An authorization pattern where an AI agent uses OAuth tokens to act on behalf of a user or application without receiving the underlying password or raw secret. In practice, it creates a delegated access path that can be scoped, monitored, and revoked like any other non-human identity.
Expanded Definition
Agent-to-Agent OAuth is a delegated authorization pattern used when an AI agent needs to call APIs, act in workflows, or pass context to another agent without ever learning a password or raw secret. The security value is that the agent receives a scoped token, not standing credentials, so access can be limited, logged, and revoked in the same way other non-human identities are governed.
In NHI security, the distinction matters: OAuth is the delegation mechanism, while the agent is the acting identity that consumes the token. That makes this pattern different from embedding API keys in prompts, code, or tool configs, which creates durable credential exposure instead of time-bound authorization. Definitions vary across vendors on how much context an agent may carry between exchanges, so the operational boundary should be treated as a governance decision rather than a universal standard. For a standards-oriented view of delegated authorization, see OAuth 2.0 and the agentic risk framing in OWASP Agentic AI Top 10.
The most common misapplication is treating an agent-issued access token as if it were a harmless session artifact, which occurs when teams fail to scope or expire delegation after the agent completes its task.
Examples and Use Cases
Implementing Agent-to-Agent OAuth rigorously often introduces more token lifecycle complexity, requiring organisations to weigh safer delegation against additional policy, telemetry, and revocation overhead.
- An employee asks one agent to draft a ticket, then a second agent to retrieve CRM context using a token constrained to that workflow and user.
- A support orchestration agent delegates to a billing agent for account status checks, with consent recorded and the token limited to read-only endpoints.
- An enterprise assistant calls a document-processing agent that in turn calls a search agent, using chained tokens rather than passing raw secrets between services.
- A security team reviews a tokenized handoff after patterns similar to CoPhish OAuth Token Theft via Copilot Studio show how delegated access can be abused when trust is too broad.
- Architects use NIST AI Risk Management Framework guidance to define when an agent may request, store, or forward delegated authorization.
These patterns work best when each agent has a narrow purpose, a short-lived token, and clear revocation authority, especially when tied to the governance lessons in Ultimate Guide to NHIs — 2025 Outlook and Predictions.
Why It Matters in NHI Security
Agent-to-Agent OAuth is security-relevant because it turns an autonomous workflow into a governed identity chain. When that chain is poorly scoped, third-party integrations and downstream agents can inherit more authority than intended, creating a blast radius that looks small in design but large in production. NHIMG research shows that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which means many delegated paths are already difficult to inventory and monitor. That visibility gap becomes more serious when agent actions are involved, because the token may be valid even after the original user or workflow is forgotten.
The governance impact is practical: lifecycle controls, consent review, logging, and revocation need to follow the token, not just the agent. The issue is especially visible in incidents involving token theft, prompt injection, or over-broad consent screens, where the delegation model itself becomes the attack path. See also CSA MAESTRO agentic AI threat modeling framework and OAuth 2.0 for the authorization mechanics that underpin this pattern.
Organisations typically encounter the real cost only after a delegated token is abused, at which point Agent-to-Agent OAuth becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST AI RMF, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Covers secret exposure and over-scoped NHI credentials used by agents. |
| OWASP Agentic AI Top 10 | A10 | Addresses unsafe agent tool use and delegated actions across agent chains. |
| NIST AI RMF | Frames AI system risk management for delegated agent actions and controls. | |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access management applies directly to delegated agent tokens. |
| NIST Zero Trust (SP 800-207) | 4.1 | Zero Trust demands per-request authorization for non-human access paths. |
Use short-lived, scoped tokens and verify revocation paths for every agent delegation.