OAuth device flow
Agent obtains device code, user approves in browser. Agent polls. Enables agent auth without user credentials.
Advertisement
DPoP (Demonstrating Proof of Possession)
Bind token to agent's key. Prevents token theft + replay. Standard for M2M.
Advertisement
JWKS + rotation
Agent's public keys published at JWKS endpoint. Services verify. Rotation supported.
Delegation
User delegates to agent. Delegation scope limited. Revocable. Similar to Google Cloud IAM service accounts + user impersonation.