OAuth device flow

Agent obtains device code, user approves in browser. Agent polls. Enables agent auth without user credentials.
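Added example (not from the original page): the agent-side polling step of the device flow, using the error codes and grant type defined in RFC 8628. FakeTokenEndpoint, the client id "agent-cli" and all token and code values are constructed stand-ins so the loop runs offline.

```python
import time

GRANT = "urn:ietf:params:oauth:grant-type:device_code"  # RFC 8628 grant type

class FakeTokenEndpoint:
    """Constructed stand-in for the authorization server's token endpoint."""
    def __init__(self, script):
        self.script = list(script)  # responses handed back in order
        self.calls = 0
    def post(self, form):
        if form.get("grant_type") != GRANT:
            return {"error": "unsupported_grant_type"}
        self.calls += 1
        return self.script.pop(0)

def poll_for_token(endpoint, device_code, client_id, interval=5, expires_in=600,
                   sleep=time.sleep, clock=time.monotonic):
    """Poll until the user approves, denies, or the device code expires."""
    deadline = clock() + expires_in
    while clock() < deadline:
        sleep(interval)  # never poll faster than the server's interval
        resp = endpoint.post({"grant_type": GRANT, "device_code": device_code,
                              "client_id": client_id})
        err = resp.get("error")
        if err is None:
            return resp                 # success: response carries access_token
        if err == "authorization_pending":
            continue                    # user has not approved yet
        if err == "slow_down":
            interval += 5               # RFC 8628: back off by 5 seconds
            continue
        raise PermissionError(err)      # access_denied, expired_token, other: stop
    raise TimeoutError("device code expired before approval")

def demo():
    """Run the loop against a constructed script with a simulated clock."""
    now, waits = [0.0], []
    def fake_sleep(s):
        waits.append(s)
        now[0] += s
    ep = FakeTokenEndpoint([{"error": "authorization_pending"}, {"error": "slow_down"},
                            {"error": "authorization_pending"},
                            {"access_token": "constructed-token", "token_type": "Bearer"}])
    tok = poll_for_token(ep, "constructed-device-code", "agent-cli",
                         sleep=fake_sleep, clock=lambda: now[0])
    return tok, waits

if __name__ == "__main__":
    print(demo())
```

The agent never handles the user's password: it only holds the device code, and the loop stops on denial or expiry rather than retrying indefinitely.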

DPoP (Demonstrating Proof of Possession)

Bind token to agent's key. Prevents token theft + replay. Standard for M2M.

JWKS + rotation

Agent's public keys published at JWKS endpoint. Services verify. Rotation supported.

Delegation

User delegates to agent. Delegation scope limited. Revocable. Similar to Google Cloud IAM service accounts + user impersonation.