If autonomous agents are the new employees, your bearer tokens are their keycards. Today’s OAuth/JWT keycards open too many doors for too long, and no one can prove why a door was opened—only that it was. This is fine for deterministic apps; it breaks for stochastic, tool‑calling LLM agents. Agentic JWT (A‑JWT) proposes a surgical fix: bind every API call to a cryptographically verifiable intent (and optional workflow step), and give each agent its own identity plus proof‑of‑possession (PoP) keys. Zero‑Trust, but practical.
The core idea—separate intent from execution
Classical OAuth assumes the client embodies the resource owner’s live intent. Agentic systems violate that assumption: prompts drift, plans branch, and multi‑agent orchestration creates ambiguous accountability. A‑JWT splits concerns:
- Access Token (legacy JWT): the app’s coarse permit. Back‑compatible.
- Intent Token (A‑JWT): short‑lived, per‑agent, per‑intent, optionally per‑workflow‑step. Carries claims like
workflow_id,workflow_step,delegation_chain, and an agent checksum. - Per‑agent PoP key: HTTP‑signature on each request; replay dies even if a token leaks.
- Shim checksum: a runtime integrity stamp so the server knows the enforcement layer itself hasn’t been swapped.
Net effect: You can finally answer three questions on every call—who executed, on whose intent, and at which step—and block calls when any of the three don’t match.
Why this matters for operators and risk owners
- Contain blast radius: Compromise of one agent or step doesn’t unlock the whole app.
- Enforce least privilege dynamically: Workflows become first‑class policy objects—not just static scopes.
- Make audit trails objective: Delegation chains and step hashes provide cryptographic provenance, not just logs.
- Drop‑in path: Services that ignore the new claims still accept the token as a normal JWT.
Quick map: Classic OAuth/JWT vs Agentic JWT
| Dimension | Classic OAuth/JWT | Agentic JWT (A‑JWT) |
|---|---|---|
| Principal on the wire | App/client | Per‑agent identity (checksum‑bound) |
| Intent binding | Implicit via scopes | Explicit intent claim: workflow/step/context |
| Delegation lineage | Optional act chains, soft semantics |
Delegation chain with enforcement expectation |
| Replay protection | Bearer; DPoP optional | Mandatory PoP per agent (HTTP signatures) |
| Back‑compat | N/A | Full: ignore A‑JWT fields → behaves like JWT |
| Zero‑Trust posture | Point‑in‑time issuance | Per‑call verification of agent + intent + step |
Threats A‑JWT actually neutralizes (in practice)
| Threat (LLM/OAuth reality) | Why it happens | A‑JWT control |
|---|---|---|
| Prompt‑induced scope drift | LLM plans new actions beyond original user task | Token mint requires matching workflow_id/step registered at IDP; off‑path calls fail |
| Cross‑agent privilege hop | Low‑priv agent nudges high‑priv agent | Enforcement ties call to the executing agent’s checksum + PoP key |
| Token replay | Memory dump or proxy leak | PoP signature check blocks reuse without the private key |
| Shim swap / on‑host tampering | Replacing guardrails library | X‑Shim‑Checksum checked against IDP’s allow‑list |
| Who did what? | Logs are ambiguous | Delegation chain + step hash → cryptographic provenance |
Architecture—in one minute
- Register agents & workflows at the IDP (automate via CI/CD). Store: agent checksum, PoP pubkey, allowed workflow graph.
- Shim runs inside each agent process: derives checksum, mints intent tokens, signs requests, injects agentic headers, and rejects suspicious state (e.g., mutated prompt templates).
- Resource server verifies: (a) IDP signature, (b) PoP signature, (c) agent checksum match, (d) workflow step authorization.
Think of it as BeyondCorp for agents: identity per workload, just‑enough access per step, continuous verification.
Implementation notes you can act on this quarter
- Start narrow: Wrap only the high‑risk tool calls (write, transfer, delete) behind A‑JWT. Leave read‑only flows on legacy JWT while you harden infra.
- Automate registration: Bake agent/workflow registration into your deployment pipeline; fail builds on checksum drift.
- Cache with discipline: Keep intent tokens short‑lived (seconds to minutes). Cache per step—never globally.
- Introduce PoP now: Even before full intent tokens, move sensitive APIs to HTTP Message Signatures (RFC 9440) to kill trivial replay.
- Model the workflow as a DAG: Map step adjacency and permitted transitions. The IDP should reject tokens for off‑graph steps.
Where it will bite (trade‑offs)
- Mint latency: More, shorter tokens → more minting. Mitigate with per‑step caching + coalesced calls.
- Governance overhead: Any agent prompt/tool/config change requires re‑registration. Solve with “prompt template + allowed variables” and CI enforcement.
- Ecosystem coordination: Full value appears when IDP and major APIs speak A‑JWT natively. Use a resource‑server proxy as a transitional layer.
An operator’s checklist (copy/paste)
- Inventory all agent processes and label write‑capable tools.
- For each, define:
workflow_id, enumeratedworkflow_steps, allowed transitions. - Generate per‑agent keypairs; publish JWKs to IDP.
- Add shim; reject runtime prompt/template deltas not on an allow‑list.
- Enforce PoP + intent validation at the API gateway.
- Add tamper‑evident logs: token
jti,workflow_step,agent_checksum, PoPkid, request digest.
Business lens: Why this isn’t just “more crypto”
- Regulatory comfort: Objective provenance closes the loop on “automated decision accountability”.
- Segmentation ROI: You can finally price and insure agent workloads by actual blast radius, not by app monolith.
- Vendor‑neutral upgrade path: No rip‑and‑replace—A‑JWT rides existing OAuth/JWT rails.
What we’re watching next
- Standardization: Expect convergence with OAuth DPoP, RFC 8693
actchains, and GNAP sub‑grants. A‑JWT is a pragmatic middle step. - TEE profiles: Optional attestation can shrink the remaining on‑host TOCTOU window for high‑assurance deployments.
Bottom line: Agentic JWT fuses practical Zero‑Trust with how agentic systems actually work. It limits damage, clarifies intent, and gives security teams coarse‑to‑fine dials without stalling delivery.
Cognaptus: Automate the Present, Incubate the Future.