Every agent gets a cryptographic identity. Every session gets a scoped mandate. Credentials attenuate monotonically — child agents always get fewer permissions than their parent.
Revoke alice-chen's credential and both child agents lose access instantly.
When you hire a contractor, you give them a statement of work: what they can do, which rooms they can enter, how long they have access, and a spending limit. They don't get the keys to the whole building.
An agent mandate works the same way. Every session gets a scope: which tools, which data tiers, what constraints (amount limits, environment restrictions, target systems), and a time bound. The agent physically cannot exceed its mandate.
    Mandate for: crm-research-agent
    Session: loan_evaluation_4821

    allowed_tools: search, brain_query, read_db
    blocked_tools: shell, deploy, delete_record
    constraints:
      amount_max: 500
      env: ["staging", "development"]
      targets: ["crm-db", "marketing-api"]
    ttl: 1 hour

    What happens:
    search("Q1 revenue")       ALLOW (in scope)
    brain_query("churn rate")  ALLOW (in scope)
    deploy("production")       DENY (not in allowed_tools)
    transfer(amount=5000)      DENY (exceeds amount_max)
Credentials delegate downward with strict attenuation. The parent agent issues a credential to the child agent. The child's scope is always a SUBSET of the parent's scope. The child cannot request tools the parent doesn't have.
Cascade revocation: revoke the parent's credential and every descendant credential dies instantly. One action, entire chain terminated. No orphaned permissions.
Runtime binding: credentials are cryptographically bound to the agent's configuration — tool list, model name, and config hash. If anything changes after issuance, the credential auto-invalidates.
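The mandate checks, subset-only delegation and cascade revocation described above, as an added Python example; it is not the product's code or token format. The `Credential` class, the `summarizer` sub-agent, the `transfer` tool in the owner's scope and all values are constructed for illustration.

```python
import time
from dataclasses import dataclass

@dataclass
class Credential:
    """In-memory credential (hypothetical model, not the product's token format)."""
    holder: str
    tools: frozenset
    amount_max: int
    expires: float
    parent: "Credential | None" = None
    revoked: bool = False

    def delegate(self, holder, tools, amount_max, ttl):
        """Issue a child credential; each field may only narrow the parent's."""
        tools = frozenset(tools)
        if not tools <= self.tools:
            raise PermissionError(f"parent lacks: {sorted(tools - self.tools)}")
        if amount_max > self.amount_max:
            raise PermissionError("amount_max exceeds parent's limit")
        expires = min(time.time() + ttl, self.expires)  # never outlives parent
        return Credential(holder, tools, amount_max, expires, parent=self)

    def valid(self):
        """Walk to the root: one revoked or expired ancestor kills the chain."""
        node, now = self, time.time()
        while node is not None:
            if node.revoked or now >= node.expires:
                return False
            node = node.parent
        return True

    def authorize(self, tool, amount=0):
        """Return the decision string for one tool call under this credential."""
        if not self.valid():
            return "DENY (revoked or expired)"
        if tool not in self.tools:
            return "DENY (not in allowed_tools)"
        if amount > self.amount_max:
            return "DENY (exceeds amount_max)"
        return "ALLOW (in scope)"

# Constructed sample chain: owner -> agent -> sub-agent.
owner = Credential("alice-chen", frozenset({"search", "brain_query", "read_db", "transfer"}),
                   amount_max=500, expires=time.time() + 3600)
agent = owner.delegate("crm-research-agent", {"search", "brain_query", "transfer"}, 500, ttl=600)
helper = agent.delegate("summarizer", {"search"}, 100, ttl=600)
```

Setting `owner.revoked = True` makes `helper.authorize("search")` return a denial without touching the child objects, because validity is resolved by walking the chain at check time.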
Inspired by User-Controlled Authorization Networks. Self-contained capability tokens with embedded scope, no server lookup needed for validation.
Configurable limit prevents unbounded delegation chains. Most real-world pipelines are 2-3 hops.
Agents aren't orphans. Every agent is owned by a human or a team. Ownership is visible in the dashboard. Orphan detection in the security scanner.
Verify tokens from Okta, Azure AD, Google Workspace. JWKS-based key rotation. Standard claims mapped to agent permissions.
Auto-provision and deprovision agent identities from your IdP. Create, update, delete, list — all standard SCIM operations.
YAML manifest with 50 agents? Import them all at once. Each gets identity, credential, and owner assignment.