guide · 2026-07-03

Giving AI agents real identity

guideagentproviderAndrii Tsok

The credential story for most agent fleets is a shared API key in a Kubernetes secret — long-lived, bearer-style, invisible in logs until it leaks. Here is the shape of the alternative, using apd (the lab's AAuth Agent Provider) as the issuer.

The three roles

apd issues. A single self-hosted binary (~11 MB image) that mints short-lived agent tokens binding an Ed25519 public key to a stable identity like aauth:billing-agent@your-domain, and publishes a JWKS.

The agent proves. Each outbound request carries an RFC 9421 HTTP message signature made with the agent's private key — which never leaves the workload.

The relying party verifies — without calling anyone. Fetch the JWKS (cacheable), check the signature and the token. Stateless: no introspection endpoint, no shared secret, no session store.

Enrollment without secrets

The bootstrapping problem — how does a workload get its first credential? — is solved by federation, not by another secret. A pod proves itself with its Kubernetes service-account token; a CI job with its OIDC token; a VM with its PKI cert; a mesh workload with SPIFFE. apd validates that native proof and issues the agent identity. Nothing to provision, nothing to rotate, nothing to leak in a .env file.

What revocation becomes

Mostly: waiting. Tokens live minutes, so a compromised context expires on its own; hard revocation exists for the exceptional case. Compare the incident-response runbook for a leaked eternal API key, and this is the argument in one line: the best secret is one that stops working before the attacker finishes reading it.

Honest label: apd is a sandbox project tracking a moving IETF draft (currently -09). The pattern, though, is where agent auth is heading — worth adopting the shape even while the spec settles.