Authentication for AI Agents: OAuth Patterns for Non-Human Identity
Updated 2026-05-15 · 12 min read · By @guptadeepak
Key takeaways
- AI agents are non-human principals that act on behalf of a user, an organization, or themselves. The authentication pattern depends on which.
- OAuth 2.0 / 2.1 with on-behalf-of (OBO) tokens is the dominant pattern for user-delegated agent authentication in 2026.
- Dynamic Client Registration (RFC 7591) is how MCP servers and agent platforms register without a human in the loop; pair it with strict registration policies.
- Agent identity is the third leg of the identity stool alongside human and workload identity; conflating any two is the root of most agentic-AI security incidents.
- Token theft from an agent is high-impact: broader scopes, machine speed. Short lifetimes, narrow scopes, and sender-constrained tokens are non-optional.
Why agent authentication is its own problem
The identity stool has three legs in 2026:
- Human identity: a person. Authenticated via passkeys, passwords, MFA. Subject to user-friendly UX.
- Workload identity: a service or process. Authenticated via mTLS, SPIFFE SVIDs, cloud IAM. No UX, all automation.
- Agent identity: an AI agent that runs autonomously but often acts for a user. Combines properties of both — needs the delegation model of human auth, the lifecycle of workload auth, and a couple of patterns unique to itself (model-version provenance, prompt-source attribution, tool-call audit).
Conflating any two of these is the root of most agentic-AI security incidents. An agent running with a human user's full token (treating the agent as the user) means the agent's bugs become the user's compromises. An agent running as a generic service account (treating the agent as a workload) loses the audit trail of which user requested which action. The patterns below keep them separate.
Who is the principal: three scenarios
The authentication pattern depends on which entity the agent is asserting.
1. Agent acting on behalf of a single user, with their consent.
The user has consented (explicitly, through an OAuth authorization screen, or implicitly via terms of service) for the agent to act for them. The agent is calling APIs as the user, scoped to what the user authorized. Example: a calendar agent the user installed in their email client, which schedules meetings on their behalf.
The pattern: OAuth on-behalf-of (OBO) via RFC 8693 token exchange. The agent has its own client_id (registered with the OAuth server). At runtime, the agent takes the user's access token and exchanges it at the token endpoint for a new token, audience set to the downstream API. The new token preserves the user identity in claims; the audit log shows both the user and the agent.
2. Agent acting autonomously as a service.
The agent has its own service principal with its own permissions, not delegated from any user. Example: a monitoring agent that watches the company's logs and pages on-call for anomalies. No specific user is responsible for what it does; the company is.
The pattern: OAuth client_credentials grant. The agent authenticates as itself with client_id and credential (client_secret, mTLS cert, or DPoP key). The resulting access token carries the agent's identity, not a user's. Authorization is configured against the agent's principal.
3. Agent shared across many users.
A shared agent that processes many users' data. Example: a customer-support agent that reads support tickets from all users, no single user is in scope for any one request.
The pattern is context-dependent. If the agent should never see user-specific data, treat it as case 2 (service principal). If the agent processes one user's data per request, the calling code should swap to that user's context — OBO when the upstream call carried a user token, or explicit impersonation guarded by IAM policy when not. The mistake is letting a shared agent accumulate broad user permissions and call APIs ambiguously; the audit log becomes uninterpretable.
Dynamic Client Registration: agent onboarding at scale
OAuth 2.0 traditionally requires a human to register a client through a developer portal: fill out a form, get a client_id. That does not scale to agentic systems where new agents and new MCP servers need to be onboarded at runtime.
RFC 7591 (Dynamic Client Registration, DCR) defines a registration endpoint where clients register themselves programmatically. POST a JSON document describing the client; receive a client_id, client_secret, and a registration_access_token for managing the registration.
The risks DCR introduces:
- Open registration is open registration. Anyone who reaches the endpoint can create a client. Without a gate, the OAuth server becomes a free oracle for client creation and (with poor scope policies) for token issuance.
- Scope inflation. A registered client requests broad scopes; if the server grants what is requested, the new client has whatever permissions the policy permits, regardless of intent.
- Forgotten clients. Programmatic registration without programmatic deprovisioning means thousands of stale
client_ids accumulating with validclient_secrets.
The mitigations production deployments use:
- Initial Access Tokens (IATs): gate the registration endpoint with an IAT — an out-of-band-issued token that authorizes one registration. The IAT issuer is a human; the registration is the agent's.
