OAuth for AI agents is replacing cookie hacks in app access

At a glance

What this is: This is an analysis of four common ways teams let AI agents log into web apps, and why OAuth-based delegated access is the safer model than copied human sessions.

Why it matters: It matters because identity teams have to decide whether agent access will inherit human login controls or be governed as a distinct non-human identity pattern across SaaS, APIs, and workflow systems.

👉 Read WorkOS's analysis of OAuth for AI agent app access

Context

AI agent login is not just an authentication problem, it is an identity governance problem. When a machine uses copied cookies, injected passwords, or reused second factors, the application cannot distinguish delegated agent activity from a human session, which breaks auditability, revocation, and scope control.

The article’s core argument is that agents should not authenticate like humans. For IAM, NHI, and platform teams, the real question is whether access is granted as a cloned session or as a scoped identity grant with clear expiry, visibility, and delegated approval.

Key questions

Q: How should security teams handle AI agents that need to log into SaaS applications?

A: Use delegated authorization rather than cloned human sessions. Give the agent a separate identity grant with explicit scopes, short-lived tokens, and revocation. That preserves auditability and lets IAM and PAM teams control what the agent can do without inheriting the user’s full browser session or password material.

Q: Why do cookies and reused second factors fail as agent authentication controls?

A: They authenticate the wrong thing. Cookies, password fills, and TOTP reuse confirm that a human once proved identity, but they do not prove which machine or workflow will use that access next. For agents, that creates indistinguishable sessions, weak attribution, and no clean way to revoke just the machine path.

Q: How do you know if agent access is actually governed instead of merely enabled?

A: Look for separate grants, bounded scopes, time limits, and logs that distinguish human activity from machine activity. If the agent appears only as the user in your audit trail, or if you cannot revoke its access independently, then the access model is not genuinely governed.

Q: Should organisations let AI agents use the same login flow as employees?

A: Usually no. Human login flows assume interactive decision-making, visible consent, and a person who can notice anomalies. Agents need task-scoped access and clear offboarding. If the same login flow is reused, the organisation usually loses visibility into who or what actually used the session.

Technical breakdown

Cookie syncing and session cloning

Cookie syncing copies a browser session’s stored state, including cookies and related storage, into an agent-controlled browser. That gives the agent the same authenticated context as the person who logged in, which is why it is fast and easy for personal automation. Security-wise, it is a direct inheritance of the human’s session, not a constrained delegation. The application sees one authenticated user, while the browser context may now be driven by software that can act autonomously across sites and tools. That breaks attribution, independent revocation, and scope limitation.

Practical implication: Treat cloned sessions as an uncontrolled identity transfer and block them for enterprise use.

Credential injection, TOTP, and verification code automation

Credential injection moves the login step from session reuse to programmatic form filling, often through a password manager or secret vault. TOTP automation and email or SMS inbox polling extend that pattern by letting the agent complete second-factor prompts with shared secrets or code retrieval flows. These methods improve reliability, but they do not change the core model: the agent still receives human-grade access after proving possession of credentials designed for a person. The result is a login that looks stronger than cookie reuse while still producing indistinguishable human sessions.

Practical implication: Separate human authentication from machine delegation and stop treating shared secrets as agent identity.

OAuth 2.1 and session-scoped delegated access

OAuth 2.1 changes the control point from login impersonation to delegated authorization. Instead of copying a human session, the agent receives a token tied to explicit scopes, expiry, and revocation rules. For MCP-style agent connections, that means the application can authorize only the actions the agent needs, then expire access automatically when the task ends. This is the architectural difference that makes audit logs meaningful and enterprise governance possible. The model also fits third-party integrations because each grant can be bounded to a session rather than left alive indefinitely.

Practical implication: Use scoped OAuth grants for agent access and enforce expiry at the token and session level.

Breaches seen in the wild

• Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
• Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

Human session replay is the wrong trust model for agents: Cookie syncing and credential injection work because they inherit a human login pattern into machine execution. That pattern assumes the authenticated subject is the same actor who will decide, inspect, and terminate the session. In practice, an agent can chain actions across systems without that human oversight, which makes the session itself the wrong security boundary. Practitioners should stop treating session replay as a variant of normal identity use and classify it as delegated access without governance.

Session-scoped authorization is the named concept this market needs: The article shows why a copied browser session, a long-lived refresh token, and an agent task are not the same thing. Session-scoped authorization defines access as task-bound, revocable, and separately attributable, which is the correct model for machine-driven workflows. That concept is valuable because it separates delegated agent use from durable application trust. Practitioners should use it to frame policy, logging, and revocation requirements for NHI access.

