Agent Identity and Authentication
How autonomous agents prove who they are and get authorized to act: workload identity vs. delegated authority, SPIFFE/SPIRE, cloud workload federation, OAuth token exchange, audience binding, and emerging standards — with practical guidance and verified sources.
An autonomous agent faces a credential problem that neither classic human login nor static service accounts solve cleanly. The agent must prove two distinct things: (1) what it is — its own workload identity — and (2) that it has permission to act on behalf of a human or organization. Conflating these two layers is the root cause of most agent auth mistakes.
The two-layer model
Layer 1 — Workload / agent identity (what the agent is) The agent itself needs a machine identity it can cryptographically prove. This is analogous to a TLS server certificate — but issued dynamically to a running workload rather than a static host. Long-lived API keys shared across agent instances are dangerous: they cannot be tied to a specific running process, they do not rotate automatically, and a leaked key grants permanent access.
Layer 2 — Delegated authority (permission to act on behalf of a user) When an agent takes actions in systems a human owns — reading email, calling an API with the user's permissions, submitting forms — it needs an authorization grant from that human. Holding the user's own credentials is the wrong pattern: it grants unlimited access with no scope boundary and no audit trail separating human actions from agent actions.
Workload identity: short-lived credentials and SPIFFE/SPIRE
The right approach for workload identity is cryptographically attested, short-lived credentials issued to a specific running workload — not a human typing a password or a static token in an environment variable.
SPIFFE/SPIRE (Secure Production Identity Framework for Everyone / SPIFFE Runtime Environment) is the most widely adopted open standard for workload identity. SPIFFE and SPIRE graduated from CNCF incubation in September 2022. The framework issues each workload a SPIFFE Verifiable Identity Document (SVID) in one of two forms:
- X.509-SVID — an X.509 certificate embedding the workload's SPIFFE ID in the Subject Alternative Name field as a URI (
spiffe://trust-domain/path). This certificate is used directly for mutual TLS (mTLS), enabling two workloads to authenticate each other cryptographically before any application data flows. - JWT-SVID — a signed JWT carrying the SPIFFE ID, suitable for HTTP/REST contexts where a bearer token in an Authorization header is needed.
SVIDs are short-lived and automatically rotated by the SPIRE agent — no human intervention needed. The SPIRE server attests the identity of a workload at launch time using platform-level evidence (Kubernetes service account token, AWS instance identity document, GCP metadata service token, etc.) and only then issues an SVID. This is the key distinction from a static API key: the credential is tied to a provably running workload, not to a secret that can be copied and reused.
See /resources/agentic-security-checklist (section 5 — secrets and credential management) for why long-lived shared API keys are dangerous for agents.
Cloud workload identity federation — all three major cloud providers support OIDC-based workload identity federation: a workload running on one platform (e.g. AWS EC2, a GitHub Actions runner, or a Kubernetes pod) exchanges its platform-issued OIDC token for short-lived credentials in a target cloud (e.g. GCP IAM, Azure Entra ID, AWS IAM). No static cross-cloud secret is required; the exchange is mediated by a Security Token Service. GCP's Workload Identity Federation, AWS IAM Roles Anywhere, and Azure Managed Identities are the canonical implementations. See the GCP documentation at cloud.google.com/iam/docs/workload-identity-federation.
Delegated authority: OAuth and token exchange
OAuth 2.0 authorization code + scopes is the standard protocol for an agent to obtain a bounded grant from a user. The user authorizes specific scopes; the agent receives a token that can only perform those scoped operations. Least-privilege scoping is essential: request only the scopes the current task requires, not a broad grant for all possible future tasks.
The agent-holds-user-token anti-pattern — storing the user's own access token (or refresh token) in the agent is risky: the token may have broad scopes beyond what the task needs, the agent has no distinct audit identity, and token leakage grants attacker-level access to the user's account.
RFC 8693 — OAuth 2.0 Token Exchange (IETF, January 2020) defines a protocol for an agent to present a token it already holds and receive a different, narrower token in return. This is the canonical mechanism for an agent to obtain a downstream token scoped to a specific sub-task or service, without holding the user's original broad token. The grant type is urn:ietf:params:oauth:grant-type:token-exchange.
