Trust Delegation

Trust delegation enables users to delegate their own trust to autonomous AI agents, allowing those agents to act on their behalf. By assigning specific roles and scoped permissions, users can issue delegated tokens that grant agents only the authority they need — ensuring that every autonomous action is explicitly authorized, traceable, and bound by the principle of least privilege.


How Trust Delegation Works

When you onboard an AI agent, the following steps take place:

1. Register the agent as a client

2. A workload entry appears on the Autonomous Workloads page

3. Deploy a SPIRE agent

4. Assign roles and permissions to the agent

5. The agent requests a delegated token

6. AuthSec issues a token with only the allowed permissions

The delegated token is a short-lived credential that carries the agent's identity and the exact permissions you've granted. The agent cannot expand its own access or reach resources outside its assigned scope.
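As an added illustration, not AuthSec's own code or token format, the following Python model shows steps 5 and 6 of the flow above: the issuer grants only the intersection of what the agent requests and what the user delegated, stamps a short expiry, and the verifier refuses any use outside that scope. Every name (DelegationPolicy, issue_delegated_token, verify_delegated_token), the token layout and the signing key are assumptions made for the example.

```python
import base64, hashlib, hmac, json, time
from dataclasses import dataclass

SIGNING_KEY = b"constructed-demo-key"  # constructed sample; a real issuer uses a managed key

@dataclass(frozen=True)
class DelegationPolicy:
    """What the user granted when assigning roles and permissions to the agent."""
    client_id: str
    spiffe_id: str              # identity the SPIRE agent attests for this workload
    allowed_scopes: frozenset
    ttl_seconds: int = 600      # delegated tokens are short-lived by design

class DelegationError(Exception):
    pass

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _sign(body: str) -> str:
    return _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())

def issue_delegated_token(policy, client_id, spiffe_id, requested_scopes, now=None):
    """Issue a token carrying the agent's identity and only the scopes the user allowed."""
    now = int(time.time()) if now is None else now
    if (client_id, spiffe_id) != (policy.client_id, policy.spiffe_id):
        raise DelegationError("client/SPIFFE identity does not match the delegation")
    granted = frozenset(requested_scopes) & policy.allowed_scopes   # never more than allowed
    if not granted:
        raise DelegationError("no requested scope is permitted for this agent")
    claims = {"sub": spiffe_id, "client_id": client_id, "scope": sorted(granted),
              "iat": now, "exp": now + policy.ttl_seconds}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{_sign(body)}"

def verify_delegated_token(token, required_scope, now=None):
    """Accept the token only if it is authentic, unexpired, and carries the required scope."""
    now = int(time.time()) if now is None else now
    body, sig = token.split(".")
    if not hmac.compare_digest(sig, _sign(body)):  # check integrity before trusting any claim
        raise DelegationError("bad signature")
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:
        raise DelegationError("token expired")
    if required_scope not in claims["scope"]:
        raise DelegationError(f"scope {required_scope!r} not granted")
    return claims
```

A request for `delete:tickets` by an agent delegated only `read:tickets` yields a token without that scope, and editing the token body to add it invalidates the signature.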


Before You Begin

Make sure the following are in place:


Trust Delegation vs User Authentication

|  | User Authentication | Trust Delegation |
|---|---|---|
| Who is it for? | Human users | AI agents acting on a user's behalf |
| Identity | Email, OAuth, or SAML login | Client ID + SPIFFE identity |
| Credentials | Password, MFA, or passkeys | Client secret + certificate |
| Permissions | Based on the user's full role | Limited to explicitly allowed scopes |
| Token lifetime | Session-based (hours) | Short-lived (minutes to hours) |
| Can permissions grow? | Users can request role changes | Agents are locked to their configured scopes |

Next Steps