OAuth 2.1 restores the control relationship that cookie hacks erase: The security value is not that OAuth is newer, but that it preserves explicit consent, limited scope, and revocation as first-class identity controls. Those controls map cleanly to NIST Cybersecurity Framework access governance and Zero Trust expectations, where authorization is continuous and bounded rather than implicit in a browser profile. This is the right baseline for NHI access to SaaS applications.

Agent authentication is becoming an NHI governance problem, not a browser problem: Once machines can browse, call APIs, and execute multi-step tasks, the identity issue shifts from front-end login to lifecycle control. Access reviews, offboarding, and audit need to follow the agent grant, not the human account alone. That makes delegation design, not UI convenience, the governing discipline for enterprise automation.

The market is converging on delegated identity for machines because human impersonation does not scale: The article’s strongest signal is that enterprise SaaS will need a machine-access layer that is visible, scoped, and revocable. That validates the broader NHI direction of separating machine grants from human credentials. Practitioners should expect more products to expose agent access through standard authorization flows rather than browser-based workarounds.

From our research:

• 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
• That same research found that only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, which shows how weak the operational baseline remains.
• For a broader view of lifecycle control, see Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs for how delegated access should be provisioned, reviewed, and offboarded.

What this signals

Session-scoped access is becoming the dividing line between enterprise-ready agent governance and consumer-style automation. Once agents can act across SaaS apps, the programme question shifts from whether access works to whether access is separately attributable, revocable, and reviewable. Teams that keep relying on human session replay will struggle to prove control when audit and offboarding become operational requirements.

Identity teams should expect OAuth-based delegation to replace browser-based workarounds as the default control plane for agents. The practical implication is that access reviews must track grants, not just users, and that revocation needs to operate at the token and session level. For teams building agent governance, the next step is to align those controls with the Ultimate Guide to NHIs , Static vs Dynamic Secrets so machine access does not depend on borrowed human credentials.

Delegated machine access will expose a visibility gap before it exposes a technology gap. With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, the problem is not whether agents can authenticate, but whether security teams can see, classify, and govern the grants they are creating.

For practitioners

• Ban cloned human sessions for enterprise agents Disallow cookie syncing and profile copying for production agent access, especially where the application serves multiple users or customers. Require a separate delegated authorization path for any machine that acts on behalf of a person.
• Scope agent access by task, not by user account Define the minimum set of actions an agent needs, then map those actions to explicit OAuth scopes or equivalent grants. Avoid giving the agent full account access just because the human user has it.
• Make token expiry and revocation visible in operations Track when agent grants expire, where they are used, and who can revoke them. Align these logs with NIST Cybersecurity Framework access control expectations and keep the audit trail distinct from the human session.
• Separate human second factors from machine delegation Do not let shared TOTP secrets, inbox polling, or password manager injections become the default path for agent authentication. If the application must support machine access, use a distinct authorization flow instead of replaying human MFA patterns.

Key takeaways

• Cookie syncing and credential injection make agents look authenticated while preserving all the weaknesses of human session reuse.
• OAuth 2.1 is the cleaner control model because it binds agent access to scope, expiry, and revocation instead of a cloned browser state.
• Enterprises should govern agent access as a separate non-human identity pattern, not as a convenience layer on top of employee login.

Key terms

• Session-scoped authorization: A delegation model where access is granted for a specific task or window, then expires automatically. For agents, this means the token, not the human account, defines the boundary of use. It is the practical alternative to copied browser sessions and long-lived refresh grants.
• Cookie syncing: The practice of copying browser session state from a human user into an agent-controlled browser so the agent inherits an already authenticated context. It is convenient for automation, but it collapses identity boundaries and makes the machine indistinguishable from the person whose cookies were copied.
• Delegated identity: An identity model where one actor is allowed to act on behalf of another under explicit scope and governance. In agent use cases, delegated identity is only acceptable when access is separate, attributable, and revocable, rather than hidden inside a normal human login flow.
• NHI access grant: A bounded permission assigned to a non-human identity such as an agent, token, service account, or workload. The grant should define scope, duration, and revocation path. For agents, this is the control object practitioners need to review instead of the user’s original account session.

Deepen your knowledge

OAuth-based agent authentication and session-scoped access are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are designing delegated access for AI agents or other non-human identities, it is worth exploring.

This post draws on content published by WorkOS: Logging AI agents into web apps, from cookie hacks to proper OAuth. Read the original.