- Strict scope policies per registration. The registration metadata declares the scopes the client may request; the OAuth server enforces an allowlist mapped to the IAT class.
- Software statements (RFC 7591 §2.3): a signed JWT asserting "this software is what it claims to be" — issued by the agent platform vendor, verified by the OAuth server. Combined with attestation, this lets the server know it is registering an instance of a known agent runtime, not arbitrary code.
- Lifecycle: registrations expire; refresh requires re-attestation; deletion is automated.
The Model Context Protocol (MCP) ecosystem leans heavily on DCR — every MCP server an agent discovers is a new OAuth client. Strict DCR policy is what keeps the discovery model from being an unbounded client-creation oracle.
Sender-constrained tokens: why agents need them more
Bearer tokens are bearer tokens — anyone who has them can use them. For human users that is bad enough; for agents that is worse, because agents:
- Act at machine speed (an hour of stolen-token use is hundreds of API calls).
- Often have broader scopes than humans (the agent for "schedule meetings and respond to email" combines permissions a human would have in two separate sessions).
- Run in environments where token storage is more porous (process memory in a Python script, environment variables in a container, logs from a debugger).
Sender-constrained tokens raise the bar:
- mTLS-bound tokens (RFC 8705): the access token is valid only when presented over a TLS connection where the client presents a specific certificate. Stolen token + no key = useless. The right pick when the agent runs in an environment that supports mTLS — service mesh, server-side runtimes.
- DPoP (RFC 9449): the agent holds a public/private key pair, signs a per-request DPoP proof, includes the key thumbprint in the token. Same property as mTLS, lighter to deploy. Right for agents that cannot do mTLS — browser-running agents, mobile agents, edge functions.
Either is materially stronger than bare bearer tokens for agent use cases. Adopting one before a token-theft incident teaches the lesson is much cheaper than adopting one after.
Token lifetimes for agents
The general rule: agent access tokens should be shorter than the equivalent human access tokens. The reasoning, restated:
- Token theft window is the lifetime. Stolen agent tokens get used immediately; human tokens have a delay while the attacker figures out the UX.
- Agents have broader scope. A token that authorizes 50 distinct API operations is more dangerous than one that authorizes 5.
- Agents do not notice anomalous activity. A human user logs in and sees unfamiliar sessions; the agent runs in a loop and notices nothing.
Reasonable defaults for production agent deployments: access tokens 5–15 minutes, refresh tokens rotated on every use (RFC 6749bis), refresh tokens bound to the client (sender-constrained — mTLS or DPoP).
The detail is covered in Token Management for AI Agents.
Audit and attribution
The audit log for an agent action must record at least:
- User principal (if OBO): who delegated the action.
- Agent principal: which agent took the action.
- Action: which API call, which scope, which resource.
- Source: the prompt or instruction that produced the action, if traceable (some agent runtimes record the LLM input that led to a tool call).
- Model identity: which model version produced the output that became the tool call.
The combination of user + agent + model + action is the new audit primitive for agentic systems. SIEM tools are starting to ingest this; CIAM products that ship strong audit log structure for agent actions (Auth0, Descope, WorkOS, Curity) are the ones building the right primitive.
Implementation guidance
- Decide whose identity the agent asserts before writing any code. OBO for user-delegated; client_credentials for autonomous; explicit per-request user context for shared agents. Picking later is a refactor.
- Use OAuth 2.1, not OAuth 2.0. PKCE mandatory, refresh-token rotation mandatory, audience-restricted tokens. OAuth 2.1 Explained for the details.
- For OBO, implement RFC 8693 token exchange. Most modern OAuth servers (Auth0, Curity, Keycloak, WorkOS, Ory Hydra) support it; pick one that does.
- Gate DCR with initial-access-tokens and strict scope policies. Open DCR is a security incident waiting.
- Sender-constrained tokens for agents in production. mTLS where the runtime supports it, DPoP otherwise. Bearer-only is a risk choice you should make consciously.
- Short access-token lifetimes. 5–15 minutes. Refresh-token rotation. Refresh tokens bound to the client.
- Audit user + agent + model + action. The combination is what makes incident response possible.
- Plan for compromise. When an agent's token is stolen, what blast radius does it have? If the answer is "everything the user can do for the next hour," scope reduction and lifetime reduction are urgent.
Go deeper: A comprehensive guide to MCP covers the protocol most agent platforms use to expose tools and data to models.
