Agent Tokens

Specialized tokens for AI agents in the agentic economy

Advanced Feature

What are Agent Tokens?

Agent Tokens are specialized OAuth2 access tokens designed for AI agents operating in the agentic economy. They extend standard OAuth2 tokens with features for task-scoping, delegation tracking, and compliance-ready audit trails.

EU AI Act Compliant

Agent tokens include built-in compliance features for EU AI Act Article 13 (transparency and documentation).

Key Features

Task-Scoped Tokens

Tokens limited to specific tasks with operation count limits

Delegation Tracking

Full chain of authorization from human to agent(s)

Audit Trails

Compliance-ready logging for regulatory requirements

High Performance

< 3ms introspection latency with Redis cache

Agent Types

Type        | Description                                                      | Use Case
----------- | ---------------------------------------------------------------- | ---------------------------------------------
autonomous  | Agent operates independently without human approval per action  | Long-running tasks, automated workflows
supervised  | Agent requires human approval for critical actions               | High-risk operations, GDPR Article 22 compliance
ephemeral   | Short-lived agent for single task execution                      | One-time operations, quick tasks

Generating Agent Tokens

Endpoint

POST /oauth/agent-token

Request


POST /oauth/agent-token
Content-Type: application/json
Body: JSON with client_id, client_secret, delegated_by_user_id,
      agent_type, scope, task_id, max_operations, etc.

See API Reference for complete parameter list.

Response

Returns JSON with access_token, token_type, expires_in, scope, agent_type, task_id, max_operations, and expires_on_completion fields.

Request Parameters

Parameter              | Type    | Required | Description
---------------------- | ------- | -------- | --------------------------------------------------------
client_id              | string  | Yes      | OAuth2 client identifier
client_secret          | string  | Yes      | OAuth2 client secret
delegated_by_user_id   | string  | Yes      | User ID of the human authorizer
agent_type             | string  | Yes      | autonomous | supervised | ephemeral
scope                  | string  | Yes      | Space-separated scopes (subset of the client's allowed_scopes)
task_id                | string  | No       | External task identifier
max_operations         | integer | No       | Maximum number of token uses
expires_on_completion  | boolean | No       | Auto-revoke when max_operations is reached
intent_description     | string  | No       | Human-readable intent for compliance

Token Introspection (Extended)

When introspecting an agent token, the response includes additional agent-specific metadata: agent_type, delegated_by, delegation_chain, delegation_depth, task_id, max_operations, operations_remaining, expires_on_completion, intent_description, orchestrator_id, and environment.

See API Reference for complete introspection response format.
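To make the issuance parameters and the extended introspection concrete, here is an added example of an in-memory issuer that enforces the scope-subset rule, the operation budget (max_operations / operations_remaining with expires_on_completion), the TTL ceiling, and the audit event fields described above. This is illustrative code written for this page, not the product's implementation; the class name, the allowed_scopes constructor argument, the event names and the audit record layout are assumptions.

```python
import secrets
import time

DEFAULT_TTL, MAX_TTL = 900, 3600        # page: default 15 min, max 1 hour
AGENT_TYPES = {"autonomous", "supervised", "ephemeral"}


class AgentTokenService:
    """Hypothetical in-memory issuer/introspector, not the product's implementation."""

    def __init__(self, allowed_scopes):
        self.allowed_scopes = set(allowed_scopes)   # the OAuth2 client's allowed_scopes (assumed)
        self.tokens, self.audit_log = {}, []

    def issue(self, delegated_by_user_id, agent_type, scope, task_id=None, max_operations=None,
              expires_on_completion=False, expires_in=DEFAULT_TTL, intent_description=None, now=None):
        scopes = set(scope.split())
        if agent_type not in AGENT_TYPES or not scopes or not scopes <= self.allowed_scopes:
            raise ValueError("unknown agent_type, or scope is not a subset of allowed_scopes")
        now = time.time() if now is None else now
        tok = {"access_token": secrets.token_urlsafe(32), "scope": scopes, "agent_type": agent_type,
               "task_id": task_id, "delegation_chain": [delegated_by_user_id],  # human authorizer first
               "max_operations": max_operations, "operations_remaining": max_operations,
               "expires_on_completion": expires_on_completion, "active": True,
               "expires_at": now + min(expires_in, MAX_TTL)}                    # clamp TTL to the max
        self.tokens[tok["access_token"]] = tok
        self._audit("agent_token_issued", tok, intent_description)
        return tok

    def use(self, access_token, now=None):   # consume one operation; auto-revoke once the budget is spent
        tok = self.tokens.get(access_token)
        if not self.introspect(access_token, now)["active"] or tok["operations_remaining"] == 0:
            return False
        if tok["operations_remaining"] is not None:       # None means no operation budget
            tok["operations_remaining"] -= 1
        if tok["operations_remaining"] == 0 and tok["expires_on_completion"]:
            tok["active"] = False
            self._audit("agent_token_revoked", tok, None)
        return True

    def introspect(self, access_token, now=None):   # 'active' plus the agent-specific metadata
        now = time.time() if now is None else now
        tok = self.tokens.get(access_token)
        if tok is None or not tok["active"] or now >= tok["expires_at"]:
            return {"active": False}
        return {k: v for k, v in tok.items() if k != "access_token"} | {"delegation_depth": len(tok["delegation_chain"]) - 1}

    def _audit(self, event_type, tok, intent):   # audit record with the fields listed on this page
        meta = {"agent_type": tok["agent_type"], "task_id": tok["task_id"], "task_scopes": sorted(tok["scope"]),
                "max_operations": tok["max_operations"], "intent_description": intent}
        self.audit_log.append({"timestamp": time.time(), "event_type": event_type,
                               "user_id": tok["delegation_chain"][0], "metadata": meta})
```

A real deployment would store token state in Redis rather than a dict and authenticate client_id/client_secret before issuing, which the example omits.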

Use Cases

1. Autonomous Data Processing

An AI agent processes customer data with a token limited to 1000 operations. Configure with agent_type=autonomous, max_operations=1000, expires_on_completion=true.

2. Supervised Decision Making

An AI agent makes decisions that require human oversight. Configure with agent_type=supervised for high-risk operations.

3. Ephemeral Task Execution

A short-lived agent for a one-time operation. Configure with agent_type=ephemeral, max_operations=10, expires_in=300 seconds.

Compliance Features

Built for Compliance

Agent tokens automatically create audit trails that satisfy EU AI Act Article 13 requirements for transparency and documentation.

Audit Trail Example

All agent token operations are logged with timestamp, event_type, user_id, organization_id, and metadata including agent_type, task_id, task_scopes, max_operations, intent_description, and orchestrator_id.

Best Practices

✅ DO: Use Task-Scoped Tokens

Always set task_id and max_operations to limit token usage to specific tasks.

✅ DO: Provide Intent Descriptions

Include clear intent_description for compliance and audit purposes.

✅ DO: Enable Auto-Revocation

Set expires_on_completion: true for ephemeral tasks.

❌ DON'T: Use Long-Lived Agent Tokens

Keep agent token TTL short (default 15 minutes, max 1 hour).

❌ DON'T: Grant Excessive Scopes

Only grant the minimum scopes required for the specific task.

Next Steps