Skip to main content

Connect agents and services

You've launched a protected application. Right now that means every call is denied — nothing holds a token yet. This section onboards the things that will call it, each with its own identity, its own grant, and its own kill switch.

Before you start

  • A launched application — the full walkthrough is Protect an application
  • Roles with scopes granted on that application (Access policy) — every caller below is admitted by assigning it one of those roles

Three kinds of callers

The first question is always the same: whose permissions apply when the tool runs?

The caller…Identity typeExampleGuide
acts as the signed-in user, interactivelyOAuth client (DCR)Claude Desktop, Claude Code, CursorClients and connections
acts as itself, with standing permissionsService account (M2M)nightly pipeline, CI job, backend service, K8s workloadpick a credential below
acts on behalf of a signed-in user, unattendedAgent (ID-JAG delegation)copilot, chatbot, research assistantID-JAG agents

The first kind needs no onboarding from you: the client software registers itself via DCR the moment a user connects it to your server; the user logs in, consents, and every token carries that user's permissions. You just watch (and occasionally approve) from the Clients and connections page.

This section is about the other two — the callers that run unattended, and therefore need an identity you deliberately create and grant.

The shared model

Every caller this section covers goes through the same four stations:

  1. Identity — register it once: a Service Account, a workload, or an Agent.
  2. Grant — assign it a role on your application (Access tab). An identity with no grant gets access_denied on every token request.
  3. Token — the caller trades its credential for a short-lived access token scoped to your application.
  4. Connection — the live link shows up on the application's Connections tab: who, through which role, which scopes, last seen — and revocable per row.

M2M: pick your credential

Three ways a machine can prove who it is — same token flow, increasing security:

MethodProofSecret stored?Best forGuide
A. Client secretID + shared secret⚠️ yes, on the callerquick starts, simple deploymentsClient secret
B. Private-key JWTsigned assertion (RFC 7523)🔑 private key only, never on the wireenterprise security posturesPrivate-key JWT
C. Kubernetes / SPIFFEplatform-attested workload identity✅ nothing stored at allKubernetes clustersKubernetes / SPIFFE

The ladder A → B → C goes from "shared password" to "asymmetric keys" to "the infrastructure itself vouches for the pod". Start where your deployment is; upgrading later doesn't change the grant model.

Agents: acting for a user

When a copilot answers Alice's request, the MCP server should apply Alice's permissions and the audit log should say "Alice, via agent X". That's ID-JAG delegation: the user consents once, an admin approves once, either side can revoke at any time.

→ ID-JAG agents

Watching it all

  • Application → Connections tab — pending requests and active connections for this server
  • Sidebar → MONITOR → M2M Logs — every machine token grant as it happens
  • Application → Access tab → Who has access — every identity, its role, its effective scopes, revocable per row