Bearer tokens fail at agent scale without proof of possession

At a glance

What this is: This is an analysis of why bearer tokens break down in autonomous agent systems, with replay risk, log leakage, and accountability loss as the central findings.

Why it matters: It matters because IAM, PAM, and NHI teams must stop treating bearer tokens as acceptable inter-agent credentials when possession alone is enough to grant access.

👉 Read Strata Identity's analysis of bearer token risk in autonomous agent systems

Context

Bearer tokens are access credentials that work for whoever presents them, which makes them fragile when they move through autonomous agent chains. In machine-speed systems, a token can be forwarded, logged, indexed, replayed, and abused before a human team has any practical chance to intervene.

For identity programmes, this is not just a token-handling problem. It is an NHI governance problem because agent-to-agent handoffs expand the attack surface, weaken accountability, and make possession-based access a poor fit for systems that reuse credentials across short-lived tasks.

Key questions

Q: How should security teams prevent bearer token replay in agent workflows?

A: They should stop forwarding the same token across agents and services. Instead, they need hop-by-hop token exchange, proof-of-possession binding, and strict scope reduction so copied credentials cannot be reused outside the intended task. The control objective is to make every downstream hop issue a smaller, short-lived credential that dies with the work.

Q: Why do bearer tokens become more dangerous in autonomous agent systems?

A: Because agents move credentials faster and more often than humans do, and the token can outlive the actor that used it. That creates replay risk, log leakage risk, and accountability loss across the chain. Possession-based access was built for controlled handoffs, not for machine-speed delegation between multiple entities.

Q: What do organisations get wrong about proof-of-possession for tokens?

A: They often treat it as a narrow technical enhancement instead of a governance boundary. Proof-of-possession only works if the private key stays separated from logs, caches, and forwarding paths. If the same workflow still leaks token material, DPoP reduces replay risk but does not fix weak credential handling.

Q: Should teams use bearer tokens at all for autonomous agents?

A: Only as a temporary exception, and only when the token is tightly scoped, bound to a key, and exchanged at every hop. For most autonomous workflows, reusable bearer credentials create too much replay and delegation risk. The safer pattern is constrained downstream access, not portable authority.

Technical breakdown

Bearer token replay in agent chains

Bearer tokens are authentication artefacts that do not prove the holder’s identity beyond possession. In agent systems, each hop can expose the token through logs, memory dumps, or forwarding mistakes, which creates replay conditions at machine speed. The problem is not only interception, but the fact that one valid token can remain usable after it has been copied across multiple services and agents. That makes the original session boundary meaningless once the token leaves its intended path. Proof-of-possession and token exchange are both attempts to narrow that exposure, but the technical issue begins with the bearer model itself.

Practical implication: stop allowing reusable bearer tokens to cross agent boundaries without binding or exchange controls.

Why token lifetime breaks at machine speed

Short-lived agents can still generate long-lived security exposure because their credentials outlive the work they were issued for. An agent may exist for milliseconds, yet its token can persist in logs, caches, and downstream systems long after the task ends. That creates a mismatch between identity lifecycle and credential lifecycle. In human IAM, review windows assume the subject remains present long enough to govern. In agentic systems, the credential is often the only durable artefact, which makes lifetime control the real governance plane.

Practical implication: align token validity to task scope, not to infrastructure convenience or default session settings.

Proof of possession and token exchange as control patterns

Demonstration of Proof-of-Possession, or DPoP, binds a token to a private key so the token alone is not enough for access. Token exchange goes further by issuing a new, narrower token at each hop instead of forwarding the original one. Together, these patterns reduce replay value and prevent privilege from flowing upward through an agent relay chain. They do not eliminate all abuse, but they change stolen access from a reusable credential into a constrained, task-bound artefact that is much harder to reuse outside the intended context.

Practical implication: prefer bound tokens and hop-by-hop exchange wherever agents delegate access to downstream services.

Threat narrative

Attacker objective: The attacker wants reusable access to downstream APIs and services through a copied token, then enough execution capacity to perform repeated unauthorized actions before detection.

1. Entry occurs when a bearer token is passed between agents, then exposed through logs, memory, or a forwarding error that makes the token available outside the intended workflow.
2. Escalation occurs when the exposed token is replayed by an attacker or reused across services, allowing repeated API calls without any proof of ownership beyond possession.
3. Impact occurs when the replayed token enables large-scale unauthorized actions, including data access, privilege abuse, and automated misuse at machine speed.

Breaches seen in the wild

• Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
• Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

Bearer token reuse is an identity governance failure, not just a transport flaw. In autonomous agent systems, the credential is moved more often than the actor can be reviewed, which makes possession-based access structurally unsafe. The important point is not that tokens leak, but that the model assumes the bearer remains trustworthy after every hop. That assumption fails when the token itself becomes the most reusable object in the chain, so practitioners must treat bearer design as a governance decision, not an implementation detail.