Confused-deputy and token-passthrough risk — an agent that receives a user token from an orchestrator and forwards it directly to a downstream service creates a confused-deputy vulnerability: the downstream service cannot distinguish a legitimate orchestrator request from a forged one, and the token audience is not validated. RFC 8693 token exchange, combined with RFC 8707 resource indicators (audience binding), closes this gap. See /resources/mcp-server-authentication for how MCP explicitly forbids token passthrough.
RFC 8707 — Resource Indicators for OAuth 2.0 (IETF, February 2020) adds a resource parameter to OAuth requests so the client declares which resource server the token is for. The authorization server then issues a token whose audience (aud claim) is bound to that specific resource, preventing a token issued for Service A from being replayed against Service B.
Emerging agent-auth standards (as of June 2026)
Active standardization work addresses the agent-specific gaps in existing protocols:
IETF WIMSE — the Workload Identity in Multi-System Environments working group was chartered in March 2024 at IETF 119. It is producing architecture documents and token-exchange profiles for workloads that need to authenticate and exchange credentials across heterogeneous platforms. WIMSE explicitly addresses the case where an agent receives a workload identity token and must present it to a downstream system that uses a different identity scheme.
OpenID Foundation — Identity Management for Agentic AI — the OpenID Foundation's AI Identity Management Community Group published a whitepaper in October 2025 identifying two authentication layers that must work in tandem: the agent software itself authenticated as a trusted client, and the human delegating specific permissions. The Foundation has also attracted individual Internet-Drafts (e.g. draft-sharif-openid-agent-identity-00, March 2026) proposing agent-specific claims for OpenID Connect ID tokens — ownership, trust posture, and authorised capabilities. These are individual drafts with no formal IETF working-group standing as of June 2026, but they signal the direction the identity community is moving.
Practical guidance
- Give each agent instance its own identity. No shared keys, no shared OAuth client IDs across agent instances. Per-agent registration means a compromised credential affects one agent, not all of them.
- Issue short-lived, scoped tokens. Tokens should expire in minutes to hours, not days. Use refresh tokens or re-attest via SPIRE to get fresh credentials when needed.
- Audience-bind every token (RFC 8707). Include the
resourceparameter in OAuth requests so tokens cannot be replayed against unintended services. - Use token exchange (RFC 8693) rather than passing tokens through. When an agent delegates to a downstream service, exchange for a narrower token scoped to that service.
- Rotate and revoke. Build revocation into your agent lifecycle: when a task ends, revoke the tokens; when an agent is decommissioned, rotate secrets and expire credentials.
- Full audit log of which identity did what. Every action taken by an agent should be attributed to that agent's unique identity in an append-only audit log. See /resources/agent-observability for the broader tracing and logging pattern.
- Require human approval for high-privilege grants. Agents should not be able to self-elevate privilege. Any grant of admin-level or broad-scope access should require an explicit human approval step. See /resources/agent-guardrails.
Cross-links
- OAuth for MCP servers specifically: /resources/mcp-server-authentication
- Secrets and credential management in agent pipelines: /resources/agentic-security-checklist
- Audit logging and tracing of agent actions: /resources/agent-observability
- Human approval gates for high-stakes actions: /resources/agent-guardrails
Verified sources
- SPIFFE/SPIRE CNCF graduation announcement (September 2022): https://www.cncf.io/announcements/2022/09/20/spiffe-and-spire-projects-graduate-from-cloud-native-computing-foundation-incubator/
- SPIFFE overview and SVID specification: https://spiffe.io/docs/latest/spiffe-about/overview/
- RFC 8693 — OAuth 2.0 Token Exchange (IETF, January 2020): https://datatracker.ietf.org/doc/html/rfc8693
- RFC 8707 — Resource Indicators for OAuth 2.0 (IETF, February 2020): https://datatracker.ietf.org/doc/html/rfc8707
- IETF WIMSE working group (chartered March 2024): https://datatracker.ietf.org/group/wimse/history/
- WIMSE architecture draft: https://www.ietf.org/archive/id/draft-ietf-wimse-arch-01.html
- OpenID Foundation — Identity Management for Agentic AI whitepaper (October 2025): https://openid.net/wp-content/uploads/2025/10/Identity-Management-for-Agentic-AI.pdf
- OpenID Foundation — new whitepaper on AI agent identity challenges: https://openid.net/new-whitepaper-tackles-ai-agent-identity-challenges/
- GCP Workload Identity Federation documentation: https://cloud.google.com/iam/docs/workload-identity-federation