An agent identity gives an autonomous AI agent, one that runs on its own with no person in the loop, its own named identity in oakallow instead of sharing one connector login with every other agent. The point is visibility and a clean record: each agent acts under its own name, its activity is attributed to it in the audit trail, and when an action needs a person, the approval stays a clear, separate human step.
What an agent identity is
- Its own credential. The agent authenticates with a token the way a service makes an API call, with no human inbox and no interactive sign-in.
- Attributed activity. Every permission check the agent makes is recorded under that agent by name, so you can tell your agents apart instead of collapsing them into one shared account.
- A clear human approval step. An agent can submit and check requests; it can never approve a request, neither its own nor anyone else's. The approver is always a separate person.
Where it is scoped and how it behaves
- Scoped to one organization, chosen when you create the agent. Its whole surface is that org's already-approved tools.
- It can check permissions, submit gated requests, and check the status of its own requests. It cannot read org settings, team, or billing.
- Rate-limited per identity, can carry an expiry, and is revoked instantly from the dashboard. Only a SHA-256 hash of the token is stored; the raw token is shown once on creation.
- Provisioned by a person. Only an owner or admin can create an agent, so a human is accountable for it from day one.
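The properties listed above can be modeled in a few lines. This is an added example, not oakallow's code or API: AgentStore, its method names, the action strings and the role strings are all hypothetical, chosen only to illustrate hash-only token storage, expiry, revocation, single-org scope and the rule that an agent never approves.

```python
import hashlib, secrets, time

# Hypothetical model for illustration; not oakallow's implementation.
# The agent surface: check permissions, submit requests, check status. No "approve".
AGENT_ACTIONS = {"check_permission", "submit_request", "check_status"}

class AgentStore:
    def __init__(self):
        self._by_hash = {}  # SHA-256 hex of token -> agent record; raw token never kept

    def create_agent(self, name, org, created_by_role, ttl_seconds=None, now=None):
        if created_by_role not in ("owner", "admin"):
            raise PermissionError("only an owner or admin can create an agent")
        now = time.time() if now is None else now
        # A random 256-bit token cannot be guessed, so a plain SHA-256 digest is enough.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._by_hash[digest] = {
            "name": name, "org": org, "revoked": False,
            "expires_at": None if ttl_seconds is None else now + ttl_seconds,
        }
        return token  # shown once; it cannot be recovered from the store afterwards

    def authenticate(self, token, now=None):
        now = time.time() if now is None else now
        rec = self._by_hash.get(hashlib.sha256(token.encode()).hexdigest())
        if rec is None or rec["revoked"]:
            return None
        if rec["expires_at"] is not None and now >= rec["expires_at"]:
            return None
        return rec

    def revoke(self, name):
        for rec in self._by_hash.values():
            if rec["name"] == name:
                rec["revoked"] = True  # takes effect on the next authenticate()

    def authorize(self, token, action, org, now=None):
        rec = self.authenticate(token, now)
        # Deny unknown tokens, other orgs, and anything outside the agent surface,
        # so "approve" or reading org settings is refused regardless of the token.
        return bool(rec and rec["org"] == org and action in AGENT_ACTIONS)
```

Because the store holds only digests, a leak of the stored records does not yield usable tokens, and a lost token is replaced by issuing a new one instead of being looked up.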
A person using an AI assistant does not need an agent identity: they sign in as themselves, so the action is already attributed to them. Agent identities are for the autonomous case. See oakallow.io/info/agents for the full model.