Token lifetime and task lifetime have to be governed as one control plane. The article shows that a short-lived agent can leave behind a long-lived access artefact, which creates identity blast radius far beyond the agent’s actual runtime. That is a classic NHI lifecycle problem, but in agentic systems it becomes sharper because the lifecycle of the token and the lifecycle of the actor diverge. The result is access that survives the task, the session, and sometimes the visibility window. Practitioners should read this as evidence that lifecycle governance must move closer to execution time.

Proof-of-possession changes the category of the problem because it breaks the assumption that possession equals authority. Bearer tokens were designed for a world where the holder could be trusted to hold and use the token in a controlled path. That assumption collapses when agents hand credentials to other agents, services, and logs at machine speed. The implication is that identity teams need to re-evaluate what counts as a valid credential in autonomous workflows, because the old bearer model no longer aligns with how delegation actually happens.

Token exchange is a governance boundary, not just a protocol feature. The article’s core operational insight is that permissions should flow downhill through the chain and never be forwarded unchanged. That aligns with OWASP NHI thinking, but it also exposes a broader IAM lesson: delegation without scope reduction creates accountability voids. When one token is used by four entities, no one can prove ownership or intent after the fact. Practitioners should treat hop-by-hop exchange as the default pattern wherever downstream access is unavoidable.

AI-adjacent systems inherit NHI controls before they inherit AI controls. The article is about autonomous agents, but the immediate failure mode is still credential handling, scope leakage, and replay. That means NHI governance remains the baseline discipline even when the actor is autonomous. The field should stop drawing a sharp line between agent security and machine identity security, because the same control failures now govern both. Practitioners need to design for bounded delegation first, then layer agent-specific policy on top.

From our research:

• 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
• 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
• OWASP Agentic Applications Top 10 is the natural next step for teams mapping agentic identity risk to controls and threat models.

What this signals

Bearer-token governance will become a default requirement in autonomous workflows. When 98% of companies plan to expand AI agent deployment and 80% already report out-of-scope behaviour, the question is no longer whether tokens can be replayed, but whether the programme can prove each hop was intentional. Teams should assume that credential forwarding will remain the easiest abuse path until exchange and binding are enforced at design time.

Identity blast radius is now a measurable programme risk. The article’s logic matches what NHI teams already see in machine identity sprawl: a single credential can survive far beyond the actor that used it. That means agent governance, NHI lifecycle, and secrets handling need one operating model instead of three disconnected reviews. The strongest programmes will align bounded delegation with controls in the Ultimate Guide to NHIs.

Replay resistance is becoming a baseline control objective for AI-adjacent systems. Teams that already map to the OWASP Agentic AI Top 10 should treat bearer portability as a threat vector that crosses identity, application, and logging layers. The practical signal is simple: if a copied token still works, the programme has not yet closed the delegation gap.

For practitioners

• Replace bearer forwarding with token exchange Issue a new downstream token at each hop and reduce scope at every exchange so no agent forwards the original credential unchanged. Use hop-specific entitlements that expire with the task rather than with the process runtime.
• Bind tokens to a proof-of-possession key Require DPoP or an equivalent binding mechanism so a copied token cannot be replayed without the corresponding private key. Validate that logs, caches, and intermediaries never store usable bearer material in plain form.
• Remove credentials from debug paths and memory dumps Treat logging, tracing, and crash capture as hostile to secrets by default. Mask tokens at source, block indexing of sensitive fields, and test whether temporary files or RAM snapshots expose reusable access material.
• Set token lifetime to task lifetime Define the maximum token duration by the business task, not by a default session setting. If the agent completes work in seconds, the credential should die in seconds too, with downstream revocation enforced immediately after task completion.
• Test replay attempts as a standard control check Run controlled replay simulations against agent workflows and confirm that stolen or copied tokens fail in every downstream system. Include log harvesting, stale token reuse, and agent impersonation in the test plan.

Key takeaways

• Bearer tokens fail quickly in agent systems because possession alone is enough to grant access across multiple automated handoffs.
• The scale of the problem is structural: token replay, log leakage, and accountability loss can all happen before a human team can react.
• Bounded delegation, proof-of-possession, and hop-by-hop token exchange are the controls that change the outcome.

Key terms

• Bearer Token: A bearer token is a credential that grants access to whoever presents it. In agent systems, that simplicity becomes a liability because copied tokens can be replayed by downstream services, logs, or attackers without any proof that the original holder is still the rightful user.
• Proof Of Possession: Proof of possession is a control pattern that ties a token to a cryptographic key so the token alone is not enough for access. For autonomous and machine identities, it reduces replay risk by making stolen credential material unusable without the corresponding private key.
• Token Exchange: Token exchange is the practice of replacing an upstream credential with a narrower downstream one at each hop. It limits privilege spread across delegated workflows and is especially useful when agents pass through multiple services that should never see the original token.
• Identity Blast Radius: Identity blast radius is the amount of damage a single compromised credential or identity can create before it is contained. In agentic systems, it expands quickly when tokens are forwarded, logged, or reused across chained actions, making scope reduction a core governance concern.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Strata Identity: Everyone’s grabbing and nobody’s checking IDs. Read the original.