
Agent Identity Lab

Most agents in production today authenticate with a long-lived API key in a config file. The fix is the same family of primitives that put passkeys in front of human users: short-lived credentials, hardware attestation, sender constraint, and a delegation claim that makes agent-on-behalf-of-user calls attributable in audit logs. This lab is three working demos of those primitives, no IdP required.

RFC 8693: OAuth 2.0 Token Exchange, the standards-track mechanism for user→agent delegation, anchored on the act claim.
4 attestation surfaces: GitHub Actions OIDC, AWS Nitro, Azure managed identity, GCP WIF. All four eliminate long-lived secrets if you wire them up.
8 drift rules: AGT01–AGT08, covering long-lived secrets, missing attestation, scope drift, dormant agents, audit gaps, shared identities.

Three things in this lab

Token-exchange playground

Pick a user (passkey-authenticated, current or offboarded), pick an agent (with or without attestation), pick scopes and a TTL, and see the RFC 8693 request, the resulting delegated token claims, the audit-log line, and the warnings the IdP would flag.


Inventory + drift detector

Seven-agent fixture inventory across four attestation surfaces. Eight drift rules flag long-lived secrets, scope drift since baseline, dormant agents, missing act claims, and shared workload identities. SARIF export.


Attestation primer

Side-by-side comparison of the six attestation surfaces a builder is most likely to wire up first: GitHub OIDC, AWS Nitro, Azure managed identity, GCP WIF, TPM 2.0, Apple App Attest. Pick by operational lift vs trust-root strength.


Why this lab

The companion essay to this lab — The Agent Identity Front — argues that AI agent identity is the next major vulnerability vector and that the gap between adoption velocity and governance velocity is widening. This lab is the working demo of the primitives that close the gap.

The drift rules are the patterns I see in consulting engagements repeatedly: long-lived secrets in config files, agents authenticating without attestation, scope drift over months, dormant agents that nobody has retired, audit logs that record the human as the actor when the agent is the one running the call.
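The delegation flow behind the token-exchange playground and the audit-gap pattern described above, as an added example that is not the lab's own code: it builds the RFC 8693 request parameters, the delegated claims with `act`, and an audit line that names the agent as actor. The identities, the warning strings, the `MAX_TTL` ceiling and the audit-line format are assumptions, and the tokens are unsigned placeholders.

```python
# Added example: RFC 8693 delegation with unsigned, constructed values (no IdP).
TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"
JWT = "urn:ietf:params:oauth:token-type:jwt"
MAX_TTL = 900  # assumed policy ceiling in seconds, not a value from the lab


def exchange_request(user_token, agent_token, scopes, audience):
    """Form body for the token endpoint: the user is the subject, the agent the actor."""
    return {
        "grant_type": TOKEN_EXCHANGE,
        "subject_token": user_token,
        "subject_token_type": ACCESS_TOKEN,
        "actor_token": agent_token,
        "actor_token_type": JWT,
        "audience": audience,
        "scope": " ".join(scopes),
    }


def delegated_claims(user, agent, scopes, ttl, now):
    """Claims of the issued token: sub stays the user, act names the agent."""
    return {"sub": user["id"], "act": {"sub": agent["id"]},
            "scope": " ".join(scopes), "iat": now, "exp": now + ttl}


def warnings(user, agent, ttl):
    """Conditions an issuer could flag before minting the token (assumed set)."""
    found = []
    if not user["active"]:
        found.append("subject is offboarded")
    if not agent["attested"]:
        found.append("actor presented no attestation")
    if ttl > MAX_TTL:
        found.append(f"ttl {ttl}s exceeds {MAX_TTL}s")
    return found


def audit_line(claims, action):
    """Attribute the call to the act claim when present; flag its absence."""
    act = claims.get("act")
    if act is None:
        return f"actor={claims['sub']} on_behalf_of=- action={action} flag=missing_act"
    return f"actor={act['sub']} on_behalf_of={claims['sub']} action={action}"


# Constructed sample identities.
ALICE = {"id": "user:alice", "active": True}
BOT = {"id": "agent:deploy-bot", "attested": False}
```

A token without `act` produces the `flag=missing_act` line, which is the case where the log would otherwise record the human as the actor.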
