent screen.<br/>Tool authorization — the tool itself<br/>requires user consent.
    U->>TP: Click [Allow]

    TP-->>AM: Redirect to callback<br/>amp.example.com/oauth/callback<br/>?code=AUTH_CODE&state=...

    AM->>AM: Decrypt state → validate nonce
    AM->>TP: POST oauth2.googleapis.com/token<br/>{grant_type: authorization_code,<br/>code: AUTH_CODE,<br/>client_id, client_secret,<br/>code_verifier: PKCE verifier}
    TP-->>AM: {access_token, refresh_token,<br/>expires_in, scope}

    AM->>SS: Store Google's refresh_token<br/>key: (user-123, google-calendar)<br/>value: encrypted(refresh_token)
    SS-->>AM: stored ✓

    AM-->>UI: {status: "connected"}
    UI-->>U: "Google Calendar connected ✓"

    Note over U,A: ═══ PHASE 3: CHAT (OBO Runtime) ═══

    U->>IG: "What's on my calendar today?"<br/>(with session JWT)
    IG->>IG: Validate user JWT ✓
    IG->>A: Forward + x-jwt-assertion header

    Note over A: LLM reasons → call Google Calendar

    A->>TH: RFC 8693 token exchange<br/>subject_token: user_assertion (JWT)<br/>actor_token: agent_token<br/>scope: "tools:google-calendar"
    TH->>TH: Validate user JWT (signature ✓)<br/>Validate agent has scope ✓<br/>User has entitlement ✓<br/>scope = intersection
    TH-->>A: OBO token<br/>{sub: "user-123",<br/>act: {sub: "calendar-agent"},<br/>scope: "tools:google-calendar"}

    A->>TG: GET /tools/google-calendar/v1/events<br/>Authorization: Bearer <OBO_token>

    TG->>TG: Validate OBO locally (cached JWKS)<br/>✓ Signature, expiry, audience<br/>✓ scope "tools:google-calendar"<br/>Extract user_id + agent_id

    TG->>SS: GET stored credential<br/>key: (user-123, google-calendar)
    SS-->>TG: {refresh_token: "goog_rt_xxx"}

    TG->>TP: POST oauth2.googleapis.com/token<br/>(refresh grant)
    TP-->>TG: {access_token: "goog_at_fresh"}

    TG->>T: GET googleapis.com/calendar/v3/<br/>calendars/primary/events<br/>Authorization: Bearer goog_at_fresh

    T-->>TG: calendar events
    TG-->>A: response
    A-->>IG: response
    IG-->>U: "Today you have:<br/>• 9am Team standup<br/>• 2pm Design review"

    Note over U: ═══ USER LOGOUT ═══

Key points:

Phase 2 is tool authorization — Google requires it. Without the OAuth dance, you cannot access the user's calendar.
User's session JWT (from login) becomes the subject_token in OBO exchange — full chain of trust
At runtime, gateway retrieves stored Google refresh_token, refreshes, and injects Google access_token
If tool provider has its own API gateway (Google does), that gateway validates the Google access_token independently — dual credential validation
Failure mode: If Google revokes the refresh_token, gateway gets invalid_grant → returns 401 → degrades to Case 8 (inline consent)
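The PKCE and state handling in Phase 2 could look roughly like this. The S256 transform follows RFC 7636. One deliberate swap: where the diagram encrypts (user_id, agent_id, tool, nonce) into state, this sketch uses an opaque random state and keeps the context server-side in a dict, because that needs no crypto library. Function names and the pending dict are hypothetical.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)), without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def begin_connection(authorize_endpoint: str, client_id: str, redirect_uri: str,
                     scopes: list, context: dict, pending: dict) -> str:
    """Build the authorize URL and remember verifier + context under a random state."""
    verifier = secrets.token_urlsafe(64)   # 86 URL-safe chars, within the 43-128 limit
    state = secrets.token_urlsafe(32)
    pending[state] = {"code_verifier": verifier, **context}
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
    })
    return f"{authorize_endpoint}?{query}"


def complete_connection(state: str, pending: dict) -> dict:
    """Look up the callback's state once; unknown or replayed state raises KeyError."""
    return pending.pop(state)
```

The code_verifier returned by complete_connection is what Agent Manager would send with the authorization code when exchanging it for tokens.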

Case 7: OBO + Platform Consent — Pre-auth (M2M Consent)

Complete user session. The tool does NOT require per-user OAuth — it works fine with M2M credentials. But the platform policy requires user consent before the agent can act on their behalf. User grants consent in our UI (no external OAuth dance), then chats with OBO-authenticated tool calls.

sequenceDiagram
    participant U as End User<br/>(Browser)
    participant UI as Agent App UI
    participant AM as Agent Manager
    participant IG as Ingress Gateway
    participant A as Agent App<br/>(LLM)
    participant TH as Thunder (IDP)
    participant TG as Tool Gateway
    participant SS as Secret Store
    participant T as Tool API<br/>(e.g., Internal<br/>HR System)

    Note over U,UI: ═══ PHASE 1: USER LOGIN ═══

    U->>UI: Open agent app in browser
    UI->>TH: Redirect to Thunder login
    TH-->>U: Login page
    U->>TH: Authenticate
    TH-->>UI: Authorization code → exchange → User JWT
    Note over U,UI: User is now logged in.

    Note over U,UI: ═══ PHASE 2: PLATFORM CONSENT ═══<br/>═══ (Developer/admin policy requires it) ═══

    Note over U,UI: Agent app shows consent prompt.<br/>Tool supports M2M access — no per-user<br/>OAuth needed. But platform policy<br/>requires user approval.

    U->>UI: Click [Authorize Agent]<br/>for HR System
    UI->>AM: POST /connections/consent<br/>{user_id: "user-123",<br/>agent_id: "hr-agent",<br/>tool: "hr-system",<br/>consent_type: "m2m_delegation",<br/>scopes: ["employee:read"]}

    AM->>AM: Validate:<br/>✓ Agent has tools:hr-system in Thunder<br/>✓ User has hr-system entitlement<br/>✓ Requested scopes within allowed set

    AM->>AM: Record consent grant:<br/>(user-123, hr-agent, hr-system)<br/>consent_type: m2m_delegation<br/>scopes: [employee:read]<br/>granted_at: now<br/>expires_at: 90 days (policy)

    AM-->>UI: {status: "authorized",<br/>consent_type: "m2m_delegation"}
    UI-->>U: "HR System authorized ✓<br/>Agent will use platform<br/>credentials on your behalf"

    Note over U,UI: No redirect. No OAuth dance with<br/>tool provider. No tokens stored.<br/>Just a consent record.

    Note over U,A: ═══ PHASE 3: CHAT (OBO Runtime) ═══

    U->>IG: "What's my PTO balance?"<br/>(with session JWT)
    IG->>IG: Validate user JWT ✓
    IG->>A: Forward + x-jwt-assertion

    Note over A: LLM reasons → call HR system

    A->>TH: RFC 8693 token exchange<br/>subject_token: user_assertion (JWT)<br/>actor_token: agent_token<br/>scope: "tools:hr-system"
    TH-->>A: OBO token<br/>{sub: "user-123",<br/>act: {sub: "hr-agent"},<br/>scope: "tools:hr-system"}

    A->>TG: GET /tools/hr-system/v1/pto?user=me<br/>Authorization: Bearer <OBO_token>

    TG->>TG: Validate OBO locally ✓<br/>scope "tools:hr-system" ✓<br/>Extract user_id + agent_id

    TG->>AM: Check consent:<br/>(user-123, hr-agent, hr-system)?
    AM-->>TG: ✓ Consent valid<br/>type=m2m_delegation<br/>scopes=[employee:read]

    Note over TG: M2M consent path:<br/>Use agent's own M2M credential.<br/>Pass user_id for data filtering.

    TG->>SS: GET M2M credential<br/>for (hr-agent, hr-system)
    SS-->>TG: {client_id: "platform_hr_client",<br/>client_secret: "xxx"}

    TG->>TG: Get M2M access token<br/>(client_credentials with<br/>platform_hr_client)

    TG->>T: GET hr-api.internal/v1/pto<br/>Authorization: Bearer <M2M_token><br/>X-On-Behalf-Of: user-123

    T-->>TG: PTO balance data
    TG-->>A: response
    A-->>IG: response
    IG-->>U: "You have 12 PTO days remaining"

    Note over U: ═══ USER LOGOUT ═══

Key differences from Case 6 (tool authorization):

Aspect	Case 6 (Tool authorization)	Case 7 (Platform consent)
Why consent?	Tool requires it (Google won't give data without OAuth)	Platform policy requires it (tool works with M2M creds)
What happens?	OAuth dance at tool provider's consent screen	Simple consent recorded in Agent Manager
What's stored?	User's refresh_token in secret store	Consent grant record in Agent Manager
Runtime credential	User's OAuth token (refreshed from stored refresh_token)	Agent's M2M credential + user_id for filtering
External redirect?	Yes — browser goes to tool provider	No — stays in our UI
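The consent record that Case 7 stores in place of tokens might be modeled as follows. The field names mirror the diagram (scopes, granted_at, a 90-day expiry); the class and method names are hypothetical, and treating the expiry as an exclusive bound is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class ConsentGrant:
    user_id: str
    agent_id: str
    tool: str
    scopes: frozenset
    granted_at: datetime
    ttl: timedelta = timedelta(days=90)  # policy value from the diagram

    def allows(self, user_id: str, agent_id: str, tool: str,
               scope: str, now: datetime) -> bool:
        """True only for the same (user, agent, tool), a granted scope, and before expiry."""
        same_party = (self.user_id, self.agent_id, self.tool) == (user_id, agent_id, tool)
        return same_party and scope in self.scopes and now < self.granted_at + self.ttl


# Example: the grant recorded in Phase 2 of the diagram.
grant = ConsentGrant("user-123", "hr-agent", "hr-system",
                     frozenset({"employee:read"}),
                     datetime(2026, 3, 26, tzinfo=timezone.utc))
```

The gateway's "Check consent" call in Phase 3 then reduces to a single allows() lookup per request.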

Case 8: OBO + Inline 401 → Tool Authorization

User has NOT pre-authorized the tool. During chat, the agent attempts to call it, gets a 401, and presents an auth link. The credential flow happens entirely in the browser, bypassing the Agent/LLM. The LLM never sees tokens or secrets — only the auth_url metadata.

This can be triggered for either reason — tool authorization (Google requires OAuth) or platform consent (policy requires approval). The diagram shows tool authorization (OAuth dance).

sequenceDiagram
    participant U as End User<br/>(Browser)
    participant IG as Ingress Gateway
    participant A as Agent App<br/>(LLM)
    participant TH as Thunder (IDP)
    participant TG as Tool Gateway
    participant SS as Secret Store
    participant AM as Agent Manager
    participant TP as Tool Provider<br/>(e.g., Google OAuth)
    participant T as Google Calendar<br/>API

    Note over U,IG: ═══ PHASE 1: USER LOGIN ═══

    U->>IG: Open agent app
    Note over U,TH: User authenticates via Thunder<br/>→ Session JWT established

    Note over U,A: ═══ PHASE 2: CHAT ATTEMPT (fails) ═══

    U->>IG: "What's on my calendar today?"<br/>(with session JWT)
    IG->>A: Forward + x-jwt-assertion

    Note over A: LLM reasons → call Google Calendar

    A->>TH: RFC 8693 token exchange<br/>subject_token: user JWT<br/>actor_token: agent_token<br/>scope: "tools:google-calendar"
    TH-->>A: OBO token {sub: "user-123",<br/>act: {sub: "calendar-agent"},<br/>scope: "tools:google-calendar"}

    A->>TG: GET /tools/google-calendar/v1/events<br/>Authorization: Bearer <OBO_token>

    TG->>TG: Validate OBO ✓<br/>scope "tools:google-calendar" ✓

    TG->>SS: Lookup (user-123, google-calendar)
    SS-->>TG: NOT FOUND<br/>(no tool authorization)

    TG-->>A: HTTP 401<br/>{error: "auth_required",<br/>auth_url: "https://amp.example.com/<br/>connect/google-calendar<br/>?agent=calendar-agent<br/>&user=user-123&nonce=abc123",<br/>tool_name: "Google Calendar",<br/>required_scopes: ["calendar:read"]}

    Note over A: ╔═══════════════════════════════╗<br/>║   SECURITY BOUNDARY          ║<br/>║                               ║<br/>║ LLM sees ONLY:                ║<br/>║   • auth_url                  ║<br/>║   • tool_name                 ║<br/>║   • required_scopes           ║<br/>║   • error message             ║<br/>║                               ║<br/>║ LLM NEVER sees:               ║<br/>║   • tokens / secrets          ║<br/>║   • refresh_tokens            ║<br/>║   • client credentials        ║<br/>║   • auth codes                ║<br/>╚═══════════════════════════════╝

    A-->>IG: response
    IG-->>U: "I need access to your Google<br/>Calendar. Please connect:<br/>[Connect Google Calendar]"

    Note over U,TP: ═══ PHASE 3: CREDENTIAL FLOW ═══<br/>═══ (BYPASSES LLM ENTIRELY) ═══

    rect rgb(230, 245, 230)
        U->>AM: Click link → new browser tab<br/>https://amp.example.com/<br/>connect/google-calendar<br/>?nonce=abc123
        AM->>AM: Validate nonce ✓<br/>Build OAuth URL for Google's<br/>authorization endpoint
        AM-->>U: Redirect to Google
        U->>TP: Google's consent screen<br/>"Allow AMP to read your calendar?"
        U->>TP: Click [Allow]
        TP-->>AM: Callback with auth_code
        AM->>TP: Exchange code → tokens
        TP-->>AM: {access_token, refresh_token}
        AM->>SS: Store refresh_token<br/>key: (user-123, google-calendar)
        SS-->>AM: stored ✓
        AM-->>U: "Google Calendar connected! ✓<br/>You can close this tab."
    end

    Note over U,TP: Tokens flowed through:<br/>Browser → Agent Manager → Google<br/>→ Secret Store. NEVER through Agent/LLM.

    Note over U,A: ═══ PHASE 4: CHAT RETRY (succeeds) ═══

    U->>IG: "OK, I connected it. Try again?"
    IG->>A: Forward + x-jwt-assertion

    A->>TG: GET /tools/google-calendar/v1/events<br/>Authorization: Bearer <OBO_token><br/>(reuse cached OBO, still valid)

    TG->>TG: Validate OBO ✓
    TG->>SS: Lookup (user-123, google-calendar)
    SS-->>TG: {refresh_token: "goog_rt_xxx"}<br/>✓ Now exists!

    TG->>TP: Refresh → fresh access_token
    TP-->>TG: {access_token: "goog_at_fresh"}

    TG->>T: GET googleapis.com/calendar/v3/<br/>calendars/primary/events<br/>Auth: Bearer goog_at_fresh

    T-->>TG: calendar events
    TG-->>A: response
    A-->>IG: response
    IG-->>U: "Today you have:<br/>• 9am Team standup<br/>• 2pm Design review"

Critical security property: The rect block (green-highlighted) shows the credential flow that completely bypasses the Agent/LLM. Auth codes, tokens, and refresh tokens flow through Browser → Agent Manager → Tool Provider → Secret Store. The LLM only ever sees the auth_url string and the eventual 200 success response.

Inline platform consent variant: If the 401 is due to missing platform consent (not tool authorization), Phase 3 would show our consent UI instead of the OAuth dance — same 401 trigger, but user approves in our UI and a consent record is stored instead of tokens.
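The 401 body and the security boundary from the diagram can be sketched as two small functions. The field names and URL shape are taken from the diagram; the function names and the allow-list approach to redaction are assumptions for illustration.

```python
from urllib.parse import urlencode

# The only fields the LLM is allowed to see, per the security boundary note.
LLM_VISIBLE_FIELDS = ("error", "auth_url", "tool_name", "required_scopes")


def auth_required(tool: str, tool_name: str, agent_id: str, user_id: str,
                  nonce: str, required_scopes: list,
                  base_url: str = "https://amp.example.com"):
    """Build the gateway's 401 response when no stored credential exists."""
    query = urlencode({"agent": agent_id, "user": user_id, "nonce": nonce})
    body = {
        "error": "auth_required",
        "auth_url": f"{base_url}/connect/{tool}?{query}",
        "tool_name": tool_name,
        "required_scopes": list(required_scopes),
    }
    return 401, body


def redact_for_llm(body: dict) -> dict:
    """Allow-list filter: anything not explicitly visible is dropped."""
    return {k: body[k] for k in LLM_VISIBLE_FIELDS if k in body}
```

An allow-list means a field added to the response later (for example a token by mistake) stays hidden from the LLM unless someone deliberately exposes it.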

Future Cases to Consider

Case	Description
CIBA Step-Up	Push notification approval for high-risk actions (e.g., payment > $1000). Cross-cutting modifier to Cases 4–8. Already described in the CIBA section below.
Token Refresh Mid-Session	OBO token expires (SDK re-exchanges), stored refresh token revoked by external provider (degrades to Case 8 inline consent), agent credentials expire (SDK re-authenticates).
Revocation / Suspension	Admin suspends agent → Thunder revokes tokens, gateway deny-lists. User revokes consent → stored credential deleted, next call gets 401.
MCP Transport	Same OBO token over MCP Streamable HTTP transport. Gateway filters `tools/list` by scope claims and validates `tools/call` against scope. Same auth model, different transport framing.
Agent-to-Agent + Delegated Credential	Agent chain where downstream agent needs user's delegated credential (e.g., agent-A delegates to agent-B, which calls Google Calendar). Requires passing delegation chain through secret store lookup. Edge case — deferred.

User Token Acquisition — OAuth Intermediary

When a tool requires user-delegated access (e.g., user's Google Calendar), the user must first connect their account. The platform acts as an OAuth intermediary, the same pattern used by Auth0 Token Vault, Composio, and Nango.

Pre-authorization flow (primary, best UX):

User connects their tool accounts through the agent's own UI before using the agent. This is the dominant industry pattern [4][5].

┌─────────────────────────────────────────────────────────────────┐
│  Agent UI — Connected Accounts                                   │
│                                                                 │
│  "Travel Assistant" needs access to these services:             │
│                                                                 │
│  ┌──────────────────────────────────────────────────────────┐   │
│  │  Service            Status           Action              │   │
│  │  ─────────────────────────────────────────────────────── │   │
│  │  Twilio SMS         ● Connected       [Disconnect]       │   │
│  │  Google Calendar    ○ Not connected   [Connect]          │   │
│  │  Stripe Payments    ○ Not connected   [Connect]          │   │
│  └──────────────────────────────────────────────────────────┘   │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘

How user tokens get into the secret store: See Approach Diagrams, Case 6 (tool authorization pre-auth) and Case 8 (inline 401 → tool authorization). Case 7 (platform consent pre-auth) stores a consent record rather than a token.

Key details:

Aspect	How it works
Who owns the OAuth client with Google?	Agent Manager registers the OAuth client (client_id/secret) with each tool provider.
Where does the callback go?	To Agent Manager's callback endpoint (`/oauth/callback`). Agent Manager is the OAuth intermediary.
What gets stored?	`refresh_token` in secret store, keyed by `(user_id, tool_provider)`. Access tokens are short-lived and regenerated at runtime.
Who refreshes at runtime?	The Tool Gateway retrieves the `refresh_token`, exchanges it for a fresh `access_token`, and injects it into the tool request.
Per-agent or per-user?	Per user. Tokens are stored per `(user_id, tool_provider)`, so if a user connects Google Calendar, any agent with the `tools:gcal` scope can use it.
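
The runtime refresh step in the table above can be sketched roughly as follows. This is a minimal illustration, not the Tool Gateway's actual code: `ProviderConfig`, `fresh_access_token`, the in-memory dict standing in for the secret store, and the injected `post_form` callable are all hypothetical names. The form fields follow the standard OAuth 2.0 refresh grant (RFC 6749, section 6).

```python
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Hypothetical types for illustration; none of these names come from the platform.
SecretStore = Dict[Tuple[str, str], str]           # (user_id, tool_provider) -> refresh_token
PostForm = Callable[[str, Dict[str, str]], dict]   # (url, form fields) -> parsed JSON body


@dataclass(frozen=True)
class ProviderConfig:
    """OAuth client that Agent Manager registered with one tool provider."""
    token_url: str
    client_id: str
    client_secret: str


def fresh_access_token(store: SecretStore, provider: ProviderConfig, post_form: PostForm,
                       user_id: str, tool_provider: str) -> str:
    """Exchange the stored refresh_token for a short-lived access_token."""
    key = (user_id, tool_provider)
    if key not in store:
        # Not connected yet: the caller would fall back to a consent flow.
        raise LookupError(f"{user_id} has not connected {tool_provider}")
    body = post_form(provider.token_url, {
        "grant_type": "refresh_token",
        "refresh_token": store[key],
        "client_id": provider.client_id,
        "client_secret": provider.client_secret,
    })
    # Some providers rotate refresh tokens; keep the newest one if returned.
    if "refresh_token" in body:
        store[key] = body["refresh_token"]
    return body["access_token"]
```

In a real gateway `post_form` would wrap an HTTP client call; it is injected here only so the sketch can be exercised without a network.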

Consent Handling

LLM-Inline Fallback (for tools not pre-authorized)

If a tool wasn't pre-authorized and the agent tries to use it, the gateway returns a 401 with an `auth_url`, which the LLM presents to the user in chat [8][9]. The credential exchange (OAuth dance) happens entirely in the browser, bypassing the agent and the LLM: the LLM only ever sees the `auth_url` metadata, never tokens or secrets. See Approach Diagrams, Case 8 (inline 401 → tool authorization), for the detailed flow.
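
On the agent side, the fallback could be handled along these lines. This is a sketch under assumptions: the proposal does not specify the 401 body, so the `{"auth_url": ...}` shape, the function name `tool_result_for_llm`, and the returned dictionary layout are all hypothetical.

```python
from typing import Any, Dict


def tool_result_for_llm(status_code: int, body: Dict[str, Any], tool_name: str) -> Dict[str, Any]:
    """Turn a gateway response into the tool result handed back to the LLM.

    Assumed 401 body shape: {"auth_url": "https://..."}.
    Only the URL is passed on; no tokens or secrets reach the model.
    """
    if status_code == 401 and "auth_url" in body:
        return {
            "status": "authorization_required",
            "tool": tool_name,
            "auth_url": body["auth_url"],
            "message": f"Please connect {tool_name} to continue: {body['auth_url']}",
        }
    if 200 <= status_code < 300:
        return {"status": "ok", "tool": tool_name, "data": body}
    # Anything else is reported as an error without leaking response details.
    return {"status": "error", "tool": tool_name, "http_status": status_code}
```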

CIBA Step-Up (for high-risk actions)

Even with pre-authorization, some actions need explicit approval (e.g., payments, deleting data). The gateway evaluates the consent policy, returns HTTP 202, and triggers CIBA via Agent Manager → Thunder → push notification to the user's device. The user approves or denies, and the agent retries after approval. This gives per-action consent via CIBA [12][13].
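
The agent's retry behaviour might look like the following sketch. It assumes that a 202 from the gateway means "approval still pending" and that any other status is final (for example a 200 after approval, or an error status if the user denies); the proposal does not fix these details, and `call_with_step_up` is a hypothetical helper.

```python
import time
from typing import Callable, Tuple

# A tool call returns (HTTP status, parsed body). Injected so the sketch runs offline.
ToolCall = Callable[[], Tuple[int, dict]]


def call_with_step_up(call: ToolCall, max_attempts: int = 10,
                      wait_seconds: float = 3.0,
                      sleep: Callable[[float], None] = time.sleep) -> Tuple[int, dict]:
    """Retry a tool call while the gateway reports that approval is pending.

    Assumption: 202 means "CIBA approval pending"; any other status is final.
    """
    status, body = call()
    attempts = 1
    while status == 202 and attempts < max_attempts:
        sleep(wait_seconds)          # give the user time to respond on their device
        status, body = call()
        attempts += 1
    if status == 202:
        raise TimeoutError("user did not respond to the approval request in time")
    return status, body
```

Bounding the number of attempts keeps an unanswered push notification from stalling the agent indefinitely.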

MCP Support

For MCP-native agents, the same gateway can expose an MCP server interface. The MCP spec (2025-03-26) bases its authorization on OAuth 2.1 and, for HTTP transports that use it, requires an `Authorization: Bearer` token on every HTTP request [42]. This maps directly to our OBO token model:

MCP client sends OBO token (agent + user) on every request
Gateway validates OBO token on every tools/call request
The same authorization logic, credential translation, and audit apply

Our approach: We follow the shared server + user token pattern. Our gateway is a shared MCP server that validates the OBO token on every request, extracts both agent and user identity from claims (act + sub), and resolves credentials accordingly.
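
As a rough sketch of the claim handling described above: the function below takes claims whose signature has already been verified (JWKS verification is assumed to happen earlier and is not shown) and returns the user and agent identities. `Caller` and `caller_from_claims` are hypothetical names, and the specific checks are illustrative rather than the gateway's definitive rule set.

```python
import time
from typing import Any, Dict, NamedTuple, Optional


class Caller(NamedTuple):
    user_id: str     # from "sub": the user the agent acts for
    agent_id: str    # from "act.sub": the agent doing the acting


def caller_from_claims(claims: Dict[str, Any], expected_audience: str,
                       now: Optional[float] = None) -> Caller:
    """Extract user and agent identity from already signature-verified OBO claims."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        raise PermissionError("token was not issued for this gateway")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token has expired")
    user_id = claims.get("sub")
    agent_id = (claims.get("act") or {}).get("sub")
    if not user_id or not agent_id:
        # A token without act.sub is a plain user or agent token, not OBO.
        raise PermissionError("not an OBO token: both sub and act.sub are required")
    return Caller(user_id=user_id, agent_id=agent_id)
```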

Tool-level authorization at gateway:

Level	What it controls	How
Tool filtering	Which tools appear in `tools/list`	Gateway rewrites response, removes unauthorized tools
Tool call validation	Which tools can be called via `tools/call`	Gateway checks `scope` claim against `params.name`
Parameter constraints	What values can be passed	Gateway validates `params.arguments` against claims (Phase 4)
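
The first two levels in the table could be sketched as below. The `TOOL_SCOPES` mapping from MCP tool name to scope is a hypothetical stand-in for the tool registry, and the function names are illustrative; the `tools` array in a `tools/list` result and `params.name` in `tools/call` follow the MCP message shapes.

```python
from typing import Any, Dict, Set

# Hypothetical mapping from MCP tool name to the scope that grants it.
TOOL_SCOPES: Dict[str, str] = {
    "send_sms": "tools:twilio",
    "check_calendar": "tools:gcal",
}


def granted_scopes(claims: Dict[str, Any]) -> Set[str]:
    """The OAuth `scope` claim is a space-delimited string."""
    return set(claims.get("scope", "").split())


def filter_tools_list(result: Dict[str, Any], claims: Dict[str, Any]) -> Dict[str, Any]:
    """Rewrite a tools/list result so only authorized tools remain."""
    allowed = granted_scopes(claims)
    tools = [t for t in result.get("tools", [])
             if TOOL_SCOPES.get(t["name"]) in allowed]   # unknown tools are dropped
    return {**result, "tools": tools}


def authorize_tools_call(params: Dict[str, Any], claims: Dict[str, Any]) -> None:
    """Reject a tools/call request whose params.name is not covered by the scope claim."""
    required = TOOL_SCOPES.get(params.get("name"))
    if required is None or required not in granted_scopes(claims):
        raise PermissionError(f"tool {params.get('name')!r} is not permitted for this token")
```

Both functions deny by default: a tool that is missing from the registry is hidden from the listing and cannot be called.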

MCP gateway is additive: same backend, different transport.

Developer Experience

Agent Developer Code

import os
import time
from functools import wraps

import requests
from flask import Flask, jsonify, request

app = Flask(__name__)

# --- Auto-injected by platform at deploy time ---
AGENT_CLIENT_ID = os.environ["AGENT_CLIENT_ID"]
AGENT_CLIENT_SECRET = os.environ["AGENT_CLIENT_SECRET"]
THUNDER_TOKEN_URL = os.environ["THUNDER_TOKEN_URL"]
TOOL_GATEWAY_URL = os.environ["TOOL_GATEWAY_URL"]

# --- Get agent token (client_credentials) ---
def get_agent_token():
    resp = requests.post(THUNDER_TOKEN_URL, data={
        "grant_type": "client_credentials",
        "client_id": AGENT_CLIENT_ID,
        "client_secret": AGENT_CLIENT_SECRET,
    }, timeout=10)
    resp.raise_for_status()                # surface auth failures instead of a KeyError below
    return resp.json()["access_token"]

# --- Per-tool OBO token (lazy, cached per user+tool until shortly before expiry) ---
_obo_cache = {}                            # (user_assertion, tool_scope) -> (token, expires_at)

def get_obo_token(user_assertion: str, tool_scope: str):
    """Return a JWT with sub=user, act={sub: agent}, scope=tool_scope (e.g. "tools:twilio")."""
    cache_key = (user_assertion, tool_scope)
    cached = _obo_cache.get(cache_key)
    if cached and cached[1] > time.time():
        return cached[0]                   # reuse unexpired token for this (user, tool)

    agent_token = get_agent_token()
    resp = requests.post(THUNDER_TOKEN_URL, data={
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "subject_token": user_assertion,
        "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
        "actor_token": agent_token,
        "actor_token_type": "urn:ietf:params:oauth:token-type:jwt",
        "scope": tool_scope,               # only the scope for THIS tool
        "client_id": AGENT_CLIENT_ID,
        "client_secret": AGENT_CLIENT_SECRET,
    }, timeout=10)
    resp.raise_for_status()
    payload = resp.json()
    token = payload["access_token"]
    # expires_in is optional in the token response; the 300 s fallback is an assumption.
    expires_at = time.time() + payload.get("expires_in", 300) - 30
    _obo_cache[cache_key] = (token, expires_at)
    return token

# --- SDK tool wrapper: handles OBO exchange per tool ---
def tool_call(tool_scope: str):
    """Decorator that lazily fetches a per-tool OBO token before calling the tool."""
    def decorator(fn):
        @wraps(fn)                         # keep the tool function's name and docstring
        def wrapper(user_assertion, *args, **kwargs):
            obo_token = get_obo_token(user_assertion, tool_scope)
            return fn(*args, obo_token=obo_token, **kwargs)
        return wrapper
    return decorator

# --- Tool functions: each gets its own narrow-scope OBO token ---
@tool_call(tool_scope="tools:twilio")
def send_sms(to: str, body: str, *, obo_token: str):
    return requests.post(
        f"{TOOL_GATEWAY_URL}/tools/twilio/v1/messages",
        json={"to": to, "body": body},
        headers={"Authorization": f"Bearer {obo_token}"},
        timeout=10,
    )

@tool_call(tool_scope="tools:gcal")
def check_calendar(date: str, *, obo_token: str):
    return requests.get(
        f"{TOOL_GATEWAY_URL}/tools/gcal/v1/events",
        params={"date": date},
        headers={"Authorization": f"Bearer {obo_token}"},
        timeout=10,
    )

# --- Request handler ---
@app.route("/chat", methods=["POST"])
def chat():
    user_assertion = request.headers.get("x-jwt-assertion")
    if not user_assertion:
        return jsonify({"error": "missing x-jwt-assertion header"}), 401

    # LLM reasons and decides which tool to call...
    # Each tool wrapper handles its own OBO exchange:
    result = send_sms(user_assertion, "+1234567890", "Your booking is confirmed")
    # ^ fetches OBO(scope="tools:twilio"), cached until shortly before expiry
    # Assumes the gateway responds with a JSON body.
    return jsonify(result.json()), result.status_code

What each per-tool OBO token contains:

{
  "sub": "user-123",
  "act": { "sub": "travel-assistant" },
  "iss": "https://thunder.example.com",
  "aud": "tool-gateway",
  "scope": "tools:twilio",
  "exp": 1711382400
}

Comparison to industry:

What we require	What Composio requires	What AWS AgentCore requires	What Entra requires
`@tool_call(tool_scope="tools:twilio")` decorator	API key in env (auto)	`@requires_access_token(provider, scopes)` decorator	Sidecar container
Decorator fetches per-tool OBO lazily, caches	`user_id=` on every SDK call	Decorator fetches per-provider token lazily, caches	Forward `Authorization` header to sidecar
Gateway validates + translates to tool credential	Composio server does lookup	Gateway resolves to tool credential	Sidecar does OBO + calls downstream

Our pattern directly matches AWS AgentCore and Auth0: per-tool decorator handles token exchange lazily, one narrow-scope OBO per tool per session.

Console Wireframes

Create Agent:

┌─────────────────────────────────────────────────────────────────┐
│  AMP Console                                    [user@org] ▾    │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│  ◄ Agents / Create New Agent                                    │
│                                                                 │
│  ┌─────────────────────────────────────────────────────────┐    │
│  │  Agent Name *        [ travel-assistant            ]    │    │
│  │  Display Name        [ Travel Assistant            ]    │    │
│  │  Description         [ Manages calendar and sends  ]    │    │
│  │                      [ SMS notifications for users ]    │    │
│  │  Project *           [ acme-travel         ▾ ]          │    │
│  │  Environment *       [ production          ▾ ]          │    │
│  └─────────────────────────────────────────────────────────┘    │
│                                                                 │
│  Identity (auto-provisioned)                                    │
│  ┌─────────────────────────────────────────────────────────┐    │
│  │  A non-human identity (NHI) will be created in Thunder  │    │
│  │  with user nature (directory entry, attributes, roles)  │    │
│  │  and app nature (OAuth2 client, client_credentials).    │    │
│  │                                                         │    │
│  │  Agent ID:    (generated on create)                     │    │
│  │  NHI:         (auto-provisioned in Thunder)             │    │
│  └─────────────────────────────────────────────────────────┘    │
│                                                                 │
│                                    [ Cancel ]  [ Create Agent ]  │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘

Register Tools (Agent Detail → Tools Tab):

┌─────────────────────────────────────────────────────────────────┐
│  AMP Console                                    [user@org] ▾    │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│  ◄ Agents / travel-assistant                                    │
│                                                                 │
│  [ Overview ] [ Tools ] [ Permissions ] [ Credentials ] [ Logs ]│
│  ──────────── ========                                          │
│                                                                 │
│  Registered Tools                              [ + Add Tool ]   │
│  ┌──────────────────────────────────────────────────────────┐   │
│  │  Tool Name        Endpoint Pattern         Auth Type     │   │
│  │  ─────────────────────────────────────────────────────── │   │
│  │  Twilio SMS       api.twilio.com/v1/*      API Key       │   │
│  │  Google Maps      maps.googleapis.com/v1/* API Key       │   │
│  │  Stripe Payments  api.stripe.com/v1/*      API Key       │   │
│  │  User Calendar    graph.microsoft.com/v1/* OAuth2 (OBO)  │   │
│  └──────────────────────────────────────────────────────────┘   │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘

Deploy Flow

sequenceDiagram
    participant D as Developer
    participant C as AMP Console
    participant AM as Agent Manager
    participant TH as Thunder
    participant GW as API Gateway
    participant K as K8s

    D->>C: deploy agent
    C->>AM: POST /agents
    AM->>TH: create NHI "travel-assistant-prod"<br/>user nature + app nature (client_credentials)<br/>scopes: tools:twilio, tools:gcal
    TH-->>AM: agent_id + client_id + secret
    AM->>GW: store tool credentials (API keys, OAuth secrets)
    AM->>GW: register tool proxy routes<br/>/tools/twilio/*, /tools/gcal/*
    GW-->>AM: routes registered
    AM->>K: create deployment with env vars:<br/>AGENT_CLIENT_ID, AGENT_CLIENT_SECRET,<br/>TOOL_GATEWAY_URL, THUNDER_TOKEN_URL
    K-->>AM: deployment ready
    AM-->>C: agent deployed
    C-->>D: "Deployed"
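
Two pieces of the flow above lend themselves to a small sketch: deriving the gateway's proxy routes from an agent's tool scopes, and assembling the environment variables for the deployment. The scope-to-route mapping (`tools:twilio` to `/tools/twilio/*`) is inferred from the diagram rather than stated as a rule, and `proxy_routes` and `deployment_env` are hypothetical helpers, not Agent Manager APIs.

```python
from typing import Dict, List


def proxy_routes(scopes: List[str]) -> List[str]:
    """Map tool scopes to gateway routes, e.g. "tools:twilio" -> "/tools/twilio/*"."""
    routes = []
    for scope in scopes:
        prefix, _, tool = scope.partition(":")
        if prefix != "tools" or not tool:
            raise ValueError(f"not a tool scope: {scope!r}")
        routes.append(f"/tools/{tool}/*")
    return routes


def deployment_env(client_id: str, client_secret: str,
                   gateway_url: str, token_url: str) -> Dict[str, str]:
    """Environment variables injected into the agent's deployment."""
    return {
        "AGENT_CLIENT_ID": client_id,
        "AGENT_CLIENT_SECRET": client_secret,
        "TOOL_GATEWAY_URL": gateway_url,
        "THUNDER_TOKEN_URL": token_url,
    }
```

In a Kubernetes deployment the client secret would more plausibly be referenced from a Secret object than passed as a literal value; the dictionary here only shows which variables the agent code expects.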

Out of Scope

Multi-agent delegation chains — If Agent A calls Agent B on behalf of a user, maintaining the delegation chain (e.g., via nested act claims or Okta ID-JAG). Deferred to Phase 4+.
Fine-grained policy engine (OPA/Cedar) — Per-parameter constraints beyond scope checks. Deferred to Phase 4.
Runtime credential rotation — Automatic propagation of rotated credentials to running agents without restart. Deferred to Phase 4.
Agent suspension enforcement details — Immediate revocation across all gateways. Deferred to Phase 4.
Usage analytics and authorization drift detection — Deferred to Phase 4.

Alternatives Considered

Approach	Trade-offs	Why not
Pattern 1: Platform Proxy + user_id string (Composio, Nango, Arcade)	Simple developer experience — just pass a `user_id`. No OAuth logic in agent code.	No real agent identity. Downstream API can't enforce agent-level policies. We need agent identity for governance.
Pattern 3: Sidecar (Microsoft Entra AgentID SDK, Aembit)	Agent developer writes minimal code. Sidecar handles all token exchange.	We already have an API Gateway. Sidecar adds deployment complexity with no benefit over gateway.
Two separate headers (agent_token + X-User-Assertion)	Simpler token issuance — no token exchange step.	No cryptographic binding between agent and user. Gateway must validate two tokens. No industry platform uses this pattern.
Plain OAuth2 client (no NHI)	Simpler — just create an OAuth2 client for each agent.	No directory presence, no attributes, no group membership, no lifecycle management. Can't search for agents, can't assign roles, can't enforce policies via directory. NHI gives us both auth + governance. Matches industry: Okta NHI [25], Entra Blueprint [6], AWS Workload Identity [34].

Open Questions

Milestones

Phase	Scope	Target
1	Agent IAM Identity + Tool Registry — Provision NHI in Thunder on agent creation (user + app nature, with tool scopes). Tool entity + CRUD APIs. Agent→tool permission bindings stored as scopes in Thunder. Credential storage in secret store. Deploy-time env var injection.	TBD
2	Gateway Tool Proxy — Extend existing API Gateway with tool proxy routes. Tool registry → gateway route registration. OBO token validation (single JWT with `sub` + `act` claims, validated via cached JWKS). Credential translation. Audit logging at gateway level.	TBD
3	OBO + Authorization — RFC 8693 token exchange at agent → Thunder. Pre-authorization flow (Connected Accounts via agent UI / platform APIs). Connection management APIs. LLM-inline fallback (401 + auth_url). CIBA step-up for high-risk actions.	TBD
4	Advanced Governance + MCP Gateway — Policy enforcement at gateway (rate limits, scopes, parameter constraints). Agent suspension. Usage analytics + drift detection. Runtime credential rotation. MCP server interface on gateway.	TBD

0xbrainkid · 2026-03-28T17:07:25Z

0xbrainkid
Mar 28, 2026

Thorough design proposal. WSO2's position in the identity stack makes this especially impactful — if agent-manager ships native agent IAM, it immediately reaches WSO2's existing enterprise footprint.

The gap analysis is spot-on: OAuth 2.0 treats agents as static clients, but agents are dynamic, autonomous, and cross-boundary. The delegation chain problem you describe (Agent A→B→C with attenuation) is being actively discussed in the MCP core repo as well.

Two observations from production:

1. Cross-org is the hard part. Everything in this proposal works well within WSO2's control plane. The challenge is: what happens when an agent on WSO2-managed infra calls a tool hosted by a different org using a different identity provider? No shared directory, no admin relationship. This is where self-sovereign agent identity (cryptographic, verifiable by any party independently) becomes necessary.

2. Trust ≠ Authentication. Even with perfect agent auth, the tool provider needs to answer "should I trust this agent?", not just "is this agent authenticated?" Trust requires history: what has this agent done before, and has it behaved reliably? Authentication is binary; trust is a spectrum.

We built SATP (Solana Agent Trust Protocol) to address both gaps:

On-chain Ed25519 identity that any party can verify without a shared IdP
Trust scores derived from verifiable on-chain actions (not self-asserted capability claims)
Composable with existing IAM — SATP identity can be an attribute in WSO2 agent tokens

Would WSO2 agent-manager consider supporting pluggable external trust providers? The architecture you describe could natively integrate external trust signals alongside internal policy evaluation.


nadheesh · 2026-04-09T05:46:38Z

nadheesh
Apr 9, 2026
Collaborator Author

Thanks for the thoughtful feedback, @0xbrainkid. Really appreciate you taking the time to engage deeply with the proposal and sharing your production experience.

You're raising two critical points, and I want to address both directly.

Cross-org is indeed the hard part.

You're absolutely right — everything within a single organization's control plane is the "easier" problem. The real challenge emerges when agents cross organizational boundaries with no shared directory or admin relationship. This is something we're actively thinking about. Our current approach is to solve this through trusted authorization servers and federated users, essentially allowing organizations to establish trust relationships where each org's authorization server can recognize and validate agent identities from the other. But I'll be honest: this is one of the hardest problems in the space, and we don't claim to have it fully figured out. Your point about cryptographic, self-sovereign agent identity that any party can verify independently is well taken — that's a compelling direction for the truly decentralized case.

Trust ≠ Authentication — agreed.

This is an important distinction. Authentication tells you who the agent is; trust tells you whether you should let it in. We see trust as a spectrum too, not a binary gate.

On SATP and pluggable trust providers:

Yes — modularity is a core design goal for us. We want agent-manager to support pluggable identity providers, gateways, and policy engines. The idea of pluggable external trust providers is very interesting. We'll take a closer look at SATP to understand how trust signals like on-chain verifiable history could integrate alongside our internal policy evaluation. Where exactly trust providers fit in the architecture is something we need to explore further, but it's clearly a relevant dimension — especially for cross-org scenarios where no single authority can vouch for an agent's behavior.

Thanks again for pointing us to SATP and the MCP discussion thread — we'll dig into both.


arian-gogani · 2026-04-12T17:50:41Z

arian-gogani
Apr 12, 2026

Identity and access control for agents is necessary but not sufficient. Access control answers "can this agent use this tool?" — but it doesn't answer "is this agent using this tool within acceptable parameters?"

An agent with permission to call a transfer API can still move $50K when it should be capped at $500. Access control permits the tool call; behavioral constraints govern how it's used.

I've been building this as a complementary layer: Nobulex. Agents declare behavioral rules (permit/forbid/require with conditions), and every action gets evaluated against those rules at runtime — before execution. Violations are blocked, not logged after the fact.

Every decision goes into a SHA-256 hash-chained log for independent verification.

The two layers compose:

Agent Manager handles who can access what (identity + access control)
Proof-of-behavior handles what they're allowed to do with that access (behavioral constraints + enforcement)

Playground: nobulex.com/playground
