AI agent identity
A verifiable, cryptographic identity assigned to an autonomous AI agent, so any system can prove who the agent is, who it acts for, and what it is authorized to do.
AI agent
Autonomous software that performs tasks on a user’s or organization’s behalf — browsing, calling APIs, and taking actions without a human present for each step.
Principal
The user or organization that owns an agent and delegates authority to it; every action an agent takes traces back to its principal.
Delegated authority (delegation)
Scoped, time-bound, revocable permission granted by a principal to an agent, letting the agent act on the principal’s behalf without sharing long-lived secrets.
Scope
A specific, limited permission attached to a credential that defines exactly what an agent may do, enforced on every request to keep access least-privilege.
Verification
The real-time check, on every request, of an agent’s signature, identity, and scope before an action is allowed.
Trust score
An evidence-based measure of an agent’s trustworthiness built from real behavioral signals, letting platforms treat a well-behaved agent differently from an unknown one.
Revocation
Instantly invalidating an agent’s identity or delegation so it loses access on its very next request, rather than waiting for a token to expire.
Enforcement
Applying authorization and revocation decisions consistently at the point of action, everywhere an agent operates.
Governance
Writing access policy once and enforcing it consistently across every service, team, and agent.
Audit trail
An append-only, hash-chained, tamper-evident record of every agent action, so you can prove what an agent did and when.
Key management
The automated issuance, rotation, and retirement of cryptographic keys across their lifecycle, so credentials do not go stale or leak.
JWT (JSON Web Token)
A compact, signed token format that carries verifiable claims about an identity; a foundation of modern authentication and authorization, and of agent credentials.
JWKS (JSON Web Key Set)
A published set of public keys used to verify the signatures on JWTs without ever sharing private keys.
RS256
An RSA signature algorithm (RSASSA-PKCS1-v1_5 with SHA-256) commonly used to sign and verify JWTs.
OAuth 2 and OIDC
OAuth 2 is the standard framework for delegated authorization; OpenID Connect (OIDC) adds an identity layer on top. Both underpin agent authorization.
WIMSE
Workload Identity in Multi-System Environments — IETF work standardizing verifiable identity for workloads and agents.
SPIFFE
Secure Production Identity Framework for Everyone — an open standard for issuing verifiable identities to workloads.
MCP (Model Context Protocol)
A protocol for connecting tool-calling AI agents to tools and data; its authorization profile uses OAuth 2.1 with PKCE.
A2A (Agent-to-Agent)
An interoperability approach that lets agents discover and trust each other using signed Agent Cards.
Agent Card
A signed, machine-readable description of an agent (its identity and capabilities) used for agent-to-agent trust under A2A.
Bot detection
Behavioral guessing of whether traffic is human or automated (IP, headers, mouse movement); contrasted with identity-based verification, which proves who an agent is.