Request a Delegated Token
How the Agent Requests a Token
The agent acquires delegated tokens through the ID-JAG flow: the user logs in through the agent (OIDC), the agent exchanges that proof for an ID-JAG via token-exchange, and redeems it for a scoped access token via jwt-bearer. In the Python SDK this is one call:
from authsec_sdk import AgentIdentity, browser_login, PendingApprovalError, poll_until_approved
id_token = await browser_login(issuer=ISSUER, client_id=CLIENT_ID, resource=MCP_URL)
agent = AgentIdentity(ISSUER, CLIENT_ID, client_secret=SECRET, idp_issuer=ISSUER)
async with agent:
try:
token = await agent.access_for(
MCP_URL,
user_session={"subject_token": id_token},
requested_scopes=["myapp:read"],
)
except PendingApprovalError as e: # first-time access — admin approves once
token = await poll_until_approved(
agent, MCP_URL, e.status_url,
user_session={"subject_token": id_token},
requested_scopes=["myapp:read"],
)
AuthSec checks the request against the agent's roles and allowed scopes, then issues a token. The token only includes permissions that meet all three conditions:
- Assigned to the agent through its roles
- Listed in the client's allowed scopes
- Requested by the agent in this specific call
If the agent asks for a permission it doesn't have, the request is rejected.
Full walkthrough (registration, consent, approval, revocation): ID-JAG delegation guide.
Verify the Agent's Permissions
You can verify the agent's permissions by:
- Decoding the token to inspect the agent's identity, assigned roles, and allowed scopes
- Using the AuthSec SDK in your application to check permissions before allowing an action