Related vendors
Auth0
Auth0 remains the safest mid-market default for B2C plus B2B Enterprise SSO when developer velocity matters more than long-run TCO. Below 50k MAU it is hard to beat. Above 500k MAU, cost and Actions-driven lock-in make alternatives like FusionAuth (self-host), Cognito (AWS-native), or Stytch plus Corbado (passkey-first) increasingly attractive.
Curity
Curity is the standards-purist enterprise CIAM in 2026, among the most spec-correct OAuth 2.0 / OIDC implementations available, with strong FAPI and Open Banking support that suits financial services and regulated workloads. The configuration-as-code model treats identity like infrastructure-as-code, which appeals to engineering-mature enterprises. Outside the standards-correctness or FAPI use cases, the enterprise pricing and learning curve make broader-scope CIAM (Auth0, Ping) more practical.
Descope
Descope is the orchestration-first CIAM in 2026, its Flows visual editor is the most capable no-code auth designer in the market, paired with above-average passkey orchestration and an early MCP-native posture for AI agents. For mid-market B2C and B2B SaaS that wants modern auth without writing the orchestration layer, Descope is one of the strongest picks. Compliance breadth and ecosystem maturity still favor Auth0 above 500k MAU.
Frontegg
Frontegg is the strongest B2B SaaS CIAM in 2026 by Admin Portal and self-service end-customer experience, the buyer is a SaaS engineering team that needs to ship enterprise-grade IT admin features without building them, and Frontegg delivers more of that out of the box than Auth0 or WorkOS. The trade-off is narrower B2C feature coverage and a smaller ecosystem than Auth0; for B2B-first SaaS the Admin Portal alone often justifies the choice.
WorkOS
WorkOS is the strongest B2B-first CIAM in 2026 by deliberate scope choice, every product surface assumes the buyer is selling to enterprise IT, not to consumers. AuthKit's 1M MAU free tier makes it a credible Auth0 alternative for B2B SaaS that doesn't need adaptive risk or B2C consumer flows. For pure B2B SSO, SCIM, and audit logs, WorkOS is hard to beat at any price point.
FAQ
- What's a non-human identity and why does it matter for AI agents?
- A non-human identity (NHI) is any principal that is not a person — service accounts, workloads, API keys, and now AI agents. NHIs in production typically outnumber human identities 20-to-1 and grow faster. AI agents are a new NHI category with two distinguishing properties: they operate at machine speed (so token theft has a wide blast radius before detection), and they often need delegated permissions from a human (so the on-behalf-of model matters more than for ordinary workloads).
- Should an AI agent use the user's token or its own?
- Depends on what the agent is doing. Acting on behalf of a single user with their consent: OAuth on-behalf-of (OBO) — the agent has its own client identity, plus a delegated token derived from the user's session. Acting autonomously as a service: client_credentials grant — the agent has its own service principal, its own scopes, no user attached. Acting for multiple users (a shared agent that processes many users' data): either pattern depending on whether the agent should see user-specific data; pick consciously, do not default.
- What is the on-behalf-of (OBO) flow?
- OBO is a token-exchange pattern (RFC 8693): a service that received a user's access token can exchange it at the token endpoint for a new token bound to a downstream service. The new token's audience is the downstream service; the user identity is preserved in the claims. For AI agents, OBO is how the agent says 'I am the calendar agent, acting for user X, calling the calendar API on their behalf.' The audit log shows both the user and the agent.
- How does Dynamic Client Registration fit into this?
- DCR (RFC 7591) lets a client register with an OAuth server programmatically — no human filling out a form to create a client_id. MCP servers and agent platforms use DCR to onboard new agents at scale. The risk: anyone who can reach the registration endpoint can create a client. Production deployments protect DCR with an initial-access-token gate, restrict the scopes a registered client can request, and require attestation of the registering software where possible.
- How short should an agent token's lifetime be?
- Shorter than the equivalent human token, in most cases. Agents act faster than humans, so a 1-hour token gives an attacker a 1-hour window of automated action — typically more damage than a human attacker could do in the same window. 5-15 minute access tokens with refresh-token rotation are reasonable defaults for production agent deployments. Sender-constrained tokens (mTLS, DPoP) raise the bar further by making stolen tokens useless without the corresponding key.
Sources
- OAuth 2.1 (IETF draft)
- RFC 8693 — OAuth 2.0 Token Exchange
- RFC 7591 — OAuth 2.0 Dynamic Client Registration
- RFC 9449 — OAuth 2.0 Demonstrating Proof of Possession (DPoP)
- RFC 8705 — OAuth 2.0 Mutual-TLS Client Authentication
- Model Context Protocol (Anthropic, 2024)