IDENTITY PROVIDER

IdP for AI agents

Issue purpose‑bound Agent Passports (Token Exchange + RAR + DPoP) with consent, budgets, and schema/plan pins—made for agents, not browsers.

Why it wins

Agent→user binding (authorize on sub; track act.sub)

Consent at issuance; obligations before mint

Resource‑targeted audiences (RFC 8707)

Optional DPoP (proof‑of‑possession)

Why purpose‑built for agents

  • Agent→user binding; authorize on sub, record act.sub, keep client in azp
  • Batched capability asks (RAR) with optional PAR/JARM
  • Consent at issuance; obligations handled before tokens mint
  • Proof‑of‑possession (DPoP) for agent runtimes
  • Resource‑targeted audiences (RFC 8707) → fewer 401s

Using External IdPs with EmpowerNow

Federate to your corporate IdP (Microsoft Entra ID, Okta, Auth0) for login, then complete OAuth/OIDC locally so you retain control of token issuance, claims, and policy.

Use cases

  • Standardize tokens across apps while using the corporate IdP for login
  • Migrate or multi‑IdP with a unified claims contract
  • Step‑up and consent based on risk/policy—even after upstream auth
  • Fine‑grained API authorization with consistent scopes/claims
  • Developer tokens and introspection alongside JWTs

Federate but orchestrate

  • Redirect to upstream for login; return and orchestrate locally
  • Apply obligations (step‑up MFA, consent, risk) and bind sessions
  • The same outcomes as upstream “authentication actions”, expressed as policy‑driven rules

Collaborative adaptive authentication

  • Normalize upstream attributes to canonical claims; decide locally
  • Emit identity events for analytics and adaptive posture

Standards we implement for agents

Core: Authorization Code + PKCE, Refresh Token, Client Credentials, Token Introspection. Optional: PAR, JARM‑style JWT responses, CIBA, DPoP, RFC 8693 Token Exchange, JWE/JWS. OIDC Discovery advertises the supported grants and algorithms; middleware can enforce FAPI‑style rigor.

  • RFC 8693 Token Exchange (OBO)
  • RAR (batched capabilities) + PAR/JARM
  • DPoP (RFC 9449) token binding
  • RFC 8707 Resource Indicators (audience)
  • OIDC Discovery + JWKS

Minimal RAR object

{
  "authorization_details": [
    {
      "type": "tool",
      "actions": ["invoke"],
      "resource": "billing.export",
      "locations": ["https://api.example.com"],
      "dat": { "purpose": "monthly_report" }
    }
  ]
}
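Resource‑server side of the Passport, as an added example that is not EmpowerNow's code: the checks a tool gateway would run before honouring the RAR entry above, namely aud against the RFC 8707 resource, the RFC 9449 DPoP key binding, the RFC 9396 authorization_details match, and sub/act.sub/azp handling (authorize on sub, record act.sub). The payload is constructed, signature verification is assumed done already, and the page's `dat` field is treated as opaque.

```python
"""Resource-server checks for an Agent Passport: aud (RFC 8707), RAR entry
(RFC 9396), DPoP binding (RFC 9449), and sub/act/azp (RFC 8693, OIDC)."""
import time

# Constructed payload of a decoded Passport; signature verification against the
# IdP's JWKS is assumed to have happened already (not shown).
SAMPLE_PAYLOAD = {
    "iss": "https://idp.example.com",
    "sub": "user:alice",                    # the user the agent acts for
    "act": {"sub": "agent:report-bot"},     # RFC 8693 actor: the agent runtime
    "azp": "copilot-client",                # OIDC authorized party: the client
    "aud": "https://api.example.com",       # set from the RFC 8707 resource parameter
    "exp": int(time.time()) + 300,
    "cnf": {"jkt": "constructed-jwk-thumbprint"},  # RFC 9449 DPoP key binding
    "authorization_details": [              # the page's minimal RAR object
        {
            "type": "tool",
            "actions": ["invoke"],
            "resource": "billing.export",
            "locations": ["https://api.example.com"],
            "dat": {"purpose": "monthly_report"},  # product-specific; treated as opaque here
        }
    ],
}


def authorize_tool_call(payload, resource, tool, action, dpop_jkt=None, now=None):
    """Return (allowed, reason). Authorization is on sub; act.sub is recorded, not authorized."""
    now = time.time() if now is None else now
    if payload.get("exp", 0) <= now:
        return False, "token expired"
    aud = payload.get("aud")
    if resource not in (aud if isinstance(aud, list) else [aud]):
        return False, "aud mismatch"
    # A sender-constrained token must arrive with a DPoP proof from the bound key.
    bound_jkt = payload.get("cnf", {}).get("jkt")
    if bound_jkt is not None and bound_jkt != dpop_jkt:
        return False, "DPoP key mismatch"
    for detail in payload.get("authorization_details", []):
        if (detail.get("type") == "tool"
                and detail.get("resource") == tool
                and action in detail.get("actions", [])
                and resource in detail.get("locations", [])):
            actor = payload.get("act", {}).get("sub")
            return True, f"sub={payload['sub']} act.sub={actor} azp={payload.get('azp')}"
    return False, "no matching authorization_details entry"
```

The returned reason string is what a gateway would write to its receipt: the user authorized, the agent that acted, and the client that presented the token.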

Claims & scopes

  • Canonical identity‑first claims with provenance (`orig_iss`, `orig_sub`)
  • Composable claims merged from upstream + internal sources
  • Per‑client customization without leaking provider specifics
  • Introspection parity for local/external tokens

Architecture at a glance

  1. Login at corporate IdP → return to EmpowerNow
  2. Orchestrate obligations and assurances
  3. Issue policy‑controlled tokens / introspection with canonical claims
  4. Enforce with PDP/services; analytics feed adaptive auth

Getting started

  1. Configure upstream provider (discovery/JWKS, redirect URIs)
  2. Enable federation and mapping
  3. Define canonical claims and any internal sources
  4. Enable advanced features as required; verify via discovery
  5. Test end‑to‑end (login, step‑up, issuance, introspection)

GitHub Admin Passport

Scope + step‑up enforced.

Copilot delegated action

Consent before issuance.

Audience control (RFC 8707)

Send the resource parameter (RFC 8707) on the request and the token is minted with that aud—no more 401s from resource servers rejecting a mismatched aud.

Identity ARNs & federation

Identity‑first subjects across IdPs (account ARN → identity ARN) mean you write policy once and reuse everywhere.

Dev‑tool access (PATs)

Scoped Personal Access Tokens for OpenAI/Anthropic proxies—clients hold a scoped PAT, never a vendor key. The proxy introspects the PAT (with a short‑lived cache), enforces its scopes, and emits receipts.

How the Passport is used

AI scenarios

Agent on‑behalf‑of

On‑behalf‑of (RFC 8693) tokens carrying sub (the user), act (the agent), azp (the client) and a delegation id.

Batched capability ask

RAR across tools; single mint.

DPoP‑bound tool call

Sender‑constrained tokens for agents.

Proof & performance

  • Discovery/JWKS for easy verification
  • RAR snippet and examples in docs
  • P95 issuance targets with cache

FAQ

  • Replace corporate IdP? No—federate for login, issue Passports here.
  • Delegation for every call? Only agents and elevated service routes.
  • 401s from an audience mismatch? Send the resource parameter (RFC 8707) so aud is set precisely.