
What is agent authentication?

A complete guide to how AI agents prove identity, delegate authority across chains, and revoke access — with the same cryptographic rigor as human authentication.

Last updated: May 2026. 15 min read.

Definition

Agent authentication is the practice of verifying the identity of AI agents (software systems that act autonomously on behalf of users) and controlling what they can access, what they can delegate, and how that access is revoked. Unlike traditional user authentication, where a human completes a login, agent authentication must handle machines that call APIs on behalf of other machines, often in chains of delegation three or more levels deep.

The core challenge: when agent A calls API B on behalf of user C, and API B then calls service D on behalf of agent A, how does service D know who originally authorized the action? And how do you revoke access for the entire chain when user C changes their mind?

Agent authentication solves this with three mechanisms: identity proof (who is the agent), delegation chains (who authorized whom), and cascade revocation (pull one thread, the whole graph unravels).

Key protocols and standards

OAuth 2.1

The foundation of modern API authorization. OAuth 2.1 (still an IETF draft that consolidates OAuth 2.0 and its security best current practice) standardizes how agents obtain access tokens: PKCE is required for every client using the authorization code grant, the implicit and password grants are removed, and refresh tokens issued to public clients must be sender-constrained or rotated on each use.

OpenID Connect (OIDC)

Built on OAuth 2.0, OIDC adds an identity layer: alongside the access token, the client receives a signed ID token asserting which user authenticated and at which issuer. For an agent, this establishes who it is acting for. The ID token is meant for the agent itself, though; what the agent presents to downstream APIs is an access token, which is where Token Exchange comes in.

RFC 8693 — Token Exchange

The critical protocol for agent delegation. Token Exchange lets an agent trade the token it holds for a new token scoped to a downstream service. The new token keeps the original subject in its sub claim and records the agent in a nested act claim, so the party that originally authorized the action is preserved across every hop.

RFC 9449 — DPoP (Demonstrating Proof-of-Possession)

Binds each access token to a key pair held by the client. The authorization server records the public key's thumbprint in the token's cnf.jkt claim, and every API request must carry a fresh DPoP proof, signed with the private key and tied to the request's method and URL (and, via the ath claim, to the token itself). A stolen token cannot be replayed against a resource server that enforces DPoP, because the attacker cannot produce that proof without the private key. Note that DPoP protects OAuth access tokens; it does nothing for static API keys, which is one more reason to retire them.
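To make the binding concrete, the Go program below is an added example written for this guide (not SharkAuth's implementation and not code from RFC 9449). It builds a DPoP proof for one request and verifies it the way a resource server would: signature check against the key in the proof's own header, thumbprint match against the token's cnf.jkt, and binding to the method, URL and token hash. The client key, the URL https://api.example/calendar and the opaque access token string are constructed for the demo; a real token would carry cnf.jkt inside its signed claims, and a production server would also check iat freshness and remember jti values to reject replayed proofs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// jwk renders a P-256 public key as the JWK carried in a DPoP proof header.
func jwk(pub *ecdsa.PublicKey) map[string]string {
	return map[string]string{"kty": "EC", "crv": "P-256",
		"x": b64(pub.X.FillBytes(make([]byte, 32))), "y": b64(pub.Y.FillBytes(make([]byte, 32)))}
}

// Thumbprint is the RFC 7638 JWK thumbprint (SHA-256 of the required members in
// lexicographic order, no whitespace); the AS puts it in the token's cnf.jkt claim.
func Thumbprint(pub *ecdsa.PublicKey) string {
	k := jwk(pub)
	h := sha256.Sum256([]byte(fmt.Sprintf(`{"crv":"%s","kty":"%s","x":"%s","y":"%s"}`, k["crv"], k["kty"], k["x"], k["y"])))
	return b64(h[:])
}

// Proof builds the DPoP proof sent with one request: htm/htu bind it to the method
// and URL, ath binds it to the access token, jti makes it single-use, iat dates it.
func Proof(priv *ecdsa.PrivateKey, method, url, accessToken string) (string, error) {
	hdr, _ := json.Marshal(map[string]interface{}{"typ": "dpop+jwt", "alg": "ES256", "jwk": jwk(&priv.PublicKey)})
	jti := make([]byte, 16)
	_, _ = rand.Read(jti)
	ath := sha256.Sum256([]byte(accessToken))
	body, _ := json.Marshal(map[string]interface{}{
		"htm": method, "htu": url, "iat": time.Now().Unix(), "jti": b64(jti), "ath": b64(ath[:])})
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // ES256 uses raw r||s
	return input + "." + b64(sig), nil
}

// VerifyProof is the resource server's check; boundJkt is the cnf.jkt value read from
// the already-validated access token. A leaked token fails here without the private key.
func VerifyProof(proof, method, url, accessToken, boundJkt string) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return errors.New("malformed proof")
	}
	hdrRaw, _ := base64.RawURLEncoding.DecodeString(parts[0])
	bodyRaw, _ := base64.RawURLEncoding.DecodeString(parts[1])
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2])
	var hdr struct{ Typ, Alg string; Jwk map[string]string }
	var body struct{ Htm, Htu, Ath, Jti string; Iat int64 }
	if json.Unmarshal(hdrRaw, &hdr) != nil || json.Unmarshal(bodyRaw, &body) != nil ||
		hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || len(sig) != 64 {
		return errors.New("not a well-formed ES256 DPoP proof")
	}
	x, _ := base64.RawURLEncoding.DecodeString(hdr.Jwk["x"])
	y, _ := base64.RawURLEncoding.DecodeString(hdr.Jwk["y"])
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	if !pub.IsOnCurve(pub.X, pub.Y) {
		return errors.New("jwk is not a valid P-256 point")
	}
	// 1. The proof is signed by the key in its own header.
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("bad proof signature")
	}
	// 2. That key is the one the access token was bound to.
	if Thumbprint(pub) != boundJkt {
		return errors.New("proof key does not match the token's cnf.jkt")
	}
	// 3. The proof covers this request and this token (iat/jti replay checks omitted here).
	ath := sha256.Sum256([]byte(accessToken))
	if body.Htm != method || body.Htu != url || body.Ath != b64(ath[:]) {
		return errors.New("proof is not bound to this request and token")
	}
	return nil
}

func main() {
	clientKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	token := "constructed-opaque-access-token" // stands in for a token whose cnf.jkt is jkt below
	jkt := Thumbprint(&clientKey.PublicKey)
	proof, _ := Proof(clientKey, "GET", "https://api.example/calendar", token)
	fmt.Println("own key:", VerifyProof(proof, "GET", "https://api.example/calendar", token, jkt))
	thief, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	forged, _ := Proof(thief, "GET", "https://api.example/calendar", token)
	fmt.Println("attacker's key:", VerifyProof(forged, "GET", "https://api.example/calendar", token, jkt))
}
```

The first verification returns nil; the second, made with the attacker's own key for the same stolen token, fails at the thumbprint comparison, and reusing the legitimate proof against a different method or URL fails at the request binding. Those three checks are what turn a bearer token into a sender-constrained one.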

How agent delegation works

Imagine a user asks their AI assistant to schedule a meeting. The assistant (agent A) needs to access the user's calendar (service B), which requires checking the user's availability against a scheduling service (service C). Here's how the delegation chain works:

  1. The user authorizes agent A through the OAuth 2.1 consent flow and grants specific scopes: "read calendar" and "check availability." Agent A receives an access token whose subject (sub) is the user.
  2. To call service B, agent A sends that token to the RFC 8693 Token Exchange endpoint as the subject_token, together with its own credential as the actor_token, and receives a token for service B with sub = user and act = { sub: agent A }.
  3. Service B exchanges again to call service C. The new token still has sub = user, and the chain is nested: act = { sub: service B, act: { sub: agent A } }. The most recent actor is outermost.
  4. Service C validates the token and reads the full chain: user → agent A → service B, with service C as the audience. It can enforce policy at any level, for example rejecting any token in which agent A appears, regardless of which service presents it.

The chain is trustworthy because the authorization server verifies both the subject_token and the actor_token at every exchange and signs the token it issues; the nested act claims live inside that signature, so no intermediate service can add, drop or reorder a link. Each exchange should also narrow rather than widen scope: a downstream token must carry no more than the scope of the token it was exchanged for.
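The steps above carried through as an added example written for this guide (not SharkAuth's code, and a simplification of RFC 8693): a toy authorization server that signs tokens with an HMAC key, a token exchange endpoint that verifies both presented tokens before issuing a downstream token with the caller pushed onto the act chain, and the walk a resource server does over the nested act claims to recover the chain. The same code illustrates the act claim nesting described in the FAQ further down. Subject names, audiences, scopes and the signing key are constructed for the demo; a real AS would sign with an asymmetric key and would additionally check audience, expiry and whether the caller is allowed to request the target audience.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Demo-only HMAC key standing in for the authorization server's signing key.
var asKey = []byte("constructed-demo-signing-key")

// Act is the RFC 8693 "act" claim: the party currently acting, optionally
// nesting the previous actor. The outermost Act is the most recent delegate.
type Act struct {
	Sub string `json:"sub"`
	Act *Act   `json:"act,omitempty"`
}

// Claims is the subset of an access token payload the demo needs.
type Claims struct {
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Scope string `json:"scope"`
	Act   *Act   `json:"act,omitempty"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// sign mints a compact HS256 JWT over the claims.
func sign(c Claims) string {
	payload, _ := json.Marshal(c)
	input := b64([]byte(`{"alg":"HS256","typ":"at+jwt"}`)) + "." + b64(payload)
	mac := hmac.New(sha256.New, asKey)
	mac.Write([]byte(input))
	return input + "." + b64(mac.Sum(nil))
}

// verify checks the HMAC in constant time and decodes the claims.
func verify(token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, asKey)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return Claims{}, errors.New("bad signature")
	}
	var c Claims
	raw, _ := base64.RawURLEncoding.DecodeString(parts[1]) // covered by the signature just checked
	return c, json.Unmarshal(raw, &c)
}

// Exchange models the RFC 8693 endpoint. The caller presents the token it holds
// (subject_token) plus a token proving its own identity (actor_token); the AS
// verifies both and issues a token for audience that keeps the original sub,
// never widens scope, and pushes the caller onto the act chain.
func Exchange(subjectToken, actorToken, audience string) (string, error) {
	subj, err := verify(subjectToken)
	if err != nil {
		return "", fmt.Errorf("subject_token: %w", err)
	}
	actor, err := verify(actorToken)
	if err != nil {
		return "", fmt.Errorf("actor_token: %w", err)
	}
	return sign(Claims{Sub: subj.Sub, Aud: audience, Scope: subj.Scope,
		Act: &Act{Sub: actor.Sub, Act: subj.Act}}), nil
}

// Chain is what a resource server reads off a verified token: the subject
// followed by each delegate in the order authority was handed down.
func Chain(token string) ([]string, error) {
	c, err := verify(token)
	if err != nil {
		return nil, err
	}
	var delegates []string
	for a := c.Act; a != nil; a = a.Act {
		delegates = append([]string{a.Sub}, delegates...) // innermost (first delegate) ends up first
	}
	return append([]string{c.Sub}, delegates...), nil
}

func main() {
	// Constructed tokens: the user's consent grant to agent A, plus the client
	// credentials of agent A and service B (tokens asserting their own identity).
	userGrant := sign(Claims{Sub: "user:alice", Aud: "agent-a", Scope: "calendar.read availability.check"})
	agentA := sign(Claims{Sub: "agent-a", Aud: "https://as.example"})
	serviceB := sign(Claims{Sub: "service-b", Aud: "https://as.example"})
	forB, _ := Exchange(userGrant, agentA, "service-b") // step 2
	forC, _ := Exchange(forB, serviceB, "service-c")    // step 3
	chain, _ := Chain(forC)                              // step 4
	fmt.Println(strings.Join(chain, " -> "))             // user:alice -> agent-a -> service-b
}
```

Service C never sees agent A's or service B's own tokens; it only sees the signed chain, which is why an exchange endpoint that skips the actor_token check (or lets the caller supply the act value) would let any service claim any provenance.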

Why agent authentication matters now

45% of enterprises plan to deploy autonomous agents by end of 2026 (Gartner)
3.2x increase in API calls when agents replace direct user actions (internal benchmark)
78% of security teams cite "lack of agent visibility" as their top concern (CrowdStrike 2026)
$4.2M average breach cost from compromised service accounts (IBM 2025 report)

Frequently asked questions

How is agent authentication different from API keys?

API keys are static secrets that grant broad access until someone rotates them, and nothing ties a key to the process presenting it. Agent authentication uses short-lived tokens with scoped permissions, cryptographic proof-of-possession (DPoP), and explicit delegation chains. If an API key leaks, the attacker keeps that access until the leak is noticed and the key rotated. If a DPoP-bound agent token leaks, it expires quickly and cannot be replayed without the private key it was bound to.

What is cascade revocation?

Cascade revocation means that revoking any grant in a delegation chain automatically invalidates every token derived from it. If a user revokes access to agent A, all tokens that agent A obtained, and all tokens downstream services obtained by exchanging them, become invalid at the same time. In SharkAuth, this propagates in under 12 milliseconds p99. Revocation only takes effect where resource servers consult that state, for example through token introspection or a pushed revocation signal; a self-contained JWT that is only signature-checked stays usable until it expires, which is one reason to keep agent token lifetimes short.
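To make the cascade concrete, the Go program below is an added example (not SharkAuth's implementation, whose internals this page does not describe): an in-memory grant graph in which every issued grant records the grant it was derived from, a revocation that walks the whole subtree, and the ancestor check an introspection endpoint would run before answering "active". Grant IDs and subjects are constructed to mirror the scheduling scenario above, with one extra branch under agent A to show that siblings fall too.

```go
package main

import (
	"errors"
	"fmt"
)

// Grant is one node in the delegation graph: a token or consent issued under a parent grant.
type Grant struct {
	ID      string
	Parent  string // "" for a root grant (the user's original consent)
	Subject string // who holds this grant
	Revoked bool
}

// GrantStore is the authorization server's record of every grant and what it was
// derived from. This demo keeps it in memory; a real deployment persists it.
type GrantStore struct {
	grants   map[string]*Grant
	children map[string][]string
}

func NewGrantStore() *GrantStore {
	return &GrantStore{grants: map[string]*Grant{}, children: map[string][]string{}}
}

// Issue records a new grant derived from parent (or a root grant when parent == "").
// Issuing under a revoked or unknown parent is refused, so the cascade cannot be outrun.
func (s *GrantStore) Issue(id, parent, subject string) error {
	if parent != "" {
		p, ok := s.grants[parent]
		if !ok || p.Revoked {
			return errors.New("parent grant missing or revoked: refusing to issue " + id)
		}
		s.children[parent] = append(s.children[parent], id)
	}
	s.grants[id] = &Grant{ID: id, Parent: parent, Subject: subject}
	return nil
}

// Revoke marks the grant and, transitively, every grant derived from it as revoked.
// It returns the IDs it revoked in breadth-first order; a second call is a no-op.
func (s *GrantStore) Revoke(id string) []string {
	var revoked []string
	queue := []string{id}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		g, ok := s.grants[cur]
		if !ok || g.Revoked {
			continue
		}
		g.Revoked = true
		revoked = append(revoked, cur)
		queue = append(queue, s.children[cur]...)
	}
	return revoked
}

// Active is the answer an introspection endpoint gives: a grant is usable only if
// neither it nor any ancestor is revoked. Walking up is a belt-and-braces check in
// case an ancestor was revoked by a path that bypassed Revoke's walk.
func (s *GrantStore) Active(id string) bool {
	for cur := id; cur != ""; {
		g, ok := s.grants[cur]
		if !ok || g.Revoked {
			return false
		}
		cur = g.Parent
	}
	return true
}

func main() {
	// Constructed chain from the scheduling example: user -> agent A -> service B -> service C,
	// plus a second grant agent A obtained for another task.
	s := NewGrantStore()
	_ = s.Issue("g-user", "", "user:alice")
	_ = s.Issue("g-agent-a", "g-user", "agent-a")
	_ = s.Issue("g-service-b", "g-agent-a", "service-b")
	_ = s.Issue("g-service-c", "g-service-b", "service-c")
	_ = s.Issue("g-agent-a-mail", "g-agent-a", "agent-a")
	fmt.Println("revoked:", s.Revoke("g-agent-a"))
	fmt.Println("service C still active?", s.Active("g-service-c"))
	fmt.Println("user's root grant still active?", s.Active("g-user"))
}
```

Revoking the user's grant to agent A takes down service B's and service C's tokens and agent A's sibling grant in one walk, while the user's own root grant survives; the Issue check closes the window in which a service could mint a fresh child under a parent that is already dead.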

Do I need to replace my existing OAuth 2.0 setup?

No. SharkAuth implements standard OAuth 2.1 and OIDC. Existing OAuth 2.0 clients work with minimal changes. Agent-specific features (Token Exchange, DPoP, cascade revocation) are opt-in extensions that clients can adopt incrementally.

What is an act / actor chain?

In RFC 8693 Token Exchange, delegation is expressed with the act (actor) claim. The token's sub claim stays the original subject (the user), and act identifies the party currently acting on that subject's behalf (the agent or service). When a delegated token is exchanged again, the previous act value is nested inside the new one, so the outermost act is the current actor and the innermost is the first delegate. Reading the nesting from the inside out reproduces the provenance of every hop.

Build agent auth in minutes

SharkAuth is the only open-source auth platform built for agents from day one.
