Skip to main content

Request a Delegated Token

How the Agent Requests a Token

The agent acquires delegated tokens through the ID-JAG flow: the user logs in through the agent (OIDC), the agent exchanges that proof for an ID-JAG via token-exchange, and redeems it for a scoped access token via jwt-bearer. In the Python SDK this is one call:

from authsec_sdk import AgentIdentity, browser_login, PendingApprovalError, poll_until_approved

id_token = await browser_login(issuer=ISSUER, client_id=CLIENT_ID, resource=MCP_URL)
agent = AgentIdentity(ISSUER, CLIENT_ID, client_secret=SECRET, idp_issuer=ISSUER)

async with agent:
try:
token = await agent.access_for(
MCP_URL,
user_session={"subject_token": id_token},
requested_scopes=["myapp:read"],
)
except PendingApprovalError as e: # first-time access — admin approves once
token = await poll_until_approved(
agent, MCP_URL, e.status_url,
user_session={"subject_token": id_token},
requested_scopes=["myapp:read"],
)

AuthSec checks the request against the agent's roles and allowed scopes, then issues a token. The token only includes permissions that meet all three conditions:

  1. Assigned to the agent through its roles
  2. Listed in the client's allowed scopes
  3. Requested by the agent in this specific call

If the agent asks for a permission it doesn't have, the request is rejected.

Full walkthrough (registration, consent, approval, revocation): ID-JAG delegation guide.


Verify the Agent's Permissions

You can verify the agent's permissions by:

  • Decoding the token to inspect the agent's identity, assigned roles, and allowed scopes
  • Using the AuthSec SDK in your application to check permissions before allowing an action