Machine identity for AI agents: Which credential to issue and when
Blog post from WorkOS
As AI agents increasingly call APIs, mutate records, and chain tool calls, deciding which credential an agent should hold becomes a real problem, especially in B2B workflows. Traditional authentication draws a clean line between humans, who get sessions and user-scoped tokens, and machines, which get client credentials and short-lived JWTs. AI agents break that binary: they act on behalf of users, but their lifecycles and operating scopes differ from both a user session and a backend service.

The article works through three agentic scenarios: personal agents acting on behalf of an individual user, shared agents serving an organization as a whole, and backend agents running as services in their own right. Each calls for a different credential primitive: user-scoped API keys for personal agents, org-scoped API keys with explicit permission scoping for shared agents, and M2M Applications issuing short-lived JWTs for backend agents.

WorkOS offers a unified authorization framework covering all three scenarios, and the post stresses that credentials must be stored and managed carefully, since a leaked agent credential is a direct path to compromise.
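To make the "which credential, and when" decision concrete, here is a small policy model written for this page; it is an added example, not WorkOS code and not a WorkOS API. It encodes the three scenarios as an issuance function (personal agents capped at their user's own permissions, shared agents required to carry explicit org-level scopes, backend agents given a short-lived JWT) and a resource-side check that rejects a credential presented by the wrong kind of agent, an expired or over-long JWT, or a missing scope. The user directory, organization and application identifiers, and the 15-minute JWT ceiling are constructed assumptions.

```python
"""Added example (not WorkOS code): choose a credential primitive per agent
kind and enforce it at the resource server."""
import time
from dataclasses import dataclass
from typing import Optional

# Credential primitive expected for each agent kind, following the post.
EXPECTED_KIND = {
    "personal": "user_api_key",  # agent acts as exactly one user
    "shared": "org_api_key",     # agent serves a whole organization
    "backend": "m2m_jwt",        # agent is a service of its own
}
MAX_JWT_TTL = 15 * 60  # assumed ceiling for short-lived JWTs, in seconds

# Constructed sample directory: what each human user is allowed to do.
USER_PERMISSIONS = {
    "user_alice": frozenset({"tickets:read", "tickets:write"}),
    "user_bob": frozenset({"tickets:read"}),
}


@dataclass(frozen=True)
class Credential:
    kind: str                          # one of the EXPECTED_KIND values
    subject: str                       # user id, org id, or M2M application id
    scopes: frozenset                  # permissions the credential carries
    expires_at: Optional[float] = None  # unix time for JWTs; None for API keys


def issue(agent_kind, principal, requested_scopes, now=None):
    """Mint the credential that fits agent_kind.

    personal -> user-scoped key, never wider than the user's own permissions
    shared   -> org-scoped key that must name its permissions explicitly
    backend  -> short-lived JWT bound to an M2M application
    """
    now = time.time() if now is None else now
    requested = frozenset(requested_scopes)
    if agent_kind == "personal":
        allowed = USER_PERMISSIONS.get(principal)
        if allowed is None:
            raise ValueError(f"unknown user {principal!r}")
        # Intersect, so a personal agent cannot exceed what its user may do.
        return Credential("user_api_key", principal, requested & allowed)
    if agent_kind == "shared":
        if not requested:
            raise ValueError("org-scoped key must carry explicit permissions")
        return Credential("org_api_key", principal, requested)
    if agent_kind == "backend":
        return Credential("m2m_jwt", principal, requested,
                          expires_at=now + MAX_JWT_TTL)
    raise ValueError(f"unknown agent kind {agent_kind!r}")


def authorize(agent_kind, cred, required_scope, now=None):
    """Resource-side check. Returns (allowed, reason)."""
    now = time.time() if now is None else now
    # A credential type must match the kind of agent presenting it.
    if cred.kind != EXPECTED_KIND.get(agent_kind):
        return False, f"{agent_kind} agent presented {cred.kind}"
    if cred.kind == "m2m_jwt":
        if cred.expires_at is None:
            return False, "JWT without expiry"
        if cred.expires_at <= now:
            return False, "JWT expired"
        if cred.expires_at - now > MAX_JWT_TTL:
            return False, "JWT lifetime exceeds policy"
    if required_scope not in cred.scopes:
        return False, f"missing scope {required_scope}"
    return True, "ok"


if __name__ == "__main__":
    key = issue("personal", "user_bob", ["tickets:read", "tickets:write"])
    print(key.scopes)                                   # only tickets:read
    print(authorize("personal", key, "tickets:write"))  # (False, 'missing scope ...')
    jwt = issue("backend", "m2m_app_1", ["tickets:read"], now=1000)
    print(authorize("backend", jwt, "tickets:read", now=1001))  # (True, 'ok')
    print(authorize("shared", jwt, "tickets:read", now=1001))   # wrong agent kind
```

The two checks worth noticing are the intersection in the personal branch (a user-scoped key can only ever shrink the user's permissions, never grow them) and the kind check in `authorize`, which is what stops a long-lived org key from being reused where the policy expects a short-lived service token.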