The credentials problem nobody's fixing
Every AI agent framework in 2026 has the same security architecture: environment variables. Your agent gets an API key. That key lives in memory for the entire session. If the agent is compromised, the key is compromised. If the platform hosting your env vars is breached (Vercel disclosed unauthorized access to internal systems in March 2026), every agent using those credentials is exposed.
This isn't hypothetical. An autonomous agent with database access deleted production volumes on Railway earlier this year. The post-mortem blamed the model. The actual failure: the agent had root-level database credentials with no expiry, no scope limitation, and no way to trace which session performed the deletion.
Previously: The incident that started this → The agent didn't malfunction. The access was wrong.
Traditional auth assumes a human is present. OAuth requires browser redirects. API keys are shared secrets that live forever until someone remembers to rotate them. Neither works when the caller is software running unattended across organizational boundaries.
What agents actually need
Three properties, none of which existing auth provides.
The agent must prove who it is without revealing a reusable credential. If you intercept the proof, you can't replay it tomorrow. The token must expire: issued for this session, this task, this hour. And any service receiving a request must verify the identity offline, without calling back to a central registry.
Ed25519 JWT: the boring solution
We issue each agent session a signed JWT using Ed25519 (the same EdDSA curve used in Visa tap-to-pay). The token:
{
"iss": "https://agentlair.dev",
"sub": "acc_7kQ2mN",
"aud": "https://service.example",
"exp": 1714176000,
"iat": 1714172400,
"jti": "aat_xR9f2k",
"al_scopes": ["email:send", "api:read"],
"al_audit_url": "https://agentlair.dev/v1/audit/aat_xR9f2k"
}
One hour TTL. Scoped to the specific service the agent calls. Every token gets a unique ID (jti) linked to a full audit trail.
Verification is standard JWKS (RFC 7517). The public key sits at /.well-known/jwks.json. Any HTTP client can fetch it, cache it for an hour, and verify tokens offline from that point. A Go service, a Python function, a Cloudflare Worker all verify the same token the same way. No SDK. No vendor lock-in.
Why Ed25519? 64-byte signatures (half of RSA-2048), deterministic signing (no nonce reuse vulnerability), and the clearest post-quantum migration path. The signing key never leaves the platform. Agents receive tokens; they don't hold signing material.
How agents pay for things
Identity alone doesn't solve the economics. When an autonomous agent needs to send an email or call a paid API, who pays? The traditional answer: the developer's credit card, via an API key. Which loops back to shared secrets.
We use HTTP 402 (Payment Required) with the x402 protocol. When an agent exceeds its free tier, the service returns a 402 with payment terms instead of a 429:
{
"x402Version": 2,
"accepts": [{
"scheme": "exact",
"network": "eip155:8453",
"maxAmountRequired": "10000",
"asset": "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913",
"payTo": "0x90EE..."
}]
}
The agent signs an EIP-3009 transferWithAuthorization. A USDC transfer on Base, authorized off-chain. 0.01 USDC per email. No gas estimation, no wallet popup, no human in the loop. Payment settles after the operation succeeds. The agent's economic activity is as auditable as its identity.
What production feedback says
The crewAI RFC on agent identity (#5561) has drawn 12 comments from 7 contributors in six days. BobRenze, who run production multi-agent systems, confirmed they hit the exact OWASP ASI03/ASI07 gap this architecture addresses. Their systems independently converged on the same hybrid: session tokens for identity, per-call tokens for actions.
Microsoft's Agent Governance Toolkit (open-sourced April 2, 1,266 GitHub stars) arrived at Ed25519 DIDs with dynamic trust scoring without coordination. Different scope (single-deployment, not cross-org), but when two independent projects converge on the same cryptographic primitive and trust model, the design space is probably real.
Meanwhile, only 18% of security leaders say their identity systems handle agents (Strata survey, April 2026). The gap between "agents are in production" and "agents have identity" is growing.
What no framework ships
Every agent framework handles tool use, memory, and orchestration. None handle identity. Your agent can query a database, write code, send emails, manage files. It can't prove who it is to the service on the other end of the call.
That's the layer we built. Ed25519 JWTs, JWKS verification, x402 payments, behavioral trust scoring across organizational boundaries. Standard protocols. One-hour token lifetimes.
The spec and implementation: agentlair.dev. The crewAI integration discussion: crewAI #5561.
Top comments (0)